[solved] IPsec broken after Snapshot update



  • After update to new Snapshot Version:
    2.1-BETA1 (i386)
    built on Thu May 16 01:01:38 EDT 2013
    FreeBSD 8.3-RELEASE-p8 FreeBSD 8.3-RELEASE-p8 #1: Thu May 16 01:29:21 EDT 2013 root@snapshots-8_3-i386.builders.pfsense.org:/usr/obj.pfSense/usr/pfSensesrc/src/sys/pfSense_SMP.8 i386

    IPsec won't start anymore because of an "anonymous" user in /var/etc/ipsec/racoon.conf:

    
    May 16 12:28:01	racoon: ERROR: fatal parse failure (1 errors)
    May 16 12:28:01	racoon: ERROR: /var/etc/ipsec/racoon.conf:59: "anonymous" syntax error
    May 16 12:28:01	racoon: DEBUG: filename: /var/etc/ipsec/ca-1.crt
    May 16 12:28:01	racoon: DEBUG: filename: /var/etc/ipsec/cert-1.crt
    May 16 12:28:01	racoon: INFO: Resize address pool from 0 to 253
    May 16 12:28:01	racoon: DEBUG: reading config file /var/etc/ipsec/racoon.conf
    
    

    I deleted all tunnels and rebooted the machine before setting them up again, with no luck.

    How can I change anonymous to the desired configuration? (A manual edit of racoon.conf will be overwritten.)

    Here's a snapshot of /var/etc/ipsec/racoon.conf:

    
    remote anonymous
    {
    	ph1id 1;
    	exchange_mode main;
    	my_identifier address *******************;
    	peers_identifier fqdn "******************";
    	ike_frag on;
    	generate_policy = unique;
    	initial_contact = off;
    	nat_traversal = off;
    	certificate_type x509 "cert-1.crt" "cert-1.key";
    	ca_type x509 "ca-1.crt";
    	dpd_delay = 10;
    	dpd_maxfail = 5;
    	support_proxy on;
    	proposal_check strict;
    	passive on;
    

    Regards

    Sven



  • Seems your config has been truncated.
    Can you post again?



  • OK, here we go :)

    
    # This file is automatically generated. Do not edit
    path pre_shared_key "/var/etc/ipsec/psk.txt";
    
    path certificate  "/var/etc/ipsec";
    
    listen
    {
    	adminsock "/var/db/racoon/racoon.sock" "root" "wheel" 0660;
    	isakmp **.***.**.*** [500];
    	isakmp_natt **.***.**.*** [4500];
    }
    
    mode_cfg
    {
    	auth_source external;
    	group_source system;
    	pool_size 253;
    	network4 192.168.50.1;
    	netmask4 255.255.255.0;
    	dns4 8.8.8.8;
    	dns4 127.0.0.1;
    	default_domain "****.com";
    	split_dns "****.com";
    	pfs_group 2;
    }
    
    extcfg { script "/var/etc/ipsec/ipsec.php" }
    
    remote anonymous
    {
    	ph1id 1;
    	exchange_mode main;
    	my_identifier address **.***.**.***;
    	peers_identifier fqdn "****.com";
    	ike_frag on;
    	generate_policy = unique;
    	initial_contact = off;
    	nat_traversal = off;
    	certificate_type x509 "cert-1.crt" "cert-1.key";
    	ca_type x509 "ca-1.crt";
    	dpd_delay = 10;
    	dpd_maxfail = 5;
    	support_proxy on;
    	proposal_check strict;
    	passive on;
    
    	proposal
    	{
    		authentication_method xauth_rsa_server;
    		encryption_algorithm aes 128;
    		hash_algorithm sha1;
    		dh_group 2;
    		lifetime time 28800 secs;
    	}
    }
    
    sainfo subnet 192.168.10.0/24 any nat subnet 192.168.10.0/24 any anonymous
    {
    	remoteid 1;
    	encryption_algorithm aes 128;
    	authentication_algorithm hmac_sha1;
    	pfs_group 2;
    	lifetime time 28800 secs;
    	compression_algorithm deflate;
    }
    
    

    Thanks in advance

    Sven


  • Rebel Alliance Developer Netgate

    Try this change:

    http://files.pfsense.org/jimp/patches/extcfg-fix.patch

    Use the System Patches package, Path Strip=1, Base=/, Ignore Whitespace=Checked

    Looks like it may just be missing a semicolon in that extcfg script line.



  • Thanks for the patch, but it seems not to work.

    Error is now:

    May 16 18:22:28	racoon: ERROR: fatal parse failure (1 errors)
    May 16 18:22:28	racoon: ERROR: /var/etc/ipsec/racoon.conf:29: ";" syntax error
    

    Regards

    Sven



  • OK, solved.
    Reverted the patch and disabled Phase 2. Added a new Phase 2 and now racoon is up again.

    Thanks a lot for your support. Like pfSense a lot. Switched yesterday from Endian and I'm very impressed.

    Regards

    Sven
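The two failures in this thread (a `remote anonymous {` block that was never closed, and a brace block whose inner statement has no `;`) are both structural, so they can be caught before racoon ever parses the generated file. The following structural pre-check is an added example, not pfSense or racoon code; it treats every statement inside a `{ }` block as `;`-terminated, which is the convention the rest of the posted file follows, and the sample inputs are constructed from the thread with placeholder values.

```python
"""Structural pre-check for a racoon.conf-style file (added example)."""

# Constructed sample: the truncated block from the first post (placeholder values).
SAMPLE_TRUNCATED = """\
remote anonymous
{
\tph1id 1;
\texchange_mode main;
\tpassive on;
"""

# Constructed sample: the extcfg line jimp suspected of lacking a ';'.
SAMPLE_MISSING_SEMI = 'extcfg { script "/var/etc/ipsec/ipsec.php" }\n'


def check_racoon_conf(text):
    """Return [(line, message)] for unclosed blocks and statements missing ';'."""
    findings, open_blocks, pending = [], [], None   # pending: line a statement began on
    in_str = in_comment = False
    lineno = 1
    for ch in text:
        if ch == "\n":
            lineno += 1
            in_comment = False          # '#' comments run to end of line
            continue
        if in_comment:
            continue
        if in_str:                      # quoted strings may contain braces or ';'
            in_str = ch != '"'
            continue
        if ch == "#":
            in_comment = True
        elif ch == '"':
            in_str = True
            pending = pending or lineno
        elif ch == "{":                 # the block header (e.g. `remote anonymous`) ends here
            open_blocks.append(lineno)
            pending = None
        elif ch == "}":
            if pending:
                findings.append((pending, "statement not terminated by ';' before '}'"))
                pending = None
            if open_blocks:
                open_blocks.pop()
            else:
                findings.append((lineno, "unexpected '}' with no open block"))
        elif ch == ";":
            pending = None
        elif not ch.isspace():
            pending = pending or lineno
    if pending:
        findings.append((pending, "statement not terminated by ';' at end of file"))
    findings.extend((ln, "block opened here is never closed") for ln in open_blocks)
    return findings


if __name__ == "__main__":
    for name, sample in (("truncated", SAMPLE_TRUNCATED), ("missing ';'", SAMPLE_MISSING_SEMI)):
        print(name, check_racoon_conf(sample))
```

Run it against /var/etc/ipsec/racoon.conf (for example via `check_racoon_conf(open(path).read())`) whenever racoon logs a "syntax error" with a line number; the reported line usually sits at or just after the defect.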

