Netgate Discussion Forum
    IPsec/racoon fails to start, config error

    Category: 2.0-RC Snapshot Feedback and Problems - RETIRED
    dszp

      In recent snapshots, IPsec fails because racoon fails to start on one particular box, including after I backed up the config, reinstalled pfSense and restored the config file. It's still working on other installs with different configs, so it's definitely related to this specific config, but that config was never changed manually and wasn't changed after the update; it just stopped working after running an upgrade and nothing else. No upgrades to snapshots in the past few days have fixed it. Now that the system logs are working again, I can get logs of why it's not starting; it looks like a config error in racoon.conf.

      My IPsec log contains only this (one set of entries from bootup after snapshot upgrade, the second try is from me manually clicking Start on the racoon service):

      Dec 18 16:50:27	racoon: [Mobile IPsec]: ERROR: fatal parse failure (1 errors)
      Dec 18 16:50:27	racoon: [Mobile IPsec]: ERROR: /var/etc/racoon.conf:75: "}" duplicated sainfo: loc='ANONYMOUS', rmt='ANONYMOUS', peer='ANY', id=1
      Dec 18 16:50:27	racoon: [Mobile IPsec]: INFO: Resize address pool from 0 to 253
      Dec 18 16:50:27	racoon: [Mobile IPsec]: INFO: Reading configuration from "/var/etc/racoon.conf"
      Dec 18 16:50:27	racoon: [Mobile IPsec]: INFO: @(#)This product linked OpenSSL 0.9.8n 24 Mar 2010 (http://www.openssl.org/)
      Dec 18 16:50:27	racoon: [Mobile IPsec]: INFO: @(#)ipsec-tools 0.7.3 (http://ipsec-tools.sourceforge.net)
      Dec 18 16:45:28	racoon: [Mobile IPsec]: ERROR: fatal parse failure (1 errors)
      Dec 18 16:45:28	racoon: [Mobile IPsec]: ERROR: /var/etc/racoon.conf:75: "}" duplicated sainfo: loc='ANONYMOUS', rmt='ANONYMOUS', peer='ANY', id=1
      Dec 18 16:45:28	racoon: [Mobile IPsec]: INFO: Resize address pool from 0 to 253
      Dec 18 16:45:28	racoon: [Mobile IPsec]: INFO: Reading configuration from "/var/etc/racoon.conf"
      Dec 18 16:45:28	racoon: [Mobile IPsec]: INFO: @(#)This product linked OpenSSL 0.9.8n 24 Mar 2010 (http://www.openssl.org/)
      Dec 18 16:45:28	racoon: [Mobile IPsec]: INFO: @(#)ipsec-tools 0.7.3 (http://ipsec-tools.sourceforge.net)
      

      Here's my (IP-and-KeyID-sanitized) /var/etc/racoon.conf file:

      # This file is automatically generated. Do not edit
      path pre_shared_key "/var/etc/psk.txt";
      
      path certificate  "/var/etc";
      
      listen
      {
              adminsock "/var/db/racoon/racoon.sock" "root" "wheel" 0660;
              isakmp 12.13.14.165 [500];
              isakmp_natt 12.13.14.165 [4500];
      }
      
      mode_cfg
      {
              auth_source system;
              group_source system;
              pool_size 253;
              network4 172.30.201.1;
              netmask4 255.255.255.0;
              split_network include 172.30.1.0/24, 172.30.99.0/24, 172.30.7.0/24, 172.30.90.0/24, 172.30.95.0/24;
              dns4 172.30.1.254;
              default_domain "nothing.local";
              split_dns "nothing.local";
      }
      
      remote anonymous
      {
              ph1id 1;
              exchange_mode aggressive;
              my_identifier address 12.13.14.165;
              peers_identifier keyid tag "KeyIDhere";
              ike_frag on;
              generate_policy = unique;
              initial_contact = off;
              nat_traversal = on;
      
              dpd_delay = 10;
              dpd_maxfail = 5;
              support_proxy on;
              proposal_check claim;
      
              proposal
              {
                      authentication_method xauth_psk_server;
                      encryption_algorithm 3des;
                      hash_algorithm sha1;
                      dh_group 2;
                      lifetime time 28800 secs;
              }
      }
      
      sainfo   anonymous
      {
              remoteid 1;
              encryption_algorithm aes 128, 3des;
              authentication_algorithm hmac_sha1;
      
              lifetime time 3600 secs;
              compression_algorithm deflate;
      }
      
      sainfo   anonymous
      {
              remoteid 1;
              encryption_algorithm aes 128, 3des;
              authentication_algorithm hmac_sha1;
      
              lifetime time 3600 secs;
              compression_algorithm deflate;
      }
      
      sainfo   anonymous
      {
              remoteid 1;
              encryption_algorithm aes 128, 3des;
              authentication_algorithm hmac_sha1;
      
              lifetime time 3600 secs;
              compression_algorithm deflate;
      }
      
      sainfo   anonymous
      {
              remoteid 1;
              encryption_algorithm aes 128, 3des;
              authentication_algorithm hmac_sha1;
      
              lifetime time 3600 secs;
              compression_algorithm deflate;
      }
      
      sainfo   anonymous
      {
              remoteid 1;
              encryption_algorithm aes 128, 3des;
              authentication_algorithm hmac_sha1;
      
              lifetime time 3600 secs;
              compression_algorithm deflate;
      }
      

      And here's the IPsec config file export, also sanitized:

      
      <ipsec>
      	<client>
      		<enable></enable>
      		<user_source>system</user_source>
      		<group_source>system</group_source>
      		<pool_address>172.30.201.0</pool_address>
      		<pool_netbits>24</pool_netbits>
      		<net_list></net_list>
      		<dns_domain>nothing.local</dns_domain>
      		<dns_server1>172.30.1.254</dns_server1>
      	</client>
      	<phase1>
      		<ikeid>1</ikeid>
      		<interface>wan</interface>
      		<mobile></mobile>
      		<mode>aggressive</mode>
      		<myid_type>myaddress</myid_type>
      		<myid_data></myid_data>
      		<peerid_type>keyid tag</peerid_type>
      		<peerid_data>KeyIDHere</peerid_data>
      		<encryption-algorithm>
      			<name>3des</name>
      		</encryption-algorithm>
      		<hash-algorithm>sha1</hash-algorithm>
      		<dhgroup>2</dhgroup>
      		<lifetime>28800</lifetime>
      		<pre-shared-key>PSK HERE</pre-shared-key>
      		<private-key></private-key>
      		<certref>certrefhere</certref>
      		<caref>carefhere</caref>
      		<authentication_method>xauth_psk_server</authentication_method>
      		<proposal_check></proposal_check>
      		<nat_traversal>on</nat_traversal>
      		<dpd_delay>10</dpd_delay>
      		<dpd_maxfail>5</dpd_maxfail>
      	</phase1>
      	<phase2>
      		<ikeid>1</ikeid>
      		<mode>tunnel</mode>
      		<localid>
      			<type>lan</type>
      		</localid>
      		<remoteid>
      			<type>mobile</type>
      		</remoteid>
      		<protocol>esp</protocol>
      		<encryption-algorithm-option>
      			<name>aes</name>
      			<keylen>128</keylen>
      		</encryption-algorithm-option>
      		<encryption-algorithm-option>
      			<name>3des</name>
      		</encryption-algorithm-option>
      		<hash-algorithm-option>hmac_sha1</hash-algorithm-option>
      		<pfsgroup>0</pfsgroup>
      		<lifetime>3600</lifetime>
      	</phase2>
      	<phase2>
      		<ikeid>1</ikeid>
      		<mode>tunnel</mode>
      		<localid>
      			<type>network</type>
      			<address>172.30.99.0</address>
      			<netbits>24</netbits>
      		</localid>
      		<remoteid>
      			<type>mobile</type>
      		</remoteid>
      		<protocol>esp</protocol>
      		<encryption-algorithm-option>
      			<name>aes</name>
      			<keylen>128</keylen>
      		</encryption-algorithm-option>
      		<encryption-algorithm-option>
      			<name>3des</name>
      		</encryption-algorithm-option>
      		<hash-algorithm-option>hmac_sha1</hash-algorithm-option>
      		<pfsgroup>0</pfsgroup>
      		<lifetime>3600</lifetime>
      	</phase2>
      	<phase2>
      		<ikeid>1</ikeid>
      		<mode>tunnel</mode>
      		<localid>
      			<type>network</type>
      			<address>172.30.7.0</address>
      			<netbits>24</netbits>
      		</localid>
      		<remoteid>
      			<type>mobile</type>
      		</remoteid>
      		<protocol>esp</protocol>
      		<encryption-algorithm-option>
      			<name>aes</name>
      			<keylen>128</keylen>
      		</encryption-algorithm-option>
      		<encryption-algorithm-option>
      			<name>3des</name>
      		</encryption-algorithm-option>
      		<hash-algorithm-option>hmac_sha1</hash-algorithm-option>
      		<pfsgroup>0</pfsgroup>
      		<lifetime>3600</lifetime>
      	</phase2>
      	<phase2>
      		<ikeid>1</ikeid>
      		<mode>tunnel</mode>
      		<localid>
      			<type>network</type>
      			<address>172.30.90.0</address>
      			<netbits>24</netbits>
      		</localid>
      		<remoteid>
      			<type>mobile</type>
      		</remoteid>
      		<protocol>esp</protocol>
      		<encryption-algorithm-option>
      			<name>aes</name>
      			<keylen>128</keylen>
      		</encryption-algorithm-option>
      		<encryption-algorithm-option>
      			<name>3des</name>
      		</encryption-algorithm-option>
      		<hash-algorithm-option>hmac_sha1</hash-algorithm-option>
      		<pfsgroup>0</pfsgroup>
      		<lifetime>3600</lifetime>
      	</phase2>
      	<phase2>
      		<ikeid>1</ikeid>
      		<mode>tunnel</mode>
      		<localid>
      			<type>network</type>
      			<address>172.30.95.0</address>
      			<netbits>24</netbits>
      		</localid>
      		<remoteid>
      			<type>mobile</type>
      		</remoteid>
      		<protocol>esp</protocol>
      		<encryption-algorithm-option>
      			<name>aes</name>
      			<keylen>128</keylen>
      		</encryption-algorithm-option>
      		<encryption-algorithm-option>
      			<name>3des</name>
      		</encryption-algorithm-option>
      		<hash-algorithm-option>hmac_sha1</hash-algorithm-option>
      		<pfsgroup>0</pfsgroup>
      		<lifetime>3600</lifetime>
      	</phase2>
      	<enable></enable>
      </ipsec>
      

      This is from the system where I installed and restored (due to this issue) the previous config file on a snapshot from a couple of days ago (so a "clean" install restored with the above config (the entire old config, not just IPsec) regenerates the same erroneous racoon.conf), but right now it's upgraded to 2.0-BETA4 (i386) built on Sat Dec 18 09:51:58 EST 2010, which is where I got the .conf/config/logs above from. I have also tried unchecking "Enable IPsec" and saving, then re-checking and saving, but no change.

      David Szpunar

      dszp

        OK, found a little more information. I had a single Mobile IPsec connection configured, but with five Phase-2 entries/networks. Based on the config file error being at line 75, which was where the second "sainfo" of five was located (and the error was about duplicate sainfo sections), I deleted all but one Phase-2 from under the Phase-1 Mobile entry in pfSense. With just one Phase-2, the connection works, racoon runs, traffic flows, the works. So it's an issue with multiple Phase 2s (not sure if it's limited to Mobile IPsec only). Something changed, since, like I said, it used to work fine. I don't know enough about the racoon.conf file syntax to know what changed and I don't have an old version handy to look at, but I'm guessing with this info someone more in-the-know will be able to track this down easily.

        Update: since I can reproduce this and see the change needed to fix it (minus secondary Phase 2 tunnels working), I opened a bug in redmine: http://redmine.pfsense.org/issues/1116

        David Szpunar

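The two posts above describe the failure from both ends: the racoon log blames a `"}"` line with "duplicated sainfo", and the fix on the pfSense side was to leave only one Phase 2 so only one `sainfo anonymous` block is generated. The Python below is an added example for this thread, not code from pfSense or ipsec-tools. It parses a racoon.conf into its top-level brace blocks (tracking depth so the nested `proposal` inside `remote` stays where it belongs), flags `sainfo` sections whose selector and `remoteid` collide, reporting both the block's first line and the closing-brace line that racoon itself points at, and can collapse the duplicates to a single block, which is what the one-Phase-2 workaround amounts to. The embedded config is constructed, modelled on the one quoted above, with the real addresses and KeyID replaced by documentation values.

```python
"""Pre-flight check for the failure in this thread: racoon refusing to start
because racoon.conf contains duplicated sainfo sections.

Added example; this is not pfSense's or ipsec-tools' own code.
"""
import re

# Constructed sample, modelled on the racoon.conf quoted in the thread: one
# remote block with a nested proposal, two identical 'sainfo anonymous'
# blocks (the bug), and one address-selector sainfo that must not be flagged.
SAMPLE_CONF = """\
# constructed sample, modelled on the racoon.conf quoted in the thread
path pre_shared_key "/var/etc/psk.txt";

listen
{
        isakmp 192.0.2.1 [500];
}

remote anonymous
{
        ph1id 1;
        exchange_mode aggressive;
        proposal
        {
                authentication_method xauth_psk_server;
                encryption_algorithm 3des;
        }
}

sainfo anonymous
{
        remoteid 1;
        encryption_algorithm aes 128, 3des;
        authentication_algorithm hmac_sha1;
}

sainfo anonymous
{
        remoteid 1;
        encryption_algorithm aes 128, 3des;
        authentication_algorithm hmac_sha1;
}

sainfo address 10.0.0.0/24 any address 10.1.0.0/24 any
{
        remoteid 2;
        encryption_algorithm aes 128;
        authentication_algorithm hmac_sha1;
}
"""


def parse_blocks(text):
    """Return the top-level '{ }' blocks of a racoon.conf.

    Each block is a dict with 'header' (e.g. 'sainfo anonymous'), 'body'
    (the statements inside, nested ones included), 'start' (line of the
    header) and 'end' (line of the closing brace). Line numbers are 1-based,
    matching racoon's own error messages. Comments are stripped at '#', so a
    '#' inside a quoted value would need a real tokenizer.
    """
    blocks, depth, current = [], 0, None
    header_parts, header_start = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        for piece in re.split(r'([{}])', line):
            piece = piece.strip()
            if piece == '{':
                if depth == 0:
                    start = header_start if header_start is not None else lineno
                    current = {'header': ' '.join(header_parts), 'body': [],
                               'start': start, 'end': None}
                    header_parts, header_start = [], None
                depth += 1
            elif piece == '}':
                depth -= 1
                if depth == 0:
                    current['end'] = lineno
                    blocks.append(current)
                    current = None
            elif piece:
                if depth == 0:
                    if piece.endswith(';'):
                        continue  # top-level statement such as 'path ...;', not a block
                    if header_start is None:
                        header_start = lineno
                    header_parts.append(piece)
                else:
                    current['body'].append(piece)
    if depth != 0:
        raise ValueError('unbalanced braces in racoon.conf')
    return blocks


def sainfo_key(block):
    """Identity racoon uses to reject a duplicate: the traffic selector after
    'sainfo' (anonymous, or the address/subnet specs) plus the remoteid."""
    parts = block['header'].split(None, 1)
    selector = parts[1] if len(parts) > 1 else 'anonymous'
    remoteid = None
    for stmt in block['body']:
        m = re.match(r'remoteid\s+([^;\s]+)', stmt)
        if m:
            remoteid = m.group(1)
    return selector, remoteid


def find_duplicate_sainfo(text):
    """List every sainfo block that repeats an earlier block's selector/remoteid."""
    seen, dups = {}, []
    for block in parse_blocks(text):
        if not block['header'].startswith('sainfo'):
            continue
        key = sainfo_key(block)
        if key in seen:
            dups.append({'start': block['start'], 'end': block['end'],
                         'first_start': seen[key],
                         'selector': key[0], 'remoteid': key[1]})
        else:
            seen[key] = block['start']
    return dups


def collapse_duplicate_sainfo(text):
    """Return the config with duplicate sainfo blocks dropped, keeping the first."""
    skip = set()
    for d in find_duplicate_sainfo(text):
        skip.update(range(d['start'], d['end'] + 1))
    kept = [l for n, l in enumerate(text.splitlines(), 1) if n not in skip]
    return '\n'.join(kept) + '\n'


if __name__ == '__main__':
    for d in find_duplicate_sainfo(SAMPLE_CONF):
        print("duplicate sainfo %s (remoteid %s) at lines %d-%d, first seen at line %d"
              % (d['selector'], d['remoteid'], d['start'], d['end'], d['first_start']))
```

Run against `/var/etc/racoon.conf` the reported `end` line is the one racoon names in its `"}" duplicated sainfo` error, so the check tells you before a service restart whether the generated file will load. The collapse is only a diagnostic aid: on pfSense the file is regenerated from config.xml, so the durable fix is in the Phase 2 entries (or the generator), not in the file itself.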
        mxx

          Hi,

          Are static IPsec tunnels affected too?
          At least I can say that (static IP <-> static IP) IPsec with 2 P2s does work fine for me on the 11th Dec snapshot.

          andrew0401

            On the current snapshot, IPsec takes a couple of reboots before it will connect, and then this appears in the log:

            php: /vpn_ipsec.php: The command '/usr/local/sbin/racoonctl -s /var/db/racoon/racoon.sock reload-config' returned exit code '1', the output was ''

            Andrew

            jimp (Rebel Alliance Developer, Netgate)

              I tested it on yesterday's snapshot and it worked perfectly for me, even reconnected after a DPD loss.

              IPsec will never take "a couple of reboots" to connect. The most you might have to do to IPsec is restart the racoon service (Status > Services) but even then that wasn't necessary in my testing.


            mxx

                I had some issues yesterday (snapshot 11th Dec) when I changed the (more than one) P2 configs. The new P2s didn't work and I got errors in the system logs about racoon.
                When I upgraded to the most recent snapshot, everything started to work again flawlessly, no errors.
                I have 3 P1s (certificates) with static addresses and on each 2 P2s.

              dszp

                  Note that Chris Buechler just updated the Redmine ticket for this bug to report that:

                  the original bug is fixed, and the later issue with non-0 exit status on racoonctl is fixed in ipsec-tools 0.8.0.

                  Looks like this fixes a bug with Downed Peer Detection (DPD) as well. This is great to hear!

                  David Szpunar

                cmb

                    @David:

                    Note that Chris Buechler just updated the Redmine ticket for this bug to report that:

                    the original bug is fixed, and the later issue with non-0 exit status on racoonctl is fixed in ipsec-tools 0.8.0.

                    Looks like this fixes a bug with Downed Peer Detection (DPD) as well. This is great to hear!

                    if you want to try it:
                    http://forum.pfsense.org/index.php/topic,33010.0.html
