Racoon: fatal parse failure???
-
Hi everyone,
I've set up a few pfSense based IPSEC VPN connections just fine. However, this current one is having some issues and I can't figure out why. Here is what the error log says on the pfSense device:
----- BEGIN LOG -----
Feb 9 21:48:37 racoon: ERROR: fatal parse failure (1 errors)
Feb 9 21:48:37 racoon: ERROR: /var/etc/racoon.conf:43: "any" syntax error
Feb 9 21:48:37 racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
Feb 9 21:48:37 racoon: INFO: @(#)This product linked OpenSSL 0.9.8n 24 Mar 2010 (http://www.openssl.org/)
Feb 9 21:48:37 racoon: INFO: @(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)
Feb 9 16:40:18 racoon: ERROR: fatal parse failure (1 errors)
Feb 9 16:40:18 racoon: ERROR: /var/etc/racoon.conf:43: "any" syntax error
Feb 9 16:40:18 racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
Feb 9 16:40:18 racoon: INFO: @(#)This product linked OpenSSL 0.9.8n 24 Mar 2010 (http://www.openssl.org/)
Feb 9 16:40:18 racoon: INFO: @(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)
Feb 9 16:35:00 racoon: ERROR: fatal parse failure (1 errors)
Feb 9 16:35:00 racoon: ERROR: /var/etc/racoon.conf:43: "any" syntax error
Feb 9 16:35:00 racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
Feb 9 16:35:00 racoon: INFO: @(#)This product linked OpenSSL 0.9.8n 24 Mar 2010 (http://www.openssl.org/)
Feb 9 16:35:00 racoon: INFO: @(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)
----- END LOG -----
Here is what my config looks like:
---- BEGIN CONFIG ----
# This file is automatically generated. Do not edit
path pre_shared_key "/var/etc/psk.txt";
path certificate "/var/etc";
listen
{
    adminsock "/var/db/racoon/racoon.sock" "root" "wheel" 0660;
    isakmp 24.xxx.xxx.xxx [500];
    isakmp_natt 24.xxx.xxx.xxx [4500];
}
remote 199.xxx.xxx.xxx
{
    ph1id 1;
    exchange_mode main;
    my_identifier address 24.xxx.xxx.xxx;
    peers_identifier address 199.xxx.xxx.xxx;
    ike_frag on;
    generate_policy = off;
    initial_contact = on;
    nat_traversal = off;
    dpd_delay = 10;
    dpd_maxfail = 5;
    support_proxy on;
    proposal_check claim;
    proposal
    {
        authentication_method pre_shared_key;
        encryption_algorithm aes 128;
        hash_algorithm sha1;
        dh_group 2;
        lifetime time 172800 secs;
    }
}
sainfo subnet / any subnet 192.168.1.0/24 any
{
    remoteid 1;
    encryption_algorithm aes 128;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
---- END CONFIG ----
I'm using the latest release of pfSense 2.0.1 i386. The other side is reporting a timeout on P1. Any ideas?
-
What do you have configured in phase 2 for local and remote network? You're missing the subnet, which would usually be impossible to save, but there must be some missing input validation there under some unusual circumstance.
-
cmb:
MODE= Tunnel
Local Subnet = LAN
Remote Subnet = 192.168.1.0/24
P2 Prot = ESP
P2 Trans = AES (128 bit)
P2 Auth = SHA1
I unchecked all of the other algorithms that are not in use, PFS is OFF, and under advanced I have it auto pinging the public IP of the remote sub's public IP.
It really seems like the UI isn't writing the config right to me but I can't be certain.
Update: I tried some things today (cause I need to get this working obviously so I'm not giving up) and found the following in the system log when I updated my IPSec configuration:
php: /vpn_ipsec.php: The command '/usr/local/sbin/setkey -f /tmp/spd.conf.reload.1328896680.16SIqQ 2>&1' returned exit code '1', the output was 'line 1: syntax error at [/] parse failed, line 1.'
php: /vpn_ipsec.php: The command '/usr/local/sbin/setkey -f /var/etc/spd.conf' returned exit code '1', the output was 'line 1: syntax error at [/] parse failed, line 1.'
Not sure if this helps but I thought I would post it.
-
Sounds like your LAN doesn't have an IP subnet on it? eg Interfaces>LAN set to type "none"?
-
It is set to none as I have a bridge setup. Sorry, forgot to mention that (this is the only difference between this and the other pfSense routers I've set up). I have OPT1/WLAN/LAN bridged together so the wifi and opt clients can all have the same subnet.
I think the config isn't being written properly due to this configuration. ??
-
RESOLVED! ;D
Your last post got me thinking about the LAN setting in my IPSec config. I decided to try setting it from the LAN to my bridged connection and BAM it started working. Stupid mistake on my part. Thanks to everyone for their help, I hope this helps someone else in the future!
-
Misconfiguration, but one we should prohibit. http://redmine.pfsense.org/issues/2201
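As an added example (not pfSense's code and not from anyone in this thread), a small Python check that scans a generated racoon.conf for sainfo selectors whose address part is empty, the exact shape ("subnet /") that racoon rejected here when the phase 2 local network pointed at a LAN interface with no subnet. It assumes the selector layout pfSense emitted in the posted config (kind, address[/prefix], protocol, twice, no port specifiers) and runs against a constructed sample modelled on that config.

```python
import ipaddress
import sys

# Constructed sample modelled on the posted racoon.conf: the first sainfo
# line has an empty local selector ("subnet /"), the second is well formed.
SAMPLE_RACOON_CONF = """\
# This file is automatically generated. Do not edit
path pre_shared_key "/var/etc/psk.txt";
sainfo subnet / any subnet 192.168.1.0/24 any
{
    remoteid 1;
}
sainfo subnet 10.0.0.0/24 any subnet 192.168.1.0/24 any
{
    remoteid 1;
}
"""

SELECTOR_KINDS = ("address", "subnet")


def check_sainfo_selectors(conf_text):
    """Return [(line_no, message)] for each sainfo line whose selectors are not
    '<kind> <addr[/prefix]> <proto> <kind> <addr[/prefix]> <proto>' with
    parseable addresses. Assumes no port specifiers, as in the posted config."""
    problems = []
    for line_no, line in enumerate(conf_text.splitlines(), start=1):
        tokens = line.split()
        if not tokens or tokens[0] != "sainfo":
            continue
        body = tokens[1:]
        if body == ["anonymous"]:  # wildcard sainfo carries no addresses
            continue
        if len(body) != 6 or body[0] not in SELECTOR_KINDS or body[3] not in SELECTOR_KINDS:
            problems.append((line_no, "malformed selector list: %r" % " ".join(body)))
            continue
        for kind, addr in ((body[0], body[1]), (body[3], body[4])):
            try:
                # strict=False accepts a bare host address and host bits set
                ipaddress.ip_network(addr, strict=False)
            except ValueError:
                problems.append((line_no, "%s selector has no valid address: %r" % (kind, addr)))
    return problems


def lint_racoon_conf(path):
    """Lint a racoon.conf on disk; same return value as check_sainfo_selectors."""
    with open(path, encoding="utf-8") as fh:
        return check_sainfo_selectors(fh.read())


if __name__ == "__main__":
    found = lint_racoon_conf(sys.argv[1]) if len(sys.argv) > 1 else check_sainfo_selectors(SAMPLE_RACOON_CONF)
    for line_no, msg in found:
        print("line %d: %s" % (line_no, msg))
    sys.exit(1 if found else 0)
```

Run with no arguments to check the embedded sample, or pass /var/etc/racoon.conf to lint the file pfSense generated before racoon is restarted.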