    IPsec won't start

      jcpolo

      I have a fresh install and the service status for IPsec says stopped… every time I try to start it... I get

      Jan 17 06:17:04 racoon: ERROR: fatal parse failure (1 errors)
      Jan 17 06:17:04 racoon: ERROR: /var/etc/racoon.conf:5: "on" syntax error
      Jan 17 06:17:04 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
      Jan 17 06:17:04 racoon: INFO: @(#)ipsec-tools 0.6.7 (http://ipsec-tools.sourceforge.net)
      Jan 17 05:49:48 racoon: ERROR: fatal parse failure (1 errors)
      Jan 17 05:49:48 racoon: ERROR: /var/etc/racoon.conf:5: "on" syntax error
      Jan 17 05:49:48 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
      Jan 17 05:49:48 racoon: INFO: @(#)ipsec-tools 0.6.7 (http://ipsec-tools.sourceforge.net)

      I have not even had a chance to add any VPNs yet either. I replaced my Netscreen with pfsense 1.2rc4 and have existing vpn tunnels out there trying to hit my new pfsense and can't even get the service to start. Any assistance would be great!

        sullrich

        Please show us the contents of /var/etc/racoon.conf

          jcpolo

          I tried adding something after making this post and the service still wouldn't stop. I deleted it but the conf file still has this information in it…

          path pre_shared_key "/var/etc/psk.txt";

          path certificate  "/var/etc";

          remote rcon.denisrv.com {
          exchange_mode main;
          my_identifier fqdn "denisrv";

          peers_identifier address rcon.denisrv.com;
          initial_contact on;
          support_proxy on;
          proposal_check obey;

          proposal {
          encryption_algorithm des;
          hash_algorithm sha1;
          authentication_method pre_shared_key;
          dh_group 2;
          }
          }

          sainfo address 192.168.1.0/24 any address 192.168.4.0/24 any {
          encryption_algorithm des;
          authentication_algorithm hmac_sha1,hmac_md5;
          compression_algorithm deflate;
          }

            databeestje

            Do you have mobile VPN tunnels perhaps? I cannot seem to replicate it here.

            As in, I have 250 tunnels with the same racoon.

              databeestje

              To reply to myself: fqdn names and identifiers will not work in main mode. You will need to add the tunnel as a mobile tunnel/user or set it up with IP addresses as identifiers. That's the way ipsec works.
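
An added example, not part of the thread or of pfSense: a pre-flight check run over an excerpt of the racoon.conf posted above. It assumes, per racoon.conf(5), that `remote` takes a numeric address or `anonymous` and that `peers_identifier address` takes a numeric address; it applies the main-mode identifier rule from the reply above to pre-shared keys and also flags single DES. The names `lint` and `is_ip` are hypothetical.

```python
import ipaddress

# Constructed input: excerpt of the racoon.conf posted in this thread; blank lines kept.
POSTED_CONF = """path pre_shared_key "/var/etc/psk.txt";

path certificate  "/var/etc";

remote rcon.denisrv.com {
exchange_mode main;
my_identifier fqdn "denisrv";
peers_identifier address rcon.denisrv.com;
proposal {
encryption_algorithm des;
authentication_method pre_shared_key;
}
}
"""

def is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def lint(conf):
    """Return (line_number, message) findings; assumes one remote section."""
    findings, seen = [], {}
    for n, raw in enumerate(conf.splitlines(), 1):
        words = raw.split("#")[0].replace(";", " ").split()
        if len(words) < 2:
            continue
        key, val = words[0], words[1]
        seen.setdefault(key, (n, val))
        if key == "remote" and val != "anonymous" and not is_ip(val):
            findings.append((n, "remote takes an IP address or 'anonymous'"))
        if key == "peers_identifier" and val == "address" and words[2:] and not is_ip(words[2]):
            findings.append((n, "peers_identifier address is not an IP"))
        if key == "encryption_algorithm" and "des" in val.split(","):
            findings.append((n, "single DES is weak; prefer a stronger cipher"))
    # Rule from the reply above (pre-shared keys): main mode needs address identifiers.
    mode, ident, auth = (seen.get(k, (0, ""))[1] for k in
                         ("exchange_mode", "my_identifier", "authentication_method"))
    if "main" in mode.split(",") and auth == "pre_shared_key" and ident not in ("", "address"):
        findings.append((seen["my_identifier"][0], "non-address identifier in main mode"))
    return findings

for lineno, msg in lint(POSTED_CONF):
    print(f"/var/etc/racoon.conf:{lineno}: {msg}")
```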

                sullrich

                Try changing the mode to aggressive.

                  jcpolo

                  To be more specific, I am trying to get a netopia 3346 router with vpn capabilities to main mode vpn into my pfsense firewall. This worked with my netscreen just fine, but I cannot get the service to start on the pfsense side, whenever I add a vpn profile it says the service is basically stopped… and gives that error every time in the log.

                  example one
                  "remote side"
                  Netopia 3346-ENT router on a static ip
                  main mode vpn
                  static ip
                  des

                  pretty standard stuff....

                  I match up the settings on the pfsense side and the service fails to start giving me the error listed in the beginning.

                    jcpolo

                    Service Description Status
                    racoon IPSEC VPN Stopped

                    This is what I was talking about when I said the service doesn't appear to be running at all.

                      jcpolo

                      How about is there a simple netopia ipsec to pfsense how to? I have read on forums about people getting it working with monowall so it should be about the same situation right?

                      Has anyone else gotten a netopia to Pfsense ipsec tunnel working?
