[vpn-help] Problem establishing tunnel using Fedora 6: resend limit exceeded for phase1 exchange
Matthew Grooms
mgrooms at shrew.net
Mon May 24 17:11:32 CDT 2010
On 5/21/2010 7:45 AM, Rob Ratcliff wrote:
> I just noticed this in my CMakeCache.txt file:
>
> //Path to a file.
> PATH_INC_NETIPSEC:PATH=PATH_INC_NETIPSEC-NOTFOUND
>
> That looks like an important thing to be missing for an IPSEC-centric
> client. Could this be the problem with the client not being able to
> create the tunnel?
>
> I'm using Linux kernel 2.6.22.14 so I thought that it supported IPSEC
> natively. Is that not the case?
>
On Linux and BSD, the kernel supplies IPsec protocol support
(ESP/AH/IPcomp) and the Shrew Soft client supplies IKE protocol support.
On Windows, the Shrew Soft client supplies both. The client is
responsible for negotiating IPsec security associations. These are used
by the kernel to encapsulate/encrypt/authenticate packets that match
security policy descriptors.
If you see a 'resend limit exceeded for phase1 exchange' message in the
log output, you are probably looking at one of two issues.
1) Your authentication method or phase1 proposal does not match what is
configured on the VPN gateway. In this case, the gateway sees the IKE
packet but chooses not to respond.
2) The packets are not reaching the gateway or the return packet is not
reaching the client.
If you can contact the administrator who manages the VPN gateway, they
can probably look at the log output and offer some insight into your
particular issue. Another option would be to ask one of the individuals
who has a working site configuration to export it for you using the
Access Manager application.
-Matthew
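
The two causes listed in the reply above can be told apart by comparing a capture taken on the client with one taken on the gateway. The following is an added example, not part of the original post and not Shrew Soft code; the function names, result labels and sample addresses are assumptions, and it assumes `tcpdump -n` text output with no NAT between client and gateway.

```python
import re

# One line of `tcpdump -n` text output for an IPv4 UDP packet.
LINE = re.compile(r"^\S+ IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): ")
IKE_PORTS = {"500", "4500"}  # IKE and NAT-T

def count_ike(capture, src, dst):
    """Count IKE packets from src to dst in a tcpdump text capture."""
    n = 0
    for line in capture.splitlines():
        m = LINE.match(line.strip())
        if m and (m.group(1), m.group(3)) == (src, dst) \
                and {m.group(2), m.group(4)} & IKE_PORTS:
            n += 1
    return n

def diagnose(client_cap, gateway_cap, client_ip, gateway_ip):
    """Map the two captures onto the two causes (labels are hypothetical)."""
    sent = count_ike(client_cap, client_ip, gateway_ip)
    got = count_ike(client_cap, gateway_ip, client_ip)
    arrived = count_ike(gateway_cap, client_ip, gateway_ip)
    replied = count_ike(gateway_cap, gateway_ip, client_ip)
    if sent == 0:
        return "client-not-sending"
    if got > 0:
        return "replies-received"        # not the resend-limit pattern
    if arrived == 0:
        return "cause2-lost-before-gateway"
    if replied == 0:
        return "cause1-gateway-silent"   # check auth method / phase1 proposal
    return "cause2-reply-lost"

# Constructed sample captures (documentation addresses, not from the thread).
CLIENT, GATEWAY = "192.0.2.10", "198.51.100.1"
CLIENT_CAP = """\
17:11:30.000001 IP 192.0.2.10.500 > 198.51.100.1.500: isakmp: phase 1 I ident
17:11:35.000002 IP 192.0.2.10.500 > 198.51.100.1.500: isakmp: phase 1 I ident
17:11:40.000003 IP 192.0.2.10.500 > 198.51.100.1.500: isakmp: phase 1 I ident
"""
GW_SILENT = CLIENT_CAP  # gateway saw every retransmit, answered none
GW_REPLIED = CLIENT_CAP + \
    "17:11:30.100000 IP 198.51.100.1.500 > 192.0.2.10.500: isakmp: phase 1 R ident\n"

if __name__ == "__main__":
    for name, gw in [("silent", GW_SILENT), ("no arrival", ""), ("replied", GW_REPLIED)]:
        print(name, "->", diagnose(CLIENT_CAP, gw, CLIENT, GATEWAY))
```

From the client alone both causes look the same (retransmits with no reply), which is why the gateway-side capture or log is needed.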