Mathieu Sauve-Frankel wrote:

> Currently the order in which isakmpd, ipsecctl and sasyncd need to be
> invoked in order for everything to work is pretty rigid. 
> 
> # isakmpd -KS   
> # ipsecctl -f /etc/ipsec.conf
> # sasyncd 
> 
> First start isakmpd with -KS, this brings up isakmpd in passive mode, 
> isakmpd won't initiate any IKE traffic until an sasyncd process sets
> isakmpd to "active" mode through the fifo, you can do this by hand by
> issuing "M active" into the fifo with echo. Don't forget to load your rules 
> before you issue this command. 
> 
> If you are not going to use sasyncd, don't use -S.
> 

Hi & thx for the insight. I now realize that the problem is caused by
sasyncd not starting. It terminates immediately with the message
"config: syntax error". Unfortunately it's not a syntax error in the
sasyncd.conf file, but the error really seems to stem from the program
"config" that seems to get called in the process of invoking sasyncd ...
between stat-ing the config file and parsing it, as I would suppose,
because sasyncd will not complain about real, intentional syntax errors
in the file or an empty file, but will bail out on wrong file permissions.

I have copied over sasyncd.conf from a working installation and changed
the sharedkey and peer parameters. But "config: syntax error" hits me even
if I empty the file (which should produce errors about missing
sharedkeys and the like).

Just to be sure, here's the file:

# cat /etc/sasyncd.conf
interface carp1
flushmode sync
listen on xl0 port 5000
sharedkey [32byte RSA key]
peer 10.111.1.2

Plus, "syntax error" does not appear in the sasyncd binary with strings
or source code.

Sorry again if I'm missing something obvious.
/markus
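The start-up order from Mathieu's quoted reply (isakmpd in passive mode, then the ipsecctl rules, then sasyncd or a manual "M active"), as an added sh example that is not part of this thread or of OpenBSD itself. It also front-loads the two checks markus's report points at: sasyncd.conf permissions and the presence of the keywords his sample config uses. The config paths and the fifo path /var/run/isakmpd.fifo are assumed OpenBSD defaults.

```shell
#!/bin/sh
# Added example (not from the thread). Paths are assumed defaults.
SASYNCD_CONF=${SASYNCD_CONF:-/etc/sasyncd.conf}
IPSEC_CONF=${IPSEC_CONF:-/etc/ipsec.conf}
ISAKMPD_FIFO=${ISAKMPD_FIFO:-/var/run/isakmpd.fifo}

# sasyncd bails out when its config is readable by group or others (the file
# carries the shared key). Returns 0 when $1 has no group/other mode bits.
conf_perms_ok() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c5-10)
    [ "$perms" = "------" ]
}

# Returns 0 when $1 sets every keyword the thread's sample config relies on
# (interface, sharedkey, peer). An empty file fails here, as it should.
conf_required_ok() {
    for kw in interface sharedkey peer; do
        grep -q "^[[:space:]]*$kw[[:space:]]" "$1" || return 1
    done
}

# Order matters: passive isakmpd first, then the rules, then sasyncd,
# which is what flips isakmpd to active over the fifo.
ha_start() {
    conf_perms_ok "$SASYNCD_CONF" || { echo "$SASYNCD_CONF: must be mode 0600" >&2; return 1; }
    conf_required_ok "$SASYNCD_CONF" || { echo "$SASYNCD_CONF: missing interface/sharedkey/peer" >&2; return 1; }
    isakmpd -KS || return 1                 # -S: stay passive until told
    ipsecctl -f "$IPSEC_CONF" || return 1   # load flows before activation
    sasyncd                                  # sends "M active" to isakmpd
}

# Without sasyncd: set isakmpd active by hand. Only do this after ipsecctl
# has loaded the rules, exactly as the quoted message says.
isakmpd_activate() {
    [ -p "$ISAKMPD_FIFO" ] || { echo "$ISAKMPD_FIFO: no fifo (is isakmpd running?)" >&2; return 1; }
    echo 'M active' > "$ISAKMPD_FIFO"
}

case "${1:-}" in
    start)    ha_start ;;
    activate) isakmpd_activate ;;
esac
```

Run it as `sh ha.sh start` on the sasyncd host, or `sh ha.sh activate` on a standalone gateway that started isakmpd with -S by mistake.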
