Netgate Discussion Forum

Help with error (racoon.conf:2: "500" parse error)

Category: IPsec
18 Posts 4 Posters 10.4k Views
    artifact, Jan 2, 2007, 3:02 PM

    Hello,

    When I set up a new pfSense installation, IPsec worked fine. One day it does not start up this service and displays this error.

    
    Jan 2 16:50:43 	racoon: ERROR: /var/etc/racoon.conf:2: "500" parse error
    Jan 2 16:50:43 	racoon: ERROR: fatal parse failure (1 errors)
    
    

    I opened /var/etc/racoon.conf, which has not changed since it worked, I guess.

    
    listen {
    	isakmp  [500];
    
    }
    path pre_shared_key "/var/etc/psk.txt";
    
    path certificate  "/var/etc";
    
    remote xxx.xxx.xxx.xxx {
    	exchange_mode main;
    	my_identifier address "xxx.xxx.xxx.xxx";
    
    	peers_identifier address xxx.xxx.xxx.xxx;
    	initial_contact on;
    	support_proxy on;
    	proposal_check obey;
    
    	proposal {
    		encryption_algorithm 3des;
    		hash_algorithm sha1;
    		authentication_method pre_shared_key;
    		dh_group 2;
    		lifetime time 3600 secs;
    	}
    	lifetime time 3600 secs;
    }
    
    sainfo address 192.168.1.0/24 any address 192.168.0.0/24 any {
    	encryption_algorithm 3des;
    	authentication_algorithm hmac_sha1;
    	compression_algorithm deflate;
    	pfs_group 2;
    	lifetime time 3600 secs;
    }
    
    remote xxx.xxx.xxx.xxx {
    	exchange_mode main;
    	my_identifier address "xxx.xxx.xxx.xxx";
    
    	peers_identifier address xxx.xxx.xxx.xxx;
    	initial_contact on;
    	support_proxy on;
    	proposal_check obey;
    
    	proposal {
    		encryption_algorithm 3des;
    		hash_algorithm sha1;
    		authentication_method pre_shared_key;
    		dh_group 2;
    		lifetime time 3600 secs;
    	}
    	lifetime time 3600 secs;
    }
    
    sainfo address 192.168.1.0/24 any address 192.168.5.0/24 any {
    	encryption_algorithm 3des;
    	authentication_algorithm hmac_sha1;
    	compression_algorithm deflate;
    	pfs_group 2;
    	lifetime time 3600 secs;
    }
    
    remote xxx.xxx.xxx.xxx {
    	exchange_mode main;
    	my_identifier address "xxx.xxx.xxx.xxx";
    
    	peers_identifier address xxx.xxx.xxx.xxx;
    	initial_contact on;
    	support_proxy on;
    	proposal_check obey;
    
    	proposal {
    		encryption_algorithm 3des;
    		hash_algorithm sha1;
    		authentication_method pre_shared_key;
    		dh_group 2;
    		lifetime time 3600 secs;
    	}
    	lifetime time 3600 secs;
    }
    
    sainfo address 192.168.1.0/24 any address xxx.xxx.xxx.xxx/23 any {
    	encryption_algorithm 3des;
    	authentication_algorithm hmac_sha1;
    	compression_algorithm deflate;
    	pfs_group 2;
    	lifetime time 3600 secs;
    }
    
    remote anonymous {
    	exchange_mode main;
    	my_identifier address "xxx.xxx.xxx.xxx";
    
    	initial_contact on;
    	passive on;
    	generate_policy on;
    	support_proxy on;
    	proposal_check obey;
    
    	proposal {
    		encryption_algorithm 3des;
    		hash_algorithm sha1;
    		authentication_method pre_shared_key;
    		dh_group 2;
    		lifetime time 3600 secs;
    	}
    	lifetime time 3600 secs;
    }
    
    sainfo anonymous {
    	encryption_algorithm 3des;
    	authentication_algorithm hmac_sha1;
    	compression_algorithm deflate;
    	pfs_group 2;
    	lifetime time 3600 secs;
    }
    
    

    How to solve this?

    I tried to comment out:

    
    listen {
    	#isakmp  [500];
    
    }
    
    

    then it worked, at least phase 1.

    Help! :))

    Thanks!

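The directive racoon is choking on, as an added example written for this thread (not code from the page, from pfSense or from ipsec-tools): racoon's `listen` grammar is `isakmp <address> [port];` with the address mandatory and the bracketed port optional. Line 2 of the file quoted above reads `isakmp  [500];`, so the port survived and the address in front of it did not, which is exactly what racoon reports as `racoon.conf:2: "500" parse error`. The script below lints a listen block for that defect and writes a chosen address back in. The sample block and the `198.51.100.1` address are constructed; which local address belongs there (the thread points at the WAN IP that the failover field replaced) is for the operator to decide.

```python
"""Lint the listen{} block of a racoon.conf before handing it to racoon.

Added example, not ipsec-tools or pfSense code.  racoon's grammar is

    listen { isakmp <address> [port]; isakmp_natt <address> [port]; }

<address> is mandatory, [port] is optional.  A directive that has only the
[port] is what racoon reports as  <file>:<line>: "<port>" parse error.
"""
import ipaddress
import re

# Constructed sample reproducing the listen block quoted in the thread.
BROKEN_LISTEN = "listen {\n\tisakmp  [500];\n\n}\n"

_DIRECTIVE = re.compile(r"^(isakmp(?:_natt)?)\b\s*(.*)$")
_PORT = re.compile(r"\[\d{1,5}\]")


def check_listen_block(conf):
    """Return [(lineno, message), ...] for isakmp/isakmp_natt directives inside
    listen{} that racoon would refuse.  An empty list means the block parses."""
    problems = []
    in_listen = False
    for lineno, raw in enumerate(conf.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()        # drop comments and whitespace
        if not line:
            continue
        if re.match(r"^listen\s*\{", line):
            in_listen = True
            continue
        if in_listen and line.startswith("}"):
            in_listen = False
            continue
        if not in_listen:
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        name, rest = m.group(1), m.group(2).rstrip(";").split()
        # The thread's failure: the token after the keyword is already the [port].
        if not rest or rest[0].startswith("["):
            problems.append((lineno, "%s has no address before %r"
                             % (name, rest[0] if rest else ";")))
            continue
        try:
            ipaddress.ip_address(rest[0])
        except ValueError:
            problems.append((lineno, "%s address %r is not an IP address"
                             % (name, rest[0])))
        if len(rest) > 1 and not _PORT.fullmatch(rest[1]):
            problems.append((lineno, "%s port must be written as [port], got %r"
                             % (name, rest[1])))
    return problems


def fix_listen_block(conf, address):
    """Insert `address` into every isakmp/isakmp_natt directive that carries only
    a [port].  `address` must be the local IP racoon should bind; this example
    does not guess it (the thread suggests the WAN IP), the caller supplies it."""
    ipaddress.ip_address(address)                 # refuse to write garbage back
    pattern = re.compile(r"^(\s*isakmp(?:_natt)?)\s+(\[\d{1,5}\];)", re.M)
    return pattern.sub(lambda m: "%s %s %s" % (m.group(1), address, m.group(2)), conf)


if __name__ == "__main__":
    for lineno, msg in check_listen_block(BROKEN_LISTEN):
        print("racoon.conf:%d: %s" % (lineno, msg))
    print(fix_listen_block(BROKEN_LISTEN, "198.51.100.1"))
```

Run it against a copy of /var/etc/racoon.conf before restarting racoon. It is a lint for this one failure mode, not a full racoon.conf parser, and it only ever touches the `listen{}` block.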
      hoba, Jan 2, 2007, 3:04 PM

      Are you already running one of the latest snapshots? Which version is this? (please include version and build date from status>system)

        artifact, posted Jan 2, 2007, 3:18 PM (edited Jan 2, 2007, 3:23 PM)

        Name  pfsense
        Version 1.0.1
        built on Sun Oct 29 01:07:16 UTC 2006
        Platform pfSense

        P.S. I tried to back up the settings, then reset to factory defaults, then restored them. Result the same.

          sullrich, Jan 2, 2007, 5:45 PM

          Have you set a failover ipsec option by chance?

            artifact, posted Jan 2, 2007, 6:08 PM (edited Jan 2, 2007, 6:27 PM)

            Yes, I set it once, but then I emptied this field and saved. Is that the problem? And how to solve that? It was empty before and is now, but maybe something has been left in the configuration?

            :)

              sullrich, Jan 2, 2007, 6:45 PM

              @artifact:

              Yes, I set it once, but then I emptied this field and saved. Is that the problem? And how to solve that? It was empty before and is now, but maybe something has been left in the configuration?

              :)

              Double check that the field really is empty and not a space, etc.

                artifact, Jan 2, 2007, 7:05 PM

                I am sure that this field is empty. Could it be that I pressed the SAVE button with an empty Failover IP, and at that moment IPsec stopped? It seems so.

                  sullrich, Jan 2, 2007, 8:05 PM

                  Try setting your WAN IP in this box and see if it goes away. It may be a problem of us clearing the item. Also, try this from a shell and let me know what it says:

                  cat /cf/conf/config.xml | grep failoverip

                    hoba, Jan 2, 2007, 8:19 PM

                    In case the IP is not cleared, download your config.xml from Diagnostics > Backup/Restore, manually remove the item and upload it again. But first do what Scott asked for, please.

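The "really empty or just a space" check from the two replies above, done on the downloaded config.xml rather than by eye, as an added example that is not pfSense code: `grep failoverip` matches a value that is a single space, while the GUI renders that value as an empty field. The script reports every `failoverip` element whose content is empty or whitespace only and produces the stripped copy that would be uploaded again. The element name is taken from the grep used in the thread; its exact place in the 1.0.1 config.xml schema is an assumption, so the search goes by tag name over the whole tree, and the sample file is constructed (the `<dhcpd>` `failover_peerip` in it is a different setting that must be left alone, as it was in the poster's file).

```python
"""Find, and strip, an IPsec failover IP element that was 'cleared' in the GUI
but is still present as an empty or whitespace-only value in config.xml.

Added example, not pfSense code.  The tag name 'failoverip' comes from the grep
in the thread; where it sits in the 1.0.1 schema is an assumption, hence the
tree-wide search by tag.
"""
import xml.etree.ElementTree as ET

# Constructed sample, not the poster's file.  <failoverip> holds one space,
# which the GUI shows as blank; <failover_peerip> under <dhcpd> is unrelated.
SAMPLE_CONFIG_XML = """<?xml version="1.0"?>
<pfsense>
  <ipsec>
    <enable/>
    <failoverip> </failoverip>
  </ipsec>
  <dhcpd>
    <lan>
      <enable>yes</enable>
      <failover_peerip></failover_peerip>
      <dnsserver>192.168.1.200</dnsserver>
    </lan>
  </dhcpd>
</pfsense>
"""


def _parents(root):
    """ElementTree has no parent links; build child -> parent once per tree."""
    return {child: parent for parent in root.iter() for child in parent}


def _path(elem, parents):
    parts = []
    while elem is not None:
        parts.append(elem.tag)
        elem = parents.get(elem)
    return "/" + "/".join(reversed(parts))


def find_blank_elements(xml_text, tag="failoverip"):
    """Return [(path, raw text)] for every <tag> whose content is empty or
    whitespace only; the raw text is kept so a lone space is visible."""
    root = ET.fromstring(xml_text)
    parents = _parents(root)
    return [(_path(e, parents), e.text)
            for e in root.iter(tag) if not (e.text or "").strip()]


def strip_blank_elements(xml_text, tag="failoverip"):
    """Return the config with those blank <tag> elements removed: the manual
    edit suggested in the thread before re-uploading the backup."""
    root = ET.fromstring(xml_text)
    parents = _parents(root)
    for e in list(root.iter(tag)):              # list(): do not mutate while iterating
        if e in parents and not (e.text or "").strip():
            parents[e].remove(e)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for path, text in find_blank_elements(SAMPLE_CONFIG_XML):
        print("blank %s: %r" % (path, text))
    print(strip_blank_elements(SAMPLE_CONFIG_XML))
```

Treat the downloaded backup as a secret while you do this: config.xml carries the IPsec pre-shared keys and the admin password hash, so edit it on a trusted host and delete the copy afterwards.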
                      artifact, Jan 2, 2007, 8:48 PM

                      Ok,

                      I checked the WAN IP, and there everything is OK.

                      Interfaces: WAN
                      Type: Static
                      Static IP configuration: Correct
                      Other settings - empty
                      FTP Helper  Disable the userland FTP-Proxy application  [CHECKED]
                      Block private networks [CHECKED]
                      
                      
                      Diagnostics: Ping
                      
                      Host  : www.yahoo.com
                      Interface  WAN
                      Count 3
                      
                      Ping output:
                      
                      PING www.yahoo-ht2.akadns.net (209.73.186.238) from 159.148.175.210: 56 data bytes
                      64 bytes from 209.73.186.238: icmp_seq=0 ttl=50 time=176.817 ms
                      64 bytes from 209.73.186.238: icmp_seq=1 ttl=50 time=176.690 ms
                      64 bytes from 209.73.186.238: icmp_seq=2 ttl=50 time=176.749 ms
                      
                      --- www.yahoo-ht2.akadns.net ping statistics ---
                      3 packets transmitted, 3 packets received, 0% packet loss
                      round-trip min/avg/max/stddev = 176.690/176.752/176.817/0.052 ms
                      
                      

                      cat /cf/conf/config.xml | grep failoverip returned nothing.

                      /cf/conf/config.xml - only here did I find some failover string, and nowhere else in this file.

                       <dhcpd><lan><enable>yes</enable>
                       			 <range><from>192.168.1.101</from>
                       				<to>192.168.1.199</to></range>
                       			 <defaultleasetime><maxleasetime><netmask><failover_peerip>
                       			 <gateway><dnsserver>192.168.1.200</dnsserver></gateway></failover_peerip></netmask></maxleasetime></defaultleasetime></lan></dhcpd>
                      
                        sullrich, Jan 2, 2007, 8:49 PM

                        What version is this again?  That all looks fine to me.

                          artifact, posted Jan 2, 2007, 8:56 PM (edited Jan 3, 2007, 8:30 AM)

                          Version 1.0.1
                          built on Sun Oct 29 01:07:16 UTC 2006

                          Thanks ;)

                            artifact, Jan 2, 2007, 9:07 PM

                            Also, if I try to launch racoon from the shell

                            racoon -f /var/etc/racoon.conf

                            racoon: failed to parse configuration file.

                              artifact, Jan 3, 2007, 10:55 AM

                              I restored my two-month-old settings from backup, and now there is an error like this; what's wrong??

                              
                              Jan 3 11:08:10 	racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
                              Jan 3 11:08:10 	racoon: INFO: 192.168.1.1[500] used as isakmp port (fd=19)
                              Jan 3 11:08:10 	racoon: INFO: fe80::230:4fff:fe25:33b0%rl0[500] used as isakmp port (fd=18)
                              Jan 3 11:08:10 	racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
                              Jan 3 11:08:10 	racoon: INFO: xxx.xxx.xxx.xxx[500] used as isakmp port (fd=17)
                              Jan 3 11:08:10 	racoon: INFO: fe80::201:29ff:fe93:1125%vr0[500] used as isakmp port (fd=16)
                              Jan 3 11:08:10 	racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
                              Jan 3 11:08:10 	racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=15)
                              Jan 3 11:08:10 	racoon: INFO: ::1[500] used as isakmp port (fd=14)
                              Jan 3 11:08:10 	racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=13)
                              Jan 3 11:08:10 	racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
                              Jan 3 11:08:10 	racoon: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
                              Jan 3 11:08:09 	racoon: INFO: racoon shutdown
                              Jan 3 11:08:08 	racoon: INFO: caught signal 15
                              
                              
                                jahonix, posted Jan 4, 2007, 11:41 AM (edited Jan 4, 2007, 11:54 AM)

                                Same over here. I am too dumb to get IPsec to work…  :-[

                                I got some firewall block messages for TCP port 500 in the logs.
                                My static site is really locked down on ports - do I have to open up something special here?

                                Needless to say, the tunnel is not coming up and I cannot ping a host on the other side.
                                Both pfSenses are 1.0.1 Snapshot 2006-DEC-23 with PPPoE ADSL.
                                Office has a static IP, home a dynamic one. NO SAD or SPD entries on the static side and only SPD on the dynamic end, where I also get this:

                                Diagnostics: System logs: IPSEC VPN
                                Jan 4 10:48:10 racoon: ERROR: fatal parse failure (1 errors)
                                Jan 4 10:48:10 racoon: ERROR: /var/etc/racoon.conf:2: "500" parse error
                                Jan 4 10:48:10 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
                                Jan 4 10:48:10 racoon: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)

                                Does the "500" parse error relate to a port issue??

                                  artifact, Jan 5, 2007, 6:46 AM

                                  I'll try to reinstall pfSense. Maybe that helps.

                                    jahonix, posted Jan 7, 2007, 9:08 PM (edited Jan 8, 2007, 2:44 PM)

                                    Any news here?

                                    I still get the parse error and have no idea where to look.
                                    Installation is vanilla 1.0.1 with current snapshot, 1.0.1-SNAPSHOT-12-28-2006, built on Thu Jan 4 13:07:12 EST 2007
                                    I added squid, (freeradius…), NTP, nmap (...) and mc.

                                    IPsec install was from Hoba's tutorial.
                                    What firewall ruleset do you recommend for IPsec use? UDP 500 and EAP on WAN or gateway's LAN address?
                                    That's not covered by the tutorial AFAIK.

                                    Greatly appreciate your help!

                                      artifact, Jan 8, 2007, 2:35 PM

                                      I reinstalled the whole system and now it works. I think that's a bug.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.