Racoon: fatal parse failure???



  • Hi everyone,

    I've set up a few pfSense-based IPsec VPN connections just fine.  However, this current one is having some issues and I can't figure out why.  Here is what the error log says on the pfSense device:

    ----- BEGIN LOG -----

    Feb 9 21:48:37 racoon: ERROR: fatal parse failure (1 errors)
    Feb 9 21:48:37 racoon: ERROR: /var/etc/racoon.conf:43: "any" syntax error
    Feb 9 21:48:37 racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
    Feb 9 21:48:37 racoon: INFO: @(#)This product linked OpenSSL 0.9.8n 24 Mar 2010 (http://www.openssl.org/)
    Feb 9 21:48:37 racoon: INFO: @(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)
    Feb 9 16:40:18 racoon: ERROR: fatal parse failure (1 errors)
    Feb 9 16:40:18 racoon: ERROR: /var/etc/racoon.conf:43: "any" syntax error
    Feb 9 16:40:18 racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
    Feb 9 16:40:18 racoon: INFO: @(#)This product linked OpenSSL 0.9.8n 24 Mar 2010 (http://www.openssl.org/)
    Feb 9 16:40:18 racoon: INFO: @(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)
    Feb 9 16:35:00 racoon: ERROR: fatal parse failure (1 errors)
    Feb 9 16:35:00 racoon: ERROR: /var/etc/racoon.conf:43: "any" syntax error
    Feb 9 16:35:00 racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
    Feb 9 16:35:00 racoon: INFO: @(#)This product linked OpenSSL 0.9.8n 24 Mar 2010 (http://www.openssl.org/)
    Feb 9 16:35:00 racoon: INFO: @(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)

    ----- END LOG -----

    Here is what my config looks like:

    ---- BEGIN CONFIG ----

    # This file is automatically generated. Do not edit

    path pre_shared_key "/var/etc/psk.txt";

    path certificate  "/var/etc";

    listen
    {
        adminsock "/var/db/racoon/racoon.sock" "root" "wheel" 0660;
        isakmp 24.xxx.xxx.xxx [500];
        isakmp_natt 24.xxx.xxx.xxx [4500];
    }

    remote 199.xxx.xxx.xxx
    {
        ph1id 1;
        exchange_mode main;
        my_identifier address 24.xxx.xxx.xxx;
        peers_identifier address 199.xxx.xxx.xxx;
        ike_frag on;
        generate_policy = off;
        initial_contact = on;
        nat_traversal = off;

        dpd_delay = 10;
        dpd_maxfail = 5;
        support_proxy on;
        proposal_check claim;

        proposal
        {
            authentication_method pre_shared_key;
            encryption_algorithm aes 128;
            hash_algorithm sha1;
            dh_group 2;
            lifetime time 172800 secs;
        }
    }

    sainfo subnet / any subnet 192.168.1.0/24 any
    {
        remoteid 1;
        encryption_algorithm aes 128;
        authentication_algorithm hmac_sha1;

        compression_algorithm deflate;
    }

    ---- END CONFIG ----

    I'm using the latest release of pfSense 2.0.1 i386.  The other side is reporting a timeout on P1.  Any ideas?



  • What do you have configured in phase 2 for local and remote network? You're missing the subnet, which would usually be impossible to save, but there must be some missing input validation there under some unusual circumstance.



  • cmb:

    MODE= Tunnel
    Local Subnet = LAN
    Remote Subnet = 192.168.1.0/24
    P2 Prot = ESP
    P2 Trans = AES (128 bit)
    P2 Auth = SHA1

    I unchecked all of the other algorithms that are not in use, PFS is OFF, and under Advanced I have it auto-pinging the remote side's public IP.

    It really seems like the UI isn't writing the config right to me but I can't be certain.

    Update:  I tried some things today (because I need to get this working, obviously, so I'm not giving up) and found the following in the system log when I updated my IPsec configuration:

    php: /vpn_ipsec.php: The command '/usr/local/sbin/setkey -f /tmp/spd.conf.reload.1328896680.16SIqQ 2>&1' returned exit code '1', the output was 'line 1: syntax error at [/] parse failed, line 1.'

    php: /vpn_ipsec.php: The command '/usr/local/sbin/setkey -f /var/etc/spd.conf' returned exit code '1', the output was 'line 1: syntax error at [/] parse failed, line 1.'

    Not sure if this helps but I thought I would post it.



  • Sounds like your LAN doesn't have an IP subnet on it? eg Interfaces>LAN set to type "none"?



    It is set to none, as I have a bridge set up.  Sorry, forgot to mention that (this is the only difference between this and the other pfSense routers I've set up).  I have OPT1/WLAN/LAN bridged together so the wifi and OPT clients can all have the same subnet.

    I think the config isn't being written properly due to this configuration. ??



  • RESOLVED!  ;D

    Your last post got me thinking about the LAN setting in my IPsec config.  I decided to try setting it from the LAN to my bridged connection, and BAM, it started working.  Stupid mistake on my part.  Thanks to everyone for their help; I hope this helps someone else in the future!



  • Misconfiguration, but one we should prohibit. http://redmine.pfsense.org/issues/2201
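The root cause the thread settles on is an IPsec Phase 2 whose "Local Subnet" is an interface with no IPv4 address (a bridge member set to type "none"), so the generator writes "sainfo subnet / any ..." into racoon.conf and a bare "/" into spd.conf, and racoon and setkey both fail to parse. The check below is an added example written for this thread, not pfSense's or ipsec-tools' own code: it parses every sainfo and spdadd line, validates each selector as an IPv4/IPv6 address or CIDR, and reports the line number and reason, so the broken selector is caught before racoon is restarted instead of being discovered from "fatal parse failure" afterwards. The sample configs are constructed from the posted one with RFC 5737 documentation addresses in place of the masked public IPs, the 192.168.2.0/24 bridge subnet is an assumption, and the spdadd line shape is an assumption about what pfSense 2.0.x writes (only the selector forms pfSense writes, without "[port]" suffixes, are handled).

```python
"""Pre-flight check for the Phase 2 selectors pfSense 2.0.x writes into
/var/etc/racoon.conf and /var/etc/spd.conf.

Added example for this thread, not pfSense's or ipsec-tools' own code.
Catches the "sainfo subnet / any ..." / "spdadd / ..." lines that an
address-less local interface produces, before racoon is restarted.
"""
import ipaddress


def _selector_error(kind, addr):
    """Return None if addr is a usable 'subnet'/'address' selector, else a reason."""
    if addr in ("", "/"):
        return f'empty {kind} selector "{addr}" (local interface has no IP address?)'
    try:
        if kind == "subnet":
            ipaddress.ip_network(addr, strict=False)   # accepts both CIDR and bare address
        else:
            ipaddress.ip_address(addr)
    except ValueError:
        return f'{kind} selector "{addr}" is not a valid address or network'
    return None


def check_racoon_conf(text):
    """Return [(line_no, reason)] for every malformed sainfo header in racoon.conf.

    racoon's grammar: sainfo (anonymous | <sel> <sel>) where <sel> is
    "subnet <cidr> <ul_proto>" or "address <ip> <ul_proto>".
    """
    problems = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line.lower().startswith("sainfo"):
            continue
        tokens = line.rstrip("{").split()[1:]   # drop "sainfo" and a trailing "{"
        i, sides = 0, 0
        while sides < 2:
            if i >= len(tokens):
                problems.append((lineno, "sainfo needs a source and a destination selector"))
                break
            kind = tokens[i].lower()
            if kind == "anonymous":               # "sainfo anonymous" is a single keyword
                break
            if kind not in ("subnet", "address"):
                problems.append((lineno, f'unexpected token "{tokens[i]}"'))
                break
            if i + 2 >= len(tokens):
                problems.append((lineno, f"incomplete {kind} selector"))
                break
            err = _selector_error(kind, tokens[i + 1])   # tokens[i + 2] is the ul_proto
            if err:
                problems.append((lineno, err))
                break
            i, sides = i + 3, sides + 1
    return problems


def check_spd_conf(text):
    """Return [(line_no, reason)] for every spdadd whose src or dst selector is bad."""
    problems = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line.lower().startswith("spdadd"):
            continue
        tokens = line.split()[1:]                 # spdadd <src> <dst> <upperspec> -P ...
        if len(tokens) < 2:
            problems.append((lineno, "spdadd needs a source and a destination"))
            continue
        for role, addr in (("source", tokens[0]), ("destination", tokens[1])):
            err = _selector_error("subnet", addr)
            if err:
                problems.append((lineno, f"{role}: {err}"))
    return problems


# Constructed from the posted racoon.conf (documentation addresses instead of the
# masked public IPs); line 6 is the malformed sainfo header the thread is about.
BROKEN_RACOON_CONF = """\
listen
{
    isakmp 203.0.113.10 [500];
}
remote 198.51.100.20
sainfo subnet / any subnet 192.168.1.0/24 any
{
    encryption_algorithm aes 128;
}
"""
# What the generator writes once a local interface with an address is selected
# (192.168.2.0/24 is an assumed bridge subnet).
FIXED_RACOON_CONF = BROKEN_RACOON_CONF.replace("subnet / any", "subnet 192.168.2.0/24 any")

# Constructed spd.conf lines; the spdadd shape is an assumption about pfSense 2.0.x output.
BROKEN_SPD_CONF = ("spdadd / 192.168.1.0/24 any -P out ipsec "
                   "esp/tunnel/203.0.113.10-198.51.100.20/unique;\n")
FIXED_SPD_CONF = BROKEN_SPD_CONF.replace("spdadd /", "spdadd 192.168.2.0/24")


if __name__ == "__main__":
    for name, conf, check in (("racoon.conf", BROKEN_RACOON_CONF, check_racoon_conf),
                              ("spd.conf", BROKEN_SPD_CONF, check_spd_conf)):
        for lineno, reason in check(conf):
            print(f"{name}:{lineno}: {reason}")
```

Run it against the real /var/etc/racoon.conf and /var/etc/spd.conf (read the files and pass their contents to the two functions) before kicking racoon; an empty result from both is the condition the UI should have enforced in the first place, and a non-empty one points at the Phase 2 entry whose local side has no address.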

