IKE: Invalid Life Duration

KingJ

Hi,

I'm running 2.2-ALPHA (amd64) built on Sat Aug 02 15:24:18 CDT 2014 in a Hyper-V VM and experiencing a problem with establishing an IKEv1 session between my pfSense firewall and a PA-200 firewall. When pfSense tries to initiate an IKEv1 session, it appears to incorrectly set the IKE lifetime to 0, which is rejected as invalid. This is confirmed by both the PA-200's IKE debug log (below, look for the PROTO_ERR lines) and a PCAP (screenshot attached).

2014-08-03 17:22:56 [DEBUG]: ikev1.c:2843:isakmp_parsewoh(): begin.
2014-08-03 17:22:56 [DEBUG]: ikev1.c:2870:isakmp_parsewoh(): seen nptype=2(prop)
2014-08-03 17:22:56 [DEBUG]: ikev1.c:2909:isakmp_parsewoh(): succeed.
2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:1352:get_proppair(): proposal #0 len=40
2014-08-03 17:22:56 [DEBUG]: ikev1.c:2843:isakmp_parsewoh(): begin.
2014-08-03 17:22:56 [DEBUG]: ikev1.c:2870:isakmp_parsewoh(): seen nptype=3(trns)
2014-08-03 17:22:56 [DEBUG]: ikev1.c:2909:isakmp_parsewoh(): succeed.
2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:1498:get_transform(): transform #1 len=32
2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:2079:check_attr_isakmp(): type=Encryption Algorithm, flag=0x8000, lorv=3DES
2014-08-03 17:22:56 [DEBUG]: algorithm.c:529:alg_oakley_encdef(): encryption(3des)
2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:2079:check_attr_isakmp(): type=Hash Algorithm, flag=0x8000, lorv=SHA1
2014-08-03 17:22:56 [DEBUG]: algorithm.c:386:alg_oakley_hashdef(): hash(sha1)
2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:2079:check_attr_isakmp(): type=Group Description, flag=0x8000, lorv=DH2
2014-08-03 17:22:56 [DEBUG]: algorithm.c:770:alg_oakley_dhdef(): dh(modp1024)
2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:2079:check_attr_isakmp(): type=Authentication Method, flag=0x8000, lorv=PSK
2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:2079:check_attr_isakmp(): type=Life Type, flag=0x8000, lorv=seconds
2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:2079:check_attr_isakmp(): type=Life Duration, flag=0x8000, lorv=0
2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:1395:get_proppair(): pair 0:
2014-08-03 17:22:56 [DEBUG]: proposal.c:1124:print_proppair0():  0x10a10568: next=(nil) tnext=(nil)
2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:1430:get_proppair(): proposal #0: 1 transform
2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:361:get_ph1approvalx(): prop#=0, prot-id=ISAKMP, spi-size=0, #trns=1
2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:366:get_ph1approvalx(): trns#=1, trns-id=IKE
2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:660:t2isakmpsa(): type=Encryption Algorithm, flag=0x8000, lorv=3DES
2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:660:t2isakmpsa(): type=Hash Algorithm, flag=0x8000, lorv=SHA1
2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:660:t2isakmpsa(): type=Group Description, flag=0x8000, lorv=DH2
2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:660:t2isakmpsa(): type=Authentication Method, flag=0x8000, lorv=PSK
2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:660:t2isakmpsa(): type=Life Type, flag=0x8000, lorv=seconds
2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:660:t2isakmpsa(): type=Life Duration, flag=0x8000, lorv=0
2014-08-03 17:22:56 [PROTO_ERR]: ipsec_doi.c:785:t2isakmpsa(): invalid life duration.
2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:660:t2isakmpsa(): type=Encryption Algorithm, flag=0x8000, lorv=3DES
2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:660:t2isakmpsa(): type=Hash Algorithm, flag=0x8000, lorv=SHA1
2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:660:t2isakmpsa(): type=Group Description, flag=0x8000, lorv=DH2
2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:660:t2isakmpsa(): type=Authentication Method, flag=0x8000, lorv=PSK
2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:660:t2isakmpsa(): type=Life Type, flag=0x8000, lorv=seconds
2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:660:t2isakmpsa(): type=Life Duration, flag=0x8000, lorv=0
2014-08-03 17:22:56 [PROTO_ERR]: ipsec_doi.c:785:t2isakmpsa(): invalid life duration.
2014-08-03 17:22:56 [PROTO_ERR]: ipsec_doi.c:278:get_ph1approval(): no suitable proposal found.
2014-08-03 17:22:56 [PROTO_ERR]: isakmp_ident.c:1030:ident_r1recv(): 0:? - pf.sense.ip.here[500]:(nil):failed to get valid proposal.
2014-08-03 17:22:56 [PROTO_ERR]: ikev1.c:1415:isakmp_ph1begin_r(): failed to process packet.
2014-08-03 17:22:56 [INFO]: ikev1.c:2483:log_ph1deleted(): ====> PHASE-1 SA DELETED <====
====> Deleted SA: 10.0.0.2[500]-pf.sense.ip.here[500] cookie:f948164f94b8fd96:ae62708e904e7ebb <====

