[strongSwan] /etc/strongswan.d/VPN.conf:1: syntax error, unexpected NAME, expecting NEWLINE or '{' or '=' [vpn]

Miroslav Svoboda goodmirek at goodmirek.cz
Mon Apr 20 01:57:42 CEST 2015


Hi Stephen,

Please delete type=transport or change it to type=tunnel.
Also delete rightprotoport and leftprotoport.

If this did not help, please again provide the output of ipsec statusall, enable 
logging at a higher level as described here 
<https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration>, 
and provide the logfile.

Regards,
Miroslav

On Monday, April 20, 2015 at 1:47:48 AM UTC+2, Stephen Feyrer wrote:
>
> Hi Miroslav,
>
> You are correct, the syntax error is gone.  Sadly, there is not much that 
> I can tell you about my office network topology.  All that I do know is 
> that we pass through a Windows Firewall before being able to connect our 
> workstations.
>
>
> code:
>
> # ipsec.conf - strongSwan IPsec configuration file
>
> # basic configuration
>
> config setup
>         # strictcrlpolicy=yes
>         # uniqueids = no
>
> conn VPN-OFFICE-COM
>         keyexchange=ikev1
>         type=transport
>         authby=secret
>         ike=3des-sha1-modp1024
>         rekey=no
>         left=%any
>         leftsourceip=%config
>         leftprotoport=udp/l2tp
>         right=vpn.office.com
>         rightprotoport=udp/l2tp
>         rightid=17.11.7.5
>         rightsubnet=0.0.0.0/0
>         auto=add
>
>
>
> # ipsec up VPN-OFFICE-COM
> initiating Main Mode IKE_SA VPN-OFFICE-COM[14] to 17.11.7.5
> generating ID_PROT request 0 [ SA V V V V ]
> sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (212 bytes)
> received packet: from 17.11.7.5[500] to 1.2.3.4[500] (116 bytes)
> parsed ID_PROT response 0 [ SA V V ]
> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
> received FRAGMENTATION vendor ID
> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
> sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (244 bytes)
> received packet: from 17.11.7.5[500] to 1.2.3.4[500] (304 bytes)
> parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
> received Cisco Unity vendor ID
> received XAuth vendor ID
> received unknown vendor ID: [HIDDEN]
> received unknown vendor ID: [HIDDEN]
> local host is behind NAT, sending keep alives
> generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
> sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (84 bytes)
> received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)
> parsed ID_PROT response 0 [ ID HASH V ]
> received DPD vendor ID
> IKE_SA VPN-OFFICE-COM[14] established between 
> 1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]
> generating QUICK_MODE request [HIDDEN] [ HASH SA No ID ID NAT-OA NAT-OA ]
> sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (220 bytes)
> received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (180 bytes)
> parsed QUICK_MODE response [HIDDEN] [ HASH SA No ID ID N(([HIDDEN])) 
> NAT-OA ]
> received 28800s lifetime, configured 0s
> no acceptable traffic selectors found
> establishing connection 'VPN-OFFICE-COM' failed
>
>
> # ipsec statusall
> Status of IKE charon daemon (strongSwan 5.2.2, Linux 3.16.5-gentoo, 
> x86_64):
> uptime: 3 hours, since Apr 19 20:50:15 2015
> malloc: sbrk [HIDDEN], mmap 0, used [HIDDEN], free [HIDDEN]
> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, 
> scheduled: 1
> loaded plugins: charon ldap mysql sqlite aes des rc2 sha1 sha2 md4 md5 
> random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 
> pgp dnskey sshkey pem openssl gcrypt fips-prf gmp xcbc cmac hmac curl attr 
> kernel-netlink resolve socket-default socket-dynamic farp stroke vici 
> updown eap-identity eap-sim eap-aka eap-aka-3gpp2 eap-simaka-pseudonym 
> eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls 
> xauth-generic xauth-eap xauth-pam dhcp lookip led unity
> Listening IP addresses:
> 1.2.3.4
> Connections:
> VPN-OFFICE-COM: %any...vpn.office.com IKEv1
> VPN-OFFICE-COM: local: [1.2.3.4] uses pre-shared key authentication
> VPN-OFFICE-COM: remote: [17.11.7.5] uses pre-shared key authentication
> VPN-OFFICE-COM: child: dynamic[udp/l2tp] === dynamic[udp/l2tp] TRANSPORT
> Security Associations (1 up, 0 connecting):
> VPN-OFFICE-COM[14]: ESTABLISHED 6 seconds ago, 
> 1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]
> VPN-OFFICE-COM[14]: IKEv1 SPIs: [HIDDEN]_i* [HIDDEN]_r, rekeying disabled
> VPN-OFFICE-COM[14]: IKE proposal: 
> 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
>
>
> Thank you for your help.  I hope this tells you more than it does me.
>
>
> --
> Kind regards
>
> Stephen Feyrer.
>
>
>
> On Sun, 19 Apr 2015 09:11:04 +0100, Miroslav Svoboda <good... at goodmirek.cz> 
> wrote:
>
> Hi Stephen,
>
> So I assume there is no longer any syntax error reported.
>
> From the logfile I see there is no acceptable traffic selector. I assume that 
> you have a home PC (Ubuntu) with strongSwan which you want to connect to 
> the office VPN concentrator with IP 17.11.7.5 running Windows. I suppose 
> the VPN concentrator in the office is not configured to route any traffic 
> towards your home PC's IP address, thus you will need a virtual IP address 
> assigned to your home PC by the VPN concentrator. Also I suppose you want 
> to route all traffic via that VPN once connected.
> Then, please try to modify "left=%defaultroute" to "left=%any" and add 
> "rightsubnet=0.0.0.0/0" and "leftsourceip=%config". You should not 
> specify "leftsubnet"; it has the same effect as "leftsubnet=%dynamic".
> According to the documentation at the wiki 
> <https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection>, the configuration 
> directive "left=%defaultroute" was used prior to version 5.0.0, superseded 
> by "left=%any".
> leftsubnet=%dynamic (or omitting leftsubnet altogether) and rightsubnet=0.0.0.0/0 
> will create your traffic selector. It says that anything (0.0.0.0/0) from 
> your side will be routed to the remote host and that the remote host will 
> route towards your PC (left==local) traffic which would fit your dynamically 
> assigned IP. Should you want to route towards the office network only 
> office-related traffic, then change 
> "rightsubnet=<subnet_used_in_Stephen's_office>".
>
> If that didn't help, can you please provide the output of 'ipsec statusall' and 
> also more details about the network topology?
>
> Regards,
> Miroslav
>
> On Saturday, April 18, 2015 at 5:28:12 PM UTC+2, Stephen Feyrer wrote:
>>
>> Hi Miroslav,
>>
>> Thank you.  The conn section as presented below was copied and pasted 
>> from a web page for convenience (this stripped the leading white space from 
>> the conn section).  For the moment the white space is in the form of TAB 
>> characters.  I will test with space characters and complete this email.
>>
>> I apologise for the lack of white space in the conn section of the below 
>> email.  I have now tested with both spaces and tabs, each producing the 
>> same error as below.
>>
>>
>> --
>> Kind regards
>>
>> Stephen Feyrer.
>>
>>
>> On Sat, 18 Apr 2015 13:25:20 +0100, Miroslav Svoboda <
>> good... at goodmirek.cz> wrote:
>>
>> Hi Stephen,
>>
>> I believe the issue might be caused by the "conn" section not being 
>> compliant with the prescribed format. There should be at least one whitespace 
>> character at the beginning of each line within the section. Only sections can 
>> and shall start at the first character of the line.
>>
>> Supposed correction:
>> conn VPN-OFFICE-COM
>>    keyexchange=ikev1
>>    type=transport
>>    authby=secret
>>    ike=3des-sha1-modp1024
>>    rekey=no
>>    left=%defaultroute
>>    leftprotoport=udp/l2tp
>>    right=vpn.office.com
>>    rightprotoport=udp/l2tp
>>    rightid=17.11.7.5
>>    auto=add
>>
>> Regards,
>> Miroslav
>>
>> Message: 3
>> Date: Fri, 17 Apr 2015 14:08:57 +0100
>> From: "Stephen Feyrer" <stephen... at btinternet.com>
>> To: us... at lists.strongswan.org
>> Subject: Re: [strongSwan] /etc/strongswan.d/VPN.conf:1: syntax error,
>>         unexpected NAME, expecting NEWLINE or '{' or '=' [vpn]
>> Message-ID: <op.xw8ms... at sveta.home.org>
>> Content-Type: text/plain; charset=utf-8; format=flowed; delsp=yes
>>
>> Hi Neol,
>>
>> Thank you.  I have removed the file /etc/strongswan.d/VPN.conf
>>
>> In /etc/ipsec.conf I have the same configuration.  At least there is
>> progress; unfortunately I am still baffled.  This is the previously
>> working configuration.
>>
>> code:
>>
>> # ipsec.conf - strongSwan IPsec configuration file
>>
>> # basic configuration
>>
>> config setup
>>          # strictcrlpolicy=yes
>>          # uniqueids = no
>>
>> conn VPN-OFFICE-COM
>> keyexchange=ikev1
>> type=transport
>> authby=secret
>> ike=3des-sha1-modp1024
>> rekey=no
>> left=%defaultroute
>> leftprotoport=udp/l2tp
>> right=vpn.office.com
>> rightprotoport=udp/l2tp
>> rightid=17.11.7.5
>> auto=add
>>
>>
>> Having restarted ipsec, I get the following result
>>
>> code:
>>
>> # ipsec up VPN-OFFICE-COM
>> initiating Main Mode IKE_SA VPN-OFFICE-COM[1] to 17.11.7.5
>> generating ID_PROT request 0 [ SA V V V V ]
>> sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (212 bytes)
>> received packet: from 17.11.7.5[500] to 1.2.3.4[500] (116 bytes)
>> parsed ID_PROT response 0 [ SA V V ]
>> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
>> received FRAGMENTATION vendor ID
>> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
>> sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (244 bytes)
>> received packet: from 17.11.7.5[500] to 1.2.3.4[500] (304 bytes)
>> parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
>> received Cisco Unity vendor ID
>> received XAuth vendor ID
>> received unknown vendor ID: [Available On Request]
>> received unknown vendor ID: [Available On Request]
>> local host is behind NAT, sending keep alives
>> generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
>> sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (84 bytes)
>> received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)
>> parsed ID_PROT response 0 [ ID HASH V ]
>> received DPD vendor ID
>> IKE_SA VPN-OFFICE-COM[1] established between
>> 1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]
>> generating QUICK_MODE request [Available On Request] [ HASH SA No ID ID
>> NAT-OA NAT-OA ]
>> sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (220 bytes)
>> received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (180 bytes)
>> parsed QUICK_MODE response [Available On Request] [ HASH SA No ID ID
>> N((24576)) NAT-OA ]
>> received 28800s lifetime, configured 0s
>> no acceptable traffic selectors found
>> establishing connection 'VPN-OFFICE-COM' failed
>>
>>
>>
>> --
>> Kind regards
>>
>>
>> Stephen Feyrer
>>
>>
>
>
> -- 
> Kind regards
>
>
> Stephen Feyrer
>
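Added example, not from this thread or from the strongSwan project: a small Python linter that encodes the two pieces of advice given in the replies above. First, inside a `conn` section every directive line must be indented and only section headers may start in column 0 (the layout rule behind the "unexpected NAME" error). Second, `type=transport` cannot be combined with a virtual IP (`leftsourceip`) or a catch-all `rightsubnet=0.0.0.0/0`, and the `leftprotoport`/`rightprotoport` selectors conflict with routing everything through the VPN, which is why the Quick Mode exchange ended in "no acceptable traffic selectors found". The check logic, the messages and the three sample configurations are my own, modelled on the configs posted in the thread; this is not strongSwan's parser (`include` lines and `also=` are not handled).

```python
import re
from dataclasses import dataclass, field

# Only section headers may start in column 0: "conn <name>", "config setup", "ca <name>".
SECTION_RE = re.compile(r"^(conn|config|ca)\s+(\S+)\s*$")


@dataclass
class Section:
    kind: str
    name: str
    line: int
    params: dict = field(default_factory=dict)  # key -> (value, line number)


def parse_ipsec_conf(text):
    """Return (sections, problems); a problem is (line_number, message)."""
    sections, problems, current = [], [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        header = SECTION_RE.match(line)
        if header:
            current = Section(header.group(1), header.group(2), lineno)
            sections.append(current)
            continue
        if line[0] not in " \t":
            # The case strongSwan rejects with "unexpected NAME": a bare word where a
            # section header is expected. Still recorded so semantic checks can run.
            problems.append((lineno, "directive must be indented; only section "
                                     "headers start in column 0"))
        key, sep, value = line.strip().partition("=")
        if current is None or not sep:
            problems.append((lineno, f"cannot parse {line.strip()!r} here"))
            continue
        current.params[key.strip()] = (value.strip(), lineno)
    return sections, problems


def check_conn(section):
    """Semantic checks for one conn section, encoding the thread's advice."""
    p, problems = section.params, []
    value = lambda k: p[k][0] if k in p else None
    where = lambda k: p[k][1] if k in p else section.line
    # A virtual IP (leftsourceip) or a catch-all remote subnet needs tunnel mode;
    # in transport mode the peers will not agree on traffic selectors.
    if value("type") == "transport" and ("leftsourceip" in p or value("rightsubnet") == "0.0.0.0/0"):
        problems.append((where("type"), "type=transport with leftsourceip/rightsubnet=0.0.0.0/0 "
                                        "cannot yield acceptable traffic selectors; use type=tunnel"))
    # Routing everything through the VPN conflicts with a selector pinned to one port.
    if value("rightsubnet") == "0.0.0.0/0":
        for k in ("leftprotoport", "rightprotoport"):
            if k in p:
                problems.append((where(k), f"{k} narrows the selector to a single port, "
                                           "which conflicts with rightsubnet=0.0.0.0/0"))
    if value("left") == "%defaultroute":
        problems.append((where("left"), "left=%defaultroute is pre-5.0.0 syntax; use left=%any"))
    return problems


def lint_ipsec_conf(text):
    """All layout and semantic problems for the given ipsec.conf text, by line."""
    sections, problems = parse_ipsec_conf(text)
    for s in sections:
        if s.kind == "conn":
            problems.extend(check_conn(s))
    return sorted(problems)


# Constructed samples modelled on the configurations posted in the thread.
UNINDENTED = """\
conn VPN-OFFICE-COM
type=transport
authby=secret
left=%defaultroute
leftprotoport=udp/l2tp
right=vpn.office.com
rightprotoport=udp/l2tp
auto=add
"""

TRANSPORT_WITH_VIP = """\
conn VPN-OFFICE-COM
        type=transport
        left=%any
        leftsourceip=%config
        leftprotoport=udp/l2tp
        right=vpn.office.com
        rightprotoport=udp/l2tp
        rightsubnet=0.0.0.0/0
        auto=add
"""

FIXED = """\
conn VPN-OFFICE-COM
        type=tunnel
        left=%any
        leftsourceip=%config
        right=vpn.office.com
        rightsubnet=0.0.0.0/0
        auto=add
"""
```

`lint_ipsec_conf(UNINDENTED)` reports one indentation problem per directive plus the `%defaultroute` note; `lint_ipsec_conf(TRANSPORT_WITH_VIP)` reports the transport/virtual-IP conflict and both `protoport` lines; `lint_ipsec_conf(FIXED)` (tunnel mode, no `protoport`) reports nothing. Running such a check before `ipsec restart` catches the layout error locally instead of in the daemon's log.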