Peer SA information

Author
Deftone
Silver Member
  • Total Posts : 61
  • Scores: 0
  • Reward points: 0
  • Joined: 2011/10/25 09:55:21
  • Status: offline
2020/07/14 04:52:17 (permalink)
0


Hi,
 
I'm just wondering... Is it possible to see which key lifetime is set on the peer router/FortiGate under the selectors while debugging ike -1?
 
When I debug IPsec with diag debug app ike -1 I can see quite a lot of information, except the key lifetime that has been set on the remote router... Is there a way to get that information?
 
ike 0:TEST:67:208083: peer proposal:
ike 0:TEST:67:208083: TSi_0 0:0.0.0.0-255.255.255.255:0
ike 0:TEST:67:208083: TSr_0 0:0.0.0.0-255.255.255.255:0
ike 0:TEST:67:TEST:208083: comparing selectors
ike 0:TEST:67:TEST:208083: matched by rfc-rule-2
ike 0:TEST:67:TEST:208083: phase2 matched by subset
ike 0:TEST:67:TEST:208083: accepted proposal:
ike 0:TEST:67:TEST:208083: TSi_0 0:0.0.0.0-255.255.255.255:0
ike 0:TEST:67:TEST:208083: TSr_0 0:0.0.0.0-255.255.255.255:0
ike 0:TEST:67:TEST:208083: autokey
ike 0:TEST:67:TEST:208083: incoming child SA proposal:
ike 0:TEST:67:TEST:208083: proposal id = 1:
ike 0:TEST:67:TEST:208083: protocol = ESP:
ike 0:TEST:67:TEST:208083: encapsulation = TUNNEL
ike 0:TEST:67:TEST:208083: type=ENCR, val=AES_CBC (key_len = 128)
ike 0:TEST:67:TEST:208083: type=INTEGR, val=SHA256
ike 0:TEST:67:TEST:208083: type=DH_GROUP, val=MODP2048
ike 0:TEST:67:TEST:208083: type=ESN, val=NO
ike 0:TEST:67:TEST:208083: matched proposal id 1
ike 0:TEST:67:TEST:208083: proposal id = 1:
ike 0:TEST:67:TEST:208083: protocol = ESP:
ike 0:TEST:67:TEST:208083: encapsulation = TUNNEL
ike 0:TEST:67:TEST:208083: type=ENCR, val=AES_CBC (key_len = 128)
ike 0:TEST:67:TEST:208083: type=INTEGR, val=SHA256
ike 0:TEST:67:TEST:208083: type=DH_GROUP, val=MODP2048
ike 0:TEST:67:TEST:208083: type=ESN, val=NO
ike 0:TEST:67:TEST:208083: lifetime=3600
ike 0:TEST:67:TEST:208083: PFS enabled, group=14
ike 0:TEST: schedule auto-negotiate

 
In the above output I can see my key lifetime but not the key lifetime set on my opponent router.
#1


    Deftone
    Silver Member
    • Total Posts : 61
    • Scores: 0
    • Reward points: 0
    • Joined: 2011/10/25 09:55:21
    • Status: offline
    Re: Peer SA information 2020/07/14 05:08:02 (permalink)
    0
    What I expect when using 


    diag vpn ike log-filter src-addr4 x.x.x.x 
    diag debug app ike -1
     
    is that I will see the incoming proposal and my proposal with all the information...
     
    #2
    emnoc
    Expert Member
    • Total Posts : 5748
    • Scores: 373
    • Reward points: 0
    • Joined: 2008/03/20 13:30:33
    • Location: AUSTIN TX AREA
    • Status: offline
    Re: Peer SA information 2020/07/14 07:20:38 (permalink)
    0
    You will never see the peer lifetime value; it's never sent to the local gateway and does not need to match for IPsec ESP SAs to be established.
     
    Ken Felix
     

    PCNSE 
    NSE 
    StrongSwan  
    #3
    Deftone
    Silver Member
    • Total Posts : 61
    • Scores: 0
    • Reward points: 0
    • Joined: 2011/10/25 09:55:21
    • Status: offline
    Re: Peer SA information 2020/07/14 07:40:11 (permalink)
    0
    Hi Ken,
     
    HMh ok... I had to dig in my text files and came across this...
     
      
    ike 0:FGT01:18000:FGT01:56760: my proposal:
    ike 0:FGT01:18000:FGT01:56760: proposal id = 1:
    ike 0:FGT01:18000:FGT01:56760: protocol id = IPSEC_ESP:
    ike 0:FGT01:18000:FGT01:56760: PFS DH group = 5
    ike 0:FGT01:18000:FGT01:56760: trans_id = ESP_AES_CBC (key_len = 256)
    ike 0:FGT01:18000:FGT01:56760: encapsulation = UDP_ENCAPSULATION_MODE_TUNNEL
    ike 0:FGT01:18000:FGT01:56760: type = AUTH_ALG, val=SHA2_256
     
    ike 0:FGT01:18000:FGT01:56760: incoming proposal:
    ike 0:FGT01:18000:FGT01:56760: proposal id = 1:
    ike 0:FGT01:18000:FGT01:56760: protocol id = IPSEC_ESP:
    ike 0:FGT01:18000:FGT01:56760: PFS DH group = 5
    ike 0:FGT01:18000:FGT01:56760: trans_id = ESP_AES_CBC (key_len = 256)
    ike 0:FGT01:18000:FGT01:56760: encapsulation = UDP_ENCAPSULATION_MODE_TUNNEL
    ike 0:FGT01:18000:FGT01:56760: type = AUTH_ALG, val=SHA2_256
    ike 0:FGT01:18000:FGT01:56760: RESPONDER-LIFETIME payload found, ESP life time is changed to 3600s.

     
    As I can see, there is a responder lifetime in the output of the debug.
    Maybe because this is a debug between a FortiGate and another vendor... I don't know.
     
    RESPONDER-LIFETIME payload found, ESP life time is changed to 3600s
     
    #4
    emnoc
    Expert Member
    • Total Posts : 5748
    • Scores: 373
    • Reward points: 0
    • Joined: 2008/03/20 13:30:33
    • Location: AUSTIN TX AREA
    • Status: offline
    Re: Peer SA information 2020/07/14 08:42:46 (permalink)
    0
    I'm skeptical of those notifications, and they are typically sent as just that: a NOTIFICATION. If you want to see what happens, adjust one side to a weird lifetime value and monitor that same debug. You're not going to get a show command that shows the remote lifetime value for an established IPsec or IKE SA, fwiw.
     
    Ken Felix

    PCNSE 
    NSE 
    StrongSwan  
    #5
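An added example (not from the thread or from Fortinet) that pulls the lifetime fields out of the two debug captures quoted above: the IKEv2 capture exposes only the local lifetime, while the IKEv1 capture carries the peer's RESPONDER-LIFETIME notification. The regexes assume FortiOS prints these lines exactly as they appear in the thread; the sample input is trimmed from the posts.

```python
"""Parse FortiGate 'diag debug app ike -1' output for IPsec SA lifetimes."""
import re

# Lines trimmed from the thread's IKEv2 child SA negotiation: only the local
# (accepted) proposal carries a lifetime, the peer's proposal does not.
IKEV2_DEBUG = """\
ike 0:TEST:67:TEST:208083: incoming child SA proposal:
ike 0:TEST:67:TEST:208083: proposal id = 1:
ike 0:TEST:67:TEST:208083: type=ENCR, val=AES_CBC (key_len = 128)
ike 0:TEST:67:TEST:208083: type=INTEGR, val=SHA256
ike 0:TEST:67:TEST:208083: type=DH_GROUP, val=MODP2048
ike 0:TEST:67:TEST:208083: matched proposal id 1
ike 0:TEST:67:TEST:208083: lifetime=3600
ike 0:TEST:67:TEST:208083: PFS enabled, group=14
"""

# IKEv1 quick-mode lines from the thread: the responder announced its own
# lifetime with a RESPONDER-LIFETIME notification and FortiGate adopted it.
IKEV1_DEBUG = """\
ike 0:FGT01:18000:FGT01:56760: incoming proposal:
ike 0:FGT01:18000:FGT01:56760: trans_id = ESP_AES_CBC (key_len = 256)
ike 0:FGT01:18000:FGT01:56760: type = AUTH_ALG, val=SHA2_256
ike 0:FGT01:18000:FGT01:56760: RESPONDER-LIFETIME payload found, ESP life time is changed to 3600s.
"""

LIFETIME_RE = re.compile(r": lifetime=(\d+)$")
RESPONDER_RE = re.compile(r"RESPONDER-LIFETIME payload found, ESP life time is changed to (\d+)s")
ENCR_RE = re.compile(r"(?:type=ENCR, val=|trans_id = ESP_)(\w+) \(key_len = (\d+)\)")


def parse_sa_lifetimes(debug_text):
    """Return what the debug reveals: our own lifetime, plus the peer's only
    when it announced one (IKEv1 RESPONDER-LIFETIME); otherwise it stays None."""
    result = {"local_lifetime": None, "responder_lifetime": None, "encr": None}
    for line in debug_text.splitlines():
        if m := LIFETIME_RE.search(line):
            result["local_lifetime"] = int(m.group(1))
        elif m := RESPONDER_RE.search(line):
            result["responder_lifetime"] = int(m.group(1))
        elif m := ENCR_RE.search(line):
            result["encr"] = (m.group(1), int(m.group(2)))
    return result


def effective_esp_lifetime(parsed):
    """Lifetime this side will rekey at: the responder's value when it was
    announced (the 'changed to' line), else the locally configured one."""
    if parsed["responder_lifetime"] is not None:
        return parsed["responder_lifetime"]
    return parsed["local_lifetime"]
```

If a peer's RESPONDER-LIFETIME moves your ESP lifetime away from the configured value, that line is the only place the debug records it, so it is worth alerting on when auditing tunnel rekey behaviour.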