I also experienced this problem with 2.2-ALPHA (amd64) built on Sat Aug 02 00:10:38 CDT 2014. I think I didn't have this problem on a June 28th build, but can't confirm. I notice there's been a few changes recently in the repository to various IKE functions. The generated config at /var/etc/ipsec/ipsec.conf looks all OK and has the configured lifetime value in the file.

Any suggestions? Could there be an issue with my configuration or could this be a bug?

Thanks in advance.

![ike 0 secs.PNG](/public/imported_attachments/1/ike 0 secs.PNG)
![ike 0 secs.PNG_thumb](/public/imported_attachments/1/ike 0 secs.PNG_thumb)

mgsmith

Try manually editing /var/etc/ipsec/ipsec.conf. Change 'rekey = no' to 'rekey = yes' for the configs of the SA's to your PA-200. Then run 'ipsec restart' from a command prompt and see if that fixes the problem. Don't restart ipsec via the GUI for this test because it will just regenerate the same config that isn't working.

I reproduced your issue and verified that the lifetime was sent as 0 with rekey = no and as 28800s with rekey = yes. If you verify that you see the same behavior, we can modify the config generation.

KingJ

Thanks mgsmith - I've just tried setting rekey=yes and restarting ipsec using "ipsec restart" on the command line and I can verify that the correct lifetime is used and IKE is successfully established. Hurrah!

From the PA-200's logs;

2014-08-07 15:03:23 [DEBUG]: ipsec_doi.c:384:get_ph1approvalx(): Compared: DB:Peer
2014-08-07 15:03:23 [DEBUG]: ipsec_doi.c:385:get_ph1approvalx(): (lifetime = 28800:28800)
2014-08-07 15:03:23 [DEBUG]: ipsec_doi.c:387:get_ph1approvalx(): (lifebyte = 0:0)
2014-08-07 15:03:23 [DEBUG]: ipsec_doi.c:389:get_ph1approvalx(): enctype = AES:3DES
2014-08-07 15:03:23 [DEBUG]: ipsec_doi.c:394:get_ph1approvalx(): (encklen = 128:0)
2014-08-07 15:03:23 [DEBUG]: ipsec_doi.c:396:get_ph1approvalx(): hashtype = SHA1:SHA1
2014-08-07 15:03:23 [DEBUG]: ipsec_doi.c:401:get_ph1approvalx(): authmethod = PSK:PSK
2014-08-07 15:03:23 [DEBUG]: ipsec_doi.c:406:get_ph1approvalx(): dh_group = DH2:DH2
2014-08-07 15:03:23 [DEBUG]: ipsec_doi.c:384:get_ph1approvalx(): Compared: DB:Peer
2014-08-07 15:03:23 [DEBUG]: ipsec_doi.c:385:get_ph1approvalx(): (lifetime = 28800:28800)
2014-08-07 15:03:23 [DEBUG]: ipsec_doi.c:387:get_ph1approvalx(): (lifebyte = 0:0)
2014-08-07 15:03:23 [DEBUG]: ipsec_doi.c:389:get_ph1approvalx(): enctype = 3DES:3DES
2014-08-07 15:03:23 [DEBUG]: ipsec_doi.c:394:get_ph1approvalx(): (encklen = 0:0)
2014-08-07 15:03:23 [DEBUG]: ipsec_doi.c:396:get_ph1approvalx(): hashtype = SHA1:SHA1
2014-08-07 15:03:23 [DEBUG]: ipsec_doi.c:401:get_ph1approvalx(): authmethod = PSK:PSK
2014-08-07 15:03:23 [DEBUG]: ipsec_doi.c:406:get_ph1approvalx(): dh_group = DH2:DH2
2014-08-07 15:03:23 [DEBUG]: ipsec_doi.c:283:get_ph1approval(): an acceptable proposal found.

admin@firewall> show vpn ike-sa gateway FirewallVM

phase-1 SAs
GwID/client IP  Peer-Address           Gateway Name           Role Mode Algorithm          Established     Expiration      V  ST Xt Phase2
--------------- ------------           ------------           ---- ---- ---------          -----------     ----------      -  -- -- ------
              1 pf.sense.ip.address:4500    FirewallVM             Resp Main PSK/DH2/3DES/SHA1 Aug.07 15:03:23 Aug.07 23:03:23 v1 12  2      0