hi,

you have a main misunderstanding here because you're mixing up the identities with the flows.

On Thu, Mar 09, 2006 at 09:29:29PM +0100, Marc Peters wrote:
> i am using -current as of 24.02.2006 and made a release for my other
> machines. i tried the ipsec tutorial which was posted on undeadly.org. i
> have to go with one gateway which has a dynamic ip because it is an
> adsl-connection which is disconnected after 24 hours. when i try to fire
> up the command "ipsecctl -f /etc/ipsec.conf" i get a syntax error for
> each line where i put in the fqdn of the remote host (which is dstid). i
> read the manpage of ipsec.conf(5) where it says
>
>     srcid <fqdn>
>         This optional parameter defines a FQDN that will be used by
>         isakmpd(8) as the identity of the local peer.
>
>     dstid <fqdn>
>         Similar to srcid, this optional parameter defines a FQDN to
>         be used by the remote peer.
>

and

    from <src> to <dst> peer <remote>
        This rule applies for packets with source address <src> and
        destination address <dst>. All addresses are specified in CIDR
        notation. The keyword any will match any address (i.e.
        0.0.0.0/0). The peer parameter specifies the address of the
        remote endpoint of this particular flow. For host-to-host
        connections where <dst> is identical to <remote>, the peer
        specification can be left out.

the flows are used to determine which traffic should be encrypted and the peer is the address of your vpn gateway. all addresses are specified in CIDR notation.

the identity is an additional parameter which is used as a simple authentication string on the remote side, i.e. if you specify a "srcid blablahblahblahblah" with RSA signatures (default in ipsecctl) the remote side will look up the client's RSA public key in /etc/isakmpd/pubkeys/fqdn/blablahblahblahblah.

> i tried this and get a syntax error.
>
> my /etc/ipsec.conf looks like this:
>
> # cat /etc/ipsec.co
> ike passive esp from XXX.XXX.XX.X/24 to XXX.XXX.XX.X/24 peer dstid \
> full-qualified.domain.name
                                                          ^ this makes no sense

ike passive esp from XXX.XXX.XX.X/24 to XXX.XXX.XX.X/24 dstid full-qualified.domain.name

> ike passive esp from XXX.XXX.XX.XXX/25 to XXX.XXX.XX.X/24 peer dstid \
> full-qualified.domain.name
> ike passive esp from XXX.XXX.XXX.XX to XXX.XXX.XX.X/24 peer dstid \
> full-qualified.domain.name
> ike passive esp from XXX.XXX.XXX.XX to dstid full-qualified.domain.name

ditto

> the output is the following:
>
> # ipsecctl -nf /etc/ipsec.conf
> /etc/ipsec.conf: 1: syntax error
> /etc/ipsec.conf: 2: syntax error
> /etc/ipsec.conf: 3: syntax error
> /etc/ipsec.conf: 4: syntax error
> ipsecctl: Syntax error in config file: ipsec rules not loaded
>
> on the other machine the config is similar and the error-message too
> (everywhere, i put a fqdn as srcid).
>
> /etc/ipsec.conf:
> ike esp from XXX.XXX.XX.X/24 to XXX.XXX.XX.X/24 peer XXX.XXX.XXX.XX
> ike esp from XXX.XXX.XX.X/24 to XXX.XXX.XX.XXX/25 peer XXX.XXX.XXX.XX
> ike esp from srcid fully-qualified.domain.name to 192.168.83.0/24 peer \
> XXX.XXX.XXX.XX
               ^ this is wrong

ike esp from any to 192.168.83.0/24 peer XXX.XXX.XXX.XX srcid fully-qualified.domain.name

> ike esp from srcid fully-qualified.domain.name to XXX.XXX.XX.XXX/25 \
> peer XXX.XXX.XXX.XX
> ike esp from srcid fully-qualified.domain.name to XXX.XXX.XXX.XX

ditto

> output:
>
> # ipsecctl -f /etc/ipsec.conf
> /etc/ipsec.conf: 3: syntax error
> /etc/ipsec.conf: 4: syntax error
> /etc/ipsec.conf: 5: syntax error
> ipsecctl: Syntax error in config file: ipsec rules not loaded
>
> can anyone point me in the correct direction, plz?
>
> thx a lot
>
> marc
>
> dmesg:
> OpenBSD 3.9-beta (GENERIC) #1: Wed Mar 8 10:23:11 CET 2006
> [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
> cpu0: Intel Pentium III ("GenuineIntel" 686-class) 1.01 GHz
> cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE
> real mem = 535318528 (522772K)
> avail mem = 481447936 (470164K)
> using 4278 buffers containing 26869760 bytes (26240K) of memory
> mainbus0 (root)
> bios0 at mainbus0: AT/286+(64) BIOS, date 12/14/00, BIOS32 rev. 0 @ 0xf0b90
> apm0 at bios0: Power Management spec V1.2
> apm0: AC on, battery charge unknown
> apm0: flags 30102 dobusy 0 doidle 1
> pcibios0 at bios0: rev 2.1 @ 0xf0000/0x13d2
> pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf1300/208 (11 entries)
> pcibios0: PCI Interrupt Router at 000:31:0 ("Intel 82371FB ISA" rev 0x00)
> pcibios0: PCI bus #1 is the last bus
> bios0: ROM list: 0xc0000/0xc000 0xcc000/0x5400
> cpu0 at mainbus0
> pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
> pchb0 at pci0 dev 0 function 0 "Intel 82815 Hub" rev 0x02: rng active, 398Kb/sec
> vga1 at pci0 dev 2 function 0 "Intel 82815 Graphics" rev 0x02: aperture at 0xf8000000, size 0x4000000
> wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
> wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
> ppb0 at pci0 dev 30 function 0 "Intel 82801BA AGP" rev 0x02
> pci1 at ppb0 bus 1
> xl0 at pci1 dev 9 function 0 "3Com 3c905B 100Base-TX" rev 0x30: irq 11, address 00:04:76:9e:42:2a
> exphy0 at xl0 phy 24: 3Com internal media interface
> xl1 at pci1 dev 10 function 0 "3Com 3c905 100Base-TX" rev 0x00: irq 10, address 00:60:08:2d:35:8d
> nsphy0 at xl1 phy 24: DP83840 10/100 PHY, rev. 1
> ahc0 at pci1 dev 13 function 0 "Adaptec AIC-7899 U160" rev 0x01: irq 11
> scsibus0 at ahc0: 16 targets
> sd0 at scsibus0 targ 0 lun 0: <QUANTUM, ATLAS10K2-TY092L, DDD6> SCSI3 0/direct fixed
> sd0: 8759MB, 17338 cyl, 3 head, 344 sec, 512 bytes/sec, 17938985 sec total
> ahc1 at pci1 dev 13 function 1 "Adaptec AIC-7899 U160" rev 0x01: irq 10
> scsibus1 at ahc1: 16 targets
> xl2 at pci1 dev 15 function 0 "3Com 3c905C 100Base-TX" rev 0x78: irq 9, address 00:e0:18:05:10:1a
> exphy1 at xl2 phy 24: 3Com internal media interface
> ichpcib0 at pci0 dev 31 function 0 "Intel 82801BA LPC" rev 0x02
> pciide0 at pci0 dev 31 function 1 "Intel 82801BA IDE" rev 0x02: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
> atapiscsi0 at pciide0 channel 0 drive 0
> scsibus2 at atapiscsi0: 2 targets
> cd0 at scsibus2 targ 0 lun 0: <PIONEER, DVD-ROM DVD-115, 1.11> SCSI0 5/cdrom removable
> cd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
> pciide0: channel 1 ignored (disabled)
> uhci0 at pci0 dev 31 function 2 "Intel 82801BA USB" rev 0x02: irq 7
> usb0 at uhci0: USB revision 1.0
> uhub0 at usb0
> uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
> uhub0: 2 ports with 2 removable, self powered
> ichiic0 at pci0 dev 31 function 3 "Intel 82801BA SMBus" rev 0x02: irq 15
> iic0 at ichiic0
> lm1 at iic0 addr 0x2d: AS99127F
> uhci1 at pci0 dev 31 function 4 "Intel 82801BA USB" rev 0x02: irq 9
> usb1 at uhci1: USB revision 1.0
> uhub1 at usb1
> uhub1: Intel UHCI root hub, rev 1.00/1.00, addr 1
> uhub1: 2 ports with 2 removable, self powered
> isa0 at ichpcib0
> isadma0 at isa0
> pckbc0 at isa0 port 0x60/5
> pckbd0 at pckbc0 (kbd slot)
> pckbc0: using irq 1 for kbd slot
> wskbd0 at pckbd0: console keyboard, using wsdisplay0
> pcppi0 at isa0 port 0x61
> midi0 at pcppi0: <PC speaker>
> spkr0 at pcppi0
> npx0 at isa0 port 0xf0/16: using exception 16
> pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
> pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
> biomask ffe5 netmask ffe5 ttymask ffe7
> pctr: 686-class user-level performance counters enabled
> mtrr: Pentium Pro MTRR support
> uhub2 at uhub1 port 2
> uhub2: ALCOR Generic USB Hub, rev 1.10/1.00, addr 2
> uhub2: 4 ports with 4 removable, self powered
> ahc0: target 0 using 16bit transfers
> ahc0: target 0 synchronous at 80.0MHz DT, offset = 0x7f
> dkcsum: sd0 matches BIOS drive 0x80
> root on sd0a
> rootdev=0x400 rrootdev=0xd00 rawdev=0xd02
>

--
/*
 * .vantronix|secure systems - (research & development)
 * reyk floeter - friendly known free software engineer
 * [EMAIL PROTECTED] - http://team.vantronix.net/reyk/
 */
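Added example, not from Reyk's reply, Marc's post or any OpenBSD code: the two corrected ipsec.conf files for the setup discussed above (the static gateway waiting passively and identifying the dynamic peer by dstid, the dynamic ADSL gateway initiating with peer plus srcid/dstid), together with a small check that the RSA public key isakmpd(8) looks up under /etc/isakmpd/pubkeys/fqdn/<id> actually exists for every dstid. The hostnames static-gw.example.net and dynamic-gw.example.net, the subnets 192.168.83.0/24 and 10.10.0.0/24, the address 203.0.113.5 and the function names are all placeholders chosen for this example.

```sh
#!/bin/sh
# Added example (not part of the thread). The rules follow the shape given in
# the reply above: flows select traffic, peer names the remote gateway address,
# srcid/dstid carry the FQDN identities and are separate keywords after them.
# Hostnames, subnets and 203.0.113.5 are placeholders.

# Gateway with the static address: it only waits (passive) for the dynamic
# peer, whose address it cannot know, so no peer is given and the remote
# side is identified by its FQDN (dstid). One rule per line.
static_gateway_conf() {
    cat <<'EOF'
ike passive esp from 192.168.83.0/24 to 10.10.0.0/24 srcid static-gw.example.net dstid dynamic-gw.example.net
EOF
}

# Gateway with the dynamic (ADSL) address: it initiates, so it names the
# static gateway's address as peer and presents its own FQDN as srcid.
dynamic_gateway_conf() {
    cat <<'EOF'
ike esp from 10.10.0.0/24 to 192.168.83.0/24 peer 203.0.113.5 srcid dynamic-gw.example.net dstid static-gw.example.net
EOF
}

# List every dstid named in an ipsec.conf file (one rule per line), de-duplicated.
list_dstids() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "dstid") print $(i + 1) }' "$1" | sort -u
}

# Return 0 when every dstid in $1 has a public key file under $2/fqdn/, which is
# where isakmpd(8) looks for the peer's RSA key when that peer authenticates with
# the matching srcid. Otherwise name each missing file on stderr and return 1.
# A missing key here means phase 1 will fail on authentication, not on syntax.
check_dstid_pubkeys() {
    conf=$1
    pubkeys=$2
    missing=0
    for id in $(list_dstids "$conf"); do
        if [ ! -f "$pubkeys/fqdn/$id" ]; then
            echo "no public key for dstid $id: expected $pubkeys/fqdn/$id" >&2
            missing=1
        fi
    done
    return $missing
}

# Usage on a gateway: sh check-ids.sh /etc/ipsec.conf /etc/isakmpd/pubkeys
if [ $# -eq 2 ]; then
    check_dstid_pubkeys "$1" "$2"
fi
```

The check only reads one-rule-per-line files, which is why the generated rules are not wrapped with backslashes; run `ipsecctl -nf` on the file first for the syntax side, then this script for the key side.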