You might encounter the message IKE Phase 1 Deleted in the following scenarios.
If you get the message at the beginning of a VPN connection, ignore it.
If your connection status shows Connecting for a relatively long time before this message appears, an error has occurred in the connection procedure.
Possible Cause: Connectivity issues with your machine.
Action: Rectify the connectivity issues and proceed.
Possible Cause: The gateway is down or VPN service is not running on the gateway.
Action: Ensure that the gateway is prepared for a VPN connection.
Possible Cause: Issues with the login credentials.
Action: In the case of a Standard IPsec gateway, ensure that the certificate password is valid. If you are connecting to a Nortel Contivity server, ensure that the group credentials are valid.
If you are a non-root user and while attempting a VPN connection you receive the message Failed to connect to the Racoon Daemon, do the following:
1. Ensure that IKE is running. For details, refer to IKE Status.
2. If IKE is not running, start it. For details, refer to Failed to Connect to IKE.
3. If IKE is running, check the IKE log. For details, refer to IKE Log.
4. If you see the message ERROR: File does not have correct permissions. Expected : 432 Has : 384 in the IKE log, verify that you have the required user privileges to use VPN Client. For details, refer to Non-Root Access.
When connected to a Nortel server, encryption and decryption of IP fragments is not handled effectively, so applications that send IP fragments might not work.
For TCP applications, however, you can work around this by setting the MTU of the route to the gateway server to less than 1400 for Ethernet. The recommended MTU is 1350.
To do this, after a successful VPN connection, do the following:
1. At the command prompt, enter ip route. The routing information to the VPN server is displayed in the following format:
   VPNSERVERIPADDR via GATEWAYIPADDR dev NETWORKDEVICE
2. Delete the route using the following command:
   route delete VPNSERVERIPADDR
3. Add the route with your mss value using the following command:
   route add VPNSERVERIPADDR gw GATEWAYIPADDR NETWORKDEVICE mss 1350
HINT: For variable details, refer to the routing information (discussed in Step 1).
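The route workaround above, as an added example that is not part of the original documentation: a POSIX sh helper that parses the ip route line from Step 1 and prints the route delete and route add commands instead of running them, refusing a route with no gateway or an mss that is not below 1400. The route line and addresses are constructed placeholders.

```shell
#!/bin/sh
# Constructed sample of the "ip route" line for the VPN server (placeholder addresses).
SAMPLE_ROUTE="203.0.113.10 via 192.0.2.1 dev eth0"

# mss_route_cmds "<ip route line>" [mss]
# Prints the two commands from the workaround; it never executes them.
# Returns 1 if the line has no "via" gateway or "dev" field, or if mss is
# not a number below 1400 (the Ethernet limit the workaround relies on).
mss_route_cmds() {
    line=$1
    mss=${2:-1350}
    case $mss in
        ''|*[!0-9]*) echo "mss must be numeric: $mss" >&2; return 1 ;;
    esac
    if [ "$mss" -ge 1400 ]; then
        echo "mss must be below 1400 for Ethernet: $mss" >&2
        return 1
    fi
    server=${line%% *}   # first word: VPNSERVERIPADDR
    gw=""
    dev=""
    prev=""
    # Walk the words; the value after "via" is the gateway, after "dev" the device.
    for word in $line; do
        case $prev in
            via) gw=$word ;;
            dev) dev=$word ;;
        esac
        prev=$word
    done
    if [ -z "$gw" ] || [ -z "$dev" ]; then
        echo "route line has no 'via' gateway or 'dev' field: $line" >&2
        return 1
    fi
    printf 'route delete %s\n' "$server"
    printf 'route add %s gw %s %s mss %s\n' "$server" "$gw" "$dev" "$mss"
}

# Example call; redirect the output into a file to review before running it as root.
mss_route_cmds "$SAMPLE_ROUTE"
```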
If you have an iptables firewall running on your machine with policies configured to deny outgoing and incoming packets, configure the following rules to allow the packets:
Table 1. Outgoing Packets
Port | Configuration Command |
---|---|
UDP-500 | iptables -A OUTPUT -p UDP -s 0/0 -d 0/0 --dport 500 -j ACCEPT |
UDP-4500 | iptables -A OUTPUT -p UDP -s 0/0 -d 0/0 --dport 4500 -j ACCEPT |
Table 2. Incoming Packets
Port | Configuration Command |
---|---|
UDP-500 | iptables -A INPUT -p UDP -s 0/0 -d 0/0 --dport 500 -j ACCEPT |
UDP-4500 | iptables -A INPUT -p UDP -s 0/0 -d 0/0 --dport 4500 -j ACCEPT |