[solved]IPsec broken after Snapshot update

Pandos

After update to new Snapshot Version:
2.1-BETA1 (i386)
built on Thu May 16 01:01:38 EDT 2013
FreeBSD 8.3-RELEASE-p8 FreeBSD 8.3-RELEASE-p8 #1: Thu May 16 01:29:21 EDT 2013 root@snapshots-8_3-i386.builders.pfsense.org:/usr/obj.pfSense/usr/pfSensesrc/src/sys/pfSense_SMP.8 i386

IPsec wont start anymore because of an "anonymous" user in /var/etc/ipsec/racoon.conf:

May 16 12:28:01	racoon: ERROR: fatal parse failure (1 errors)
May 16 12:28:01	racoon: ERROR: /var/etc/ipsec/racoon.conf:59: "anonymous" syntax error
May 16 12:28:01	racoon: DEBUG: filename: /var/etc/ipsec/ca-1.crt
May 16 12:28:01	racoon: DEBUG: filename: /var/etc/ipsec/cert-1.crt
May 16 12:28:01	racoon: INFO: Resize address pool from 0 to 253
May 16 12:28:01	racoon: DEBUG: reading config file /var/etc/ipsec/racoon.conf

I deleted all Tunnels and reboot machine before setting them up again. With no luck.

How to change anonymous to desired configuration? (Manual edit of racoon.conf wil be overwritten)

Here's an Snapshot of /var/etc/ipsec/racoon.conf:

remote anonymous
{
	ph1id 1;
	exchange_mode main;
	my_identifier address *******************;
	peers_identifier fqdn "******************";
	ike_frag on;
	generate_policy = unique;
	initial_contact = off;
	nat_traversal = off;
	certificate_type x509 "cert-1.crt" "cert-1.key";
	ca_type x509 "ca-1.crt";
	dpd_delay = 10;
	dpd_maxfail = 5;
	support_proxy on;
	proposal_check strict;
	passive on;

Regards

Sven

eri--

Seems your config has been truncated.
Can you post again?

Pandos

OK, here we go :)

# This file is automatically generated. Do not edit path pre_shared_key "/var/etc/ipsec/psk.txt";

path certificate  "/var/etc/ipsec";

listen
{
	adminsock "/var/db/racoon/racoon.sock" "root" "wheel" 0660;
	isakmp **.***.**.*** [500];
	isakmp_natt **.***.**.*** [4500];
}

mode_cfg
{
	auth_source external;
	group_source system;
	pool_size 253;
	network4 192.168.50.1;
	netmask4 255.255.255.0;
	dns4 8.8.8.8;
	dns4 127.0.0.1;
	default_domain "****.com";
	split_dns "****.com";
	pfs_group 2;
}

extcfg { script "/var/etc/ipsec/ipsec.php" }

remote anonymous
{
	ph1id 1;
	exchange_mode main;
	my_identifier address **.***.**.***;
	peers_identifier fqdn "****.com";
	ike_frag on;
	generate_policy = unique;
	initial_contact = off;
	nat_traversal = off;
	certificate_type x509 "cert-1.crt" "cert-1.key";
	ca_type x509 "ca-1.crt";
	dpd_delay = 10;
	dpd_maxfail = 5;
	support_proxy on;
	proposal_check strict;
	passive on;

	proposal
	{
		authentication_method xauth_rsa_server;
		encryption_algorithm aes 128;
		hash_algorithm sha1;
		dh_group 2;
		lifetime time 28800 secs;
	}
}

sainfo subnet 192.168.10.0/24 any nat subnet 192.168.10.0/24 any anonymous
{
	remoteid 1;
	encryption_algorithm aes 128;
	authentication_algorithm hmac_sha1;
	pfs_group 2;
	lifetime time 28800 secs;
	compression_algorithm deflate;
}

Thanks in advance

Sven

jimp

Try this change:

http://files.pfsense.org/jimp/patches/extcfg-fix.patch

Use the System Patches package, Path Strip=1, Base=/, Ignore Whitespace=Checked

Looks like it may just be missing a semicolon in that extcfg script line.

Pandos

Thanks for the patch, but it seems not to work.

Error is now:

May 16 18:22:28	racoon: ERROR: fatal parse failure (1 errors)
May 16 18:22:28	racoon: ERROR: /var/etc/ipsec/racoon.conf:29: ";" syntax error

Regards

Sven

Pandos

OK, solved.
Reverted the Patch and disabled Phase2. Add an new Phase2 and now racoon is up again.

Thanks a lot for your support. Like psSense a lot. Switched yesterday from Endian and i'm very impressed.

Regards

Sven