Help with error (racoon.conf:2: "500" parse error)
-
Hello,
When i set up new pfsense instalation, then IPsec worked fine. One day it does not start up this service and display this error.
Jan 2 16:50:43 racoon: ERROR: /var/etc/racoon.conf:2: "500" parse error Jan 2 16:50:43 racoon: ERROR: fatal parse failure (1 errors)I opened /var/etc/racoon.conf who has no changed since it worked i guess.
listen { isakmp [500]; } path pre_shared_key "/var/etc/psk.txt"; path certificate "/var/etc"; remote xxx.xxx.xxx.xxx { exchange_mode main; my_identifier address "xxx.xxx.xxx.xxx"; peers_identifier address xxx.xxx.xxx.xxx; initial_contact on; support_proxy on; proposal_check obey; proposal { encryption_algorithm 3des; hash_algorithm sha1; authentication_method pre_shared_key; dh_group 2; lifetime time 3600 secs; } lifetime time 3600 secs; } sainfo address 192.168.1.0/24 any address 192.168.0.0/24 any { encryption_algorithm 3des; authentication_algorithm hmac_sha1; compression_algorithm deflate; pfs_group 2; lifetime time 3600 secs; } remote xxx.xxx.xxx.xxx { exchange_mode main; my_identifier address "xxx.xxx.xxx.xxx"; peers_identifier address xxx.xxx.xxx.xxx; initial_contact on; support_proxy on; proposal_check obey; proposal { encryption_algorithm 3des; hash_algorithm sha1; authentication_method pre_shared_key; dh_group 2; lifetime time 3600 secs; } lifetime time 3600 secs; } sainfo address 192.168.1.0/24 any address 192.168.5.0/24 any { encryption_algorithm 3des; authentication_algorithm hmac_sha1; compression_algorithm deflate; pfs_group 2; lifetime time 3600 secs; } remote xxx.xxx.xxx.xxx { exchange_mode main; my_identifier address "xxx.xxx.xxx.xxx"; peers_identifier address xxx.xxx.xxx.xxx; initial_contact on; support_proxy on; proposal_check obey; proposal { encryption_algorithm 3des; hash_algorithm sha1; authentication_method pre_shared_key; dh_group 2; lifetime time 3600 secs; } lifetime time 3600 secs; } sainfo address 192.168.1.0/24 any address xxx.xxx.xxx.xxx/23 any { encryption_algorithm 3des; authentication_algorithm hmac_sha1; compression_algorithm deflate; pfs_group 2; lifetime time 3600 secs; } remote anonymous { exchange_mode main; my_identifier address "xxx.xxx.xxx.xxx"; initial_contact on; passive on; generate_policy on; support_proxy on; proposal_check obey; proposal { encryption_algorithm 3des; hash_algorithm sha1; authentication_method pre_shared_key; dh_group 2; lifetime time 3600 secs; } lifetime time 3600 secs; } sainfo anonymous { encryption_algorithm 3des; authentication_algorithm hmac_sha1; compression_algorithm deflate; pfs_group 2; lifetime time 3600 secs; }How to solve this?
I tried to comment out:
listen { #isakmp [500]; }then it worked atleast phrase 1
Help! :))
Tnx!
-
Are you already running one of the latest snapshots? Which version is this? (please include version and build date from status>system)
-
Name pfsense
Version 1.0.1
built on Sun Oct 29 01:07:16 UTC 2006
Platform pfSenseP.s I tried to backup settings, then reset factory defaults, then back. Result the same.
-
Have you set a failover ipsec option by chance?
-
Yes i set once, but then i emptied this field and save. That is the problem? And how to solve that? It was empty before and now, but maybe something has left in configuration?
:)
-
Yes i set once, but then i emptied this field and save. That is the problem? And how to solve that? It was empty before and now, but maybe something has left in configuration?
:)
Double check that the field really is empty and not a space, etc.
-
I am shure that this field is empty. Could it be so, i pressed on empty Failover IP SAVE button, and by that moment ipsec sopped? It seems so.
-
Try setting your WANIP in this box and see if it goes away. It may be a problem of us clearing the item. Also, try this from a shell and let me know what it says:
cat /cf/conf/config.xml | grep failoverip
-
In case the IP is not cleared download your config.xml from diagnostics>backup/restore, manually remove the item and upload it again. But first Do what Scott asked for please.
