DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 4 Weeks Ago
Dr-D's Avatar
Dr-D Dr-D is offline
Port Guard
 
Join Date: Jun 2011
Posts: 43
Default ipsec.conf Syntax error

I've been running ipsec on my OpenBSD 5.3 router without issue since 5.3 became available. I've finally just gotten around to upgrading to version 6.4 today and my ipsec.conf file which works perfectly fine in 5.3 is giving me a syntax error in 6.4 and for the life of me I can't figure it out. I tried stripping the comments out and reducing it down to just one VPN connection but I'm still getting a syntax error when booting up. I've attached a pic of the boot screen as well as my ipsec.conf file. Any help would be greatly appreciated.

Thanks.

ipsec.conf is below.
Code:
# VPN to Company A RV042
ike dynamic esp from 10.10.10.0/24 to 192.168.11.0/24 peer 96.30.1.11 main auth hmac-sha1 enc aes-256 group modp1536 quick auth hmac-sha1 enc aes-256 srcid 96.69.72.49 psk "pa$$word"
# VPN to Company B RV042
ike dynamic esp from 10.10.10.0/24 to 192.168.12.0/24 peer 96.30.1.12 main auth hmac-sha1 enc aes-256 group modp1536 quick auth hmac-sha1 enc aes-256 srcid 96.69.72.49 psk "pa$$word"
# VPN to Company C RV340
ike dynamic esp from 10.10.10.0/24 to 192.168.13.0/24 peer 96.30.1.13 main auth hmac-sha1 enc aes-256 group modp1536 quick auth hmac-sha1 enc aes-256 srcid 96.69.72.49 psk "pa$$word"
# VPN to Company D RV042G
ike dynamic esp from 10.10.10.0/24 to 192.168.14.0/24 peer 96.30.1.14 main auth hmac-sha1 enc aes-256 group modp1536 quick auth hmac-sha1 enc aes-256 srcid 96.69.72.49 psk "pa$$word"
# VPN to Company E RV042G
ike dynamic esp from 10.10.10.0/24 to 192.168.15.0/24 peer 96.30.1.15 main auth hmac-sha1 enc aes-256 group modp1536 quick auth hmac-sha1 enc aes-256 srcid 96.69.72.49 psk "pa$$word"
# VPN to Company F RV320
ike dynamic esp from 10.10.10.0/24 to 192.168.16.0/24 peer 96.30.1.16 main auth hmac-sha1 enc aes-256 group modp1536 quick auth hmac-sha1 enc aes-256 srcid 96.69.72.49 psk "pa$$word"
# VPN to Company G RV340
ike dynamic esp from 10.10.10.0/24 to 192.168.17.0/24 peer 96.30.1.17 main auth hmac-sha1 enc aes-256 group modp1536 quick auth hmac-sha1 enc aes-256 srcid 96.69.72.49 psk "pa$$word"
# VPN to Company H RV130
ike dynamic esp from 10.10.10.0/24 to 192.168.18.0/24 peer 96.30.1.18 main auth hmac-sha1 enc aes-256 group modp1536 quick auth hmac-sha1 enc aes-256 srcid 96.69.72.49 psk "pa$$word"
# VPN to Company I RV130W
ike dynamic esp from 10.10.10.0/24 to 192.168.19.0/24 peer 96.30.1.19 main auth hmac-sha1 enc aes-256 group modp1536 quick auth hmac-sha1 enc aes-256 srcid 96.69.72.49 psk "pa$$word"
# VPN to Company J RV345
ike dynamic esp from 10.10.10.0/24 to 192.168.20.0/24 peer 96.30.1.20 main auth hmac-sha1 enc aes-256 group modp1536 quick auth hmac-sha1 enc aes-256 srcid 96.69.72.49 psk "pa$$word"
# VPN to Company K RV345P
ike dynamic esp from 10.10.10.0/24 to 192.168.21.0/24 peer 96.30.1.21 main auth hmac-sha1 enc aes-256 group modp1536 quick auth hmac-sha1 enc aes-256 srcid 96.69.72.49 psk "pa$$word"
Attached Images
File Type: jpg ipsecerror.JPG (869.6 KB, 23 views)

