Netgate Discussion Forum

    [solved]IPsec broken after Snapshot update

    2.1 Snapshot Feedback and Problems - RETIRED
    Pandos

      After update to new Snapshot Version:
      2.1-BETA1 (i386)
      built on Thu May 16 01:01:38 EDT 2013
      FreeBSD 8.3-RELEASE-p8 FreeBSD 8.3-RELEASE-p8 #1: Thu May 16 01:29:21 EDT 2013 root@snapshots-8_3-i386.builders.pfsense.org:/usr/obj.pfSense/usr/pfSensesrc/src/sys/pfSense_SMP.8 i386

      IPsec won't start anymore because of an "anonymous" user in /var/etc/ipsec/racoon.conf:

      
      May 16 12:28:01	racoon: ERROR: fatal parse failure (1 errors)
      May 16 12:28:01	racoon: ERROR: /var/etc/ipsec/racoon.conf:59: "anonymous" syntax error
      May 16 12:28:01	racoon: DEBUG: filename: /var/etc/ipsec/ca-1.crt
      May 16 12:28:01	racoon: DEBUG: filename: /var/etc/ipsec/cert-1.crt
      May 16 12:28:01	racoon: INFO: Resize address pool from 0 to 253
      May 16 12:28:01	racoon: DEBUG: reading config file /var/etc/ipsec/racoon.conf

      I deleted all tunnels and rebooted the machine before setting them up again, with no luck.

      How to change anonymous to the desired configuration? (A manual edit of racoon.conf will be overwritten.)

      Here's a snapshot of /var/etc/ipsec/racoon.conf:

      
      remote anonymous
      {
      	ph1id 1;
      	exchange_mode main;
      	my_identifier address *******************;
      	peers_identifier fqdn "******************";
      	ike_frag on;
      	generate_policy = unique;
      	initial_contact = off;
      	nat_traversal = off;
      	certificate_type x509 "cert-1.crt" "cert-1.key";
      	ca_type x509 "ca-1.crt";
      	dpd_delay = 10;
      	dpd_maxfail = 5;
      	support_proxy on;
      	proposal_check strict;
      	passive on;
      

      Regards

      Sven

      eri--

        Seems your config has been truncated.
        Can you post again?

        Pandos

          OK, here we go :)

          
          # This file is automatically generated. Do not edit
          path pre_shared_key "/var/etc/ipsec/psk.txt";
          
          path certificate  "/var/etc/ipsec";
          
          listen
          {
          	adminsock "/var/db/racoon/racoon.sock" "root" "wheel" 0660;
          	isakmp **.***.**.*** [500];
          	isakmp_natt **.***.**.*** [4500];
          }
          
          mode_cfg
          {
          	auth_source external;
          	group_source system;
          	pool_size 253;
          	network4 192.168.50.1;
          	netmask4 255.255.255.0;
          	dns4 8.8.8.8;
          	dns4 127.0.0.1;
          	default_domain "****.com";
          	split_dns "****.com";
          	pfs_group 2;
          }
          
          extcfg { script "/var/etc/ipsec/ipsec.php" }
          
          remote anonymous
          {
          	ph1id 1;
          	exchange_mode main;
          	my_identifier address **.***.**.***;
          	peers_identifier fqdn "****.com";
          	ike_frag on;
          	generate_policy = unique;
          	initial_contact = off;
          	nat_traversal = off;
          	certificate_type x509 "cert-1.crt" "cert-1.key";
          	ca_type x509 "ca-1.crt";
          	dpd_delay = 10;
          	dpd_maxfail = 5;
          	support_proxy on;
          	proposal_check strict;
          	passive on;
          
          	proposal
          	{
          		authentication_method xauth_rsa_server;
          		encryption_algorithm aes 128;
          		hash_algorithm sha1;
          		dh_group 2;
          		lifetime time 28800 secs;
          	}
          }
          
          sainfo subnet 192.168.10.0/24 any nat subnet 192.168.10.0/24 any anonymous
          {
          	remoteid 1;
          	encryption_algorithm aes 128;
          	authentication_algorithm hmac_sha1;
          	pfs_group 2;
          	lifetime time 28800 secs;
          	compression_algorithm deflate;
          }
          
          

          Thanks in advance

          Sven

          jimp (Rebel Alliance Developer, Netgate)

            Try this change:

            http://files.pfsense.org/jimp/patches/extcfg-fix.patch

            Use the System Patches package, Path Strip=1, Base=/, Ignore Whitespace=Checked

            Looks like it may just be missing a semicolon in that extcfg script line.


            Pandos

              Thanks for the patch, but it doesn't seem to work.

              Error is now:

              May 16 18:22:28	racoon: ERROR: fatal parse failure (1 errors)
              May 16 18:22:28	racoon: ERROR: /var/etc/ipsec/racoon.conf:29: ";" syntax error
              

              Regards

              Sven

              Pandos

                OK, solved.
                Reverted the patch and disabled Phase 2. Added a new Phase 2 and now racoon is up again.

                Thanks a lot for your support. Like pfSense a lot. Switched yesterday from Endian and I'm very impressed.

                Regards

                Sven

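An added example, not code from this thread, from pfSense or from ipsec-tools: a small Python checker for the racoon.conf Sven posted. It tests jimp's reading of the error under one assumption, that racoon's yacc grammar wants every statement inside a `{ }` block terminated by `;`, which holds for every line of the posted file except `extcfg { script "/var/etc/ipsec/ipsec.php" }`. Like racoon, it reports the first token it cannot accept rather than the spot where the `;` is missing; under that assumption the offending token is the `}` on the extcfg line itself, not the `anonymous` of the following `remote` section that racoon logged, which fits the thread never confirming the cause (the patch moved the error, and recreating Phase 2 is what got racoon up). The same parse tree feeds a second check a reviewer would run on this config today: DH and PFS group 2, SHA-1 and HMAC-SHA1 are flagged. The `SAMPLE` text is constructed, trimmed from the post with the FQDN replaced by a documentation name, and the `RULES` table with its advice strings is the editor's, not pfSense's.

```python
"""Structure and parameter check for a pfSense 2.1 racoon.conf (added example; not pfSense or
ipsec-tools code). Assumes every statement inside { } must end in ';' and, like a yacc parser,
reports the first token that assumption cannot accept rather than the spot where ';' is missing."""
import re
from collections import namedtuple
from dataclasses import dataclass, field

TOKEN_RE = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')  # quoted string | punctuation | bare word
RULES = {"hash_algorithm": ({"md5", "sha1"}, "prefer sha256"),  # parameter -> (flagged values, advice)
         "authentication_algorithm": ({"hmac_md5", "hmac_sha1"}, "prefer hmac_sha256"),
         "encryption_algorithm": ({"des", "3des"}, "use aes")}
RULES.update(dict.fromkeys(("dh_group", "pfs_group"), ({"1", "2", "5"}, "use group 14 or higher")))  # MODP 768/1024/1536
Finding = namedtuple("Finding", "line where key value advice")

class RacoonSyntaxError(ValueError):
    def __init__(self, line, token, hint=""):
        super().__init__(f'racoon.conf:{line}: "{token}" syntax error{hint}')
        self.line, self.token = line, token

@dataclass
class Block:
    header: list                                    # e.g. ['remote', 'anonymous'] or ['proposal']
    line: int
    statements: list = field(default_factory=list)  # (words, line) pairs
    blocks: list = field(default_factory=list)

def tokenize(text):
    """(token, line) pairs; '#' starts a comment (quoted strings in racoon.conf contain no '#')."""
    return [(tok, n) for n, raw in enumerate(text.splitlines(), 1)
            for tok in TOKEN_RE.findall(raw.split("#", 1)[0])]

def parse(text):
    """Build the block tree, or raise RacoonSyntaxError at the token the grammar cannot accept."""
    stack, words, start = [Block(["<root>"], 0)], [], 0   # start = line of the pending statement
    for tok, line in tokenize(text):
        if tok in ";{" and not words:
            raise RacoonSyntaxError(line, tok)
        if tok == ";":
            stack[-1].statements.append((words, start))
        elif tok == "{":
            stack[-1].blocks.append(Block(words, start))
            stack.append(stack[-1].blocks[-1])
        elif tok == "}":
            if words or len(stack) == 1:   # open statement, or '}' with nothing to close
                raise RacoonSyntaxError(line, tok, f' (statement "{words[0]}" on line {start} lacks ";")' if words else "")
            stack.pop()
        else:
            start = start if words else line
            words.append(tok)
            continue
        words = []
    if words or len(stack) > 1:
        raise RacoonSyntaxError(len(text.splitlines()), "EOF")
    return stack[0]

def weak_settings(block, path=()):
    """Depth-first walk over the tree; flag every parameter whose value RULES lists."""
    here = path if block.header[0] == "<root>" else path + (block.header[0],)
    out = []
    for words, line in block.statements:
        key, val = words[0], (words[1] if len(words) > 1 else "")
        if key in RULES and val in RULES[key][0]:
            out.append(Finding(line, "/".join(here), key, val, RULES[key][1]))
    for sub in block.blocks:
        out += weak_settings(sub, here)
    return out

def review(text):
    # syntax first (racoon never reaches the proposals otherwise), then the parameter review
    try:
        return None, weak_settings(parse(text))
    except RacoonSyntaxError as err:
        return err, []

SAMPLE = """\
# constructed sample: trimmed from the posted config, FQDN replaced by a documentation name
path certificate "/var/etc/ipsec";
extcfg { script "/var/etc/ipsec/ipsec.php" }
remote anonymous
{
    peers_identifier fqdn "vpn.example.com";
    proposal
    {
        encryption_algorithm aes 128;
        hash_algorithm sha1;
        dh_group 2;
    }
}
sainfo subnet 192.168.10.0/24 any nat subnet 192.168.10.0/24 any anonymous
{
    encryption_algorithm aes 128;
    authentication_algorithm hmac_sha1;
    pfs_group 2;
}
"""
FIXED = SAMPLE.replace('ipsec.php" }', 'ipsec.php"; }')   # the semicolon jimp suggested

if __name__ == "__main__":
    print(review(SAMPLE)[0])            # the racoon-style parse error for the posted form
    print(*review(FIXED)[1], sep="\n")  # the four parameter findings once it parses
```

Running the file prints the parse error for the posted form, then the four findings for the corrected form. To review a live box, pass the contents of /var/etc/ipsec/racoon.conf to `review()`; act on findings in the IPsec GUI rather than in the file, since pfSense regenerates it (as noted above, manual edits are overwritten).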
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.