-
Ok,
Ill checked WAN ip, and there ir everything ok.
Interfaces: WAN Type: Static Static IP configuration: Correct Other settings - empty FTP Helper Disable the userland FTP-Proxy application [CHECKED] Block private networks [CHECKED]Diagnostics: Ping Host : www.yahoo.com Interface WAN Count 3 Ping output: PING www.yahoo-ht2.akadns.net (209.73.186.238) from 159.148.175.210: 56 data bytes 64 bytes from 209.73.186.238: icmp_seq=0 ttl=50 time=176.817 ms 64 bytes from 209.73.186.238: icmp_seq=1 ttl=50 time=176.690 ms 64 bytes from 209.73.186.238: icmp_seq=2 ttl=50 time=176.749 ms --- www.yahoo-ht2.akadns.net ping statistics --- 3 packets transmitted, 3 packets received, 0% packet loss round-trip min/avg/max/stddev = 176.690/176.752/176.817/0.052 mscat /cf/conf/config.xml | grep failoverip returned nothing.
/cf/conf/config.xml - only here found some failover string and no more in this file.
<dhcpd><lan><enable>yes</enable> <range><from>192.168.1.101</from> <to>192.168.1.199</to></range> <defaultleasetime><maxleasetime><netmask>[b]<failover_peerip>[/b] <gateway><dnsserver>192.168.1.200</dnsserver></gateway></failover_peerip></netmask></maxleasetime></defaultleasetime></lan></dhcpd> -
What version is this again? That all looks fine to me.
-
Version 1.0.1
built on Sun Oct 29 01:07:16 UTC 2006Tnx ;)
-
-
I reseted my two month old settings from backup and there now is error like this, whats wrong??
Jan 3 11:08:10 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument Jan 3 11:08:10 racoon: INFO: 192.168.1.1[500] used as isakmp port (fd=19) Jan 3 11:08:10 racoon: INFO: fe80::230:4fff:fe25:33b0%rl0[500] used as isakmp port (fd=18) Jan 3 11:08:10 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument Jan 3 11:08:10 racoon: INFO: xxx.xxx.xxx.xxx[500] used as isakmp port (fd=17) Jan 3 11:08:10 racoon: INFO: fe80::201:29ff:fe93:1125%vr0[500] used as isakmp port (fd=16) Jan 3 11:08:10 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument Jan 3 11:08:10 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=15) Jan 3 11:08:10 racoon: INFO: ::1[500] used as isakmp port (fd=14) Jan 3 11:08:10 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=13) Jan 3 11:08:10 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/) Jan 3 11:08:10 racoon: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net) Jan 3 11:08:09 racoon: INFO: racoon shutdown Jan 3 11:08:08 racoon: INFO: caught signal 15 -
Same over here. I am to dumb to get IPsec to work… :-[
I got some Firewall block messages from TCP Port 500 in the logs.
My static site is really knocked down on ports - do I have to open up something special here?Needless to say, the tunnel is not coming up and I cannot ping a host on the other side.
Both pfSenses are 1.0.1 Snapshot 2006-DEC-23 with PPPoE ADSL.
Office has a static IP, home a dynamic one. NO SAD or SPD entries on static side and only SPD on dynamic end where I also get this:Diagnostics: System logs: IPSEC VPN
Jan 4 10:48:10 racoon: ERROR: fatal parse failure (1 errors)
Jan 4 10:48:10 racoon: ERROR: /var/etc/racoon.conf:2: "500" parse error
Jan 4 10:48:10 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
Jan 4 10:48:10 racoon: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)Does the "500" parse error relate to a port issue??
-
Ill try to reinstall pfsense. Maybe that helps.
-
Any news here?
I still get the parse error and have no idea where to look.
Installation is vanilla 1.0.1 with current snapshot, 1.0.1-SNAPSHOT-12-28-2006, built on Thu Jan 4 13:07:12 EST 2007
I added squid, (freeradius…), NTP, nmap (...) and mc.IPsec install was from Hoba's tutorial.
What firewall ruleset do you recommend for IPsec use? UDP 500 and EAP on WAN or gateway's LAN address?
That's not covered by the tutorial AFAIK.Greatly appreciate your help!
-
I reinstalled all system and now its works. I think that's a bug.