pfSense Forum » pfSense English Support » IPsec
Topic: Help with error (racoon.conf:2: "500" parse error)
artifact
« on: January 02, 2007, 10:02:19 am »

Hello,

When I set up a new pfSense installation, IPsec worked fine. One day this service did not start up and displayed this error.

Code:
Jan 2 16:50:43 racoon: ERROR: /var/etc/racoon.conf:2: "500" parse error
Jan 2 16:50:43 racoon: ERROR: fatal parse failure (1 errors)

I opened /var/etc/racoon.conf, which I guess has not changed since it worked.

Code:
listen {
isakmp  [500];

}
path pre_shared_key "/var/etc/psk.txt";

path certificate  "/var/etc";

remote xxx.xxx.xxx.xxx {
exchange_mode main;
my_identifier address "xxx.xxx.xxx.xxx";

peers_identifier address xxx.xxx.xxx.xxx;
initial_contact on;
support_proxy on;
proposal_check obey;

proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
lifetime time 3600 secs;
}
lifetime time 3600 secs;
}

sainfo address 192.168.1.0/24 any address 192.168.0.0/24 any {
encryption_algorithm 3des;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
pfs_group 2;
lifetime time 3600 secs;
}

remote xxx.xxx.xxx.xxx {
exchange_mode main;
my_identifier address "xxx.xxx.xxx.xxx";

peers_identifier address xxx.xxx.xxx.xxx;
initial_contact on;
support_proxy on;
proposal_check obey;

proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
lifetime time 3600 secs;
}
lifetime time 3600 secs;
}

sainfo address 192.168.1.0/24 any address 192.168.5.0/24 any {
encryption_algorithm 3des;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
pfs_group 2;
lifetime time 3600 secs;
}

remote xxx.xxx.xxx.xxx {
exchange_mode main;
my_identifier address "xxx.xxx.xxx.xxx";

peers_identifier address xxx.xxx.xxx.xxx;
initial_contact on;
support_proxy on;
proposal_check obey;

proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
lifetime time 3600 secs;
}
lifetime time 3600 secs;
}

sainfo address 192.168.1.0/24 any address xxx.xxx.xxx.xxx/23 any {
encryption_algorithm 3des;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
pfs_group 2;
lifetime time 3600 secs;
}

remote anonymous {
exchange_mode main;
my_identifier address "xxx.xxx.xxx.xxx";

initial_contact on;
passive on;
generate_policy on;
support_proxy on;
proposal_check obey;

proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
lifetime time 3600 secs;
}
lifetime time 3600 secs;
}

sainfo anonymous {
encryption_algorithm 3des;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
pfs_group 2;
lifetime time 3600 secs;
}

How do I solve this?

I tried to comment out:

Code:
listen {
#isakmp  [500];

}

Then at least phase 1 worked.

Help! :)

Tnx!
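The directive racoon rejects is line 2 of the listen block, isakmp  [500];. The listen syntax in racoon.conf is isakmp <address> [port];, so a port with no address in front of it is a syntax error, which fits the emptied failover-IP field discussed further down this thread. As an added example (not code from the thread or from pfSense), here is a small Python check that flags such directives; the two sample configs are constructed from the posted block, and 192.0.2.1 is a placeholder address.

```python
import re

# Constructed sample: the listen block posted above. Line 2 is the one racoon
# rejects with:  racoon.conf:2: "500" parse error
BROKEN_CONF = """listen {
isakmp  [500];

}
path pre_shared_key "/var/etc/psk.txt";
"""

# Same block with a listen address present. 192.0.2.1 is a placeholder
# (documentation range), not an address from the thread.
FIXED_CONF = """listen {
isakmp 192.0.2.1 [500];
}
path pre_shared_key "/var/etc/psk.txt";
"""

# racoon.conf(5) grammar inside listen { }:  isakmp <address> [port];
# The address is mandatory, the bracketed port optional.
ISAKMP_RE = re.compile(r"^isakmp\s+(?P<addr>[^\s\[;]+)?\s*(?:\[(?P<port>\d+)\])?\s*;$")


def check_listen_block(conf):
    """Return [(line_no, message)] for every malformed isakmp directive.

    'isakmp [500];' (port, no address) is what the cleared failover-IP field
    produced here; it is reported with the line number racoon itself prints.
    """
    problems = []
    in_listen = False
    for line_no, raw in enumerate(conf.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()       # drop comments and padding
        if line.startswith("listen") and line.endswith("{"):
            in_listen = True
            continue
        if in_listen and line == "}":
            in_listen = False
            continue
        # only the plain 'isakmp' directive; 'isakmp_natt' etc. are ignored
        if not in_listen or (line.split() or [""])[0] != "isakmp":
            continue
        m = ISAKMP_RE.match(line)
        if m is None:
            problems.append((line_no, "unparseable isakmp directive: " + line))
        elif not m.group("addr"):
            problems.append((line_no, "isakmp directive has no listen address: " + line))
    return problems
```

Running check_listen_block over a freshly generated /var/etc/racoon.conf before racoon is started gives the same line number as the log message, which is quicker than reading the file by hand.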
hoba (Administrator)
« Reply #1 on: January 02, 2007, 10:04:17 am »

Are you already running one of the latest snapshots? Which version is this? (Please include the version and build date from Status > System.)
artifact
« Reply #2 on: January 02, 2007, 10:18:18 am »

Name     pfsense
Version    1.0.1
built on Sun Oct 29 01:07:16 UTC 2006
Platform    pfSense

P.S. I tried to back up the settings, reset to factory defaults, then restore. The result is the same.
« Last Edit: January 02, 2007, 10:23:44 am by artifact »
sullrich
« Reply #3 on: January 02, 2007, 12:45:10 pm »

Have you set a failover ipsec option by chance?
artifact
« Reply #4 on: January 02, 2007, 01:08:46 pm »

Yes, I set it once, but then I emptied this field and saved. Is that the problem? And how do I solve it? It was empty before and is empty now, but maybe something has been left in the configuration?

:)
« Last Edit: January 02, 2007, 01:27:37 pm by artifact »
sullrich
« Reply #5 on: January 02, 2007, 01:45:48 pm »

Quote from: artifact
    Yes, I set it once, but then I emptied this field and saved. Is that the problem? And how do I solve it? It was empty before and is empty now, but maybe something has been left in the configuration?

    :)

Double check that the field really is empty and not a space, etc.
artifact
« Reply #6 on: January 02, 2007, 02:05:54 pm »

I am sure that this field is empty. Could it be that I pressed SAVE with an empty Failover IP, and at that moment IPsec stopped? It seems so.
sullrich
« Reply #7 on: January 02, 2007, 03:05:04 pm »

Try setting your WAN IP in this box and see if it goes away. It may be a problem of us clearing the item. Also, try this from a shell and let me know what it says:

cat /cf/conf/config.xml | grep failoverip
hoba (Administrator)
« Reply #8 on: January 02, 2007, 03:19:22 pm »

In case the IP is not cleared, download your config.xml from Diagnostics > Backup/Restore, manually remove the item and upload it again. But first do what Scott asked for, please.
artifact
« Reply #9 on: January 02, 2007, 03:48:01 pm »

OK,

I checked the WAN IP, and everything there is OK.

Code:
Interfaces: WAN
Type: Static
Static IP configuration: Correct
Other settings - empty
FTP Helper  Disable the userland FTP-Proxy application  [CHECKED]
Block private networks [CHECKED]

Code:
Diagnostics: Ping

Host  : www.yahoo.com
Interface  WAN
Count 3
   
Ping output:

PING www.yahoo-ht2.akadns.net (209.73.186.238) from 159.148.175.210: 56 data bytes
64 bytes from 209.73.186.238: icmp_seq=0 ttl=50 time=176.817 ms
64 bytes from 209.73.186.238: icmp_seq=1 ttl=50 time=176.690 ms
64 bytes from 209.73.186.238: icmp_seq=2 ttl=50 time=176.749 ms

--- www.yahoo-ht2.akadns.net ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 176.690/176.752/176.817/0.052 ms
 

cat /cf/conf/config.xml | grep failoverip returned nothing.

/cf/conf/config.xml - only here did I find a failover string, and nowhere else in this file.
Code:
<dhcpd>
<lan>
<enable>yes</enable>
<range>
<from>192.168.1.101</from>
<to>192.168.1.199</to>
</range>
<defaultleasetime/>
<maxleasetime/>
<netmask/>
<failover_peerip/>
<gateway/>
<dnsserver>192.168.1.200</dnsserver>
</lan>
</dhcpd>

sullrich
« Reply #10 on: January 02, 2007, 03:49:59 pm »

What version is this again?  That all looks fine to me.
artifact
« Reply #11 on: January 02, 2007, 03:56:03 pm »

Version 1.0.1
built on Sun Oct 29 01:07:16 UTC 2006


Tnx ;)
« Last Edit: January 03, 2007, 03:30:26 am by artifact »
artifact
« Reply #12 on: January 02, 2007, 04:07:13 pm »

Also, if I try to launch racoon from the shell:


# racoon -f /var/etc/racoon.conf
racoon: failed to parse configuration file.
artifact
« Reply #13 on: January 03, 2007, 05:55:39 am »

I restored my two-month-old settings from a backup, and now there is an error like this. What's wrong?


Code:
Jan 3 11:08:10 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Jan 3 11:08:10 racoon: INFO: 192.168.1.1[500] used as isakmp port (fd=19)
Jan 3 11:08:10 racoon: INFO: fe80::230:4fff:fe25:33b0%rl0[500] used as isakmp port (fd=18)
Jan 3 11:08:10 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Jan 3 11:08:10 racoon: INFO: xxx.xxx.xxx.xxx[500] used as isakmp port (fd=17)
Jan 3 11:08:10 racoon: INFO: fe80::201:29ff:fe93:1125%vr0[500] used as isakmp port (fd=16)
Jan 3 11:08:10 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Jan 3 11:08:10 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=15)
Jan 3 11:08:10 racoon: INFO: ::1[500] used as isakmp port (fd=14)
Jan 3 11:08:10 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=13)
Jan 3 11:08:10 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
Jan 3 11:08:10 racoon: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
Jan 3 11:08:09 racoon: INFO: racoon shutdown
Jan 3 11:08:08 racoon: INFO: caught signal 15
jahonix
« Reply #14 on: January 04, 2007, 06:41:15 am »

Same over here. I am too dumb to get IPsec to work... :(

I got some firewall block messages for TCP port 500 in the logs.
My static site is really knocked down on ports - do I have to open up something special here?

Needless to say, the tunnel is not coming up and I cannot ping a host on the other side.
Both pfSenses are 1.0.1 Snapshot 2006-DEC-23 with PPPoE ADSL.
The office has a static IP, home a dynamic one. NO SAD or SPD entries on the static side and only SPD on the dynamic end, where I also get this:
 
Diagnostics: System logs: IPSEC VPN
Jan 4 10:48:10    racoon: ERROR: fatal parse failure (1 errors)
Jan 4 10:48:10    racoon: ERROR: /var/etc/racoon.conf:2: "500" parse error
Jan 4 10:48:10    racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
Jan 4 10:48:10    racoon: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)

Does the "500" parse error relate to a port issue?
« Last Edit: January 04, 2007, 06:54:17 am by jahonix »