[strongSwan] /etc/strongswan.d/VPN.conf:1: syntax error, unexpected NAME, expecting NEWLINE or '{' or '=' [vpn]

Miroslav Svoboda goodmirek at goodmirek.cz
Sun Apr 19 10:11:04 CEST 2015


Hi Stephen,

So I assume there is no longer any syntax error reported.

From the logfile I see there is no acceptable traffic selector. I assume that
you have a home PC (Ubuntu) with Strongswan which you want to connect to 
the office VPN concentrator with IP 17.11.7.5 running Windows. I suppose 
VPN concentrator in the office is not configured to route any traffic 
towards your home PC's IP address, thus you will need a virtual IP address
assigned to your home PC by the VPN concentrator. Also I suppose you want 
to route all traffic via that VPN once connected.
Then, please try to modify "left=%defaultroute" to "left=%any" and add 
"rightsubnet=0.0.0.0/0" and "leftsourceip=%config". You should not specify 
"leftsubnet", it has same effect as "leftsubnet=%dynamic".
According to the documentation at the wiki
<https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection>, the configuration
directive "left=%defaultroute" was used prior to version 5.0.0 and was superseded
by "left=%any".
leftsubnet=%dynamic (or omitting leftsubnet altogether) and
rightsubnet=0.0.0.0/0 will create your traffic selector. It says that
anything (0.0.0.0/0) from your side will be routed to the remote host and that
the remote host will route towards your PC (left == local) the traffic which
fits your dynamically assigned IP. Should you want to route only
office-related traffic towards the office network, then change
"rightsubnet=<subnet_used_in_Stephen's_office>".

If that didn't help, could you please provide the output of 'ipsec statusall' and
also more details about the network topology?

Regards,
Miroslav

On Saturday, April 18, 2015 at 5:28:12 PM UTC+2, Stephen Feyrer wrote:
>
> Hi Miroslav,
>
> Thank you.  The conn section as presented below was copied and pasted from a
> web page for convenience (this stripped the leading white space from the
> conn section).  For the moment the white spaces are in the form of TAB
> characters.  I will test with space characters and complete this email.
>
> I apologise for the lack of white spaces in the conn section of the below
> email.  I have now tested with both spaces and tabs, each producing the 
> same error as below.
>
>
> --
> Kind regards
>
> Stephen Feyrer.
>
>
> On Sat, 18 Apr 2015 13:25:20 +0100, Miroslav Svoboda <good... at goodmirek.cz> wrote:
>
> Hi Stephen,
>
> I believe the issue might be caused by the "conn" section not being compliant
> with the prescribed format. There should be at least one whitespace character at the
> beginning of each line within the section. Only sections can and shall
> start at the first character of the line.
>
> Supposed correction:
> conn VPN-OFFICE-COM
>    keyexchange=ikev1
>    type=transport
>    authby=secret
>    ike=3des-sha1-modp1024
>    rekey=no
>    left=%defaultroute
>    leftprotoport=udp/l2tp
>    right=vpn.office.com
>    rightprotoport=udp/l2tp
>    rightid=17.11.7.5
>    auto=add
>
> Regards,
> Miroslav
>
> Message: 3
> Date: Fri, 17 Apr 2015 14:08:57 +0100
> From: "Stephen Feyrer" <stephen... at btinternet.com>
> To: us... at lists.strongswan.org
> Subject: Re: [strongSwan] /etc/strongswan.d/VPN.conf:1: syntax error,
>         unexpected NAME, expecting NEWLINE or '{' or '=' [vpn]
> Message-ID: <op.xw8ms... at sveta.home.org>
> Content-Type: text/plain; charset=utf-8; format=flowed; delsp=yes
>
> Hi Neol,
>
> Thank you.  I have removed the file /etc/strongswan.d/VPN.conf
>
> In /etc/ipsec.conf I have the same configuration.  At least there is
> progress, unfortunately I am still baffled.  This is the previously
> working configuration.
>
> code:
>
> # ipsec.conf - strongSwan IPsec configuration file
>
> # basic configuration
>
> config setup
>          # strictcrlpolicy=yes
>          # uniqueids = no
>
> conn VPN-OFFICE-COM
> keyexchange=ikev1
> type=transport
> authby=secret
> ike=3des-sha1-modp1024
> rekey=no
> left=%defaultroute
> leftprotoport=udp/l2tp
> right=vpn.office.com
> rightprotoport=udp/l2tp
> rightid=17.11.7.5
> auto=add
>
>
> Having restarted ipsec, I get the following result
>
> code:
>
> # ipsec up VPN-OFFICE-COM
> initiating Main Mode IKE_SA VPN-OFFICE-COM[1] to 17.11.7.5
> generating ID_PROT request 0 [ SA V V V V ]
> sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (212 bytes)
> received packet: from 17.11.7.5[500] to 1.2.3.4[500] (116 bytes)
> parsed ID_PROT response 0 [ SA V V ]
> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
> received FRAGMENTATION vendor ID
> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
> sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (244 bytes)
> received packet: from 17.11.7.5[500] to 1.2.3.4[500] (304 bytes)
> parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
> received Cisco Unity vendor ID
> received XAuth vendor ID
> received unknown vendor ID: [Available On Request]
> received unknown vendor ID: [Available On Request]
> local host is behind NAT, sending keep alives
> generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
> sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (84 bytes)
> received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)
> parsed ID_PROT response 0 [ ID HASH V ]
> received DPD vendor ID
> IKE_SA VPN-OFFICE-COM[1] established between
> 1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]
> generating QUICK_MODE request [Available On Request] [ HASH SA No ID ID
> NAT-OA NAT-OA ]
> sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (220 bytes)
> received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (180 bytes)
> parsed QUICK_MODE response [Available On Request] [ HASH SA No ID ID
> N((24576)) NAT-OA ]
> received 28800s lifetime, configured 0s
> no acceptable traffic selectors found
> establishing connection 'VPN-OFFICE-COM' failed
>
>
>
> --
> Kind regards
>
>
> Stephen Feyrer
>
>
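The two problems in this thread are a conn block whose settings were not indented and a traffic selector that the remote side rejected. The script below is an added example, not strongSwan's own parser: it lints an ipsec.conf text for the layout rule stated above (only section headers may start in column one, every setting inside a section must be indented) and reports what the local/remote selector of a parsed conn looks like once an omitted leftsubnet is treated as %dynamic. The function names (parse_ipsec_conf, first_error, effective_traffic_selector) are the example's own, and both sample configurations are constructed here from the conn block posted in the thread.

```python
"""Lint an ipsec.conf text for the layout rule discussed in this thread.

Added example, not strongSwan code: only section headers ("config setup",
"conn NAME", "ca NAME") may begin in column one; every setting that belongs
to a section must be indented by at least one space or tab, otherwise a
parser cannot tell which section it belongs to.  The sample configurations
below are constructed for this example from the conn block in the thread.
"""
import re

SECTION_RE = re.compile(r"^(conn|config|ca)\s+(\S+)\s*$")
KEYVAL_RE = re.compile(r"^(\S+?)\s*=\s*(.*?)\s*$")


class IpsecConfError(ValueError):
    """Raised for a line that breaks the ipsec.conf layout rules."""


def parse_ipsec_conf(text):
    """Return {"conn NAME": {key: value, ...}, ...} or raise IpsecConfError."""
    sections = {}
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue                      # blank line or comment
        if stripped.startswith("include "):
            continue                      # include directives are not followed here
        if raw[0] not in " \t":
            # Column one: only a section header is allowed here.
            m = SECTION_RE.match(stripped)
            if not m:
                raise IpsecConfError(
                    f"line {lineno}: '{stripped}' starts in column one but is not a "
                    "section header; settings inside a section must be indented")
            current = f"{m.group(1)} {m.group(2)}"
            sections[current] = {}
            continue
        if current is None:
            raise IpsecConfError(f"line {lineno}: setting appears before any section header")
        m = KEYVAL_RE.match(stripped)
        if not m:
            raise IpsecConfError(f"line {lineno}: expected key=value, got '{stripped}'")
        sections[current][m.group(1)] = m.group(2)
    return sections


def first_error(text):
    """Return the first layout error message, or None if the text parses."""
    try:
        parse_ipsec_conf(text)
    except IpsecConfError as exc:
        return str(exc)
    return None


def effective_traffic_selector(conn):
    """Local/remote selector as the thread describes it: an omitted leftsubnet
    behaves like leftsubnet=%dynamic (the address assigned to this host), and
    an omitted rightsubnet covers only the remote host itself (its 'right')."""
    return conn.get("leftsubnet", "%dynamic"), conn.get("rightsubnet", conn.get("right"))


# Constructed sample 1: the conn block with its settings flush left, the form
# that produced the indentation problem discussed in the thread.
BROKEN_CONF = "\n".join([
    "# ipsec.conf - constructed sample",
    "config setup",
    "        # uniqueids = no",
    "",
    "conn VPN-OFFICE-COM",
    "keyexchange=ikev1",
    "type=transport",
    "left=%defaultroute",
    "right=vpn.office.com",
    "auto=add",
])

# Constructed sample 2: indented, with the changes proposed in the reply above
# (left=%any, leftsourceip=%config, rightsubnet=0.0.0.0/0, no leftsubnet).
CORRECTED_CONF = "\n".join([
    "config setup",
    "",
    "conn VPN-OFFICE-COM",
    "    keyexchange=ikev1",
    "    type=transport",
    "    authby=secret",
    "    ike=3des-sha1-modp1024",
    "    rekey=no",
    "    left=%any",
    "    leftsourceip=%config",
    "    leftprotoport=udp/l2tp",
    "    right=vpn.office.com",
    "    rightsubnet=0.0.0.0/0",
    "    rightprotoport=udp/l2tp",
    "    rightid=17.11.7.5",
    "    auto=add",
])

if __name__ == "__main__":
    print("broken sample:", first_error(BROKEN_CONF))
    conn = parse_ipsec_conf(CORRECTED_CONF)["conn VPN-OFFICE-COM"]
    print("corrected sample parses; traffic selector:", effective_traffic_selector(conn))
```

The lint is deliberately stricter than strongSwan itself may be: a flush-left setting is reported as an error rather than being attached to whichever section came before it, which is how such a mistake stays invisible until the tunnel misbehaves. The corrected sample keeps the thread's proposal unchanged, including the 3des-sha1-modp1024 IKE proposal; a current deployment would pair the same layout with a modern proposal.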