[vpn-help] Problem establishing tunnel using Fedora 6: resend limit exceeded for phase1 exchange

Matthew Grooms mgrooms at shrew.net
Mon May 24 17:11:32 CDT 2010


On 5/21/2010 7:45 AM, Rob Ratcliff wrote:
> I just noticed this in my CMakeCache.txt file:
>
> //Path to a file.
> PATH_INC_NETIPSEC:PATH=PATH_INC_NETIPSEC-NOTFOUND
>
> That looks like an important thing to be missing for an IPSEC-centric
> client. Could this be the problem with the client not being able to
> create the tunnel?
>
> I'm using Linux kernel 2.6.22.14 so I thought that it supported IPSEC
> natively. Is that not the case?
>

On Linux and BSD, the kernel supplies IPsec protocol support
(ESP/AH/IPcomp) and the Shrew Soft client supplies IKE protocol support.
On Windows, the Shrew Soft client supplies both. The client is
responsible for negotiating IPsec security associations. These are used
by the kernel to encapsulate/encrypt/authenticate packets that match
security policy descriptors.

If you see a 'resend limit exceeded for phase1 exchange' message in the 
log output, you are probably looking at one of two issues.

1) Your authentication method or phase1 proposal does not match what is 
configured on the VPN gateway. In this case, the gateway sees the IKE 
packet but chooses not to respond.

2) The packets are not reaching the gateway or the return packet is not 
reaching the client.

If you can contact the administrator who manages the VPN gateway, they 
can probably look at the log output and offer some insight into your 
particular issue. Another option would be to ask one of the individuals 
who has a working site configuration to export it for you using the 
Access Manager application.

-Matthew
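
The two causes listed above can be told apart from a capture of the IKE traffic, depending on where it was taken. The following is an added example, not part of the original message and not Shrew Soft code: it reads the 28-byte ISAKMP header of each captured UDP payload and classifies the result. The function names, result strings and sample packets are constructed for illustration.

```python
import struct

# ISAKMP (IKEv1) fixed header, RFC 2408 section 3.1: 28 bytes.
HDR = struct.Struct("!8s8sBBBBII")
ZERO = b"\x00" * 8

MISMATCH = "issue 1: gateway sees phase1 but does not respond"
PATH = "issue 2: packets lost between client and gateway"
EITHER = "issue 1 or 2: capture at the gateway or read its log"
ANSWERED = "gateway answered phase1"

def parse_header(payload):
    """Return (initiator cookie, responder cookie, message ID) or None."""
    if len(payload) < HDR.size:
        return None
    icky, rcky, _np, version, _xchg, _flags, msgid, length = HDR.unpack_from(payload)
    if version != 0x10 or length < HDR.size:   # IKEv1 is version 1.0
        return None
    return icky, rcky, msgid

def diagnose(packets, capture_point):
    """packets: (from_client, udp_payload) tuples in capture order.
    capture_point: "client" or "gateway", where the capture was taken."""
    sent = replies = 0
    for from_client, payload in packets:
        hdr = parse_header(payload)
        if hdr is None or hdr[2] != 0:         # phase1 uses message ID 0
            continue
        if from_client and hdr[1] == ZERO:
            sent += 1                          # first phase1 packet or a resend
        elif not from_client and hdr[1] != ZERO:
            replies += 1                       # responder has chosen its cookie
    if capture_point == "gateway":
        if sent == 0:
            return PATH                        # nothing arrived
        # A reply seen here but never at the client is a lost return packet.
        return ANSWERED if replies else MISMATCH
    # Client side: silence looks the same for both causes.
    return ANSWERED if replies else EITHER

def sample(rcookie=ZERO):
    # Constructed header-only packet (no payloads), main mode, for the demo.
    return HDR.pack(b"\x11" * 8, rcookie, 1, 0x10, 2, 0, 0, HDR.size)

if __name__ == "__main__":
    resends = [(True, sample())] * 4           # constructed: first send + resends
    print(diagnose(resends, "client"))
    print(diagnose(resends, "gateway"))
    print(diagnose([], "gateway"))
```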


