Re: [strongSwan] /etc/strongswan.d/VPN.conf:1: syntax error, unexpected NAME, expecting NEWLINE or '{' or '=' [vpn]
VPN-OFFICE-COM[14]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024

Thank you for your help. I hope this tells you more than it does me.

--
Kind regards
Stephen Feyrer.
Re: [strongSwan] /etc/strongswan.d/VPN.conf:1: syntax error, unexpected NAME, expecting NEWLINE or '{' or '=' [vpn]
Hi Stephen,

So I assume there is no longer any syntax error reported. From logfile I see there is no acceptable traffic selector.

I assume that you have a home PC (Ubuntu) with Strongswan which you want to connect to the office VPN concentrator with IP 17.11.7.5 running Windows. I suppose VPN concentrator in the office is not configured to route any traffic towards your home PC's IP address, thus you will need a virtual IP address assigned to your home PC by the VPN concentrator. Also I suppose you want to route all traffic via that VPN once connected.

Then, please try to modify left=%defaultroute to left=%any and add rightsubnet=0.0.0.0/0 and leftsourceip=%config. You should not specify leftsubnet, it has same effect as leftsubnet=%dynamic.

According to documentation at wiki https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection configuration directive left=defaultroute% was used prior to version 5.0.0, superseded by left=%any.

leftsubnet=%dynamic (or omitting leftsubnet at all) and rightsubnet=0.0.0.0/0 will create your traffic selector. It says that anything (0.0.0.0/0) from your side will be routed to remote host and that the remote host will route towards your PC (left==local) a traffic which would fit your dynamically assigned IP.

Should you want to route towards office network only office-related traffic then change rightsubnet=subnet_used_in_Stephen's_office.

If that didn't help please can you provide output of 'ipsec statusall' and also more details about network topology?

Regards,
Miroslav
Re: [strongSwan] /etc/strongswan.d/VPN.conf:1: syntax error, unexpected NAME, expecting NEWLINE or '{' or '=' [vpn]
Hi Stephen,

I believe the issue might be caused as the conn section is not compliant with prescribed format. There should be at least one whitespace at the beginning of each line within the section. Only sections can and shall start at the first character of the line.

Supposed correction:

conn VPN-OFFICE-COM
    keyexchange=ikev1
    type=transport
    authby=secret
    ike=3des-sha1-modp1024
    rekey=no
    left=%defaultroute
    leftprotoport=udp/l2tp
    right=vpn.office.com
    rightprotoport=udp/l2tp
    rightid=17.11.7.5
    auto=add

Regards,
Miroslav

> Message: 3
> Date: Fri, 17 Apr 2015 14:08:57 +0100
> From: Stephen Feyrer stephen.fey...@btinternet.com
> To: users@lists.strongswan.org
> Subject: Re: [strongSwan] /etc/strongswan.d/VPN.conf:1: syntax error, unexpected NAME, expecting NEWLINE or '{' or '=' [vpn]
> Message-ID: op.xw8ms7kfx77...@sveta.home.org
> Content-Type: text/plain; charset=utf-8; format=flowed; delsp=yes
>
> Hi Neol,
>
> Thank you. I have removed the file /etc/strongswan.d/VPN.conf
>
> In /etc/ipsec.conf I have the same configuration. At least there is progress, unfortunately I am still baffled. This is the previously working configuration.
>
> code:
> # ipsec.conf - strongSwan IPsec configuration file
>
> # basic configuration
>
> config setup
>     # strictcrlpolicy=yes
>     # uniqueids = no
>
> conn VPN-OFFICE-COM
> keyexchange=ikev1
> type=transport
> authby=secret
> ike=3des-sha1-modp1024
> rekey=no
> left=%defaultroute
> leftprotoport=udp/l2tp
> right=vpn.office.com
> rightprotoport=udp/l2tp
> rightid=17.11.7.5
> auto=add
>
> Having restarted ipsec, I get the following result
>
> code:
> # ipsec up VPN-OFFICE-COM
> initiating Main Mode IKE_SA VPN-OFFICE-COM[1] to 17.11.7.5
> generating ID_PROT request 0 [ SA V V V V ]
> sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (212 bytes)
> received packet: from 17.11.7.5[500] to 1.2.3.4[500] (116 bytes)
> parsed ID_PROT response 0 [ SA V V ]
> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
> received FRAGMENTATION vendor ID
> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
> sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (244 bytes)
> received packet: from 17.11.7.5[500] to 1.2.3.4[500] (304 bytes)
> parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
> received Cisco Unity vendor ID
> received XAuth vendor ID
> received unknown vendor ID: [Available On Request]
> received unknown vendor ID: [Available On Request]
> local host is behind NAT, sending keep alives
> generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
> sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (84 bytes)
> received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)
> parsed ID_PROT response 0 [ ID HASH V ]
> received DPD vendor ID
> IKE_SA VPN-OFFICE-COM[1] established between 1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]
> generating QUICK_MODE request [Available On Request] [ HASH SA No ID ID NAT-OA NAT-OA ]
> sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (220 bytes)
> received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (180 bytes)
> parsed QUICK_MODE response [Available On Request] [ HASH SA No ID ID N((24576)) NAT-OA ]
> received 28800s lifetime, configured 0s
> no acceptable traffic selectors found
> establishing connection 'VPN-OFFICE-COM' failed
>
> --
> Kind regards
> Stephen Feyrer

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
Re: [strongSwan] /etc/strongswan.d/VPN.conf:1: syntax error, unexpected NAME, expecting NEWLINE or '{' or '=' [vpn]
Hi Miroslav,

Thank you. The conn section as presented below was copied and pasted from web page for convenience (this stripped the leading white spaces from the conn section). For the moment the white spaces are in form of TAB characters. I will test with space characters and complete this email.

I apologise for the lack of white spaces in the conn section of below email.

I have now tested with both spaces and tabs, each producing the same error as below.

--
Kind regards
Stephen Feyrer.
[strongSwan] /etc/strongswan.d/VPN.conf:1: syntax error, unexpected NAME, expecting NEWLINE or '{' or '=' [vpn]
Hi,

I am hoping someone can help me. At first this looks like a simple error but I don't think it is.

To put this into some context, so you can ignore this paragraph if you're not interested. A few months ago, I got my home PC - (Gentoo Linux) setup to VPN into the office which is a Windows environment. Shortly after I moved house and my phone line. Only at that time my ISP had a fault on the phone line at my new house so no internet connection. Once the internet was resolved, the first thing I did was update my PC. Next I found that my VPN was no longer working. I was careful to look for messages that required configuration updates, I saw none for StrongSwan.

Code:
    * Starting ...
    /etc/strongswan.d/VPN.conf:1: syntax error, unexpected NAME, expecting NEWLINE or '{' or '=' [vpn]
    invalid config file '/etc/strongswan.conf'
    Starting strongSwan 5.2.2 IPsec [starter]...

Code:
    # ipsec up vpn.office.com
    /etc/strongswan.d/VPN.conf:1: syntax error, unexpected NAME, expecting NEWLINE or '{' or '=' [vpn]
    invalid config file '/etc/strongswan.conf'
    initiating Main Mode IKE_SA vpn.office.com[1] to 17.11.7.5
    generating ID_PROT request 0 [ SA V V V V ]
    sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (212 bytes)
    received packet: from 17.11.7.5[500] to 1.2.3.4[500] (116 bytes)
    parsed ID_PROT response 0 [ SA V V ]
    received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    received FRAGMENTATION vendor ID
    generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
    sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (244 bytes)
    received packet: from 17.11.7.5[500] to 1.2.3.4[500] (304 bytes)
    parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
    received Cisco Unity vendor ID
    received XAuth vendor ID
    received unknown vendor ID: [Available On Request]
    received unknown vendor ID: [Available On Request]
    local host is behind NAT, sending keep alives
    generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
    sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (84 bytes)
    received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)
    parsed ID_PROT response 0 [ ID HASH V ]
    received DPD vendor ID
    IKE_SA vpn.office.com[1] established between 1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]
    generating QUICK_MODE request [Available On Request] [ HASH SA No ID ID NAT-OA NAT-OA ]
    sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (220 bytes)
    received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (180 bytes)
    parsed QUICK_MODE response [Available On Request] [ HASH SA No ID ID N(([Available On Request])) NAT-OA ]
    received 28800s lifetime, configured 0s
    no acceptable traffic selectors found
    establishing connection 'vpn.office.com' failed

The only other issue of note is that the behaviour of Networkmanager appears to have changed during boot. Previously, there was a 1 second wait, now that is gone.

I have searched the web for similar issues and found none. The details of how my VPN came to be setup as it is are available here:

https://forums.gentoo.org/viewtopic-t-998042-postdays-0-postorder-asc-start-0.html

code:
    # strongswan.conf - strongSwan configuration file
    #
    # Refer to the strongswan.conf(5) manpage for details
    #
    # Configuration changes should be made in the included files

    charon {
        load_modular = yes
        plugins {
            include strongswan.d/charon/*.conf
        }
    }

    include strongswan.d/*.conf

code:
    # strongswan.d/VPN.conf
    conn VPN-OFFICE-COM
        keyexchange=ikev1
        type=transport
        authby=secret
        ike=3des-sha1-modp1024
        rekey=no
        left=%defaultroute
        leftprotoport=udp/l2tp
        right=vpn.office.com
        rightprotoport=udp/l2tp
        rightid=17.11.7.5
        auto=add

At the time of writing I have just tried commenting out the whole of VPN.conf and then going line by line uncommenting but now even with all the lines uncommented, I get this message.

code:
    # ipsec up VPN-OFFICE-COM
    /etc/strongswan.d/Xerox.conf:15: syntax error, unexpected NAME, expecting NEWLINE or '{' or '=' [VPN-OFFICE-COM]
    invalid config file '/etc/strongswan.conf'
    no config named 'VPN-OFFICE-COM'

Please help!

--
Kind regards
Stephen Feyrer
Re: [strongSwan] /etc/strongswan.d/VPN.conf:1: syntax error, unexpected NAME, expecting NEWLINE or '{' or '=' [vpn]
Hi Neol,

Thank you. I have removed the file /etc/strongswan.d/VPN.conf
In /etc/ipsec.conf I have the same configuration. At least there is progress, unfortunately I am still baffled. This is the previously working configuration.

code:
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
    # strictcrlpolicy=yes
    # uniqueids = no

conn VPN-OFFICE-COM
    keyexchange=ikev1
    type=transport
    authby=secret
    ike=3des-sha1-modp1024
    rekey=no
    left=%defaultroute
    leftprotoport=udp/l2tp
    right=vpn.office.com
    rightprotoport=udp/l2tp
    rightid=17.11.7.5
    auto=add

Having restarted ipsec, I get the following result

code:
# ipsec up VPN-OFFICE-COM
initiating Main Mode IKE_SA VPN-OFFICE-COM[1] to 17.11.7.5
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (212 bytes)
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (116 bytes)
parsed ID_PROT response 0 [ SA V V ]
received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
received FRAGMENTATION vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (244 bytes)
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (304 bytes)
parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
received Cisco Unity vendor ID
received XAuth vendor ID
received unknown vendor ID: [Available On Request]
received unknown vendor ID: [Available On Request]
local host is behind NAT, sending keep alives
generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (84 bytes)
received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)
parsed ID_PROT response 0 [ ID HASH V ]
received DPD vendor ID
IKE_SA VPN-OFFICE-COM[1] established between 1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]
generating QUICK_MODE request [Available On Request] [ HASH SA No ID ID NAT-OA NAT-OA ]
sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (220 bytes)
received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (180 bytes)
parsed QUICK_MODE response [Available On Request] [ HASH SA No ID ID N((24576)) NAT-OA ]
received 28800s lifetime, configured 0s
no acceptable traffic selectors found
establishing connection 'VPN-OFFICE-COM' failed

--
Kind regards
Stephen Feyrer

On Fri, 17 Apr 2015 11:49:04 +0100, Noel Kuntze n...@familie-kuntze.de wrote:

Hello Stephen,

The configuration for the conns go into /etc/ipsec.conf, not /etc/strongswan.d or /etc/strongswan.conf. Only the plugin and logger configurations go into /etc/strongswan.d/ or /etc/strongswan.conf.

Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
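Noel's reply puts conn sections in /etc/ipsec.conf because files under /etc/strongswan.d/ are pulled into strongswan.conf, whose syntax (per the error message) allows only a newline, '{' or '=' after a name. The following is an added example, not code from the thread or from strongSwan: a simplified line checker that flags ipsec.conf-style stanzas in such a file. The function name and the sample layouts are assumptions.

```python
import re

# ipsec.conf section keywords; not valid section openers in strongswan.conf.
IPSEC_CONF_KEYWORDS = {"conn", "config", "ca"}

# Constructed sample: the conn stanza from the thread, laid out as it
# would sit in /etc/strongswan.d/VPN.conf (shortened).
VPN_CONF = """\
conn VPN-OFFICE-COM
    keyexchange=ikev1
    type=transport
    authby=secret
    auto=add
"""

# Constructed sample: the strongswan.conf quoted in the thread.
STRONGSWAN_CONF = """\
# strongswan.conf - strongSwan configuration file
charon {
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
}
include strongswan.d/*.conf
"""

def check_strongswan_syntax(text):
    """Return [(line_no, first_token, looks_like_ipsec_conf)] for lines
    where a NAME is followed by something other than end of line, '{'
    or '='. Simplified approximation of the rule in the error message."""
    findings = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line or line == "}" or line.startswith("include "):
            continue
        m = re.match(r"([^\s={}]+)\s*(.*)$", line)
        if m is None:                            # line starts with '=', '{' or '}'
            findings.append((no, line[0], False))
            continue
        name, rest = m.groups()
        if rest and rest[0] not in "{=":
            findings.append((no, name, name in IPSEC_CONF_KEYWORDS))
    return findings

if __name__ == "__main__":
    for no, token, misplaced in check_strongswan_syntax(VPN_CONF):
        print(f"VPN.conf:{no}: unexpected NAME after '{token}'", "-> belongs in /etc/ipsec.conf" if misplaced else "")
```

Only the `conn VPN-OFFICE-COM` line is reported, matching the `VPN.conf:1` position in the error output; the indented `key=value` lines pass because each name is followed by '='.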
Re: [strongSwan] /etc/strongswan.d/VPN.conf:1: syntax error, unexpected NAME, expecting NEWLINE or '{' or '=' [vpn]
Apologies!!! Thank you, Noel!

--
Kind regards
Stephen Feyrer.