Racoon.conf read error???



  • I am creating an IPSEC VPN between two PFSense boxes.  Each of them is running the same firmware.  One of them is receiving a few errors when I try and start the VPN.  I have checked and I can see and read the racoon.conf file.  I am at a loss because the logs don't tell me much.  Any assistance would be great!

    Last 500 IPsec log entries
    Apr 21 22:12:45 racoon: ERROR: fatal parse failure (1 errors)
    Apr 21 22:12:45 racoon: ERROR: /var/etc/racoon.conf:19: "2" syntax error
    Apr 21 22:12:45 racoon: DEBUG: reading config file /var/etc/racoon.conf
    Apr 21 22:12:45 racoon: DEBUG: call pfkey_send_register for IPCOMP
    Apr 21 22:12:45 racoon: DEBUG: call pfkey_send_register for ESP
    Apr 21 22:12:45 racoon: DEBUG: call pfkey_send_register for AH
    Apr 21 22:12:45 racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
    Apr 21 22:12:45 racoon: INFO: @(#)This product linked OpenSSL 0.9.8y 5 Feb 2013 (http://www.openssl.org/)
    Apr 21 22:12:45 racoon: INFO: @(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)
    Apr 21 22:12:42 racoon: ERROR: fatal parse failure (1 errors)
    Apr 21 22:12:42 racoon: ERROR: /var/etc/racoon.conf:19: "2" syntax error
    Apr 21 22:12:42 racoon: DEBUG: reading config file /var/etc/racoon.conf
    Apr 21 22:12:42 racoon: DEBUG: call pfkey_send_register for IPCOMP
    Apr 21 22:12:42 racoon: DEBUG: call pfkey_send_register for ESP
    Apr 21 22:12:42 racoon: DEBUG: call pfkey_send_register for AH
    Apr 21 22:12:42 racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
    Apr 21 22:12:42 racoon: INFO: @(#)This product linked OpenSSL 0.9.8y 5 Feb 2013 (http://www.openssl.org/)
    Apr 21 22:12:42 racoon: INFO: @(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)


  • Rebel Alliance Developer Netgate

    It's saying there is a config error on line 19 of your racoon.conf. In order to see what that is, we'd need to see the whole racoon.conf file.



  • Here is the config file below. Upon review of it the only thing I see that is wrong is the network address in what looks to be line 19.  It refers to an IP of 10.50.x.x and my IP ranges are 10.9.0.x and on the other side of the VPN it is 10.2.1.x….  I'm leery of editing this file as it states that it is auto generated.

    This file is automatically generated. Do not edit

    path pre_shared_key "/var/etc/psk.txt";

    path certificate  "/var/etc";

    listen
    {
            adminsock "/var/db/racoon/racoon.sock" "root" "wheel" 0660;
            isakmp xxx.193.xxx.85 [500];
            isakmp_natt xxx.193.xxx.85 [4500];
    }

    mode_cfg
    {
            auth_source system;
            group_source system;
            pool_size -2;
            network4 10.50.1.1;
            netmask4 255.255.255.255;
    }

    remote xxx.46.xxx.208
    {
            ph1id 1;
            exchange_mode aggressive;
            my_identifier address xxx.193.xxx.85;
            peers_identifier address xxx.46.xxx.208;
            ike_frag on;
            generate_policy = off;
            initial_contact = on;
            nat_traversal = on;

            dpd_delay = 10;
            dpd_maxfail = 5;
            support_proxy on;
            proposal_check claim;

            proposal
            {
                    authentication_method pre_shared_key;
                    encryption_algorithm aes 256;
                    hash_algorithm sha1;
                    dh_group 2;
                    lifetime time 28800 secs;
            }
    }

    remote anonymous
    {
            ph1id 2;
            exchange_mode aggressive;

    mode_cfg
    {
            auth_source system;
            group_source system;
            pool_size -2;
            network4 10.9.0.1;
            netmask4 255.255.255.255;
    }

    remote xxx.46.xxx.208
    {
            ph1id 1;
            exchange_mode aggressive;
            my_identifier address xxx.193.xxx.85;
            peers_identifier address xxx.46.xxx.208;
            ike_frag on;
            generate_policy = off;
            initial_contact = on;
            nat_traversal = on;


  • Rebel Alliance Developer Netgate

    @DaetaS:

            pool_size -2;
            network4 10.50.1.1;
            netmask4 255.255.255.255;

    Guessing that's why: your mobile IP pool is too small. I thought the input validation rejected that, maybe not. Put a larger subnet in there, such as 10.50.1.0/24

    Pool size shouldn't be negative, and it's negative because the mask is /32 when it shouldn't be.
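    A small checker for the point made above, added here as an example and not code from pfSense or racoon. It parses a mode_cfg block like the one pasted in the thread, derives the pool size from netmask4, and flags the case where a /32 mask leaves nothing to hand out. The formula used (inverted netmask minus two) is an assumption on our part: it reproduces the thread's pool_size -2 for 255.255.255.255, and gives 253 for a /24, but the page itself does not show how pfSense computes the value. Both sample blocks below are constructed.

```python
"""Sanity-check the mobile-client pool a mode_cfg block hands to racoon.

Added example for this thread, not pfSense or racoon code. It borrows only the
mode_cfg block shape and the pool_size -2 symptom from the page.
"""
import ipaddress
import re

# Constructed sample: the mode_cfg block pasted in the thread, with the /32 mask.
BROKEN_MODE_CFG = """\
mode_cfg
{
        auth_source system;
        group_source system;
        pool_size -2;
        network4 10.50.1.1;
        netmask4 255.255.255.255;
}
"""

# Constructed sample: the same block after widening the pool to a /24.
FIXED_MODE_CFG = """\
mode_cfg
{
        auth_source system;
        group_source system;
        pool_size 253;
        network4 10.50.1.1;
        netmask4 255.255.255.0;
}
"""


def pool_size(netmask4: str) -> int:
    """Pool size derived from the netmask: (inverted mask) - 2.

    Assumption, not taken from the page: the generator takes the host part of
    the mask and subtracts two. That reproduces the thread's -2 for a /32 (host
    part 0) and yields 253 for a /24.
    """
    hostmask = int(ipaddress.IPv4Address(netmask4)) ^ 0xFFFFFFFF
    return hostmask - 2


def parse_mode_cfg(text: str) -> dict:
    """Extract pool_size, network4 and netmask4 from a mode_cfg block."""
    fields = {}
    for key in ("pool_size", "network4", "netmask4"):
        m = re.search(rf"^\s*{key}\s+(\S+)\s*;", text, re.MULTILINE)
        if m:
            fields[key] = m.group(1)
    return fields


def check_mode_cfg(text: str) -> list:
    """Return human-readable findings; an empty list means the pool is usable."""
    f = parse_mode_cfg(text)
    if "netmask4" not in f:
        return ["mode_cfg has no netmask4; cannot size the pool"]
    try:
        size = pool_size(f["netmask4"])
    except ipaddress.AddressValueError:
        return [f"netmask4 {f['netmask4']!r} is not a valid IPv4 mask"]
    findings = []
    if size <= 0:
        findings.append(
            f"netmask4 {f['netmask4']} yields pool_size {size}: a /32 or /31 "
            "leaves no addresses to hand out, and a negative pool_size is the "
            "value racoon's parser rejected in the thread's log")
    if "pool_size" in f and int(f["pool_size"]) != size:
        findings.append(
            f"pool_size {f['pool_size']} does not match {size} derived from netmask4")
    return findings


if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_MODE_CFG), ("fixed", FIXED_MODE_CFG)):
        print(name, check_mode_cfg(cfg) or ["ok"])
```

    Running it prints one finding for the /32 block and "ok" for the /24 block. The same idea applies to any generated racoon.conf: when the parser reports a syntax error on a line that holds a bare number, check whether the value was derived from a too-small network rather than typed by hand.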



  • Thank you! I was working with site-to-site VPN so intently I didn't even think to look at the mobile VPN page.  All is well now.

    Thanks again!

