    IKE: Invalid Life Duration

    2.2 Snapshot Feedback and Problems - RETIRED
    • KingJ last edited by

      Hi,

      I'm running 2.2-ALPHA (amd64) built on Sat Aug 02 15:24:18 CDT 2014 in a Hyper-V VM and experiencing a problem with establishing an IKEv1 session between my pfSense firewall and a PA-200 firewall. When pfSense tries to initiate an IKEv1 session, it appears to incorrectly set the IKE lifetime to 0, which is rejected as invalid. This is confirmed by both the PA-200's IKE debug log (below, look for the PROTO_ERR lines) and a PCAP (screenshot attached).

      2014-08-03 17:22:56 [DEBUG]: ikev1.c:2843:isakmp_parsewoh(): begin.
      2014-08-03 17:22:56 [DEBUG]: ikev1.c:2870:isakmp_parsewoh(): seen nptype=2(prop)
      2014-08-03 17:22:56 [DEBUG]: ikev1.c:2909:isakmp_parsewoh(): succeed.
      2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:1352:get_proppair(): proposal #0 len=40
      2014-08-03 17:22:56 [DEBUG]: ikev1.c:2843:isakmp_parsewoh(): begin.
      2014-08-03 17:22:56 [DEBUG]: ikev1.c:2870:isakmp_parsewoh(): seen nptype=3(trns)
      2014-08-03 17:22:56 [DEBUG]: ikev1.c:2909:isakmp_parsewoh(): succeed.
      2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:1498:get_transform(): transform #1 len=32
      2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:2079:check_attr_isakmp(): type=Encryption Algorithm, flag=0x8000, lorv=3DES
      2014-08-03 17:22:56 [DEBUG]: algorithm.c:529:alg_oakley_encdef(): encryption(3des)
      2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:2079:check_attr_isakmp(): type=Hash Algorithm, flag=0x8000, lorv=SHA1
      2014-08-03 17:22:56 [DEBUG]: algorithm.c:386:alg_oakley_hashdef(): hash(sha1)
      2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:2079:check_attr_isakmp(): type=Group Description, flag=0x8000, lorv=DH2
      2014-08-03 17:22:56 [DEBUG]: algorithm.c:770:alg_oakley_dhdef(): dh(modp1024)
      2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:2079:check_attr_isakmp(): type=Authentication Method, flag=0x8000, lorv=PSK
      2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:2079:check_attr_isakmp(): type=Life Type, flag=0x8000, lorv=seconds
      2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:2079:check_attr_isakmp(): type=Life Duration, flag=0x8000, lorv=0
      2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:1395:get_proppair(): pair 0:
      2014-08-03 17:22:56 [DEBUG]: proposal.c:1124:print_proppair0():  0x10a10568: next=(nil) tnext=(nil)
      2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:1430:get_proppair(): proposal #0: 1 transform
      2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:361:get_ph1approvalx(): prop#=0, prot-id=ISAKMP, spi-size=0, #trns=1
      2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:366:get_ph1approvalx(): trns#=1, trns-id=IKE
      2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:660:t2isakmpsa(): type=Encryption Algorithm, flag=0x8000, lorv=3DES
      2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:660:t2isakmpsa(): type=Hash Algorithm, flag=0x8000, lorv=SHA1
      2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:660:t2isakmpsa(): type=Group Description, flag=0x8000, lorv=DH2
      2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:660:t2isakmpsa(): type=Authentication Method, flag=0x8000, lorv=PSK
      2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:660:t2isakmpsa(): type=Life Type, flag=0x8000, lorv=seconds
      2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:660:t2isakmpsa(): type=Life Duration, flag=0x8000, lorv=0
      2014-08-03 17:22:56 [PROTO_ERR]: ipsec_doi.c:785:t2isakmpsa(): invalid life duration.
      2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:660:t2isakmpsa(): type=Encryption Algorithm, flag=0x8000, lorv=3DES
      2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:660:t2isakmpsa(): type=Hash Algorithm, flag=0x8000, lorv=SHA1
      2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:660:t2isakmpsa(): type=Group Description, flag=0x8000, lorv=DH2
      2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:660:t2isakmpsa(): type=Authentication Method, flag=0x8000, lorv=PSK
      2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:660:t2isakmpsa(): type=Life Type, flag=0x8000, lorv=seconds
      2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:660:t2isakmpsa(): type=Life Duration, flag=0x8000, lorv=0
      2014-08-03 17:22:56 [PROTO_ERR]: ipsec_doi.c:785:t2isakmpsa(): invalid life duration.
      2014-08-03 17:22:56 [PROTO_ERR]: ipsec_doi.c:278:get_ph1approval(): no suitable proposal found.
      2014-08-03 17:22:56 [PROTO_ERR]: isakmp_ident.c:1030:ident_r1recv(): 0:? - pf.sense.ip.here[500]:(nil):failed to get valid proposal.
      2014-08-03 17:22:56 [PROTO_ERR]: ikev1.c:1415:isakmp_ph1begin_r(): failed to process packet.
      2014-08-03 17:22:56 [INFO]: ikev1.c:2483:log_ph1deleted(): ====> PHASE-1 SA DELETED <====
      ====> Deleted SA: 10.0.0.2[500]-pf.sense.ip.here[500] cookie:f948164f94b8fd96:ae62708e904e7ebb <====

      I also experienced this problem with 2.2-ALPHA (amd64) built on Sat Aug 02 00:10:38 CDT 2014. I think I didn't have this problem on a June 28th build, but can't confirm. I notice there have been a few changes recently in the repository to various IKE functions. The generated config at /var/etc/ipsec/ipsec.conf looks all OK and has the configured lifetime value in the file.

      Any suggestions? Could there be an issue with my configuration or could this be a bug?

      Thanks in advance.

      ![ike 0 secs.PNG](/public/imported_attachments/1/ike 0 secs.PNG)

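To make the failing proposal concrete, here is an added Python example (not code from this thread, pfSense, strongSwan or the PA-200) that encodes and parses the ISAKMP transform attributes the PA-200 debug log shows, then applies the sanity check the responder failed on: a Life Type of seconds paired with a Life Duration of 0. Attribute type numbers and values are taken from RFC 2409 Appendix A; the two byte strings are constructed here, the check itself is modelled on the log rather than copied from racoon, and encoding the 28800 s lifetime as a 4-byte TLV attribute is an assumption about how the working proposal was encoded.

```python
import struct

# ISAKMP (IKEv1 Phase 1) attribute types and values, per RFC 2409 Appendix A.
ATTR_ENCRYPTION, ATTR_HASH, ATTR_AUTH, ATTR_GROUP = 1, 2, 3, 4
ATTR_LIFE_TYPE, ATTR_LIFE_DURATION, LIFE_TYPE_SECONDS = 11, 12, 1
AF_BIT = 0x8000  # attribute-format bit: set = 2-byte value (TV), clear = 2-byte length + value (TLV)

def basic(atype: int, value: int) -> bytes:
    return struct.pack("!HH", AF_BIT | atype, value)  # TV form, the "flag=0x8000" seen in the log

def variable(atype: int, value: int, width: int) -> bytes:
    return struct.pack("!HH", atype, width) + value.to_bytes(width, "big")  # TLV form

def parse_attributes(data: bytes) -> list[tuple[int, int]]:
    """Decode the attribute list of an ISAKMP transform payload into (type, value) pairs."""
    attrs, off = [], 0
    while off < len(data):
        if off + 4 > len(data):
            raise ValueError("truncated attribute header")
        hdr, lorv = struct.unpack_from("!HH", data, off)
        off += 4
        atype = hdr & ~AF_BIT
        if hdr & AF_BIT:
            attrs.append((atype, lorv))                 # lorv is the value itself
        else:
            if off + lorv > len(data):
                raise ValueError("truncated attribute value")
            attrs.append((atype, int.from_bytes(data[off:off + lorv], "big")))
            off += lorv                                 # lorv was the value length
    return attrs

def lifetime_check(attrs: list[tuple[int, int]]) -> tuple[bool, str]:
    """Responder-side check (assumed, modelled on the log): Life Type needs a non-zero Life Duration."""
    d = dict(attrs)
    if ATTR_LIFE_TYPE not in d:
        return True, "no lifetime proposed"
    if d.get(ATTR_LIFE_DURATION, 0) == 0:
        return False, "invalid life duration"
    return True, f"lifetime {d[ATTR_LIFE_DURATION]} (life type {d[ATTR_LIFE_TYPE]})"

# Constructed transform attributes mirroring the PA-200 log: 3DES / SHA1 / DH2 / PSK / seconds.
COMMON = (basic(ATTR_ENCRYPTION, 5) + basic(ATTR_HASH, 2) + basic(ATTR_GROUP, 2) +
          basic(ATTR_AUTH, 1) + basic(ATTR_LIFE_TYPE, LIFE_TYPE_SECONDS))
BROKEN_PROPOSAL = COMMON + basic(ATTR_LIFE_DURATION, 0)           # what 'rekey = no' produced
FIXED_PROPOSAL = COMMON + variable(ATTR_LIFE_DURATION, 28800, 4)  # 'rekey = yes'; TLV encoding assumed

if __name__ == "__main__":
    for name, blob in (("rekey = no", BROKEN_PROPOSAL), ("rekey = yes", FIXED_PROPOSAL)):
        print(name, lifetime_check(parse_attributes(blob)))
```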
      • mgsmith last edited by

        Try manually editing /var/etc/ipsec/ipsec.conf. Change 'rekey = no' to 'rekey = yes' for the configs of the SAs to your PA-200. Then run 'ipsec restart' from a command prompt and see if that fixes the problem. Don't restart ipsec via the GUI for this test because it will just regenerate the same config that isn't working.

        I reproduced your issue and verified that the lifetime was sent as 0 with rekey = no and as 28800s with rekey = yes. If you verify that you see the same behavior, we can modify the config generation.

        • KingJ last edited by

          Thanks mgsmith - I've just tried setting rekey=yes and restarting ipsec using "ipsec restart" on the command line and I can verify that the correct lifetime is used and IKE is successfully established. Hurrah!

          From the PA-200's logs:

          2014-08-07 15:03:23 [DEBUG]: ipsec_doi.c:384:get_ph1approvalx(): Compared: DB:Peer
          2014-08-07 15:03:23 [DEBUG]: ipsec_doi.c:385:get_ph1approvalx(): (lifetime = 28800:28800)
          2014-08-07 15:03:23 [DEBUG]: ipsec_doi.c:387:get_ph1approvalx(): (lifebyte = 0:0)
          2014-08-07 15:03:23 [DEBUG]: ipsec_doi.c:389:get_ph1approvalx(): enctype = AES:3DES
          2014-08-07 15:03:23 [DEBUG]: ipsec_doi.c:394:get_ph1approvalx(): (encklen = 128:0)
          2014-08-07 15:03:23 [DEBUG]: ipsec_doi.c:396:get_ph1approvalx(): hashtype = SHA1:SHA1
          2014-08-07 15:03:23 [DEBUG]: ipsec_doi.c:401:get_ph1approvalx(): authmethod = PSK:PSK
          2014-08-07 15:03:23 [DEBUG]: ipsec_doi.c:406:get_ph1approvalx(): dh_group = DH2:DH2
          2014-08-07 15:03:23 [DEBUG]: ipsec_doi.c:384:get_ph1approvalx(): Compared: DB:Peer
          2014-08-07 15:03:23 [DEBUG]: ipsec_doi.c:385:get_ph1approvalx(): (lifetime = 28800:28800)
          2014-08-07 15:03:23 [DEBUG]: ipsec_doi.c:387:get_ph1approvalx(): (lifebyte = 0:0)
          2014-08-07 15:03:23 [DEBUG]: ipsec_doi.c:389:get_ph1approvalx(): enctype = 3DES:3DES
          2014-08-07 15:03:23 [DEBUG]: ipsec_doi.c:394:get_ph1approvalx(): (encklen = 0:0)
          2014-08-07 15:03:23 [DEBUG]: ipsec_doi.c:396:get_ph1approvalx(): hashtype = SHA1:SHA1
          2014-08-07 15:03:23 [DEBUG]: ipsec_doi.c:401:get_ph1approvalx(): authmethod = PSK:PSK
          2014-08-07 15:03:23 [DEBUG]: ipsec_doi.c:406:get_ph1approvalx(): dh_group = DH2:DH2
          2014-08-07 15:03:23 [DEBUG]: ipsec_doi.c:283:get_ph1approval(): an acceptable proposal found.
          
          admin@firewall> show vpn ike-sa gateway FirewallVM
          
          phase-1 SAs
          GwID/client IP  Peer-Address           Gateway Name           Role Mode Algorithm          Established     Expiration      V  ST Xt Phase2
          --------------- ------------           ------------           ---- ---- ---------          -----------     ----------      -  -- -- ------
                        1 pf.sense.ip.address:4500    FirewallVM             Resp Main PSK/DH2/3DES/SHA1 Aug.07 15:03:23 Aug.07 23:03:23 v1 12  2      0
          