IKE: Invalid Life Duration
-
Hi,
I'm running 2.2-ALPHA (amd64) built on Sat Aug 02 15:24:18 CDT 2014 in a Hyper-V VM and experiencing a problem with establishing an IKEv1 session between my pfSense firewall and a PA-200 firewall. When pfSense tries to initiate an IKEv1 session, it appears to incorrectly set the IKE lifetime to 0, which is rejected as invalid. This is confirmed by both the PA-200's IKE debug log (below, look for the PROTO_ERR lines) and a PCAP (screenshot attached).
2014-08-03 17:22:56 [DEBUG]: ikev1.c:2843:isakmp_parsewoh(): begin. 2014-08-03 17:22:56 [DEBUG]: ikev1.c:2870:isakmp_parsewoh(): seen nptype=2(prop) 2014-08-03 17:22:56 [DEBUG]: ikev1.c:2909:isakmp_parsewoh(): succeed. 2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:1352:get_proppair(): proposal #0 len=40 2014-08-03 17:22:56 [DEBUG]: ikev1.c:2843:isakmp_parsewoh(): begin. 2014-08-03 17:22:56 [DEBUG]: ikev1.c:2870:isakmp_parsewoh(): seen nptype=3(trns) 2014-08-03 17:22:56 [DEBUG]: ikev1.c:2909:isakmp_parsewoh(): succeed. 2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:1498:get_transform(): transform #1 len=32 2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:2079:check_attr_isakmp(): type=Encryption Algorithm, flag=0x8000, lorv=3DES 2014-08-03 17:22:56 [DEBUG]: algorithm.c:529:alg_oakley_encdef(): encryption(3des) 2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:2079:check_attr_isakmp(): type=Hash Algorithm, flag=0x8000, lorv=SHA1 2014-08-03 17:22:56 [DEBUG]: algorithm.c:386:alg_oakley_hashdef(): hash(sha1) 2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:2079:check_attr_isakmp(): type=Group Description, flag=0x8000, lorv=DH2 2014-08-03 17:22:56 [DEBUG]: algorithm.c:770:alg_oakley_dhdef(): dh(modp1024) 2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:2079:check_attr_isakmp(): type=Authentication Method, flag=0x8000, lorv=PSK 2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:2079:check_attr_isakmp(): type=Life Type, flag=0x8000, lorv=seconds 2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:2079:check_attr_isakmp(): type=Life Duration, flag=0x8000, lorv=0 2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:1395:get_proppair(): pair 0: 2014-08-03 17:22:56 [DEBUG]: proposal.c:1124:print_proppair0(): 0x10a10568: next=(nil) tnext=(nil) 2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:1430:get_proppair(): proposal #0: 1 transform 2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:361:get_ph1approvalx(): prop#=0, prot-id=ISAKMP, spi-size=0, #trns=1 2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:366:get_ph1approvalx(): trns#=1, trns-id=IKE 2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:660:t2isakmpsa(): type=Encryption Algorithm, flag=0x8000, lorv=3DES 2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:660:t2isakmpsa(): type=Hash Algorithm, flag=0x8000, lorv=SHA1 2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:660:t2isakmpsa(): type=Group Description, flag=0x8000, lorv=DH2 2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:660:t2isakmpsa(): type=Authentication Method, flag=0x8000, lorv=PSK 2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:660:t2isakmpsa(): type=Life Type, flag=0x8000, lorv=seconds 2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:660:t2isakmpsa(): type=Life Duration, flag=0x8000, lorv=0 2014-08-03 17:22:56 [PROTO_ERR]: ipsec_doi.c:785:t2isakmpsa(): invalid life duration. 2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:660:t2isakmpsa(): type=Encryption Algorithm, flag=0x8000, lorv=3DES 2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:660:t2isakmpsa(): type=Hash Algorithm, flag=0x8000, lorv=SHA1 2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:660:t2isakmpsa(): type=Group Description, flag=0x8000, lorv=DH2 2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:660:t2isakmpsa(): type=Authentication Method, flag=0x8000, lorv=PSK 2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:660:t2isakmpsa(): type=Life Type, flag=0x8000, lorv=seconds 2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:660:t2isakmpsa(): type=Life Duration, flag=0x8000, lorv=0 2014-08-03 17:22:56 [PROTO_ERR]: ipsec_doi.c:785:t2isakmpsa(): invalid life duration. 2014-08-03 17:22:56 [PROTO_ERR]: ipsec_doi.c:278:get_ph1approval(): no suitable proposal found. 2014-08-03 17:22:56 [PROTO_ERR]: isakmp_ident.c:1030:ident_r1recv(): 0:? - pf.sense.ip.here[500]:(nil):failed to get valid proposal. 2014-08-03 17:22:56 [PROTO_ERR]: ikev1.c:1415:isakmp_ph1begin_r(): failed to process packet. 2014-08-03 17:22:56 [INFO]: ikev1.c:2483:log_ph1deleted(): ====> PHASE-1 SA DELETED <==== ====> Deleted SA: 10.0.0.2[500]-pf.sense.ip.here[500] cookie:f948164f94b8fd96:ae62708e904e7ebb <====I also experienced this problem with 2.2-ALPHA (amd64) built on Sat Aug 02 00:10:38 CDT 2014. I think I didn't have this problem on a June 28th build, but can't confirm. I notice there's been a few changes recently in the repository to various IKE functions. The generated config at /var/etc/ipsec/ipsec.conf looks all OK and has the configured lifetime value in the file.
