17.1.7. IPsec Troubleshooting

Reconnection problems with your IPsec tunnel can often be resolved by working through the following steps, retrying the connection after each one:

  • Double check your configuration on both ends of your tunnel

  • Change the Init Type to On Demand instead of Connect

  • Create a cron job under Services → Cron that pings an IP address on the other side of the tunnel every 5 minutes to keep the connection open. Use the command ping -c 3 IP_ADDRESS &> /dev/null to do so.

Note

parsed INFORMATIONAL_V1 request 0 [ N(NO_PROP) ] received NO_PROPOSAL_CHOSEN error notify

This error message usually means that the Phase 1 Encryption Parameters do not match and the other side rejected them. Please double check both sides.

Note

invalid HASH_V1 payload length, decryption failed?

This is most likely due to an incorrect PSK on one of the peers. Since the PSK is incorporated into the key material used to secure the IKEv1 packets, they can’t be decrypted properly if the PSKs don’t match.
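
The following script is an added example, not part of the original documentation or the product. It scans IKE daemon log lines for the two messages above and attributes each to the remote peer. The syslog layout ("thread[SUBSYSTEM] message", with a preceding "received packet: from ..." line on the same thread) is an assumption, and the sample lines and addresses are constructed.

```python
import re
from collections import Counter

# Likely causes, taken from the two notes above.
DIAGNOSES = {
    "NO_PROPOSAL_CHOSEN": "Phase 1 encryption parameters do not match",
    "invalid HASH_V1 payload length": "PSK most likely differs between the peers",
}

# Assumed layout: "<thread>[<SUBSYSTEM>] <message>" somewhere in the line.
LINE_RE = re.compile(r"(?P<thread>\d+)\[[A-Z]+\]\s+(?P<msg>.*)$")
PEER_RE = re.compile(r"received packet: from (?P<peer>[0-9A-Fa-f.:]+)\[\d+\]")

# Constructed sample input (documentation address ranges).
SAMPLE_LOG = """\
Jan 12 10:00:01 fw charon: 07[NET] received packet: from 203.0.113.5[500] to 198.51.100.2[500] (40 bytes)
Jan 12 10:00:01 fw charon: 07[ENC] parsed INFORMATIONAL_V1 request 0 [ N(NO_PROP) ]
Jan 12 10:00:01 fw charon: 07[IKE] received NO_PROPOSAL_CHOSEN error notify
Jan 12 10:00:09 fw charon: 11[NET] received packet: from 192.0.2.77[500] to 198.51.100.2[500] (108 bytes)
Jan 12 10:00:09 fw charon: 11[ENC] invalid HASH_V1 payload length, decryption failed?
Jan 12 10:00:19 fw charon: 11[NET] received packet: from 192.0.2.77[500] to 198.51.100.2[500] (108 bytes)
Jan 12 10:00:19 fw charon: 11[ENC] invalid HASH_V1 payload length, decryption failed?
""".splitlines()

def triage(lines):
    """Count failures per (peer, likely cause)."""
    last_peer = {}        # thread id -> peer whose packet that thread is handling
    findings = Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue      # not an IKE daemon line in the assumed layout
        thread, msg = m["thread"], m["msg"]
        p = PEER_RE.search(msg)
        if p:
            last_peer[thread] = p["peer"]
            continue
        for needle, cause in DIAGNOSES.items():
            if needle in msg:
                peer = last_peer.get(thread, "unknown peer")
                findings[(peer, cause)] += 1
                break
    return findings

if __name__ == "__main__":
    for (peer, cause), count in triage(SAMPLE_LOG).most_common():
        print(f"{peer}: {cause} ({count}x)")
```

Repeated PSK findings from one peer point at that tunnel's shared secret, while a parameter mismatch points at its Phase 1 settings.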