IKE: Invalid Life Duration



  • Hi,

    I'm running 2.2-ALPHA (amd64) built on Sat Aug 02 15:24:18 CDT 2014 in a Hyper-V VM and experiencing a problem with establishing an IKEv1 session between my pfSense firewall and a PA-200 firewall. When pfSense tries to initiate an IKEv1 session, it appears to incorrectly set the IKE lifetime to 0, which is rejected as invalid. This is confirmed by both the PA-200's IKE debug log (below, look for the PROTO_ERR lines) and a PCAP (screenshot attached).

    2014-08-03 17:22:56 [DEBUG]: ikev1.c:2843:isakmp_parsewoh(): begin.
    2014-08-03 17:22:56 [DEBUG]: ikev1.c:2870:isakmp_parsewoh(): seen nptype=2(prop)
    2014-08-03 17:22:56 [DEBUG]: ikev1.c:2909:isakmp_parsewoh(): succeed.
    2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:1352:get_proppair(): proposal #0 len=40
    2014-08-03 17:22:56 [DEBUG]: ikev1.c:2843:isakmp_parsewoh(): begin.
    2014-08-03 17:22:56 [DEBUG]: ikev1.c:2870:isakmp_parsewoh(): seen nptype=3(trns)
    2014-08-03 17:22:56 [DEBUG]: ikev1.c:2909:isakmp_parsewoh(): succeed.
    2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:1498:get_transform(): transform #1 len=32
    2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:2079:check_attr_isakmp(): type=Encryption Algorithm, flag=0x8000, lorv=3DES
    2014-08-03 17:22:56 [DEBUG]: algorithm.c:529:alg_oakley_encdef(): encryption(3des)
    2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:2079:check_attr_isakmp(): type=Hash Algorithm, flag=0x8000, lorv=SHA1
    2014-08-03 17:22:56 [DEBUG]: algorithm.c:386:alg_oakley_hashdef(): hash(sha1)
    2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:2079:check_attr_isakmp(): type=Group Description, flag=0x8000, lorv=DH2
    2014-08-03 17:22:56 [DEBUG]: algorithm.c:770:alg_oakley_dhdef(): dh(modp1024)
    2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:2079:check_attr_isakmp(): type=Authentication Method, flag=0x8000, lorv=PSK
    2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:2079:check_attr_isakmp(): type=Life Type, flag=0x8000, lorv=seconds
    2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:2079:check_attr_isakmp(): type=Life Duration, flag=0x8000, lorv=0
    2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:1395:get_proppair(): pair 0:
    2014-08-03 17:22:56 [DEBUG]: proposal.c:1124:print_proppair0():  0x10a10568: next=(nil) tnext=(nil)
    2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:1430:get_proppair(): proposal #0: 1 transform
    2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:361:get_ph1approvalx(): prop#=0, prot-id=ISAKMP, spi-size=0, #trns=1
    2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:366:get_ph1approvalx(): trns#=1, trns-id=IKE
    2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:660:t2isakmpsa(): type=Encryption Algorithm, flag=0x8000, lorv=3DES
    2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:660:t2isakmpsa(): type=Hash Algorithm, flag=0x8000, lorv=SHA1
    2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:660:t2isakmpsa(): type=Group Description, flag=0x8000, lorv=DH2
    2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:660:t2isakmpsa(): type=Authentication Method, flag=0x8000, lorv=PSK
    2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:660:t2isakmpsa(): type=Life Type, flag=0x8000, lorv=seconds
    2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:660:t2isakmpsa(): type=Life Duration, flag=0x8000, lorv=0
    2014-08-03 17:22:56 [PROTO_ERR]: ipsec_doi.c:785:t2isakmpsa(): invalid life duration.
    2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:660:t2isakmpsa(): type=Encryption Algorithm, flag=0x8000, lorv=3DES
    2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:660:t2isakmpsa(): type=Hash Algorithm, flag=0x8000, lorv=SHA1
    2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:660:t2isakmpsa(): type=Group Description, flag=0x8000, lorv=DH2
    2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:660:t2isakmpsa(): type=Authentication Method, flag=0x8000, lorv=PSK
    2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:660:t2isakmpsa(): type=Life Type, flag=0x8000, lorv=seconds
    2014-08-03 17:22:56 [DEBUG]: ipsec_doi.c:660:t2isakmpsa(): type=Life Duration, flag=0x8000, lorv=0
    2014-08-03 17:22:56 [PROTO_ERR]: ipsec_doi.c:785:t2isakmpsa(): invalid life duration.
    2014-08-03 17:22:56 [PROTO_ERR]: ipsec_doi.c:278:get_ph1approval(): no suitable proposal found.
    2014-08-03 17:22:56 [PROTO_ERR]: isakmp_ident.c:1030:ident_r1recv(): 0:? - pf.sense.ip.here[500]:(nil):failed to get valid proposal.
    2014-08-03 17:22:56 [PROTO_ERR]: ikev1.c:1415:isakmp_ph1begin_r(): failed to process packet.
    2014-08-03 17:22:56 [INFO]: ikev1.c:2483:log_ph1deleted(): ====> PHASE-1 SA DELETED <====
    ====> Deleted SA: 10.0.0.2[500]-pf.sense.ip.here[500] cookie:f948164f94b8fd96:ae62708e904e7ebb <====
    
    

    I also experienced this problem with 2.2-ALPHA (amd64) built on Sat Aug 02 00:10:38 CDT 2014. I think I didn't have this problem on a June 28th build, but can't confirm. I notice there have been a few changes recently in the repository to various IKE functions. The generated config at /var/etc/ipsec/ipsec.conf looks all OK and has the configured lifetime value in the file.

    Any suggestions? Could there be an issue with my configuration or could this be a bug?

    Thanks in advance.

    ![ike 0 secs.PNG](/public/imported_attachments/1/ike 0 secs.PNG)



  • Try manually editing /var/etc/ipsec/ipsec.conf. Change 'rekey = no' to 'rekey = yes' for the configs of the SAs to your PA-200. Then run 'ipsec restart' from a command prompt and see if that fixes the problem. Don't restart ipsec via the GUI for this test because it will just regenerate the same config that isn't working.

    I reproduced your issue and verified that the lifetime was sent as 0 with rekey = no and as 28800s with rekey = yes. If you verify that you see the same behavior, we can modify the config generation.
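The PA-200 log in the first post shows the Phase 1 transform attributes it received (flag=0x8000 means the TV encoding, and Life Duration arrived as 0). The following is an added example, not code from pfSense, strongSwan or this thread: it parses ISAKMP transform attributes as defined in RFC 2408 section 3.3 and applies the same sanity check the responder did, on constructed byte strings that mirror the logged proposal before and after the rekey change.

```python
import struct
from typing import Dict, Optional

# Oakley attribute types (RFC 2409 Appendix A) that appear in the PA-200 log
ENCRYPTION_ALGORITHM = 1
HASH_ALGORITHM = 2
AUTHENTICATION_METHOD = 3
GROUP_DESCRIPTION = 4
LIFE_TYPE = 11
LIFE_DURATION = 12
LIFE_TYPE_SECONDS = 1

def parse_attributes(data: bytes) -> Dict[int, int]:
    """Parse ISAKMP transform attributes (RFC 2408 section 3.3) into {type: value}.
    A set high bit (0x8000, the 'flag' in the log) means TV encoding: the next
    2 bytes are the value. Otherwise it is TLV: 2-byte length, then the value."""
    attrs: Dict[int, int] = {}
    pos = 0
    while pos < len(data):
        if len(data) - pos < 4:
            raise ValueError("truncated attribute header at offset %d" % pos)
        raw_type, lorv = struct.unpack_from("!HH", data, pos)
        pos += 4
        attr_type = raw_type & 0x7FFF
        if raw_type & 0x8000:
            value = lorv
        else:
            if len(data) - pos < lorv:
                raise ValueError("truncated TLV value for attribute %d" % attr_type)
            value = int.from_bytes(data[pos:pos + lorv], "big")
            pos += lorv
        attrs[attr_type] = value
    return attrs

def check_life_duration(attrs: Dict[int, int]) -> Optional[str]:
    """Responder-side sanity check: a Life Type without a Life Duration, or a
    duration of 0, makes the proposal unusable. Returns the problem or None."""
    if LIFE_TYPE in attrs and LIFE_DURATION not in attrs:
        return "life type without life duration"
    if attrs.get(LIFE_DURATION) == 0:
        return "invalid life duration"
    return None

def tv(attr_type: int, value: int) -> bytes:
    """Encode one attribute in TV form (high bit set, 2-byte value)."""
    return struct.pack("!HH", 0x8000 | attr_type, value)

# Constructed samples: 3DES-CBC(5), SHA(2), MODP-1024(2), PSK(1), seconds(1).
BROKEN = (tv(ENCRYPTION_ALGORITHM, 5) + tv(HASH_ALGORITHM, 2) + tv(GROUP_DESCRIPTION, 2)
          + tv(AUTHENTICATION_METHOD, 1) + tv(LIFE_TYPE, LIFE_TYPE_SECONDS) + tv(LIFE_DURATION, 0))
# Same proposal with 28800 s, carried as a 4-byte TLV value (also valid on the wire).
FIXED = BROKEN[:-4] + struct.pack("!HH", LIFE_DURATION, 4) + (28800).to_bytes(4, "big")
```

Feeding the raw attribute bytes from a capture into parse_attributes gives the same type/value pairs the PA-200 printed, so a zero Life Duration can be spotted without the peer's debug log.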



  • Thanks mgsmith - I've just tried setting rekey=yes and restarting ipsec using "ipsec restart" on the command line and I can verify that the correct lifetime is used and IKE is successfully established. Hurrah!

    From the PA-200's logs:

    2014-08-07 15:03:23 [DEBUG]: ipsec_doi.c:384:get_ph1approvalx(): Compared: DB:Peer
    2014-08-07 15:03:23 [DEBUG]: ipsec_doi.c:385:get_ph1approvalx(): (lifetime = 28800:28800)
    2014-08-07 15:03:23 [DEBUG]: ipsec_doi.c:387:get_ph1approvalx(): (lifebyte = 0:0)
    2014-08-07 15:03:23 [DEBUG]: ipsec_doi.c:389:get_ph1approvalx(): enctype = AES:3DES
    2014-08-07 15:03:23 [DEBUG]: ipsec_doi.c:394:get_ph1approvalx(): (encklen = 128:0)
    2014-08-07 15:03:23 [DEBUG]: ipsec_doi.c:396:get_ph1approvalx(): hashtype = SHA1:SHA1
    2014-08-07 15:03:23 [DEBUG]: ipsec_doi.c:401:get_ph1approvalx(): authmethod = PSK:PSK
    2014-08-07 15:03:23 [DEBUG]: ipsec_doi.c:406:get_ph1approvalx(): dh_group = DH2:DH2
    2014-08-07 15:03:23 [DEBUG]: ipsec_doi.c:384:get_ph1approvalx(): Compared: DB:Peer
    2014-08-07 15:03:23 [DEBUG]: ipsec_doi.c:385:get_ph1approvalx(): (lifetime = 28800:28800)
    2014-08-07 15:03:23 [DEBUG]: ipsec_doi.c:387:get_ph1approvalx(): (lifebyte = 0:0)
    2014-08-07 15:03:23 [DEBUG]: ipsec_doi.c:389:get_ph1approvalx(): enctype = 3DES:3DES
    2014-08-07 15:03:23 [DEBUG]: ipsec_doi.c:394:get_ph1approvalx(): (encklen = 0:0)
    2014-08-07 15:03:23 [DEBUG]: ipsec_doi.c:396:get_ph1approvalx(): hashtype = SHA1:SHA1
    2014-08-07 15:03:23 [DEBUG]: ipsec_doi.c:401:get_ph1approvalx(): authmethod = PSK:PSK
    2014-08-07 15:03:23 [DEBUG]: ipsec_doi.c:406:get_ph1approvalx(): dh_group = DH2:DH2
    2014-08-07 15:03:23 [DEBUG]: ipsec_doi.c:283:get_ph1approval(): an acceptable proposal found.
    
    
    admin@firewall> show vpn ike-sa gateway FirewallVM
    
    phase-1 SAs
    GwID/client IP  Peer-Address           Gateway Name           Role Mode Algorithm          Established     Expiration      V  ST Xt Phase2
    --------------- ------------           ------------           ---- ---- ---------          -----------     ----------      -  -- -- ------
                  1 pf.sense.ip.address:4500    FirewallVM             Resp Main PSK/DH2/3DES/SHA1 Aug.07 15:03:23 Aug.07 23:03:23 v1 12  2      0
    
