Netgate Discussion Forum

    Racoon: fatal parse failure???

    Category: IPsec
    7 Posts 2 Posters 3.0k Views
    •
      LuckyURE

      Hi everyone,

      I've set up a few pfSense-based IPsec VPN connections just fine.  However, this current one is having some issues and I can't figure out why.  Here is what the error log says on the pfSense device:

      ----- BEGIN LOG -----

      Feb 9 21:48:37 racoon: ERROR: fatal parse failure (1 errors)
      Feb 9 21:48:37 racoon: ERROR: /var/etc/racoon.conf:43: "any" syntax error
      Feb 9 21:48:37 racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
      Feb 9 21:48:37 racoon: INFO: @(#)This product linked OpenSSL 0.9.8n 24 Mar 2010 (http://www.openssl.org/)
      Feb 9 21:48:37 racoon: INFO: @(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)
      Feb 9 16:40:18 racoon: ERROR: fatal parse failure (1 errors)
      Feb 9 16:40:18 racoon: ERROR: /var/etc/racoon.conf:43: "any" syntax error
      Feb 9 16:40:18 racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
      Feb 9 16:40:18 racoon: INFO: @(#)This product linked OpenSSL 0.9.8n 24 Mar 2010 (http://www.openssl.org/)
      Feb 9 16:40:18 racoon: INFO: @(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)
      Feb 9 16:35:00 racoon: ERROR: fatal parse failure (1 errors)
      Feb 9 16:35:00 racoon: ERROR: /var/etc/racoon.conf:43: "any" syntax error
      Feb 9 16:35:00 racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
      Feb 9 16:35:00 racoon: INFO: @(#)This product linked OpenSSL 0.9.8n 24 Mar 2010 (http://www.openssl.org/)
      Feb 9 16:35:00 racoon: INFO: @(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)

      ----- END LOG -----

      Here is what my config looks like:

      ---- BEGIN CONFIG ----

      This file is automatically generated. Do not edit

      path pre_shared_key "/var/etc/psk.txt";

      path certificate  "/var/etc";

      listen
      {
      adminsock "/var/db/racoon/racoon.sock" "root" "wheel" 0660;
      isakmp 24.xxx.xxx.xxx [500];
      isakmp_natt 24.xxx.xxx.xxx [4500];
      }

      remote 199.xxx.xxx.xxx
      {
      ph1id 1;
      exchange_mode main;
      my_identifier address 24.xxx.xxx.xxx;
      peers_identifier address 199.xxx.xxx.xxx;
      ike_frag on;
      generate_policy = off;
      initial_contact = on;
      nat_traversal = off;

      dpd_delay = 10;
      dpd_maxfail = 5;
      support_proxy on;
      proposal_check claim;

      proposal
      {
      authentication_method pre_shared_key;
      encryption_algorithm aes 128;
      hash_algorithm sha1;
      dh_group 2;
      lifetime time 172800 secs;
      }
      }

      sainfo subnet / any subnet 192.168.1.0/24 any
      {
      remoteid 1;
      encryption_algorithm aes 128;
      authentication_algorithm hmac_sha1;

      compression_algorithm deflate;
      }

      ---- END CONFIG ----

      I'm using the latest release of pfSense 2.0.1 i386.  The other side is reporting a timeout on P1.  Any ideas?

      •
        cmb

        What do you have configured in phase 2 for local and remote network? You're missing the subnet, which would usually be impossible to save, but there must be some missing input validation there under some unusual circumstance.

        •
          LuckyURE

          cmb:

          MODE= Tunnel
          Local Subnet = LAN
          Remote Subnet = 192.168.1.0/24
          P2 Prot = ESP
          P2 Trans = AES (128 bit)
          P2 Auth = SHA1

          I unchecked all of the other algorithms that are not in use, PFS is OFF, and under Advanced I have it auto-pinging the public IP of the remote subnet.

          It really seems like the UI isn't writing the config right to me but I can't be certain.

          Update:  I tried some things today (cause I need to get this working obviously so I'm not giving up) and found the following in the system log when I updated my IPSec configuration:

          php: /vpn_ipsec.php: The command '/usr/local/sbin/setkey -f /tmp/spd.conf.reload.1328896680.16SIqQ 2>&1' returned exit code '1', the output was 'line 1: syntax error at [/] parse failed, line 1.'

          php: /vpn_ipsec.php: The command '/usr/local/sbin/setkey -f /var/etc/spd.conf' returned exit code '1', the output was 'line 1: syntax error at [/] parse failed, line 1.'

          Not sure if this helps but I thought I would post it.

          •
            cmb

            Sounds like your LAN doesn't have an IP subnet on it? e.g. Interfaces > LAN set to type "none"?

            •
              LuckyURE

              It is set to none as I have a bridge setup.  Sorry, forgot to mention that (this is the only difference between this and the other pfSense routers I've setup).  I have OPT1/WLAN/LAN bridge together so the wifi and opt clients can all have the same subnet.

              I think the config isn't being written properly due to this configuration. ??

              •
                LuckyURE

                RESOLVED!  ;D

                Your last post got me thinking about the LAN setting in my IPSec config.  I decided to try setting it from the LAN to my bridged connection and BAM it started working.  Stupid mistake on my part.  Thanks to everyone for their help, I hope this helps someone else in the future!

                •
                  cmb

                  Misconfiguration, but one we should prohibit. http://redmine.pfsense.org/issues/2201
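
                  A pre-flight check for the failure mode in this thread (an added example, not pfSense or racoon code): it resolves a Phase 2 "Local Subnet" interface choice into a CIDR the way the 2.0.x generator effectively did, so an interface of type "none" yields the bare "/" seen in the posted config, and it rejects a generated sainfo header whose selector is not a valid network before racoon ever reads it. The interface table, the bridge0 name and the function names are constructed assumptions.

```python
"""Pre-flight validation of racoon.conf sainfo headers (added example)."""
import ipaddress

# Constructed sample: LAN is type "none" because it is a bridge member;
# the bridge interface carries the actual subnet.
INTERFACES = {
    "lan": {"ipaddr": "none", "subnet": None},
    "bridge0": {"ipaddr": "192.168.10.1", "subnet": 24},
}


def resolve_local_subnet(choice, interfaces):
    """Map a Phase 2 'local network' choice to the string the generator emits.

    choice is an interface name (the UI's "LAN" style choice) or a literal
    CIDR. An interface without an IPv4 address produces "/" (empty address
    joined to empty prefix), which is exactly what broke line 43 here.
    """
    if choice in interfaces:
        iface = interfaces[choice]
        if iface["ipaddr"] in (None, "", "none") or iface["subnet"] is None:
            return "/"  # unvalidated concatenation of two empty fields
        net = ipaddress.ip_network(f"{iface['ipaddr']}/{iface['subnet']}", strict=False)
        return str(net)
    return str(ipaddress.ip_network(choice, strict=False))


def build_sainfo(local, remote, proto="any"):
    """Emit the sainfo header in the form pfSense 2.0.x wrote it."""
    return f"sainfo subnet {local} {proto} subnet {remote} {proto}"


def check_sainfo(line):
    """Return a list of problems with a sainfo header; an empty list means OK."""
    tokens = line.split()
    if not tokens or tokens[0] != "sainfo":
        return ["not a sainfo line"]
    if tokens[1:] == ["anonymous"]:
        return []
    if len(tokens) != 7:
        return [f"expected 'sainfo <kind> <sel> <proto> <kind> <sel> <proto>', got {len(tokens)} tokens"]
    problems = []
    for side, (kind, sel) in (("local", tokens[1:3]), ("remote", tokens[4:6])):
        if kind not in ("address", "subnet"):
            problems.append(f"{side}: unknown selector kind {kind!r}")
            continue
        try:
            ipaddress.ip_network(sel, strict=False)  # "/" and "" both fail here
        except ValueError:
            problems.append(f"{side}: {sel!r} is not a valid {kind}")
    return problems
```

Running `check_sainfo(build_sainfo(resolve_local_subnet("lan", INTERFACES), "192.168.1.0/24"))` flags the empty local selector, while the same call with "bridge0" passes; this is the input validation the Redmine ticket above asks the GUI to perform.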
