[strongSwan] syntax error, unexpected $end, expecting NAME or NEWLINE or '}' [`]

Nicolas Göddel nicolas at freakscorner.de
Thu Mar 3 12:23:55 CET 2016


Hi @ all,

I just upgraded my strongswan installation to version 5.3.5. Before, I used
strongswan version 5.1.2 directly from the Ubuntu repository.

After "make" and "make install" it all works, but only for a day. Now I get this
error:

syntax error, unexpected $end, expecting NAME or NEWLINE or '}' [`]
invalid config file '/etc/strongswan.conf'

The content of '/etc/strongswan.conf' is:

# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

charon {
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
}

include strongswan.d/*.conf

The desired connection is established but normally there also should be a
connected tunnel. This is the output of 'ipsec statusall':

syntax error, unexpected $end, expecting NAME or NEWLINE or '}' [`]
invalid config file '/etc/strongswan.conf'
Status of IKE charon daemon (strongSwan 5.3.5, Linux 3.16.0-59-generic, x86_64):
  uptime: 4 minutes, since Mar 03 11:00:33 2016
  malloc: sbrk 2297856, mmap 0, used 249232, free 2048624
  worker threads: 10 of 16 idle, 6/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
  loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic
Listening IP addresses:
  192.168.1.152
  10.100.1.2
  176.94.x.y
  176.94.x.y
  10.100.2.1
Connections:
       union:  176.94.x.y...83.136.x.y  IKEv1
       union:   local:  [176.94.x.y] uses pre-shared key authentication
       union:   remote: [83.136.x.y] uses pre-shared key authentication
       union:   child:  10.100.1.0/24 === 10.251.0.0/16 TUNNEL
Security Associations (1 up, 0 connecting):
       union[1]: ESTABLISHED 4 minutes ago, 176.94.x.y[176.94.x.y]...83.136.x.y[83.136.x.y]
       union[1]: IKEv1 SPIs: 8cxxxxxxxx4c1f1c_i* 09xxxxxxxx4d11fb_r, rekeying in 23 hours
       union[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048

If I do an 'ipsec up union' I get the following additional lines:

       union{2}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: caxxxxxx_i ebxxxxxx_o
       union{2}:  AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 45 minutes
       union{2}:   10.100.1.0/24 === 10.251.0.0/16

But this does not always work. This time I had to restart ipsec before I was
able to 'up' the connection. And now, while the tunnel is installed, it seems that
I cannot connect to machines on the other side of the tunnel.
Unfortunately I have no access to the other side. This is another company which
gave us access through an IPSec tunnel to their machines.

This is my ipsec.conf:

config setup
        charondebug="cfg 1, esp 2, ike 1, net 1"

conn %default

conn union
        left=176.94.x.y
        leftsubnet=10.100.1.0/24
        leftfirewall=yes
        right=83.136.x.y
        rightsubnet=10.251.0.0/16
        auto=start
        ikelifetime=86400s
        lifetime=3600s
        type=tunnel
        lifebytes=4608000000
        ike=aes256-sha256-modp2048
        esp=aes256-sha256-modp2048
        authby=psk
        keyexchange=ikev1
        lefthostaccess=yes
        reauth=no

I did not change anything since upgrading to version 5.3.5.

btw: Can anyone please explain to me how to set up log files correctly? I want
to have a separate log file for strongswan in /var/log/strongswan.log or similar.

Thank you!

-- 
——————————————————————————————————————————————
Homepage: http://freakscorner.de
Facebook: http://www.facebook.com/Bastelkeller
Twitter: http://twitter.com/freaks_corner
Youtube: http://youtube.com/tubenic86
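
Added example (not part of the original post and not strongSwan code): the error reports that the parser reached end of input while a '}' was still acceptable, and the strongswan.conf shown is balanced but pulls in further files via include. The sketch below follows include lines and reports every file whose braces do not balance; it assumes each included file should balance on its own and that relative include paths resolve against the including file's directory, and the file names in demo() are constructed.

```python
import glob
import os
import re
import tempfile

_SKIP = re.compile(r'"(?:\\.|[^"\\])*"|#[^\n]*')

def brace_balance(text):
    """Return (unclosed '{', stray '}'); quoted strings and # comments are skipped."""
    depth = stray = 0
    for c in _SKIP.sub("", text):
        if c == "{":
            depth += 1
        elif c == "}" and depth:
            depth -= 1
        elif c == "}":
            stray += 1
    return depth, stray

def check_tree(path, seen=None):
    """Follow 'include' lines from path; map each unbalanced file to its balance."""
    seen = set() if seen is None else seen
    path = os.path.abspath(path)
    if path in seen:
        return {}
    seen.add(path)
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    bad = {path: brace_balance(text)} if brace_balance(text) != (0, 0) else {}
    for line in text.splitlines():
        words = line.split("#", 1)[0].split()
        if len(words) == 2 and words[0] == "include":
            pattern = os.path.join(os.path.dirname(path), words[1].strip('"'))
            for inc in sorted(glob.glob(pattern)):
                bad.update(check_tree(inc, seen))
    return bad

def demo():
    """Constructed tree: a strongswan.conf like the one above, two made-up snippets."""
    files = {"strongswan.conf": "charon {\n  plugins {\n    include strongswan.d/charon/*.conf\n  }\n}\n",
             "strongswan.d/charon/ok.conf": "ok {\n  load = yes  # a } here is ignored\n}\n",
             "strongswan.d/charon/cut.conf": "cut {\n  load = yes\n"}  # ends early
    with tempfile.TemporaryDirectory() as root:
        for name, body in files.items():
            os.makedirs(os.path.dirname(os.path.join(root, name)), exist_ok=True)
            with open(os.path.join(root, name), "w") as fh:
                fh.write(body)
        found = check_tree(os.path.join(root, "strongswan.conf"))
        return {os.path.relpath(p, root): b for p, b in found.items()}
```

On a real host, check_tree('/etc/strongswan.conf') returns an empty dict when every reachable file balances; an entry such as (1, 0) means one section in that file is never closed.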