Any suggestions? Could there be an issue with my configuration or could this be a bug?
Thanks in advance.
-
Try manually editing /var/etc/ipsec/ipsec.conf. Change 'rekey = no' to 'rekey = yes' for the configs of the SA's to your PA-200. Then run 'ipsec restart' from a command prompt and see if that fixes the problem. Don't restart ipsec via the GUI for this test because it will just regenerate the same config that isn't working.
I reproduced your issue and verified that the lifetime was sent as 0 with rekey = no and as 28800s with rekey = yes. If you verify that you see the same behavior, we can modify the config generation.
-
Thanks mgsmith - I've just tried setting rekey=yes and restarting ipsec using "ipsec restart" on the command line and I can verify that the correct lifetime is used and IKE is successfully established. Hurrah!
From the PA-200's logs;
2014-08-07 15:03:23 [DEBUG]: ipsec_doi.c:384:get_ph1approvalx(): Compared: DB:Peer 2014-08-07 15:03:23 [DEBUG]: ipsec_doi.c:385:get_ph1approvalx(): (lifetime = 28800:28800) 2014-08-07 15:03:23 [DEBUG]: ipsec_doi.c:387:get_ph1approvalx(): (lifebyte = 0:0) 2014-08-07 15:03:23 [DEBUG]: ipsec_doi.c:389:get_ph1approvalx(): enctype = AES:3DES 2014-08-07 15:03:23 [DEBUG]: ipsec_doi.c:394:get_ph1approvalx(): (encklen = 128:0) 2014-08-07 15:03:23 [DEBUG]: ipsec_doi.c:396:get_ph1approvalx(): hashtype = SHA1:SHA1 2014-08-07 15:03:23 [DEBUG]: ipsec_doi.c:401:get_ph1approvalx(): authmethod = PSK:PSK 2014-08-07 15:03:23 [DEBUG]: ipsec_doi.c:406:get_ph1approvalx(): dh_group = DH2:DH2 2014-08-07 15:03:23 [DEBUG]: ipsec_doi.c:384:get_ph1approvalx(): Compared: DB:Peer 2014-08-07 15:03:23 [DEBUG]: ipsec_doi.c:385:get_ph1approvalx(): (lifetime = 28800:28800) 2014-08-07 15:03:23 [DEBUG]: ipsec_doi.c:387:get_ph1approvalx(): (lifebyte = 0:0) 2014-08-07 15:03:23 [DEBUG]: ipsec_doi.c:389:get_ph1approvalx(): enctype = 3DES:3DES 2014-08-07 15:03:23 [DEBUG]: ipsec_doi.c:394:get_ph1approvalx(): (encklen = 0:0) 2014-08-07 15:03:23 [DEBUG]: ipsec_doi.c:396:get_ph1approvalx(): hashtype = SHA1:SHA1 2014-08-07 15:03:23 [DEBUG]: ipsec_doi.c:401:get_ph1approvalx(): authmethod = PSK:PSK 2014-08-07 15:03:23 [DEBUG]: ipsec_doi.c:406:get_ph1approvalx(): dh_group = DH2:DH2 2014-08-07 15:03:23 [DEBUG]: ipsec_doi.c:283:get_ph1approval(): an acceptable proposal found.admin@firewall> show vpn ike-sa gateway FirewallVM phase-1 SAs GwID/client IP Peer-Address Gateway Name Role Mode Algorithm Established Expiration V ST Xt Phase2 --------------- ------------ ------------ ---- ---- --------- ----------- ---------- - -- -- ------ 1 pf.sense.ip.address:4500 FirewallVM Resp Main PSK/DH2/3DES/SHA1 Aug.07 15:03:23 Aug.07 23:03:23 v1 12 2 0