Racoon: ERROR: /var/etc/ipsec/racoon.conf:14: "e" syntax error

sarics

Hi All,

this is my first time here, I've done a huge google and search for solution, before posting this to here.

Today, we have restarted our racoon service on our pfSense box (2.1-RELEASE (amd64), built on Wed Sep 11 18:17:48 EDT 2013 FreeBSD 8.3-RELEASE-p11). The only thing that has been changed since the last restart, was an OpenVPN install, but I've try to disable it, and the result was the same. It was only a try, but it's not starting again, and we can only see this message in our logs:

Dec 6 15:12:14	racoon: ERROR: fatal parse failure (1 errors)
Dec 6 15:12:14	racoon: ERROR: /var/etc/ipsec/racoon.conf:14: "e" syntax error
Dec 6 15:12:14	racoon: WARNING: /var/etc/ipsec/racoon.conf:9: "0660" admin port support not compiled in
Dec 6 15:12:14	racoon: INFO: Reading configuration from "/var/etc/ipsec/racoon.conf"
Dec 6 15:12:14	racoon: INFO: @(#)This product linked OpenSSL 0.9.8y 5 Feb 2013 (http://www.openssl.org/)
Dec 6 15:12:14	racoon: INFO: @(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)

I don't know, what went wrong, I've reloaded our config backup, but the results are the same. Here is the racoon.conf:

# This file is automatically generated. Do not edit
path pre_shared_key "/var/etc/ipsec/psk.txt";

path certificate  "/var/etc/ipsec";

listen
{
	adminsock "/var/db/racoon/racoon.sock" "root" "wheel" 0660;
	isakmp XXX.XXX.XXX.XXX [500];
	isakmp_natt XXX.XXX.XXX.XXX [4500];
}

extcfg { script "/var/etc/ipsec/ipsec.php" }

remote XXX.XXX.XXX.XXX
{
	ph1id 1;
	exchange_mode aggressive;
	my_identifier address XXX.XXX.XXX.XXX;
	peers_identifier address XXX.XXX.XXX.XXX;
	ike_frag on;
	generate_policy = off;
	initial_contact = on;
	nat_traversal = on;

	dpd_delay = 10;
	dpd_maxfail = 5;
	support_proxy on;
	proposal_check strict;

	proposal
	{
		authentication_method pre_shared_key;
		encryption_algorithm aes 256;
		hash_algorithm sha1;
		dh_group 2;
		lifetime time 86400 secs;
	}
}

sainfo subnet 192.168.200.0/24 any subnet 192.168.17.0/24 any
{
	remoteid 1;
	encryption_algorithm aes 256;
	authentication_algorithm hmac_sha1;
	pfs_group 2;
	lifetime time 28800 secs;
	compression_algorithm deflate;
}

Please help me :-)

sarics

When I try to submit any command from cli, the following are the results:

[2.1-RELEASE][root@domain.com]/var/etc/ipsec(34): racoonctl show-event
send: Bad file descriptor

sarics

I've made changes in the /etc/inc/vpn.inc, commented out the generation of extcfg - and the tunnel is up again.

//$racoonconf .= "extcfg { script \"{$g['varetc_path']}/ipsec/ipsec.php\" }\n";

What the hell was that, and where did this problem has came?

jimp

Dec 6 15:12:14	racoon: INFO: @(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)

pfSense 2.1 uses IPsec tools 0.8.1, not 0.8.0. Somehow you are not running 2.1 binaries, but you have 2.1 PHP code.

sarics

@jimp:

pfSense 2.1 uses IPsec tools 0.8.1, not 0.8.0. Somehow you are not running 2.1 binaries, but you have 2.1 PHP code.

Sorry for the late answer, but how does it possible, if I didn't touch the command line, unless this issue? As I wrote earlier, I just implemented a new OpenVPN server through a wizard on the web interface, added 2 packages (sudo, and OpenVPN Client Export Wizard), and nothing else.

It is a solution if I downgrade the package to 0.8.0 somehow? Could you help me please to do this, because the reason why we choose pfSense was the webconfigurator - no one understands FreeBSD.

Thank you in advance

jimp

Packages would not touch that. There aren't any that would replace the racoon binaries.

The safest way forward would be to backup your config, wipe/reinstall 2.1, and then restore your backup.