Last edited by Dr-D; 4 Weeks Ago at 09:34 AM.
Reply With Quote
  #2   (View Single Post)  
Old 4 Weeks Ago
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 6,381
Default

I am unable to reproduce the problem when I copied and pasted your configuration file locally:
Code:
$ ipsecctl -nf your.ipsec.conf.file
$
What happens when you test the file this way?
Reply With Quote
  #3   (View Single Post)  
Old 4 Weeks Ago
Dr-D's Avatar
Dr-D Dr-D is offline
Port Guard
 
Join Date: Jun 2011
Posts: 43
Default

Quote:
Originally Posted by jggimi View Post
I am unable to reproduce the problem when I copied and pasted your configuration file locally:
Code:
$ ipsecctl -nf your.ipsec.conf.file
$
What happens when you test the file this way?
The same thing happens.
Attached Images
File Type: jpg ipsecerror2.JPG (36.9 KB, 11 views)
Reply With Quote
  #4   (View Single Post)  
Old 4 Weeks Ago
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 6,381
Default

No, that is not exactly the same thing. You show two errors. The first, a permission problem. The second, a syntax error without a line number defined. When I intentionally create a syntax error, I get a mesage that tells me which line number has the error.

Due to this difference in behavior, try correcting the permission problem. The file should be owned by root:wheel and have a 600 file mode (-rw-------).
Reply With Quote
  #5   (View Single Post)  
Old 4 Weeks Ago
Dr-D's Avatar
Dr-D Dr-D is offline
Port Guard
 
Join Date: Jun 2011
Posts: 43
Default

Changing the file permission fixed it. I learned something new today. You are a god!

Thank you.
Reply With Quote
  #6   (View Single Post)  
Old 4 Weeks Ago
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 6,381
Default

Sweet! Now, if you want to, you can report this bug to the Project. If you're feeling really energetic, you can debug ipsecctl and post a proposed fix. (I would, but I'm at $DAYJOB and don't have ready access to my test systems.)
Reply With Quote
  #7   (View Single Post)  
Old 4 Weeks Ago
Dr-D's Avatar
Dr-D Dr-D is offline
Port Guard
 
Join Date: Jun 2011
Posts: 43
Default

I don't think the problem is a bug. The problem was likely due to copying the ipsec.conf file from the old BSD router to a Windows machine via WinSCP then onto a USB flash drive then finally onto the new BSD router. Wouldn't that play havoc with file permissions?
Reply With Quote
  #8   (View Single Post)  
Old 4 Weeks Ago
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 6,381
Default

From here, it looks like the permissions error is produced correctly, but the syntax error is both extraneous and misleading.
Reply With Quote
  #9   (View Single Post)  
Old 4 Weeks Ago
Dr-D's Avatar
Dr-D Dr-D is offline
Port Guard
 
Join Date: Jun 2011
Posts: 43
Default

I don't work in UNIX/Linux world enough to get it truly burned into my brain like I'd like to. That syntax error message was driving me absolutely insane because I knew there wasn't a syntax error. Had I been able to understand the message immediately before the syntax error line (group writable or world read/writable) then I would have known how to fix the problem as you did. Should it occur again the future now I'll know what to do. It's always good to learn something new everyday.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Pf.conf:29 syntax error CyberJet OpenBSD Security 17 3rd May 2013 06:41 PM
Am I blind? syntax error: `(' unexpected guitarscn Programming 1 10th November 2010 08:53 PM
shc unistd.h:239: error: syntax error before '&' token laraaj OpenBSD General 3 11th September 2010 07:21 AM
I need help with make.conf syntax troberts FreeBSD Ports and Packages 4 1st June 2008 03:58 AM
relayd (and hoststated) give syntax error for 'check script' gwl OpenBSD Security 2 2nd May 2008 04:53 PM


All times are GMT. The time now is 01:16 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2018, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick