Aug 26 13:08:54.512102: FIPS Product: YES Aug 26 13:08:54.512144: FIPS Kernel: NO Aug 26 13:08:54.512146: FIPS Mode: NO Aug 26 13:08:54.512148: NSS DB directory: sql:/etc/ipsec.d Aug 26 13:08:54.512283: Initializing NSS Aug 26 13:08:54.512309: Opening NSS database "sql:/etc/ipsec.d" read-only Aug 26 13:08:54.552740: NSS initialized Aug 26 13:08:54.552760: NSS crypto library initialized Aug 26 13:08:54.552763: FIPS HMAC integrity support [enabled] Aug 26 13:08:54.552765: FIPS mode disabled for pluto daemon Aug 26 13:08:54.595121: FIPS HMAC integrity verification self-test FAILED Aug 26 13:08:54.595220: libcap-ng support [enabled] Aug 26 13:08:54.595227: Linux audit support [enabled] Aug 26 13:08:54.595252: Linux audit activated Aug 26 13:08:54.595258: Starting Pluto (Libreswan Version v3.28-685-gbfd5aef521-master-s2 XFRM(netkey) esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) DNSSEC FIPS_CHECK LABELED_IPSEC SECCOMP LIBCAP_NG LINUX_AUDIT XAUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:16019 Aug 26 13:08:54.595262: core dump dir: /tmp Aug 26 13:08:54.595265: secrets file: /etc/ipsec.secrets Aug 26 13:08:54.595267: leak-detective enabled Aug 26 13:08:54.595269: NSS crypto [enabled] Aug 26 13:08:54.595271: XAUTH PAM support [enabled] Aug 26 13:08:54.595358: | libevent is using pluto's memory allocator Aug 26 13:08:54.595368: Initializing libevent in pthreads mode: headers: 2.1.8-stable (2010800); library: 2.1.8-stable (2010800) Aug 26 13:08:54.595384: | libevent_malloc: new ptr-libevent@0x55f6950a4de8 size 40 Aug 26 13:08:54.595391: | libevent_malloc: new ptr-libevent@0x55f695032cd8 size 40 Aug 26 13:08:54.595395: | libevent_malloc: new ptr-libevent@0x55f695032dd8 size 40 Aug 26 13:08:54.595397: | creating event base Aug 26 13:08:54.595401: | libevent_malloc: new ptr-libevent@0x55f6950b52d8 size 56 Aug 26 13:08:54.595406: | libevent_malloc: new ptr-libevent@0x55f695061db8 size 664 Aug 26 13:08:54.595417: | libevent_malloc: new ptr-libevent@0x55f6950b5348 size 
24 Aug 26 13:08:54.595420: | libevent_malloc: new ptr-libevent@0x55f6950b5398 size 384 Aug 26 13:08:54.595429: | libevent_malloc: new ptr-libevent@0x55f6950b5298 size 16 Aug 26 13:08:54.595432: | libevent_malloc: new ptr-libevent@0x55f695032908 size 40 Aug 26 13:08:54.595435: | libevent_malloc: new ptr-libevent@0x55f695032d38 size 48 Aug 26 13:08:54.595440: | libevent_realloc: new ptr-libevent@0x55f695061a48 size 256 Aug 26 13:08:54.595456: | libevent_malloc: new ptr-libevent@0x55f6950b5548 size 16 Aug 26 13:08:54.595461: | libevent_free: release ptr-libevent@0x55f6950b52d8 Aug 26 13:08:54.595465: | libevent initialized Aug 26 13:08:54.595483: | libevent_realloc: new ptr-libevent@0x55f6950b52d8 size 64 Aug 26 13:08:54.595489: | global periodic timer EVENT_RESET_LOG_RATE_LIMIT enabled with interval of 3600 seconds Aug 26 13:08:54.595504: | init_nat_traversal() initialized with keep_alive=0s Aug 26 13:08:54.595507: NAT-Traversal support [enabled] Aug 26 13:08:54.595510: | global one-shot timer EVENT_NAT_T_KEEPALIVE initialized Aug 26 13:08:54.595516: | global one-shot timer EVENT_FREE_ROOT_CERTS initialized Aug 26 13:08:54.595520: | global periodic timer EVENT_REINIT_SECRET enabled with interval of 3600 seconds Aug 26 13:08:54.595553: | global one-shot timer EVENT_REVIVE_CONNS initialized Aug 26 13:08:54.595556: | global periodic timer EVENT_PENDING_DDNS enabled with interval of 60 seconds Aug 26 13:08:54.595560: | global periodic timer EVENT_PENDING_PHASE2 enabled with interval of 120 seconds Aug 26 13:08:54.595610: Encryption algorithms: Aug 26 13:08:54.595617: AES_CCM_16 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm, aes_ccm_c Aug 26 13:08:54.595621: AES_CCM_12 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_b Aug 26 13:08:54.595625: AES_CCM_8 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_a Aug 26 13:08:54.595628: 3DES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS [*192] 3des Aug 26 13:08:54.595632: CAMELLIA_CTR IKEv1: ESP IKEv2: ESP {256,192,*128} Aug 26 
13:08:54.595642: CAMELLIA_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} camellia Aug 26 13:08:54.595646: AES_GCM_16 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm, aes_gcm_c Aug 26 13:08:54.595650: AES_GCM_12 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_b Aug 26 13:08:54.595654: AES_GCM_8 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_a Aug 26 13:08:54.595657: AES_CTR IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aesctr Aug 26 13:08:54.595661: AES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aes Aug 26 13:08:54.595665: SERPENT_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} serpent Aug 26 13:08:54.595669: TWOFISH_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} twofish Aug 26 13:08:54.595673: TWOFISH_SSH IKEv1: IKE IKEv2: IKE ESP {256,192,*128} twofish_cbc_ssh Aug 26 13:08:54.595676: NULL_AUTH_AES_GMAC IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_gmac Aug 26 13:08:54.595679: NULL IKEv1: ESP IKEv2: ESP [] Aug 26 13:08:54.595683: CHACHA20_POLY1305 IKEv1: IKEv2: IKE ESP [*256] chacha20poly1305 Aug 26 13:08:54.595692: Hash algorithms: Aug 26 13:08:54.595695: MD5 IKEv1: IKE IKEv2: Aug 26 13:08:54.595698: SHA1 IKEv1: IKE IKEv2: FIPS sha Aug 26 13:08:54.595702: SHA2_256 IKEv1: IKE IKEv2: FIPS sha2, sha256 Aug 26 13:08:54.595705: SHA2_384 IKEv1: IKE IKEv2: FIPS sha384 Aug 26 13:08:54.595708: SHA2_512 IKEv1: IKE IKEv2: FIPS sha512 Aug 26 13:08:54.595721: PRF algorithms: Aug 26 13:08:54.595724: HMAC_MD5 IKEv1: IKE IKEv2: IKE md5 Aug 26 13:08:54.595728: HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS sha, sha1 Aug 26 13:08:54.595732: HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS sha2, sha256, sha2_256 Aug 26 13:08:54.595735: HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS sha384, sha2_384 Aug 26 13:08:54.595739: HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS sha512, sha2_512 Aug 26 13:08:54.595742: AES_XCBC IKEv1: IKEv2: IKE aes128_xcbc Aug 26 13:08:54.595769: Integrity algorithms: Aug 26 13:08:54.595772: HMAC_MD5_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH md5, 
hmac_md5 Aug 26 13:08:54.595776: HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha, sha1, sha1_96, hmac_sha1 Aug 26 13:08:54.595781: HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha512, sha2_512, sha2_512_256, hmac_sha2_512 Aug 26 13:08:54.595785: HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha384, sha2_384, sha2_384_192, hmac_sha2_384 Aug 26 13:08:54.595789: HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256 Aug 26 13:08:54.595792: HMAC_SHA2_256_TRUNCBUG IKEv1: ESP AH IKEv2: AH Aug 26 13:08:54.595796: AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP AH aes_xcbc, aes128_xcbc, aes128_xcbc_96 Aug 26 13:08:54.595799: AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS aes_cmac Aug 26 13:08:54.595802: NONE IKEv1: ESP IKEv2: IKE ESP FIPS null Aug 26 13:08:54.595815: DH algorithms: Aug 26 13:08:54.595819: NONE IKEv1: IKEv2: IKE ESP AH FIPS null, dh0 Aug 26 13:08:54.595822: MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH dh5 Aug 26 13:08:54.595825: MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh14 Aug 26 13:08:54.595830: MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh15 Aug 26 13:08:54.595833: MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh16 Aug 26 13:08:54.595836: MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh17 Aug 26 13:08:54.595839: MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh18 Aug 26 13:08:54.595843: DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_256, ecp256 Aug 26 13:08:54.595846: DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_384, ecp384 Aug 26 13:08:54.595849: DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_521, ecp521 Aug 26 13:08:54.595852: DH31 IKEv1: IKE IKEv2: IKE ESP AH curve25519 Aug 26 13:08:54.595855: testing CAMELLIA_CBC: Aug 26 13:08:54.595858: Camellia: 16 bytes with 128-bit key Aug 26 13:08:54.595977: Camellia: 16 bytes with 128-bit key Aug 26 13:08:54.596006: Camellia: 16 bytes with 256-bit key Aug 26 13:08:54.596035: Camellia: 16 bytes with 256-bit key 
Aug 26 13:08:54.596063: testing AES_GCM_16: Aug 26 13:08:54.596066: empty string Aug 26 13:08:54.596094: one block Aug 26 13:08:54.596119: two blocks Aug 26 13:08:54.596146: two blocks with associated data Aug 26 13:08:54.596172: testing AES_CTR: Aug 26 13:08:54.596175: Encrypting 16 octets using AES-CTR with 128-bit key Aug 26 13:08:54.596202: Encrypting 32 octets using AES-CTR with 128-bit key Aug 26 13:08:54.596230: Encrypting 36 octets using AES-CTR with 128-bit key Aug 26 13:08:54.596258: Encrypting 16 octets using AES-CTR with 192-bit key Aug 26 13:08:54.596285: Encrypting 32 octets using AES-CTR with 192-bit key Aug 26 13:08:54.596317: Encrypting 36 octets using AES-CTR with 192-bit key Aug 26 13:08:54.596350: Encrypting 16 octets using AES-CTR with 256-bit key Aug 26 13:08:54.596376: Encrypting 32 octets using AES-CTR with 256-bit key Aug 26 13:08:54.596404: Encrypting 36 octets using AES-CTR with 256-bit key Aug 26 13:08:54.596433: testing AES_CBC: Aug 26 13:08:54.596436: Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key Aug 26 13:08:54.596466: Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key Aug 26 13:08:54.596495: Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key Aug 26 13:08:54.596524: Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key Aug 26 13:08:54.596558: testing AES_XCBC: Aug 26 13:08:54.596561: RFC 3566 Test Case #1: AES-XCBC-MAC-96 with 0-byte input Aug 26 13:08:54.596677: RFC 3566 Test Case #2: AES-XCBC-MAC-96 with 3-byte input Aug 26 13:08:54.596808: RFC 3566 Test Case #3: AES-XCBC-MAC-96 with 16-byte input Aug 26 13:08:54.596934: RFC 3566 Test Case #4: AES-XCBC-MAC-96 with 20-byte input Aug 26 13:08:54.597063: RFC 3566 Test Case #5: AES-XCBC-MAC-96 with 32-byte input Aug 26 13:08:54.597192: RFC 3566 Test Case #6: AES-XCBC-MAC-96 with 34-byte input Aug 26 13:08:54.597329: RFC 3566 Test Case #7: AES-XCBC-MAC-96 with 1000-byte input Aug 26 13:08:54.597628: RFC 4434 Test Case AES-XCBC-PRF-128 with 
20-byte input (key length 16) Aug 26 13:08:54.597762: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10) Aug 26 13:08:54.597901: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18) Aug 26 13:08:54.598141: testing HMAC_MD5: Aug 26 13:08:54.598145: RFC 2104: MD5_HMAC test 1 Aug 26 13:08:54.598327: RFC 2104: MD5_HMAC test 2 Aug 26 13:08:54.598485: RFC 2104: MD5_HMAC test 3 Aug 26 13:08:54.598676: 8 CPU cores online Aug 26 13:08:54.598681: starting up 7 crypto helpers Aug 26 13:08:54.598715: started thread for crypto helper 0 Aug 26 13:08:54.598722: | starting up helper thread 0 Aug 26 13:08:54.598739: started thread for crypto helper 1 Aug 26 13:08:54.598743: | status value returned by setting the priority of this thread (crypto helper 0) 22 Aug 26 13:08:54.598746: | starting up helper thread 1 Aug 26 13:08:54.598762: started thread for crypto helper 2 Aug 26 13:08:54.598767: | status value returned by setting the priority of this thread (crypto helper 1) 22 Aug 26 13:08:54.598768: | starting up helper thread 2 Aug 26 13:08:54.598747: | crypto helper 0 waiting (nothing to do) Aug 26 13:08:54.598779: | status value returned by setting the priority of this thread (crypto helper 2) 22 Aug 26 13:08:54.598787: started thread for crypto helper 3 Aug 26 13:08:54.598794: | crypto helper 2 waiting (nothing to do) Aug 26 13:08:54.598809: | crypto helper 1 waiting (nothing to do) Aug 26 13:08:54.598816: started thread for crypto helper 4 Aug 26 13:08:54.598818: | starting up helper thread 3 Aug 26 13:08:54.598823: | status value returned by setting the priority of this thread (crypto helper 3) 22 Aug 26 13:08:54.598825: | crypto helper 3 waiting (nothing to do) Aug 26 13:08:54.598829: | starting up helper thread 4 Aug 26 13:08:54.598833: | status value returned by setting the priority of this thread (crypto helper 4) 22 Aug 26 13:08:54.598833: started thread for crypto helper 5 Aug 26 13:08:54.598836: | starting up helper thread 5 Aug 26 
13:08:54.598838: | crypto helper 4 waiting (nothing to do) Aug 26 13:08:54.598847: | status value returned by setting the priority of this thread (crypto helper 5) 22 Aug 26 13:08:54.598850: | crypto helper 5 waiting (nothing to do) Aug 26 13:08:54.598856: started thread for crypto helper 6 Aug 26 13:08:54.598858: | starting up helper thread 6 Aug 26 13:08:54.598864: | status value returned by setting the priority of this thread (crypto helper 6) 22 Aug 26 13:08:54.598870: | crypto helper 6 waiting (nothing to do) Aug 26 13:08:54.598864: | checking IKEv1 state table Aug 26 13:08:54.598885: | MAIN_R0: category: half-open IKE SA flags: 0: Aug 26 13:08:54.598888: | -> MAIN_R1 EVENT_SO_DISCARD Aug 26 13:08:54.598891: | MAIN_I1: category: half-open IKE SA flags: 0: Aug 26 13:08:54.598894: | -> MAIN_I2 EVENT_RETRANSMIT Aug 26 13:08:54.598897: | MAIN_R1: category: open IKE SA flags: 200: Aug 26 13:08:54.598899: | -> MAIN_R2 EVENT_RETRANSMIT Aug 26 13:08:54.598902: | -> UNDEFINED EVENT_RETRANSMIT Aug 26 13:08:54.598904: | -> UNDEFINED EVENT_RETRANSMIT Aug 26 13:08:54.598907: | MAIN_I2: category: open IKE SA flags: 0: Aug 26 13:08:54.598909: | -> MAIN_I3 EVENT_RETRANSMIT Aug 26 13:08:54.598912: | -> UNDEFINED EVENT_RETRANSMIT Aug 26 13:08:54.598914: | -> UNDEFINED EVENT_RETRANSMIT Aug 26 13:08:54.598917: | MAIN_R2: category: open IKE SA flags: 0: Aug 26 13:08:54.598920: | -> MAIN_R3 EVENT_SA_REPLACE Aug 26 13:08:54.598922: | -> MAIN_R3 EVENT_SA_REPLACE Aug 26 13:08:54.598925: | -> UNDEFINED EVENT_SA_REPLACE Aug 26 13:08:54.598928: | MAIN_I3: category: open IKE SA flags: 0: Aug 26 13:08:54.598930: | -> MAIN_I4 EVENT_SA_REPLACE Aug 26 13:08:54.598932: | -> MAIN_I4 EVENT_SA_REPLACE Aug 26 13:08:54.598935: | -> UNDEFINED EVENT_SA_REPLACE Aug 26 13:08:54.598938: | MAIN_R3: category: established IKE SA flags: 200: Aug 26 13:08:54.598940: | -> UNDEFINED EVENT_NULL Aug 26 13:08:54.598943: | MAIN_I4: category: established IKE SA flags: 0: Aug 26 13:08:54.598946: | -> UNDEFINED 
EVENT_NULL Aug 26 13:08:54.598949: | AGGR_R0: category: half-open IKE SA flags: 0: Aug 26 13:08:54.598951: | -> AGGR_R1 EVENT_SO_DISCARD Aug 26 13:08:54.598954: | AGGR_I1: category: half-open IKE SA flags: 0: Aug 26 13:08:54.598956: | -> AGGR_I2 EVENT_SA_REPLACE Aug 26 13:08:54.598959: | -> AGGR_I2 EVENT_SA_REPLACE Aug 26 13:08:54.598961: | AGGR_R1: category: open IKE SA flags: 200: Aug 26 13:08:54.598964: | -> AGGR_R2 EVENT_SA_REPLACE Aug 26 13:08:54.598966: | -> AGGR_R2 EVENT_SA_REPLACE Aug 26 13:08:54.598969: | AGGR_I2: category: established IKE SA flags: 200: Aug 26 13:08:54.598972: | -> UNDEFINED EVENT_NULL Aug 26 13:08:54.598975: | AGGR_R2: category: established IKE SA flags: 0: Aug 26 13:08:54.598977: | -> UNDEFINED EVENT_NULL Aug 26 13:08:54.598980: | QUICK_R0: category: established CHILD SA flags: 0: Aug 26 13:08:54.598983: | -> QUICK_R1 EVENT_RETRANSMIT Aug 26 13:08:54.598989: | QUICK_I1: category: established CHILD SA flags: 0: Aug 26 13:08:54.598991: | -> QUICK_I2 EVENT_SA_REPLACE Aug 26 13:08:54.598994: | QUICK_R1: category: established CHILD SA flags: 0: Aug 26 13:08:54.598997: | -> QUICK_R2 EVENT_SA_REPLACE Aug 26 13:08:54.599000: | QUICK_I2: category: established CHILD SA flags: 200: Aug 26 13:08:54.599002: | -> UNDEFINED EVENT_NULL Aug 26 13:08:54.599005: | QUICK_R2: category: established CHILD SA flags: 0: Aug 26 13:08:54.599007: | -> UNDEFINED EVENT_NULL Aug 26 13:08:54.599010: | INFO: category: informational flags: 0: Aug 26 13:08:54.599013: | -> UNDEFINED EVENT_NULL Aug 26 13:08:54.599016: | INFO_PROTECTED: category: informational flags: 0: Aug 26 13:08:54.599018: | -> UNDEFINED EVENT_NULL Aug 26 13:08:54.599021: | XAUTH_R0: category: established IKE SA flags: 0: Aug 26 13:08:54.599024: | -> XAUTH_R1 EVENT_NULL Aug 26 13:08:54.599027: | XAUTH_R1: category: established IKE SA flags: 0: Aug 26 13:08:54.599029: | -> MAIN_R3 EVENT_SA_REPLACE Aug 26 13:08:54.599032: | MODE_CFG_R0: category: informational flags: 0: Aug 26 13:08:54.599034: | -> 
MODE_CFG_R1 EVENT_SA_REPLACE Aug 26 13:08:54.599037: | MODE_CFG_R1: category: established IKE SA flags: 0: Aug 26 13:08:54.599040: | -> MODE_CFG_R2 EVENT_SA_REPLACE Aug 26 13:08:54.599043: | MODE_CFG_R2: category: established IKE SA flags: 0: Aug 26 13:08:54.599045: | -> UNDEFINED EVENT_NULL Aug 26 13:08:54.599048: | MODE_CFG_I1: category: established IKE SA flags: 0: Aug 26 13:08:54.599051: | -> MAIN_I4 EVENT_SA_REPLACE Aug 26 13:08:54.599053: | XAUTH_I0: category: established IKE SA flags: 0: Aug 26 13:08:54.599056: | -> XAUTH_I1 EVENT_RETRANSMIT Aug 26 13:08:54.599059: | XAUTH_I1: category: established IKE SA flags: 0: Aug 26 13:08:54.599061: | -> MAIN_I4 EVENT_RETRANSMIT Aug 26 13:08:54.599067: | checking IKEv2 state table Aug 26 13:08:54.599073: | PARENT_I0: category: ignore flags: 0: Aug 26 13:08:54.599076: | -> PARENT_I1 EVENT_RETRANSMIT send-request (initiate IKE_SA_INIT) Aug 26 13:08:54.599079: | PARENT_I1: category: half-open IKE SA flags: 0: Aug 26 13:08:54.599082: | -> PARENT_I1 EVENT_RETAIN send-request (Initiator: process SA_INIT reply notification) Aug 26 13:08:54.599085: | -> PARENT_I2 EVENT_RETRANSMIT send-request (Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH) Aug 26 13:08:54.599088: | PARENT_I2: category: open IKE SA flags: 0: Aug 26 13:08:54.599091: | -> PARENT_I2 EVENT_NULL (Initiator: process INVALID_SYNTAX AUTH notification) Aug 26 13:08:54.599094: | -> PARENT_I2 EVENT_NULL (Initiator: process AUTHENTICATION_FAILED AUTH notification) Aug 26 13:08:54.599097: | -> PARENT_I2 EVENT_NULL (Initiator: process UNSUPPORTED_CRITICAL_PAYLOAD AUTH notification) Aug 26 13:08:54.599100: | -> V2_IPSEC_I EVENT_SA_REPLACE (Initiator: process IKE_AUTH response) Aug 26 13:08:54.599103: | -> PARENT_I2 EVENT_NULL (IKE SA: process IKE_AUTH response containing unknown notification) Aug 26 13:08:54.599106: | PARENT_I3: category: established IKE SA flags: 0: Aug 26 13:08:54.599108: | -> PARENT_I3 EVENT_RETAIN (I3: Informational Request) Aug 26 
13:08:54.599111: | -> PARENT_I3 EVENT_RETAIN (I3: Informational Response) Aug 26 13:08:54.599114: | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Request) Aug 26 13:08:54.599116: | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Response) Aug 26 13:08:54.599119: | PARENT_R0: category: half-open IKE SA flags: 0: Aug 26 13:08:54.599122: | -> PARENT_R1 EVENT_SO_DISCARD send-request (Respond to IKE_SA_INIT) Aug 26 13:08:54.599125: | PARENT_R1: category: half-open IKE SA flags: 0: Aug 26 13:08:54.599128: | -> PARENT_R1 EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request (no SKEYSEED)) Aug 26 13:08:54.599131: | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request) Aug 26 13:08:54.599134: | PARENT_R2: category: established IKE SA flags: 0: Aug 26 13:08:54.599136: | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Request) Aug 26 13:08:54.599141: | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Response) Aug 26 13:08:54.599144: | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Request) Aug 26 13:08:54.599146: | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Response) Aug 26 13:08:54.599149: | V2_CREATE_I0: category: established IKE SA flags: 0: Aug 26 13:08:54.599152: | -> V2_CREATE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec SA) Aug 26 13:08:54.599155: | V2_CREATE_I: category: established IKE SA flags: 0: Aug 26 13:08:54.599158: | -> V2_IPSEC_I EVENT_SA_REPLACE (Process CREATE_CHILD_SA IPsec SA Response) Aug 26 13:08:54.599161: | V2_REKEY_IKE_I0: category: established IKE SA flags: 0: Aug 26 13:08:54.599164: | -> V2_REKEY_IKE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IKE Rekey) Aug 26 13:08:54.599167: | V2_REKEY_IKE_I: category: established IKE SA flags: 0: Aug 26 13:08:54.599170: | -> PARENT_I3 EVENT_SA_REPLACE (Process CREATE_CHILD_SA IKE Rekey Response) Aug 26 13:08:54.599173: | V2_REKEY_CHILD_I0: category: established IKE SA flags: 0: Aug 26 13:08:54.599175: | -> 
V2_REKEY_CHILD_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec Rekey SA) Aug 26 13:08:54.599179: | V2_REKEY_CHILD_I: category: established IKE SA flags: 0: Aug 26 13:08:54.599182: | V2_CREATE_R: category: established IKE SA flags: 0: Aug 26 13:08:54.599184: | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IPsec SA Request) Aug 26 13:08:54.599187: | V2_REKEY_IKE_R: category: established IKE SA flags: 0: Aug 26 13:08:54.599190: | -> PARENT_R2 EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IKE Rekey) Aug 26 13:08:54.599193: | V2_REKEY_CHILD_R: category: established IKE SA flags: 0: Aug 26 13:08:54.599196: | V2_IPSEC_I: category: established CHILD SA flags: 0: Aug 26 13:08:54.599199: | V2_IPSEC_R: category: established CHILD SA flags: 0: Aug 26 13:08:54.599202: | IKESA_DEL: category: established IKE SA flags: 0: Aug 26 13:08:54.599205: | -> IKESA_DEL EVENT_RETAIN (IKE_SA_DEL: process INFORMATIONAL) Aug 26 13:08:54.599208: | CHILDSA_DEL: category: informational flags: 0: Aug 26 13:08:54.599223: Using Linux XFRM/NETKEY IPsec interface code on 5.1.18-200.fc29.x86_64 Aug 26 13:08:54.599314: | Hard-wiring algorithms Aug 26 13:08:54.599322: | adding AES_CCM_16 to kernel algorithm db Aug 26 13:08:54.599327: | adding AES_CCM_12 to kernel algorithm db Aug 26 13:08:54.599329: | adding AES_CCM_8 to kernel algorithm db Aug 26 13:08:54.599332: | adding 3DES_CBC to kernel algorithm db Aug 26 13:08:54.599335: | adding CAMELLIA_CBC to kernel algorithm db Aug 26 13:08:54.599338: | adding AES_GCM_16 to kernel algorithm db Aug 26 13:08:54.599340: | adding AES_GCM_12 to kernel algorithm db Aug 26 13:08:54.599343: | adding AES_GCM_8 to kernel algorithm db Aug 26 13:08:54.599345: | adding AES_CTR to kernel algorithm db Aug 26 13:08:54.599348: | adding AES_CBC to kernel algorithm db Aug 26 13:08:54.599351: | adding SERPENT_CBC to kernel algorithm db Aug 26 13:08:54.599354: | adding TWOFISH_CBC to kernel algorithm db Aug 26 13:08:54.599356: 
| adding NULL_AUTH_AES_GMAC to kernel algorithm db Aug 26 13:08:54.599359: | adding NULL to kernel algorithm db Aug 26 13:08:54.599362: | adding CHACHA20_POLY1305 to kernel algorithm db Aug 26 13:08:54.599365: | adding HMAC_MD5_96 to kernel algorithm db Aug 26 13:08:54.599367: | adding HMAC_SHA1_96 to kernel algorithm db Aug 26 13:08:54.599370: | adding HMAC_SHA2_512_256 to kernel algorithm db Aug 26 13:08:54.599373: | adding HMAC_SHA2_384_192 to kernel algorithm db Aug 26 13:08:54.599375: | adding HMAC_SHA2_256_128 to kernel algorithm db Aug 26 13:08:54.599378: | adding HMAC_SHA2_256_TRUNCBUG to kernel algorithm db Aug 26 13:08:54.599381: | adding AES_XCBC_96 to kernel algorithm db Aug 26 13:08:54.599383: | adding AES_CMAC_96 to kernel algorithm db Aug 26 13:08:54.599386: | adding NONE to kernel algorithm db Aug 26 13:08:54.599409: | net.ipv6.conf.all.disable_ipv6=1 ignore ipv6 holes Aug 26 13:08:54.599416: | global periodic timer EVENT_SHUNT_SCAN enabled with interval of 20 seconds Aug 26 13:08:54.599419: | setup kernel fd callback Aug 26 13:08:54.599422: | add_fd_read_event_handler: new KERNEL_XRM_FD-pe@0x55f6950bab58 Aug 26 13:08:54.599427: | libevent_malloc: new ptr-libevent@0x55f69509e368 size 128 Aug 26 13:08:54.599431: | libevent_malloc: new ptr-libevent@0x55f6950ba0b8 size 16 Aug 26 13:08:54.599438: | add_fd_read_event_handler: new KERNEL_ROUTE_FD-pe@0x55f6950b9fa8 Aug 26 13:08:54.599442: | libevent_malloc: new ptr-libevent@0x55f695064cb8 size 128 Aug 26 13:08:54.599445: | libevent_malloc: new ptr-libevent@0x55f6950baaa8 size 16 Aug 26 13:08:54.599693: | global one-shot timer EVENT_CHECK_CRLS initialized Aug 26 13:08:54.599702: selinux support is enabled. 
Aug 26 13:08:54.600022: | unbound context created - setting debug level to 5 Aug 26 13:08:54.600051: | /etc/hosts lookups activated Aug 26 13:08:54.600065: | /etc/resolv.conf usage activated Aug 26 13:08:54.600131: | outgoing-port-avoid set 0-65535 Aug 26 13:08:54.600162: | outgoing-port-permit set 32768-60999 Aug 26 13:08:54.600165: | Loading dnssec root key from:/var/lib/unbound/root.key Aug 26 13:08:54.600169: | No additional dnssec trust anchors defined via dnssec-trusted= option Aug 26 13:08:54.600172: | Setting up events, loop start Aug 26 13:08:54.600175: | add_fd_read_event_handler: new PLUTO_CTL_FD-pe@0x55f6950baae8 Aug 26 13:08:54.600178: | libevent_malloc: new ptr-libevent@0x55f6950c6da8 size 128 Aug 26 13:08:54.600182: | libevent_malloc: new ptr-libevent@0x55f6950d20b8 size 16 Aug 26 13:08:54.600188: | libevent_realloc: new ptr-libevent@0x55f6950d20f8 size 256 Aug 26 13:08:54.600191: | libevent_malloc: new ptr-libevent@0x55f6950d2228 size 8 Aug 26 13:08:54.600194: | libevent_realloc: new ptr-libevent@0x55f6950646e8 size 144 Aug 26 13:08:54.600197: | libevent_malloc: new ptr-libevent@0x55f695065f98 size 152 Aug 26 13:08:54.600201: | libevent_malloc: new ptr-libevent@0x55f6950d2268 size 16 Aug 26 13:08:54.600205: | signal event handler PLUTO_SIGCHLD installed Aug 26 13:08:54.600207: | libevent_malloc: new ptr-libevent@0x55f6950d22a8 size 8 Aug 26 13:08:54.600210: | libevent_malloc: new ptr-libevent@0x55f6950d22e8 size 152 Aug 26 13:08:54.600213: | signal event handler PLUTO_SIGTERM installed Aug 26 13:08:54.600216: | libevent_malloc: new ptr-libevent@0x55f6950d23b8 size 8 Aug 26 13:08:54.600219: | libevent_malloc: new ptr-libevent@0x55f6950d23f8 size 152 Aug 26 13:08:54.600222: | signal event handler PLUTO_SIGHUP installed Aug 26 13:08:54.600224: | libevent_malloc: new ptr-libevent@0x55f6950d24c8 size 8 Aug 26 13:08:54.600227: | libevent_realloc: release ptr-libevent@0x55f6950646e8 Aug 26 13:08:54.600230: | libevent_realloc: new 
ptr-libevent@0x55f6950d2508 size 256 Aug 26 13:08:54.600233: | libevent_malloc: new ptr-libevent@0x55f6950d2638 size 152 Aug 26 13:08:54.600236: | signal event handler PLUTO_SIGSYS installed Aug 26 13:08:54.600689: | created addconn helper (pid:16203) using fork+execve Aug 26 13:08:54.600712: | forked child 16203 Aug 26 13:08:54.600762: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 13:08:54.600780: listening for IKE messages Aug 26 13:08:54.600821: | Inspecting interface lo Aug 26 13:08:54.600829: | found lo with address 127.0.0.1 Aug 26 13:08:54.600832: | Inspecting interface eth0 Aug 26 13:08:54.600837: | found eth0 with address 192.0.2.254 Aug 26 13:08:54.600842: | Inspecting interface eth1 Aug 26 13:08:54.600847: | found eth1 with address 192.1.2.23 Aug 26 13:08:54.600945: Kernel supports NIC esp-hw-offload Aug 26 13:08:54.600957: adding interface eth1/eth1 (esp-hw-offload not supported by kernel) 192.1.2.23:500 Aug 26 13:08:54.600979: | NAT-Traversal: Trying sockopt style NAT-T Aug 26 13:08:54.600985: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 Aug 26 13:08:54.600989: adding interface eth1/eth1 192.1.2.23:4500 Aug 26 13:08:54.601021: adding interface eth0/eth0 (esp-hw-offload not supported by kernel) 192.0.2.254:500 Aug 26 13:08:54.601042: | NAT-Traversal: Trying sockopt style NAT-T Aug 26 13:08:54.601047: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 Aug 26 13:08:54.601051: adding interface eth0/eth0 192.0.2.254:4500 Aug 26 13:08:54.601077: adding interface lo/lo (esp-hw-offload not supported by kernel) 127.0.0.1:500 Aug 26 13:08:54.601098: | NAT-Traversal: Trying sockopt style NAT-T Aug 26 13:08:54.601103: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 Aug 26 13:08:54.601107: adding interface lo/lo 127.0.0.1:4500 Aug 26 13:08:54.601192: | no interfaces to sort Aug 26 
13:08:54.601197: | FOR_EACH_UNORIENTED_CONNECTION_... in check_orientations Aug 26 13:08:54.601207: | add_fd_read_event_handler: new ethX-pe@0x55f6950d2b88 Aug 26 13:08:54.601211: | libevent_malloc: new ptr-libevent@0x55f6950c6cf8 size 128 Aug 26 13:08:54.601215: | libevent_malloc: new ptr-libevent@0x55f6950d2bf8 size 16 Aug 26 13:08:54.601223: | setup callback for interface lo 127.0.0.1:4500 fd 22 Aug 26 13:08:54.601226: | add_fd_read_event_handler: new ethX-pe@0x55f6950d2c38 Aug 26 13:08:54.601232: | libevent_malloc: new ptr-libevent@0x55f695064eb8 size 128 Aug 26 13:08:54.601235: | libevent_malloc: new ptr-libevent@0x55f6950d2ca8 size 16 Aug 26 13:08:54.601241: | setup callback for interface lo 127.0.0.1:500 fd 21 Aug 26 13:08:54.601244: | add_fd_read_event_handler: new ethX-pe@0x55f6950d2ce8 Aug 26 13:08:54.601247: | libevent_malloc: new ptr-libevent@0x55f695064db8 size 128 Aug 26 13:08:54.601251: | libevent_malloc: new ptr-libevent@0x55f6950d2d58 size 16 Aug 26 13:08:54.601256: | setup callback for interface eth0 192.0.2.254:4500 fd 20 Aug 26 13:08:54.601259: | add_fd_read_event_handler: new ethX-pe@0x55f6950d2d98 Aug 26 13:08:54.601262: | libevent_malloc: new ptr-libevent@0x55f6950645e8 size 128 Aug 26 13:08:54.601266: | libevent_malloc: new ptr-libevent@0x55f6950d2e08 size 16 Aug 26 13:08:54.601271: | setup callback for interface eth0 192.0.2.254:500 fd 19 Aug 26 13:08:54.601274: | add_fd_read_event_handler: new ethX-pe@0x55f6950d2e48 Aug 26 13:08:54.601280: | libevent_malloc: new ptr-libevent@0x55f6950334e8 size 128 Aug 26 13:08:54.601283: | libevent_malloc: new ptr-libevent@0x55f6950d2eb8 size 16 Aug 26 13:08:54.601294: | setup callback for interface eth1 192.1.2.23:4500 fd 18 Aug 26 13:08:54.601300: | add_fd_read_event_handler: new ethX-pe@0x55f6950d2ef8 Aug 26 13:08:54.601304: | libevent_malloc: new ptr-libevent@0x55f6950331d8 size 128 Aug 26 13:08:54.601307: | libevent_malloc: new ptr-libevent@0x55f6950d2f68 size 16 Aug 26 13:08:54.601313: | setup 
callback for interface eth1 192.1.2.23:500 fd 17 Aug 26 13:08:54.601319: | certs and keys locked by 'free_preshared_secrets' Aug 26 13:08:54.601323: | certs and keys unlocked by 'free_preshared_secrets' Aug 26 13:08:54.601345: loading secrets from "/etc/ipsec.secrets" Aug 26 13:08:54.601358: | id type added to secret(0x55f69502ec48) PKK_PSK: @east Aug 26 13:08:54.601363: | id type added to secret(0x55f69502ec48) PKK_PSK: @west Aug 26 13:08:54.601368: | Processing PSK at line 1: passed Aug 26 13:08:54.601371: | certs and keys locked by 'process_secret' Aug 26 13:08:54.601376: | certs and keys unlocked by 'process_secret' Aug 26 13:08:54.601387: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 13:08:54.601395: | spent 0.64 milliseconds in whack Aug 26 13:08:54.629683: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 13:08:54.629706: listening for IKE messages Aug 26 13:08:54.629791: | Inspecting interface lo Aug 26 13:08:54.629797: | found lo with address 127.0.0.1 Aug 26 13:08:54.629799: | Inspecting interface eth0 Aug 26 13:08:54.629802: | found eth0 with address 192.0.2.254 Aug 26 13:08:54.629804: | Inspecting interface eth1 Aug 26 13:08:54.629807: | found eth1 with address 192.1.2.23 Aug 26 13:08:54.629851: | no interfaces to sort Aug 26 13:08:54.629863: | libevent_free: release ptr-libevent@0x55f6950c6cf8 Aug 26 13:08:54.629866: | free_event_entry: release EVENT_NULL-pe@0x55f6950d2b88 Aug 26 13:08:54.629868: | add_fd_read_event_handler: new ethX-pe@0x55f6950d2b88 Aug 26 13:08:54.629871: | libevent_malloc: new ptr-libevent@0x55f6950c6cf8 size 128 Aug 26 13:08:54.629877: | setup callback for interface lo 127.0.0.1:4500 fd 22 Aug 26 13:08:54.629879: | libevent_free: release ptr-libevent@0x55f695064eb8 Aug 26 13:08:54.629881: | free_event_entry: release EVENT_NULL-pe@0x55f6950d2c38 Aug 26 13:08:54.629883: | add_fd_read_event_handler: new ethX-pe@0x55f6950d2c38 Aug 26 
13:08:54.629885: | libevent_malloc: new ptr-libevent@0x55f695064eb8 size 128 Aug 26 13:08:54.629888: | setup callback for interface lo 127.0.0.1:500 fd 21 Aug 26 13:08:54.629891: | libevent_free: release ptr-libevent@0x55f695064db8 Aug 26 13:08:54.629893: | free_event_entry: release EVENT_NULL-pe@0x55f6950d2ce8 Aug 26 13:08:54.629894: | add_fd_read_event_handler: new ethX-pe@0x55f6950d2ce8 Aug 26 13:08:54.629896: | libevent_malloc: new ptr-libevent@0x55f695064db8 size 128 Aug 26 13:08:54.629899: | setup callback for interface eth0 192.0.2.254:4500 fd 20 Aug 26 13:08:54.629902: | libevent_free: release ptr-libevent@0x55f6950645e8 Aug 26 13:08:54.629904: | free_event_entry: release EVENT_NULL-pe@0x55f6950d2d98 Aug 26 13:08:54.629905: | add_fd_read_event_handler: new ethX-pe@0x55f6950d2d98 Aug 26 13:08:54.629907: | libevent_malloc: new ptr-libevent@0x55f6950645e8 size 128 Aug 26 13:08:54.629910: | setup callback for interface eth0 192.0.2.254:500 fd 19 Aug 26 13:08:54.629913: | libevent_free: release ptr-libevent@0x55f6950334e8 Aug 26 13:08:54.629915: | free_event_entry: release EVENT_NULL-pe@0x55f6950d2e48 Aug 26 13:08:54.629916: | add_fd_read_event_handler: new ethX-pe@0x55f6950d2e48 Aug 26 13:08:54.629918: | libevent_malloc: new ptr-libevent@0x55f6950334e8 size 128 Aug 26 13:08:54.629921: | setup callback for interface eth1 192.1.2.23:4500 fd 18 Aug 26 13:08:54.629924: | libevent_free: release ptr-libevent@0x55f6950331d8 Aug 26 13:08:54.629926: | free_event_entry: release EVENT_NULL-pe@0x55f6950d2ef8 Aug 26 13:08:54.629927: | add_fd_read_event_handler: new ethX-pe@0x55f6950d2ef8 Aug 26 13:08:54.629929: | libevent_malloc: new ptr-libevent@0x55f6950331d8 size 128 Aug 26 13:08:54.629932: | setup callback for interface eth1 192.1.2.23:500 fd 17 Aug 26 13:08:54.629934: | certs and keys locked by 'free_preshared_secrets' Aug 26 13:08:54.629936: forgetting secrets Aug 26 13:08:54.629943: | certs and keys unlocked by 'free_preshared_secrets' Aug 26 13:08:54.629956: loading 
secrets from "/etc/ipsec.secrets" Aug 26 13:08:54.629963: | id type added to secret(0x55f69502ec48) PKK_PSK: @east Aug 26 13:08:54.629967: | id type added to secret(0x55f69502ec48) PKK_PSK: @west Aug 26 13:08:54.629970: | Processing PSK at line 1: passed Aug 26 13:08:54.629972: | certs and keys locked by 'process_secret' Aug 26 13:08:54.629973: | certs and keys unlocked by 'process_secret' Aug 26 13:08:54.629981: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 13:08:54.629989: | spent 0.311 milliseconds in whack Aug 26 13:08:54.630559: | processing signal PLUTO_SIGCHLD Aug 26 13:08:54.630572: | waitpid returned pid 16203 (exited with status 0) Aug 26 13:08:54.630575: | reaped addconn helper child (status 0) Aug 26 13:08:54.630579: | waitpid returned ECHILD (no child processes left) Aug 26 13:08:54.630583: | spent 0.0141 milliseconds in signal handler PLUTO_SIGCHLD Aug 26 13:08:54.686149: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 13:08:54.686182: | FOR_EACH_CONNECTION_... in conn_by_name Aug 26 13:08:54.686186: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias Aug 26 13:08:54.686189: | FOR_EACH_CONNECTION_... in conn_by_name Aug 26 13:08:54.686192: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias Aug 26 13:08:54.686196: | FOR_EACH_CONNECTION_... 
in conn_by_name Aug 26 13:08:54.686204: | Added new connection westnet-eastnet-ipv4-psk-ikev2 with policy PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO Aug 26 13:08:54.686266: | ike (phase1) algorithm values: AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 Aug 26 13:08:54.686271: | from whack: got --esp= Aug 26 13:08:54.686318: | ESP/AH string values: AES_GCM_16_256-NONE, AES_GCM_16_128-NONE, AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128, AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128 Aug 26 13:08:54.686326: | counting wild cards for @west is 0 Aug 26 13:08:54.686330: | counting wild cards for @east is 0 Aug 26 13:08:54.686340: | connect_to_host_pair: 192.1.2.23:500 192.1.2.45:500 -> hp@(nil): none Aug 26 13:08:54.686343: | new hp@0x55f6950d5288 Aug 26 13:08:54.686347: added connection description "westnet-eastnet-ipv4-psk-ikev2" Aug 26 13:08:54.686355: | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO Aug 26 13:08:54.686367: | 192.0.2.0/24===192.1.2.23<192.1.2.23>[@east]...192.1.2.45<192.1.2.45>[@west]===192.0.1.0/24 Aug 26 13:08:54.686374: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 13:08:54.686380: | spent 0.229 milliseconds in whack Aug 26 13:08:54.753247: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 13:08:54.753424: | FOR_EACH_CONNECTION_... in show_connections_status Aug 26 13:08:54.753431: | FOR_EACH_CONNECTION_... 
in show_connections_status Aug 26 13:08:54.753492: | FOR_EACH_STATE_... in show_states_status (sort_states) Aug 26 13:08:54.753505: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 13:08:54.753510: | spent 0.268 milliseconds in whack Aug 26 13:08:57.540247: | spent 0.003 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Aug 26 13:08:57.540276: | *received 828 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500)
Aug 26 13:08:57.540390: | start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) Aug 26 13:08:57.540393: | **parse ISAKMP Message: Aug 26 13:08:57.540395: | initiator cookie: Aug 26 13:08:57.540396: | 47 83 ee a4 d1 45 51 22 Aug 26 13:08:57.540398: | responder cookie: Aug 26 13:08:57.540399: | 00 00 00 00 00 00 00 00 Aug 26 13:08:57.540401: | next payload type: ISAKMP_NEXT_v2SA (0x21) Aug 26 13:08:57.540403: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:08:57.540405: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) Aug 26 13:08:57.540407: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Aug 26 13:08:57.540409: | Message ID: 0 (0x0) Aug 26 13:08:57.540411: | length: 828 (0x33c) Aug 26 13:08:57.540413: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_SA_INIT (34) Aug 26 13:08:57.540415: | I am the IKE SA Original Responder receiving an IKEv2 IKE_SA_INIT request Aug 26 13:08:57.540418: | State DB: IKEv2 state not found (find_v2_ike_sa_by_initiator_spi) Aug 26 13:08:57.540420: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Aug 26 13:08:57.540422: | ***parse IKEv2 Security Association Payload: Aug 26 13:08:57.540424: | next payload type: ISAKMP_NEXT_v2KE (0x22) Aug 26 13:08:57.540426: | flags: none (0x0) Aug 26 13:08:57.540427: | length: 436 (0x1b4) Aug 26 13:08:57.540429: | processing payload: ISAKMP_NEXT_v2SA (len=432) Aug 26 13:08:57.540431: | Now let's proceed with payload (ISAKMP_NEXT_v2KE) Aug 26 13:08:57.540433: | ***parse IKEv2 Key Exchange Payload: Aug 26 13:08:57.540435: | next payload type: ISAKMP_NEXT_v2Ni (0x28) Aug 26 13:08:57.540436: | flags: none (0x0) Aug 26 13:08:57.540438: | length: 264 (0x108) Aug 26 13:08:57.540440: 
| DH group: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:08:57.540443: | processing payload: ISAKMP_NEXT_v2KE (len=256) Aug 26 13:08:57.540445: | Now let's proceed with payload (ISAKMP_NEXT_v2Ni) Aug 26 13:08:57.540446: | ***parse IKEv2 Nonce Payload: Aug 26 13:08:57.540448: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 13:08:57.540450: | flags: none (0x0) Aug 26 13:08:57.540451: | length: 36 (0x24) Aug 26 13:08:57.540453: | processing payload: ISAKMP_NEXT_v2Ni (len=32) Aug 26 13:08:57.540455: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Aug 26 13:08:57.540456: | ***parse IKEv2 Notify Payload: Aug 26 13:08:57.540458: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 13:08:57.540460: | flags: none (0x0) Aug 26 13:08:57.540461: | length: 8 (0x8) Aug 26 13:08:57.540463: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:08:57.540465: | SPI size: 0 (0x0) Aug 26 13:08:57.540467: | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) Aug 26 13:08:57.540468: | processing payload: ISAKMP_NEXT_v2N (len=0) Aug 26 13:08:57.540470: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Aug 26 13:08:57.540472: | ***parse IKEv2 Notify Payload: Aug 26 13:08:57.540473: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 13:08:57.540475: | flags: none (0x0) Aug 26 13:08:57.540476: | length: 28 (0x1c) Aug 26 13:08:57.540478: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:08:57.540480: | SPI size: 0 (0x0) Aug 26 13:08:57.540481: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Aug 26 13:08:57.540483: | processing payload: ISAKMP_NEXT_v2N (len=20) Aug 26 13:08:57.540485: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Aug 26 13:08:57.540486: | ***parse IKEv2 Notify Payload: Aug 26 13:08:57.540488: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:08:57.540490: | flags: none (0x0) Aug 26 13:08:57.540491: | length: 28 (0x1c) Aug 26 13:08:57.540493: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:08:57.540494: | SPI size: 0 (0x0) Aug 26 13:08:57.540496: | 
Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Aug 26 13:08:57.540498: | processing payload: ISAKMP_NEXT_v2N (len=20) Aug 26 13:08:57.540499: | DDOS disabled and no cookie sent, continuing Aug 26 13:08:57.540503: | find_host_connection local=192.1.2.23:500 remote=192.1.2.45:500 policy=ECDSA+IKEV2_ALLOW but ignoring ports Aug 26 13:08:57.540507: | find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500 but ignoring ports Aug 26 13:08:57.540509: | find_next_host_connection policy=ECDSA+IKEV2_ALLOW Aug 26 13:08:57.540511: | found policy = PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (westnet-eastnet-ipv4-psk-ikev2) Aug 26 13:08:57.540513: | find_next_host_connection returns empty Aug 26 13:08:57.540516: | find_host_connection local=192.1.2.23:500 remote= policy=ECDSA+IKEV2_ALLOW but ignoring ports Aug 26 13:08:57.540518: | find_next_host_connection policy=ECDSA+IKEV2_ALLOW Aug 26 13:08:57.540520: | find_next_host_connection returns empty Aug 26 13:08:57.540522: | initial parent SA message received on 192.1.2.23:500 but no connection has been authorized with policy ECDSA+IKEV2_ALLOW Aug 26 13:08:57.540525: | find_host_connection local=192.1.2.23:500 remote=192.1.2.45:500 policy=RSASIG+IKEV2_ALLOW but ignoring ports Aug 26 13:08:57.540528: | find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500 but ignoring ports Aug 26 13:08:57.540530: | find_next_host_connection policy=RSASIG+IKEV2_ALLOW Aug 26 13:08:57.540532: | found policy = PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (westnet-eastnet-ipv4-psk-ikev2) Aug 26 13:08:57.540534: | find_next_host_connection returns empty Aug 26 13:08:57.540536: | find_host_connection local=192.1.2.23:500 remote= policy=RSASIG+IKEV2_ALLOW but ignoring ports Aug 26 13:08:57.540538: | find_next_host_connection policy=RSASIG+IKEV2_ALLOW Aug 26 13:08:57.540540: | find_next_host_connection returns empty Aug 26 13:08:57.540542: | initial parent SA message received on 
192.1.2.23:500 but no connection has been authorized with policy RSASIG+IKEV2_ALLOW Aug 26 13:08:57.540547: | find_host_connection local=192.1.2.23:500 remote=192.1.2.45:500 policy=PSK+IKEV2_ALLOW but ignoring ports Aug 26 13:08:57.540550: | find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500 but ignoring ports Aug 26 13:08:57.540551: | find_next_host_connection policy=PSK+IKEV2_ALLOW Aug 26 13:08:57.540553: | found policy = PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (westnet-eastnet-ipv4-psk-ikev2) Aug 26 13:08:57.540555: | find_next_host_connection returns westnet-eastnet-ipv4-psk-ikev2 Aug 26 13:08:57.540557: | find_next_host_connection policy=PSK+IKEV2_ALLOW Aug 26 13:08:57.540559: | find_next_host_connection returns empty Aug 26 13:08:57.540561: | found connection: westnet-eastnet-ipv4-psk-ikev2 with policy PSK+IKEV2_ALLOW Aug 26 13:08:57.540581: | creating state object #1 at 0x55f6950d6f98 Aug 26 13:08:57.540583: | State DB: adding IKEv2 state #1 in UNDEFINED Aug 26 13:08:57.540589: | pstats #1 ikev2.ike started Aug 26 13:08:57.540592: | Message ID: init #1: msgid=0 lastack=4294967295 nextuse=0 lastrecv=4294967295 lastreplied=0 Aug 26 13:08:57.540594: | parent state #1: UNDEFINED(ignore) => PARENT_R0(half-open IKE SA) Aug 26 13:08:57.540598: | Message ID: init_ike #1; ike: initiator.sent=0->-1 initiator.recv=0->-1 responder.sent=0->-1 responder.recv=0->-1 wip.initiator=0->-1 wip.responder=0->-1 Aug 26 13:08:57.540617: | start processing: state #1 connection "westnet-eastnet-ipv4-psk-ikev2" from 192.1.2.45 (in ikev2_process_packet() at ikev2.c:2016) Aug 26 13:08:57.540620: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Aug 26 13:08:57.540622: | [RE]START processing: state #1 connection "westnet-eastnet-ipv4-psk-ikev2" from 192.1.2.45 (in ike_process_packet() at ikev2.c:2064) Aug 26 13:08:57.540625: | #1 st.st_msgid_lastrecv -1 md.hdr.isa_msgid 00000000 Aug 26 13:08:57.540627: | Message ID: #1 not a duplicate - 
message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1 Aug 26 13:08:57.540630: | Message ID: start-responder #1 request 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1 wip.initiator=-1 wip.responder=-1->0 Aug 26 13:08:57.540632: | #1 in state PARENT_R0: processing SA_INIT request Aug 26 13:08:57.540634: | selected state microcode Respond to IKE_SA_INIT Aug 26 13:08:57.540636: | Now let's proceed with state specific processing Aug 26 13:08:57.540638: | calling processor Respond to IKE_SA_INIT Aug 26 13:08:57.540656: | #1 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2669) Aug 26 13:08:57.540659: | constructing local IKE proposals for westnet-eastnet-ipv4-psk-ikev2 (IKE SA responder matching remote proposals) Aug 26 13:08:57.540665: | converting ike_info AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Aug 26 13:08:57.540670: | ... ikev2_proposal: 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Aug 26 13:08:57.540673: | converting ike_info AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Aug 26 13:08:57.540676: | ... ikev2_proposal: 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Aug 26 13:08:57.540679: | converting ike_info AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Aug 26 13:08:57.540683: | ... 
ikev2_proposal: 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Aug 26 13:08:57.540685: | converting ike_info AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Aug 26 13:08:57.540688: | ... ikev2_proposal: 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Aug 26 13:08:57.540697: "westnet-eastnet-ipv4-psk-ikev2": constructed local IKE proposals for westnet-eastnet-ipv4-psk-ikev2 (IKE SA responder matching remote proposals): 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Aug 26 13:08:57.540699: | Comparing remote proposals against IKE responder 4 local proposals Aug 26 13:08:57.540703: | local proposal 1 type ENCR has 1 transforms Aug 26 13:08:57.540705: | local proposal 1 type PRF has 2 transforms Aug 26 13:08:57.540707: | local proposal 1 type INTEG has 1 transforms Aug 26 13:08:57.540708: | local proposal 1 type DH has 8 transforms Aug 26 13:08:57.540710: | local proposal 1 type ESN has 0 transforms Aug 26 13:08:57.540712: | local proposal 1 transforms: required: ENCR+PRF+DH; optional: INTEG Aug 26 13:08:57.540714: | local proposal 2 type ENCR has 1 transforms Aug 26 13:08:57.540716: | local 
proposal 2 type PRF has 2 transforms Aug 26 13:08:57.540718: | local proposal 2 type INTEG has 1 transforms Aug 26 13:08:57.540719: | local proposal 2 type DH has 8 transforms Aug 26 13:08:57.540721: | local proposal 2 type ESN has 0 transforms Aug 26 13:08:57.540723: | local proposal 2 transforms: required: ENCR+PRF+DH; optional: INTEG Aug 26 13:08:57.540725: | local proposal 3 type ENCR has 1 transforms Aug 26 13:08:57.540726: | local proposal 3 type PRF has 2 transforms Aug 26 13:08:57.540728: | local proposal 3 type INTEG has 2 transforms Aug 26 13:08:57.540730: | local proposal 3 type DH has 8 transforms Aug 26 13:08:57.540731: | local proposal 3 type ESN has 0 transforms Aug 26 13:08:57.540733: | local proposal 3 transforms: required: ENCR+PRF+INTEG+DH; optional: none Aug 26 13:08:57.540735: | local proposal 4 type ENCR has 1 transforms Aug 26 13:08:57.540736: | local proposal 4 type PRF has 2 transforms Aug 26 13:08:57.540738: | local proposal 4 type INTEG has 2 transforms Aug 26 13:08:57.540740: | local proposal 4 type DH has 8 transforms Aug 26 13:08:57.540742: | local proposal 4 type ESN has 0 transforms Aug 26 13:08:57.540743: | local proposal 4 transforms: required: ENCR+PRF+INTEG+DH; optional: none Aug 26 13:08:57.540746: | ****parse IKEv2 Proposal Substructure Payload: Aug 26 13:08:57.540747: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 13:08:57.540749: | length: 100 (0x64) Aug 26 13:08:57.540751: | prop #: 1 (0x1) Aug 26 13:08:57.540753: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 13:08:57.540754: | spi size: 0 (0x0) Aug 26 13:08:57.540756: | # transforms: 11 (0xb) Aug 26 13:08:57.540758: | Comparing remote proposal 1 containing 11 transforms against local proposal [1..4] of 4 local proposals Aug 26 13:08:57.540760: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:08:57.540762: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:08:57.540764: | length: 12 (0xc) Aug 26 13:08:57.540766: | IKEv2 transform type: TRANS_TYPE_ENCR 
(0x1) Aug 26 13:08:57.540767: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 13:08:57.540769: | ******parse IKEv2 Attribute Substructure Payload: Aug 26 13:08:57.540771: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:08:57.540773: | length/value: 256 (0x100) Aug 26 13:08:57.540775: | remote proposal 1 transform 0 (ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) transform 0 Aug 26 13:08:57.540777: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:08:57.540781: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:08:57.540782: | length: 8 (0x8) Aug 26 13:08:57.540784: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:08:57.540786: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Aug 26 13:08:57.540788: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 1 type 2 (PRF) transform 0 Aug 26 13:08:57.540790: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 2 type 2 (PRF) transform 0 Aug 26 13:08:57.540792: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 3 type 2 (PRF) transform 0 Aug 26 13:08:57.540794: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 4 type 2 (PRF) transform 0 Aug 26 13:08:57.540796: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:08:57.540798: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:08:57.540799: | length: 8 (0x8) Aug 26 13:08:57.540801: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:08:57.540803: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Aug 26 13:08:57.540805: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:08:57.540806: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:08:57.540808: | length: 8 (0x8) Aug 26 13:08:57.540810: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:08:57.540811: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:08:57.540813: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 1 type 4 (DH) transform 0 Aug 26 
13:08:57.540816: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 2 type 4 (DH) transform 0 Aug 26 13:08:57.540818: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 3 type 4 (DH) transform 0 Aug 26 13:08:57.540820: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 4 type 4 (DH) transform 0 Aug 26 13:08:57.540821: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:08:57.540823: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:08:57.540825: | length: 8 (0x8) Aug 26 13:08:57.540826: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:08:57.540828: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Aug 26 13:08:57.540830: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:08:57.540832: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:08:57.540833: | length: 8 (0x8) Aug 26 13:08:57.540835: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:08:57.540836: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Aug 26 13:08:57.540838: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:08:57.540840: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:08:57.540841: | length: 8 (0x8) Aug 26 13:08:57.540843: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:08:57.540845: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Aug 26 13:08:57.540847: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:08:57.540848: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:08:57.540850: | length: 8 (0x8) Aug 26 13:08:57.540851: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:08:57.540853: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Aug 26 13:08:57.540855: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:08:57.540857: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:08:57.540858: | length: 8 (0x8) Aug 26 13:08:57.540860: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:08:57.540861: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) 
Aug 26 13:08:57.540863: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:08:57.540865: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:08:57.540867: | length: 8 (0x8) Aug 26 13:08:57.540868: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:08:57.540870: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Aug 26 13:08:57.540872: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:08:57.540873: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:08:57.540876: | length: 8 (0x8) Aug 26 13:08:57.540878: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:08:57.540879: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Aug 26 13:08:57.540882: | remote proposal 1 proposed transforms: ENCR+PRF+DH; matched: ENCR+PRF+DH; unmatched: none Aug 26 13:08:57.540885: | comparing remote proposal 1 containing ENCR+PRF+DH transforms to local proposal 1; required: ENCR+PRF+DH; optional: INTEG; matched: ENCR+PRF+DH Aug 26 13:08:57.540887: | remote proposal 1 matches local proposal 1 Aug 26 13:08:57.540889: | ****parse IKEv2 Proposal Substructure Payload: Aug 26 13:08:57.540890: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 13:08:57.540892: | length: 100 (0x64) Aug 26 13:08:57.540893: | prop #: 2 (0x2) Aug 26 13:08:57.540895: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 13:08:57.540897: | spi size: 0 (0x0) Aug 26 13:08:57.540898: | # transforms: 11 (0xb) Aug 26 13:08:57.540900: | Comparing remote proposal 2 containing 11 transforms against local proposal [1..0] of 4 local proposals Aug 26 13:08:57.540902: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:08:57.540904: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:08:57.540905: | length: 12 (0xc) Aug 26 13:08:57.540907: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:08:57.540909: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 13:08:57.540911: | ******parse IKEv2 Attribute Substructure Payload: Aug 26 13:08:57.540912: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 
13:08:57.540914: | length/value: 128 (0x80) Aug 26 13:08:57.540916: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:08:57.540917: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:08:57.540919: | length: 8 (0x8) Aug 26 13:08:57.540921: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:08:57.540922: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Aug 26 13:08:57.540924: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:08:57.540926: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:08:57.540927: | length: 8 (0x8) Aug 26 13:08:57.540929: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:08:57.540931: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Aug 26 13:08:57.540933: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:08:57.540934: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:08:57.540936: | length: 8 (0x8) Aug 26 13:08:57.540938: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:08:57.540939: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:08:57.540941: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:08:57.540943: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:08:57.540944: | length: 8 (0x8) Aug 26 13:08:57.540946: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:08:57.540948: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Aug 26 13:08:57.540949: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:08:57.540951: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:08:57.540953: | length: 8 (0x8) Aug 26 13:08:57.540954: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:08:57.540956: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Aug 26 13:08:57.540958: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:08:57.540959: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:08:57.540961: | length: 8 (0x8) Aug 26 13:08:57.540963: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:08:57.540964: | IKEv2 transform ID: 
OAKLEY_GROUP_MODP8192 (0x12) Aug 26 13:08:57.540966: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:08:57.540968: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:08:57.540969: | length: 8 (0x8) Aug 26 13:08:57.540971: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:08:57.540973: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Aug 26 13:08:57.540974: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:08:57.540979: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:08:57.540981: | length: 8 (0x8) Aug 26 13:08:57.540982: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:08:57.540984: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Aug 26 13:08:57.540986: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:08:57.540988: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:08:57.540989: | length: 8 (0x8) Aug 26 13:08:57.540991: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:08:57.540993: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Aug 26 13:08:57.540994: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:08:57.540996: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:08:57.540998: | length: 8 (0x8) Aug 26 13:08:57.540999: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:08:57.541001: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Aug 26 13:08:57.541003: | remote proposal 2 proposed transforms: ENCR+PRF+DH; matched: none; unmatched: ENCR+PRF+DH Aug 26 13:08:57.541005: | remote proposal 2 does not match; unmatched remote transforms: ENCR+PRF+DH Aug 26 13:08:57.541007: | ****parse IKEv2 Proposal Substructure Payload: Aug 26 13:08:57.541009: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 13:08:57.541010: | length: 116 (0x74) Aug 26 13:08:57.541012: | prop #: 3 (0x3) Aug 26 13:08:57.541013: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 13:08:57.541015: | spi size: 0 (0x0) Aug 26 13:08:57.541017: | # transforms: 13 (0xd) Aug 26 13:08:57.541019: | Comparing remote proposal 3 
containing 13 transforms against local proposal [1..0] of 4 local proposals Aug 26 13:08:57.541020: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:08:57.541022: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:08:57.541037: | length: 12 (0xc) Aug 26 13:08:57.541038: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:08:57.541040: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 13:08:57.541042: | ******parse IKEv2 Attribute Substructure Payload: Aug 26 13:08:57.541043: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:08:57.541045: | length/value: 256 (0x100) Aug 26 13:08:57.541047: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:08:57.541048: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:08:57.541050: | length: 8 (0x8) Aug 26 13:08:57.541051: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:08:57.541053: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Aug 26 13:08:57.541055: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:08:57.541056: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:08:57.541058: | length: 8 (0x8) Aug 26 13:08:57.541060: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:08:57.541061: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Aug 26 13:08:57.541063: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:08:57.541064: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:08:57.541066: | length: 8 (0x8) Aug 26 13:08:57.541068: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:08:57.541069: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Aug 26 13:08:57.541071: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:08:57.541073: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:08:57.541074: | length: 8 (0x8) Aug 26 13:08:57.541076: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:08:57.541077: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Aug 26 13:08:57.541079: | *****parse IKEv2 Transform Substructure Payload: Aug 26 
13:08:57.541081: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:08:57.541082: | length: 8 (0x8) Aug 26 13:08:57.541084: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:08:57.541086: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:08:57.541087: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:08:57.541089: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:08:57.541090: | length: 8 (0x8) Aug 26 13:08:57.541093: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:08:57.541095: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Aug 26 13:08:57.541096: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:08:57.541098: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:08:57.541100: | length: 8 (0x8) Aug 26 13:08:57.541101: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:08:57.541103: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Aug 26 13:08:57.541104: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:08:57.541106: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:08:57.541108: | length: 8 (0x8) Aug 26 13:08:57.541109: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:08:57.541111: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Aug 26 13:08:57.541112: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:08:57.541114: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:08:57.541116: | length: 8 (0x8) Aug 26 13:08:57.541117: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:08:57.541119: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Aug 26 13:08:57.541121: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:08:57.541122: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:08:57.541124: | length: 8 (0x8) Aug 26 13:08:57.541125: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:08:57.541127: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Aug 26 13:08:57.541129: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:08:57.541130: | last 
transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:08:57.541132: | length: 8 (0x8) Aug 26 13:08:57.541133: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:08:57.541135: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Aug 26 13:08:57.541137: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:08:57.541138: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:08:57.541140: | length: 8 (0x8) Aug 26 13:08:57.541141: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:08:57.541143: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Aug 26 13:08:57.541145: | remote proposal 3 proposed transforms: ENCR+PRF+INTEG+DH; matched: none; unmatched: ENCR+PRF+INTEG+DH Aug 26 13:08:57.541147: | remote proposal 3 does not match; unmatched remote transforms: ENCR+PRF+INTEG+DH Aug 26 13:08:57.541149: | ****parse IKEv2 Proposal Substructure Payload: Aug 26 13:08:57.541151: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 13:08:57.541152: | length: 116 (0x74) Aug 26 13:08:57.541154: | prop #: 4 (0x4) Aug 26 13:08:57.541155: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 13:08:57.541157: | spi size: 0 (0x0) Aug 26 13:08:57.541158: | # transforms: 13 (0xd) Aug 26 13:08:57.541160: | Comparing remote proposal 4 containing 13 transforms against local proposal [1..0] of 4 local proposals Aug 26 13:08:57.541162: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:08:57.541164: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:08:57.541165: | length: 12 (0xc) Aug 26 13:08:57.541167: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:08:57.541168: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 13:08:57.541170: | ******parse IKEv2 Attribute Substructure Payload: Aug 26 13:08:57.541172: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:08:57.541173: | length/value: 128 (0x80) Aug 26 13:08:57.541175: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:08:57.541177: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:08:57.541178: | length: 8 (0x8) Aug 26 
13:08:57.541180: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:08:57.541181: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Aug 26 13:08:57.541183: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:08:57.541185: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:08:57.541186: | length: 8 (0x8) Aug 26 13:08:57.541188: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:08:57.541190: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Aug 26 13:08:57.541192: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:08:57.541194: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:08:57.541195: | length: 8 (0x8) Aug 26 13:08:57.541197: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:08:57.541199: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Aug 26 13:08:57.541200: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:08:57.541202: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:08:57.541203: | length: 8 (0x8) Aug 26 13:08:57.541205: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:08:57.541207: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Aug 26 13:08:57.541208: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:08:57.541210: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:08:57.541212: | length: 8 (0x8) Aug 26 13:08:57.541213: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:08:57.541215: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:08:57.541216: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:08:57.541218: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:08:57.541220: | length: 8 (0x8) Aug 26 13:08:57.541221: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:08:57.541223: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Aug 26 13:08:57.541225: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:08:57.541226: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:08:57.541228: | length: 8 (0x8) Aug 26 13:08:57.541229: | 
IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:08:57.541231: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Aug 26 13:08:57.541233: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:08:57.541234: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:08:57.541236: | length: 8 (0x8) Aug 26 13:08:57.541237: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:08:57.541239: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Aug 26 13:08:57.541241: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:08:57.541242: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:08:57.541244: | length: 8 (0x8) Aug 26 13:08:57.541245: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:08:57.541247: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Aug 26 13:08:57.541249: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:08:57.541250: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:08:57.541252: | length: 8 (0x8) Aug 26 13:08:57.541253: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:08:57.541255: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Aug 26 13:08:57.541257: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:08:57.541258: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:08:57.541260: | length: 8 (0x8) Aug 26 13:08:57.541262: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:08:57.541263: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Aug 26 13:08:57.541265: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:08:57.541266: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:08:57.541268: | length: 8 (0x8) Aug 26 13:08:57.541270: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:08:57.541284: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Aug 26 13:08:57.541287: | remote proposal 4 proposed transforms: ENCR+PRF+INTEG+DH; matched: none; unmatched: ENCR+PRF+INTEG+DH Aug 26 13:08:57.541295: | remote proposal 4 does not match; unmatched remote transforms: ENCR+PRF+INTEG+DH 
Aug 26 13:08:57.541299: "westnet-eastnet-ipv4-psk-ikev2" #1: proposal 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519[first-match] 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 Aug 26 13:08:57.541306: | accepted IKE proposal ikev2_proposal: 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048 Aug 26 13:08:57.541308: | converting proposal to internal trans attrs Aug 26 13:08:57.541311: | natd_hash: rcookie is zero Aug 26 13:08:57.541334: | natd_hash: hasher=0x55f694ed5800(20) Aug 26 13:08:57.541336: | natd_hash: icookie= 47 83 ee a4 d1 45 51 22 Aug 26 13:08:57.541338: | natd_hash: rcookie= 00 00 00 00 00 00 00 00 Aug 26 13:08:57.541339: | natd_hash: ip= c0 01 02 17 Aug 26 13:08:57.541341: | natd_hash: port=500 Aug 26 13:08:57.541343: | natd_hash: hash= 3e 98 43 ea 12 46 4b 0b d0 a4 13 ab 0b 0c ff 97 Aug 26 13:08:57.541344: | natd_hash: hash= 6c b7 9f 42 Aug 26 13:08:57.541346: | natd_hash: rcookie is zero Aug 26 13:08:57.541349: | natd_hash: hasher=0x55f694ed5800(20) Aug 26 13:08:57.541351: | natd_hash: icookie= 47 83 ee a4 d1 45 51 22 Aug 26 13:08:57.541353: | natd_hash: rcookie= 00 00 00 00 00 00 00 00 Aug 26 13:08:57.541354: | natd_hash: ip= c0 01 02 2d Aug 26 13:08:57.541356: | natd_hash: port=500 Aug 26 13:08:57.541357: | natd_hash: hash= fa c8 36 8e b4 c5 69 c5 74 
f0 98 f9 92 60 87 42 Aug 26 13:08:57.541359: | natd_hash: hash= 85 e4 d6 e1 Aug 26 13:08:57.541360: | NAT_TRAVERSAL encaps using auto-detect Aug 26 13:08:57.541362: | NAT_TRAVERSAL this end is NOT behind NAT Aug 26 13:08:57.541364: | NAT_TRAVERSAL that end is NOT behind NAT Aug 26 13:08:57.541366: | NAT_TRAVERSAL nat-keepalive enabled 192.1.2.45 Aug 26 13:08:57.541368: | adding ikev2_inI1outR1 KE work-order 1 for state #1 Aug 26 13:08:57.541370: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55f6950d6b78 Aug 26 13:08:57.541373: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 Aug 26 13:08:57.541375: | libevent_malloc: new ptr-libevent@0x55f6950d92f8 size 128 Aug 26 13:08:57.541382: | #1 spent 0.739 milliseconds in processing: Respond to IKE_SA_INIT in ikev2_process_state_packet() Aug 26 13:08:57.541400: | [RE]START processing: state #1 connection "westnet-eastnet-ipv4-psk-ikev2" from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:08:57.541403: | #1 complete_v2_state_transition() PARENT_R0->PARENT_R1 with status STF_SUSPEND Aug 26 13:08:57.541405: | suspending state #1 and saving MD Aug 26 13:08:57.541405: | crypto helper 0 resuming Aug 26 13:08:57.541421: | crypto helper 0 starting work-order 1 for state #1 Aug 26 13:08:57.541442: | crypto helper 0 doing build KE and nonce (ikev2_inI1outR1 KE); request ID 1 Aug 26 13:08:57.541407: | #1 is busy; has a suspended MD Aug 26 13:08:57.541453: | [RE]START processing: state #1 connection "westnet-eastnet-ipv4-psk-ikev2" from 192.1.2.45:500 (in log_stf_suspend() at ikev2.c:3269) Aug 26 13:08:57.541456: | "westnet-eastnet-ipv4-psk-ikev2" #1 complete v2 state STATE_PARENT_R0 transition with STF_SUSPEND suspended from complete_v2_state_transition:3451 Aug 26 13:08:57.541459: | stop processing: state #1 connection "westnet-eastnet-ipv4-psk-ikev2" from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:2018) Aug 26 13:08:57.541463: | #1 spent 1.18 milliseconds in 
ikev2_process_packet() Aug 26 13:08:57.541465: | stop processing: from 192.1.2.45:500 (in process_md() at demux.c:380) Aug 26 13:08:57.541467: | processing: STOP state #0 (in process_md() at demux.c:382) Aug 26 13:08:57.541469: | processing: STOP connection NULL (in process_md() at demux.c:383) Aug 26 13:08:57.541472: | spent 1.19 milliseconds in comm_handle_cb() reading and processing packet Aug 26 13:08:57.542098: | crypto helper 0 finished build KE and nonce (ikev2_inI1outR1 KE); request ID 1 time elapsed 0.00067 seconds Aug 26 13:08:57.542108: | (#1) spent 0.679 milliseconds in crypto helper computing work-order 1: ikev2_inI1outR1 KE (pcr) Aug 26 13:08:57.542110: | crypto helper 0 sending results from work-order 1 for state #1 to event queue Aug 26 13:08:57.542113: | scheduling resume sending helper answer for #1 Aug 26 13:08:57.542115: | libevent_malloc: new ptr-libevent@0x7ff058002888 size 128 Aug 26 13:08:57.542121: | crypto helper 0 waiting (nothing to do) Aug 26 13:08:57.542158: | processing resume sending helper answer for #1 Aug 26 13:08:57.542168: | start processing: state #1 connection "westnet-eastnet-ipv4-psk-ikev2" from 192.1.2.45:500 (in resume_handler() at server.c:797) Aug 26 13:08:57.542172: | crypto helper 0 replies to request ID 1 Aug 26 13:08:57.542174: | calling continuation function 0x55f694e00b50 Aug 26 13:08:57.542176: | ikev2_parent_inI1outR1_continue for #1: calculated ke+nonce, sending R1 Aug 26 13:08:57.542202: | **emit ISAKMP Message: Aug 26 13:08:57.542204: | initiator cookie: Aug 26 13:08:57.542206: | 47 83 ee a4 d1 45 51 22 Aug 26 13:08:57.542207: | responder cookie: Aug 26 13:08:57.542209: | 1e 77 e6 9f ca a9 9c 6a Aug 26 13:08:57.542211: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 13:08:57.542213: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:08:57.542215: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) Aug 26 13:08:57.542216: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Aug 26 13:08:57.542218: | 
Message ID: 0 (0x0) Aug 26 13:08:57.542220: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 13:08:57.542222: | Emitting ikev2_proposal ... Aug 26 13:08:57.542224: | ***emit IKEv2 Security Association Payload: Aug 26 13:08:57.542226: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:08:57.542227: | flags: none (0x0) Aug 26 13:08:57.542230: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Aug 26 13:08:57.542232: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Aug 26 13:08:57.542234: | ****emit IKEv2 Proposal Substructure Payload: Aug 26 13:08:57.542236: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 13:08:57.542237: | prop #: 1 (0x1) Aug 26 13:08:57.542239: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 13:08:57.542241: | spi size: 0 (0x0) Aug 26 13:08:57.542242: | # transforms: 3 (0x3) Aug 26 13:08:57.542244: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Aug 26 13:08:57.542246: | *****emit IKEv2 Transform Substructure Payload: Aug 26 13:08:57.542248: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:08:57.542249: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:08:57.542251: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 13:08:57.542253: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:08:57.542255: | ******emit IKEv2 Attribute Substructure Payload: Aug 26 13:08:57.542257: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:08:57.542259: | length/value: 256 (0x100) Aug 26 13:08:57.542261: | emitting length of IKEv2 Transform Substructure Payload: 12 Aug 26 13:08:57.542262: | *****emit IKEv2 Transform Substructure Payload: Aug 26 13:08:57.542264: | last transform: 
v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:08:57.542265: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:08:57.542267: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Aug 26 13:08:57.542269: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:08:57.542271: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:08:57.542275: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:08:57.542277: | *****emit IKEv2 Transform Substructure Payload: Aug 26 13:08:57.542278: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:08:57.542280: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:08:57.542282: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:08:57.542284: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:08:57.542285: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:08:57.542287: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:08:57.542332: | emitting length of IKEv2 Proposal Substructure Payload: 36 Aug 26 13:08:57.542334: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Aug 26 13:08:57.542336: | emitting length of IKEv2 Security Association Payload: 40 Aug 26 13:08:57.542338: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Aug 26 13:08:57.542340: | ***emit IKEv2 Key Exchange Payload: Aug 26 13:08:57.542342: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:08:57.542343: | flags: none (0x0) Aug 26 13:08:57.542345: | DH group: OAKLEY_GROUP_MODP2048 (0xe) 
Aug 26 13:08:57.542347: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Key Exchange Payload (34:ISAKMP_NEXT_v2KE) Aug 26 13:08:57.542349: | next payload chain: saving location 'IKEv2 Key Exchange Payload'.'next payload type' in 'reply packet' Aug 26 13:08:57.542351: | emitting 256 raw bytes of ikev2 g^x into IKEv2 Key Exchange Payload Aug 26 13:08:57.542378: | emitting length of IKEv2 Key Exchange Payload: 264 Aug 26 13:08:57.542380: | ***emit IKEv2 Nonce Payload: Aug 26 13:08:57.542382: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 13:08:57.542383: | flags: none (0x0) Aug 26 
13:08:57.542385: | next payload chain: ignoring supplied 'IKEv2 Nonce Payload'.'next payload type' value 41:ISAKMP_NEXT_v2N Aug 26 13:08:57.542387: | next payload chain: setting previous 'IKEv2 Key Exchange Payload'.'next payload type' to current IKEv2 Nonce Payload (40:ISAKMP_NEXT_v2Ni) Aug 26 13:08:57.542389: | next payload chain: saving location 'IKEv2 Nonce Payload'.'next payload type' in 'reply packet' Aug 26 13:08:57.542391: | emitting 32 raw bytes of IKEv2 nonce into IKEv2 Nonce Payload Aug 26 13:08:57.542396: | IKEv2 nonce a8 5f 8b 87 67 fc 8c d2 34 b0 08 a1 67 29 e4 0a Aug 26 13:08:57.542397: | IKEv2 nonce 9a d8 a9 5f 75 40 51 3a 2f ab 62 5e a3 5d 06 4d Aug 26 13:08:57.542399: | emitting length of IKEv2 Nonce Payload: 36 Aug 26 13:08:57.542401: | Adding a v2N Payload Aug 26 13:08:57.542403: | ***emit IKEv2 Notify Payload: Aug 26 13:08:57.542404: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:08:57.542406: | flags: none (0x0) Aug 26 13:08:57.542407: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:08:57.542409: | SPI size: 0 (0x0) Aug 26 13:08:57.542411: | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) Aug 26 13:08:57.542413: | next payload chain: setting previous 'IKEv2 Nonce Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Aug 26 13:08:57.542415: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Aug 26 13:08:57.542417: | emitting length of IKEv2 Notify Payload: 8 Aug 26 13:08:57.542419: | NAT-Traversal support [enabled] add v2N payloads. 
Aug 26 13:08:57.542426: | natd_hash: hasher=0x55f694ed5800(20) Aug 26 13:08:57.542428: | natd_hash: icookie= 47 83 ee a4 d1 45 51 22 Aug 26 13:08:57.542430: | natd_hash: rcookie= 1e 77 e6 9f ca a9 9c 6a Aug 26 13:08:57.542431: | natd_hash: ip= c0 01 02 17 Aug 26 13:08:57.542433: | natd_hash: port=500 Aug 26 13:08:57.542435: | natd_hash: hash= fe 82 d8 81 e3 31 f3 b1 87 f0 55 58 f2 f4 af 68 Aug 26 13:08:57.542436: | natd_hash: hash= 1f 4a 2a 28 Aug 26 13:08:57.542438: | Adding a v2N Payload Aug 26 13:08:57.542439: | ***emit IKEv2 Notify Payload: Aug 26 13:08:57.542441: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:08:57.542443: | flags: none (0x0) Aug 26 13:08:57.542444: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:08:57.542446: | SPI size: 0 (0x0) Aug 26 13:08:57.542447: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Aug 26 13:08:57.542449: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Aug 26 13:08:57.542451: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Aug 26 13:08:57.542453: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Aug 26 13:08:57.542455: | Notify data fe 82 d8 81 e3 31 f3 b1 87 f0 55 58 f2 f4 af 68 Aug 26 13:08:57.542456: | Notify data 1f 4a 2a 28 Aug 26 13:08:57.542458: | emitting length of IKEv2 Notify Payload: 28 Aug 26 13:08:57.542462: | natd_hash: hasher=0x55f694ed5800(20) Aug 26 13:08:57.542464: | natd_hash: icookie= 47 83 ee a4 d1 45 51 22 Aug 26 13:08:57.542465: | natd_hash: rcookie= 1e 77 e6 9f ca a9 9c 6a Aug 26 13:08:57.542467: | natd_hash: ip= c0 01 02 2d Aug 26 13:08:57.542468: | natd_hash: port=500 Aug 26 13:08:57.542470: | natd_hash: hash= c8 07 96 12 d7 0a 6a 5f 9a b5 d1 f5 d2 3f 44 1a Aug 26 13:08:57.542471: | natd_hash: hash= fd 13 2c 7f Aug 26 13:08:57.542473: | Adding a v2N Payload Aug 26 13:08:57.542474: | ***emit IKEv2 Notify Payload: Aug 26 
13:08:57.542476: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:08:57.542477: | flags: none (0x0) Aug 26 13:08:57.542479: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:08:57.542481: | SPI size: 0 (0x0) Aug 26 13:08:57.542482: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Aug 26 13:08:57.542484: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Aug 26 13:08:57.542486: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Aug 26 13:08:57.542488: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Aug 26 13:08:57.542489: | Notify data c8 07 96 12 d7 0a 6a 5f 9a b5 d1 f5 d2 3f 44 1a Aug 26 13:08:57.542491: | Notify data fd 13 2c 7f Aug 26 13:08:57.542493: | emitting length of IKEv2 Notify Payload: 28 Aug 26 13:08:57.542494: | emitting length of ISAKMP Message: 432 Aug 26 13:08:57.542500: | [RE]START processing: state #1 connection "westnet-eastnet-ipv4-psk-ikev2" from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:08:57.542502: | #1 complete_v2_state_transition() PARENT_R0->PARENT_R1 with status STF_OK Aug 26 13:08:57.542504: | IKEv2: transition from state STATE_PARENT_R0 to state STATE_PARENT_R1 Aug 26 13:08:57.542507: | parent state #1: PARENT_R0(half-open IKE SA) => PARENT_R1(half-open IKE SA) Aug 26 13:08:57.542509: | Message ID: updating counters for #1 to 0 after switching state Aug 26 13:08:57.542512: | Message ID: recv #1 request 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1->0 wip.initiator=-1 wip.responder=0->-1 Aug 26 13:08:57.542515: | Message ID: sent #1 response 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1->0 responder.recv=0 wip.initiator=-1 wip.responder=-1 Aug 26 13:08:57.542518: "westnet-eastnet-ipv4-psk-ikev2" #1: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a 
prf=HMAC_SHA2_512 group=MODP2048} Aug 26 13:08:57.542521: | sending V2 new request packet to 192.1.2.45:500 (from 192.1.2.23:500) Aug 26 13:08:57.542525: | sending 432 bytes for STATE_PARENT_R0 through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #1) 
Aug 26 13:08:57.542595: | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted Aug 26 13:08:57.542600: | libevent_free: release ptr-libevent@0x55f6950d92f8 Aug 26 13:08:57.542604: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55f6950d6b78 Aug 26 13:08:57.542607: | event_schedule: new EVENT_SO_DISCARD-pe@0x55f6950d6b78 Aug 26 13:08:57.542610: | inserting event EVENT_SO_DISCARD, timeout in 200 seconds for #1 Aug 26 13:08:57.542613: | libevent_malloc: new ptr-libevent@0x55f6950da408 size 128 Aug 26 13:08:57.542617: | resume sending helper answer for #1 suppresed complete_v2_state_transition() Aug 26 13:08:57.542623: | #1 spent 0.412 milliseconds in resume sending helper answer Aug 26 13:08:57.542629: | stop processing: state #1 connection "westnet-eastnet-ipv4-psk-ikev2" from 192.1.2.45:500 (in resume_handler() at server.c:833) Aug 26 13:08:57.542633: | libevent_free: release ptr-libevent@0x7ff058002888 Aug 26 13:08:57.545180: | spent 0.00211 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Aug 26 13:08:57.545198: | *received 365 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500) 
Aug 26 13:08:57.545239: | start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) Aug 26 13:08:57.545242: | **parse ISAKMP Message: Aug 26 13:08:57.545244: | initiator cookie: Aug 26 13:08:57.545245: | 47 83 ee a4 d1 45 51 22 Aug 26 13:08:57.545247: | responder cookie: Aug 26 13:08:57.545248: | 1e 77 e6 9f ca a9 9c 6a Aug 26 13:08:57.545250: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Aug 26 13:08:57.545252: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:08:57.545254: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Aug 26 13:08:57.545256: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Aug 26 13:08:57.545258: | Message ID: 1 (0x1) Aug 26 13:08:57.545259: | length: 365 (0x16d) Aug 26 13:08:57.545261: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) Aug 26 13:08:57.545264: | I am the IKE SA Original Responder receiving an IKEv2 IKE_AUTH request Aug 26 
13:08:57.545266: | State DB: found IKEv2 state #1 in PARENT_R1 (find_v2_ike_sa) Aug 26 13:08:57.545270: | start processing: state #1 connection "westnet-eastnet-ipv4-psk-ikev2" from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:2016) Aug 26 13:08:57.545273: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Aug 26 13:08:57.545276: | [RE]START processing: state #1 connection "westnet-eastnet-ipv4-psk-ikev2" from 192.1.2.45:500 (in ike_process_packet() at ikev2.c:2064) Aug 26 13:08:57.545278: | #1 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001 Aug 26 13:08:57.545281: | Message ID: #1 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 Aug 26 13:08:57.545282: | unpacking clear payload Aug 26 13:08:57.545284: | Now let's proceed with payload (ISAKMP_NEXT_v2SK) Aug 26 13:08:57.545286: | ***parse IKEv2 Encryption Payload: Aug 26 13:08:57.545295: | next payload type: ISAKMP_NEXT_v2IDi (0x23) Aug 26 13:08:57.545300: | flags: none (0x0) Aug 26 13:08:57.545303: | length: 337 (0x151) Aug 26 13:08:57.545305: | processing payload: ISAKMP_NEXT_v2SK (len=333) Aug 26 13:08:57.545308: | Message ID: start-responder #1 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=-1->1 Aug 26 13:08:57.545310: | #1 in state PARENT_R1: received v2I1, sent v2R1 Aug 26 13:08:57.545312: | selected state microcode Responder: process IKE_AUTH request (no SKEYSEED) Aug 26 13:08:57.545314: | Now let's proceed with state specific processing Aug 26 13:08:57.545316: | calling processor Responder: process IKE_AUTH request (no SKEYSEED) Aug 26 13:08:57.545318: | ikev2 parent inI2outR2: calculating g^{xy} in order to decrypt I2 Aug 26 13:08:57.545321: | offloading IKEv2 SKEYSEED using prf=HMAC_SHA2_512 integ=NONE cipherkey=AES_GCM_16 Aug 26 13:08:57.545323: | adding ikev2_inI2outR2 KE work-order 2 for state #1 Aug 26 13:08:57.545325: | state #1 requesting EVENT_SO_DISCARD 
to be deleted Aug 26 13:08:57.545328: | libevent_free: release ptr-libevent@0x55f6950da408 Aug 26 13:08:57.545343: | free_event_entry: release EVENT_SO_DISCARD-pe@0x55f6950d6b78 Aug 26 13:08:57.545345: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55f6950d6b78 Aug 26 13:08:57.545348: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 Aug 26 13:08:57.545350: | libevent_malloc: new ptr-libevent@0x7ff058002888 size 128 Aug 26 13:08:57.545357: | #1 spent 0.0378 milliseconds in processing: Responder: process IKE_AUTH request (no SKEYSEED) in ikev2_process_state_packet() Aug 26 13:08:57.545375: | [RE]START processing: state #1 connection "westnet-eastnet-ipv4-psk-ikev2" from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:08:57.545378: | #1 complete_v2_state_transition() PARENT_R1->PARENT_R1 with status STF_SUSPEND Aug 26 13:08:57.545380: | suspending state #1 and saving MD Aug 26 13:08:57.545381: | #1 is busy; has a suspended MD Aug 26 13:08:57.545383: | crypto helper 2 resuming Aug 26 13:08:57.545384: | [RE]START processing: state #1 connection "westnet-eastnet-ipv4-psk-ikev2" from 192.1.2.45:500 (in log_stf_suspend() at ikev2.c:3269) Aug 26 13:08:57.545395: | crypto helper 2 starting work-order 2 for state #1 Aug 26 13:08:57.545402: | "westnet-eastnet-ipv4-psk-ikev2" #1 complete v2 state STATE_PARENT_R1 transition with STF_SUSPEND suspended from complete_v2_state_transition:3451 Aug 26 13:08:57.545406: | crypto helper 2 doing compute dh (V2) (ikev2_inI2outR2 KE); request ID 2 Aug 26 13:08:57.545412: | stop processing: state #1 connection "westnet-eastnet-ipv4-psk-ikev2" from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:2018) Aug 26 13:08:57.545421: | #1 spent 0.223 milliseconds in ikev2_process_packet() Aug 26 13:08:57.545424: | stop processing: from 192.1.2.45:500 (in process_md() at demux.c:380) Aug 26 13:08:57.545426: | processing: STOP state #0 (in process_md() at demux.c:382) Aug 26 13:08:57.545428: | 
processing: STOP connection NULL (in process_md() at demux.c:383) Aug 26 13:08:57.545431: | spent 0.234 milliseconds in comm_handle_cb() reading and processing packet Aug 26 13:08:57.545973: | calculating skeyseed using prf=sha2_512 integ=none cipherkey-size=32 salt-size=4 Aug 26 13:08:57.546253: | crypto helper 2 finished compute dh (V2) (ikev2_inI2outR2 KE); request ID 2 time elapsed 0.000847 seconds Aug 26 13:08:57.546260: | (#1) spent 0.851 milliseconds in crypto helper computing work-order 2: ikev2_inI2outR2 KE (pcr) Aug 26 13:08:57.546262: | crypto helper 2 sending results from work-order 2 for state #1 to event queue Aug 26 13:08:57.546265: | scheduling resume sending helper answer for #1 Aug 26 13:08:57.546267: | libevent_malloc: new ptr-libevent@0x7ff050000f48 size 128 Aug 26 13:08:57.546272: | crypto helper 2 waiting (nothing to do) Aug 26 13:08:57.546312: | processing resume sending helper answer for #1 Aug 26 13:08:57.546337: | start processing: state #1 connection "westnet-eastnet-ipv4-psk-ikev2" from 192.1.2.45:500 (in resume_handler() at server.c:797) Aug 26 13:08:57.546343: | crypto helper 2 replies to request ID 2 Aug 26 13:08:57.546345: | calling continuation function 0x55f694e00b50 Aug 26 13:08:57.546347: | ikev2_parent_inI2outR2_continue for #1: calculating g^{xy}, sending R2 Aug 26 13:08:57.546349: | #1 in state PARENT_R1: received v2I1, sent v2R1 Aug 26 13:08:57.546360: | #1 ikev2 ISAKMP_v2_IKE_AUTH decrypt success Aug 26 13:08:57.546362: | Now let's proceed with payload (ISAKMP_NEXT_v2IDi) Aug 26 13:08:57.546365: | **parse IKEv2 Identification - Initiator - Payload: Aug 26 13:08:57.546367: | next payload type: ISAKMP_NEXT_v2IDr (0x24) Aug 26 13:08:57.546369: | flags: none (0x0) Aug 26 13:08:57.546371: | length: 12 (0xc) Aug 26 13:08:57.546372: | ID type: ID_FQDN (0x2) Aug 26 13:08:57.546374: | processing payload: ISAKMP_NEXT_v2IDi (len=4) Aug 26 13:08:57.546376: | Now let's proceed with payload (ISAKMP_NEXT_v2IDr) Aug 26 13:08:57.546378: | 
**parse IKEv2 Identification - Responder - Payload: Aug 26 13:08:57.546379: | next payload type: ISAKMP_NEXT_v2AUTH (0x27) Aug 26 13:08:57.546396: | flags: none (0x0) Aug 26 13:08:57.546398: | length: 12 (0xc) Aug 26 13:08:57.546399: | ID type: ID_FQDN (0x2) Aug 26 13:08:57.546401: | processing payload: ISAKMP_NEXT_v2IDr (len=4) Aug 26 13:08:57.546403: | Now let's proceed with payload (ISAKMP_NEXT_v2AUTH) Aug 26 13:08:57.546404: | **parse IKEv2 Authentication Payload: Aug 26 13:08:57.546406: | next payload type: ISAKMP_NEXT_v2SA (0x21) Aug 26 13:08:57.546408: | flags: none (0x0) Aug 26 13:08:57.546409: | length: 72 (0x48) Aug 26 13:08:57.546411: | auth method: IKEv2_AUTH_SHARED (0x2) Aug 26 13:08:57.546413: | processing payload: ISAKMP_NEXT_v2AUTH (len=64) Aug 26 13:08:57.546414: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Aug 26 13:08:57.546416: | **parse IKEv2 Security Association Payload: Aug 26 13:08:57.546418: | next payload type: ISAKMP_NEXT_v2TSi (0x2c) Aug 26 13:08:57.546420: | flags: none (0x0) Aug 26 13:08:57.546421: | length: 164 (0xa4) Aug 26 13:08:57.546423: | processing payload: ISAKMP_NEXT_v2SA (len=160) Aug 26 13:08:57.546425: | Now let's proceed with payload (ISAKMP_NEXT_v2TSi) Aug 26 13:08:57.546439: | **parse IKEv2 Traffic Selector - Initiator - Payload: Aug 26 13:08:57.546441: | next payload type: ISAKMP_NEXT_v2TSr (0x2d) Aug 26 13:08:57.546443: | flags: none (0x0) Aug 26 13:08:57.546444: | length: 24 (0x18) Aug 26 13:08:57.546446: | number of TS: 1 (0x1) Aug 26 13:08:57.546447: | processing payload: ISAKMP_NEXT_v2TSi (len=16) Aug 26 13:08:57.546464: | Now let's proceed with payload (ISAKMP_NEXT_v2TSr) Aug 26 13:08:57.546466: | **parse IKEv2 Traffic Selector - Responder - Payload: Aug 26 13:08:57.546468: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:08:57.546469: | flags: none (0x0) Aug 26 13:08:57.546471: | length: 24 (0x18) Aug 26 13:08:57.546472: | number of TS: 1 (0x1) Aug 26 13:08:57.546474: | processing payload: 
ISAKMP_NEXT_v2TSr (len=16) Aug 26 13:08:57.546476: | selected state microcode Responder: process IKE_AUTH request Aug 26 13:08:57.546478: | Now let's proceed with state specific processing Aug 26 13:08:57.546479: | calling processor Responder: process IKE_AUTH request Aug 26 13:08:57.546483: "westnet-eastnet-ipv4-psk-ikev2" #1: processing decrypted IKE_AUTH request: SK{IDi,IDr,AUTH,SA,TSi,TSr} Aug 26 13:08:57.546500: | #1 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2669) Aug 26 13:08:57.546503: | received IDr payload - extracting our alleged ID Aug 26 13:08:57.546506: | refine_host_connection for IKEv2: starting with "westnet-eastnet-ipv4-psk-ikev2" Aug 26 13:08:57.546524: | match_id a=@west Aug 26 13:08:57.546525: | b=@west Aug 26 13:08:57.546527: | results matched Aug 26 13:08:57.546530: | refine_host_connection: checking "westnet-eastnet-ipv4-psk-ikev2" against "westnet-eastnet-ipv4-psk-ikev2", best=(none) with match=1(id=1(0)/ca=1(0)/reqca=1(0)) Aug 26 13:08:57.546533: | Warning: not switching back to template of current instance Aug 26 13:08:57.546535: | Peer expects us to be @east (ID_FQDN) according to its IDr payload Aug 26 13:08:57.546537: | This connection's local id is @east (ID_FQDN) Aug 26 13:08:57.546540: | refine_host_connection: checked westnet-eastnet-ipv4-psk-ikev2 against westnet-eastnet-ipv4-psk-ikev2, now for see if best Aug 26 13:08:57.546542: | started looking for secret for @east->@west of kind PKK_PSK Aug 26 13:08:57.546544: | actually looking for secret for @east->@west of kind PKK_PSK Aug 26 13:08:57.546559: | line 1: key type PKK_PSK(@east) to type PKK_PSK Aug 26 13:08:57.546562: | 1: compared key @west to @east / @west -> 004 Aug 26 13:08:57.546564: | 2: compared key @east to @east / @west -> 014 Aug 26 13:08:57.546565: | line 1: match=014 Aug 26 13:08:57.546568: | match 014 beats previous best_match 000 match=0x55f69502ec48 (line=1) Aug 26 13:08:57.546584: | 
concluding with best_match=014 best=0x55f69502ec48 (lineno=1) Aug 26 13:08:57.546586: | returning because exact peer id match Aug 26 13:08:57.546588: | offered CA: '%none' Aug 26 13:08:57.546590: "westnet-eastnet-ipv4-psk-ikev2" #1: IKEv2 mode peer ID is ID_FQDN: '@west' Aug 26 13:08:57.546604: | verifying AUTH payload Aug 26 13:08:57.546607: | ikev2_calculate_psk_sighash() called from STATE_PARENT_R1 to verify PSK with authby=secret Aug 26 13:08:57.546609: | started looking for secret for @east->@west of kind PKK_PSK Aug 26 13:08:57.546611: | actually looking for secret for @east->@west of kind PKK_PSK Aug 26 13:08:57.546613: | line 1: key type PKK_PSK(@east) to type PKK_PSK Aug 26 13:08:57.546615: | 1: compared key @west to @east / @west -> 004 Aug 26 13:08:57.546617: | 2: compared key @east to @east / @west -> 014 Aug 26 13:08:57.546618: | line 1: match=014 Aug 26 13:08:57.546620: | match 014 beats previous best_match 000 match=0x55f69502ec48 (line=1) Aug 26 13:08:57.546622: | concluding with best_match=014 best=0x55f69502ec48 (lineno=1) Aug 26 13:08:57.546662: "westnet-eastnet-ipv4-psk-ikev2" #1: Authenticated using authby=secret Aug 26 13:08:57.546666: | parent state #1: PARENT_R1(half-open IKE SA) => PARENT_R2(established IKE SA) Aug 26 13:08:57.546669: | #1 will start re-keying in 3330 seconds with margin of 270 seconds (attempting re-key) Aug 26 13:08:57.546671: | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted Aug 26 13:08:57.546674: | libevent_free: release ptr-libevent@0x7ff058002888 Aug 26 13:08:57.546676: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55f6950d6b78 Aug 26 13:08:57.546678: | event_schedule: new EVENT_SA_REKEY-pe@0x55f6950d6b78 Aug 26 13:08:57.546680: | inserting event EVENT_SA_REKEY, timeout in 3330 seconds for #1 Aug 26 13:08:57.546682: | libevent_malloc: new ptr-libevent@0x55f6950da408 size 128 Aug 26 13:08:57.547004: | pstats #1 ikev2.ike established Aug 26 13:08:57.547011: | **emit ISAKMP Message: Aug 26 
13:08:57.547013: | initiator cookie: Aug 26 13:08:57.547015: | 47 83 ee a4 d1 45 51 22 Aug 26 13:08:57.547017: | responder cookie: Aug 26 13:08:57.547018: | 1e 77 e6 9f ca a9 9c 6a Aug 26 13:08:57.547020: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 13:08:57.547022: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:08:57.547024: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Aug 26 13:08:57.547026: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Aug 26 13:08:57.547028: | Message ID: 1 (0x1) Aug 26 13:08:57.547030: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 13:08:57.547032: | IKEv2 CERT: send a certificate? Aug 26 13:08:57.547034: | IKEv2 CERT: policy does not have RSASIG or ECDSA: PSK Aug 26 13:08:57.547036: | ***emit IKEv2 Encryption Payload: Aug 26 13:08:57.547038: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:08:57.547040: | flags: none (0x0) Aug 26 13:08:57.547042: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Aug 26 13:08:57.547046: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'reply packet' Aug 26 13:08:57.547048: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Aug 26 13:08:57.547056: | Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED Aug 26 13:08:57.547070: | ****emit IKEv2 Identification - Responder - Payload: Aug 26 13:08:57.547074: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:08:57.547077: | flags: none (0x0) Aug 26 13:08:57.547080: | ID type: ID_FQDN (0x2) Aug 26 13:08:57.547084: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Identification - Responder - Payload (36:ISAKMP_NEXT_v2IDr) Aug 26 13:08:57.547087: | next payload chain: saving location 'IKEv2 Identification - Responder - Payload'.'next payload type' in 'reply packet' Aug 26 13:08:57.547091: 
| emitting 4 raw bytes of my identity into IKEv2 Identification - Responder - Payload Aug 26 13:08:57.547094: | my identity 65 61 73 74 Aug 26 13:08:57.547097: | emitting length of IKEv2 Identification - Responder - Payload: 12 Aug 26 13:08:57.547105: | assembled IDr payload Aug 26 13:08:57.547108: | CHILD SA proposals received Aug 26 13:08:57.547111: | going to assemble AUTH payload Aug 26 13:08:57.547114: | ****emit IKEv2 Authentication Payload: Aug 26 13:08:57.547117: | next payload type: ISAKMP_NEXT_v2SA (0x21) Aug 26 13:08:57.547119: | flags: none (0x0) Aug 26 13:08:57.547121: | auth method: IKEv2_AUTH_SHARED (0x2) Aug 26 13:08:57.547123: | next payload chain: ignoring supplied 'IKEv2 Authentication Payload'.'next payload type' value 33:ISAKMP_NEXT_v2SA Aug 26 13:08:57.547126: | next payload chain: setting previous 'IKEv2 Identification - Responder - Payload'.'next payload type' to current IKEv2 Authentication Payload (39:ISAKMP_NEXT_v2AUTH) Aug 26 13:08:57.547128: | next payload chain: saving location 'IKEv2 Authentication Payload'.'next payload type' in 'reply packet' Aug 26 13:08:57.547130: | ikev2_calculate_psk_sighash() called from STATE_PARENT_R2 to create PSK with authby=secret Aug 26 13:08:57.547132: | started looking for secret for @east->@west of kind PKK_PSK Aug 26 13:08:57.547134: | actually looking for secret for @east->@west of kind PKK_PSK Aug 26 13:08:57.547136: | line 1: key type PKK_PSK(@east) to type PKK_PSK Aug 26 13:08:57.547138: | 1: compared key @west to @east / @west -> 004 Aug 26 13:08:57.547140: | 2: compared key @east to @east / @west -> 014 Aug 26 13:08:57.547142: | line 1: match=014 Aug 26 13:08:57.547144: | match 014 beats previous best_match 000 match=0x55f69502ec48 (line=1) Aug 26 13:08:57.547146: | concluding with best_match=014 best=0x55f69502ec48 (lineno=1) Aug 26 13:08:57.547182: | emitting 64 raw bytes of PSK auth into IKEv2 Authentication Payload Aug 26 13:08:57.547185: | PSK auth fe eb 5f 2d 93 a6 d3 c7 66 37 81 98 cd 94 
a5 f4 Aug 26 13:08:57.547187: | PSK auth df 13 da 27 1c fc e4 bd 68 64 84 ef bb a2 e3 83 Aug 26 13:08:57.547188: | PSK auth 0a ca ac cb 64 22 41 ab b9 c2 db d2 48 08 3b 44 Aug 26 13:08:57.547190: | PSK auth db 20 fb fb e5 4f 3a a3 58 a0 cf c4 f4 a0 ce 8d Aug 26 13:08:57.547192: | emitting length of IKEv2 Authentication Payload: 72 Aug 26 13:08:57.547195: | creating state object #2 at 0x55f6950daf68 Aug 26 13:08:57.547197: | State DB: adding IKEv2 state #2 in UNDEFINED Aug 26 13:08:57.547200: | pstats #2 ikev2.child started Aug 26 13:08:57.547202: | duplicating state object #1 "westnet-eastnet-ipv4-psk-ikev2" as #2 for IPSEC SA Aug 26 13:08:57.547205: | #2 setting local endpoint to 192.1.2.23:500 from #1.st_localport (in duplicate_state() at state.c:1484) Aug 26 13:08:57.547210: | Message ID: init_child #1.#2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0; child: wip.initiator=0->-1 wip.responder=0->-1 Aug 26 13:08:57.547213: | Message ID: switch-from #1 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=1->-1 Aug 26 13:08:57.547217: | Message ID: switch-to #1.#2 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0; child: wip.initiator=-1 wip.responder=-1->1 Aug 26 13:08:57.547221: | Child SA TS Request has ike->sa == md->st; so using parent connection Aug 26 13:08:57.547224: | TSi: parsing 1 traffic selectors Aug 26 13:08:57.547226: | ***parse IKEv2 Traffic Selector: Aug 26 13:08:57.547229: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 13:08:57.547231: | IP Protocol ID: 0 (0x0) Aug 26 13:08:57.547234: | length: 16 (0x10) Aug 26 13:08:57.547236: | start port: 0 (0x0) Aug 26 13:08:57.547239: | end port: 65535 (0xffff) Aug 26 13:08:57.547242: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Aug 26 13:08:57.547245: | TS low c0 00 01 00 Aug 26 13:08:57.547247: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Aug 26 
13:08:57.547249: | TS high c0 00 01 ff Aug 26 13:08:57.547252: | TSi: parsed 1 traffic selectors Aug 26 13:08:57.547254: | TSr: parsing 1 traffic selectors Aug 26 13:08:57.547256: | ***parse IKEv2 Traffic Selector: Aug 26 13:08:57.547259: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 13:08:57.547262: | IP Protocol ID: 0 (0x0) Aug 26 13:08:57.547264: | length: 16 (0x10) Aug 26 13:08:57.547266: | start port: 0 (0x0) Aug 26 13:08:57.547269: | end port: 65535 (0xffff) Aug 26 13:08:57.547272: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Aug 26 13:08:57.547274: | TS low c0 00 02 00 Aug 26 13:08:57.547277: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Aug 26 13:08:57.547280: | TS high c0 00 02 ff Aug 26 13:08:57.547282: | TSr: parsed 1 traffic selectors Aug 26 13:08:57.547284: | looking for best SPD in current connection Aug 26 13:08:57.547306: | evaluating our conn="westnet-eastnet-ipv4-psk-ikev2" I=192.0.1.0/24:0/0 R=192.0.2.0/24:0/0 to their: Aug 26 13:08:57.547315: | TSi[0] .net=192.0.1.0-192.0.1.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 13:08:57.547322: | match address end->client=192.0.1.0/24 == TSi[0]net=192.0.1.0-192.0.1.255: YES fitness 32 Aug 26 13:08:57.547325: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Aug 26 13:08:57.547328: | TSi[0] port match: YES fitness 65536 Aug 26 13:08:57.547332: | narrow protocol end=*0 == TSi[0]=*0: 0 Aug 26 13:08:57.547335: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Aug 26 13:08:57.547339: | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 13:08:57.547345: | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 Aug 26 13:08:57.547348: | narrow port end=0..65535 == TSr[0]=0..65535: 0 Aug 26 13:08:57.547363: | TSr[0] port match: YES fitness 65536 Aug 26 13:08:57.547366: | narrow protocol end=*0 == TSr[0]=*0: 0 Aug 26 13:08:57.547369: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Aug 
26 13:08:57.547371: | best fit so far: TSi[0] TSr[0] Aug 26 13:08:57.547374: | found better spd route for TSi[0],TSr[0] Aug 26 13:08:57.547377: | looking for better host pair Aug 26 13:08:57.547382: | find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500 but ignoring ports Aug 26 13:08:57.547386: | checking hostpair 192.0.2.0/24 -> 192.0.1.0/24 is found Aug 26 13:08:57.547388: | investigating connection "westnet-eastnet-ipv4-psk-ikev2" as a better match Aug 26 13:08:57.547391: | match_id a=@west Aug 26 13:08:57.547393: | b=@west Aug 26 13:08:57.547395: | results matched Aug 26 13:08:57.547401: | evaluating our conn="westnet-eastnet-ipv4-psk-ikev2" I=192.0.1.0/24:0/0 R=192.0.2.0/24:0/0 to their: Aug 26 13:08:57.547406: | TSi[0] .net=192.0.1.0-192.0.1.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 13:08:57.547413: | match address end->client=192.0.1.0/24 == TSi[0]net=192.0.1.0-192.0.1.255: YES fitness 32 Aug 26 13:08:57.547416: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Aug 26 13:08:57.547419: | TSi[0] port match: YES fitness 65536 Aug 26 13:08:57.547424: | narrow protocol end=*0 == TSi[0]=*0: 0 Aug 26 13:08:57.547428: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Aug 26 13:08:57.547432: | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 13:08:57.547439: | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 Aug 26 13:08:57.547456: | narrow port end=0..65535 == TSr[0]=0..65535: 0 Aug 26 13:08:57.547459: | TSr[0] port match: YES fitness 65536 Aug 26 13:08:57.547462: | narrow protocol end=*0 == TSr[0]=*0: 0 Aug 26 13:08:57.547465: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Aug 26 13:08:57.547468: | best fit so far: TSi[0] TSr[0] Aug 26 13:08:57.547471: | did not find a better connection using host pair Aug 26 13:08:57.547474: | printing contents struct traffic_selector Aug 26 13:08:57.547476: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Aug 26 
13:08:57.547479: | ipprotoid: 0 Aug 26 13:08:57.547481: | port range: 0-65535 Aug 26 13:08:57.547486: | ip range: 192.0.2.0-192.0.2.255 Aug 26 13:08:57.547488: | printing contents struct traffic_selector Aug 26 13:08:57.547491: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Aug 26 13:08:57.547493: | ipprotoid: 0 Aug 26 13:08:57.547496: | port range: 0-65535 Aug 26 13:08:57.547501: | ip range: 192.0.1.0-192.0.1.255 Aug 26 13:08:57.547506: | constructing ESP/AH proposals with all DH removed for westnet-eastnet-ipv4-psk-ikev2 (IKE_AUTH responder matching remote ESP/AH proposals) Aug 26 13:08:57.547515: | converting proposal AES_GCM_16_256-NONE to ikev2 ... Aug 26 13:08:57.547523: | ... ikev2_proposal: 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;DH=NONE;ESN=DISABLED Aug 26 13:08:57.547527: | converting proposal AES_GCM_16_128-NONE to ikev2 ... Aug 26 13:08:57.547532: | ... ikev2_proposal: 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;DH=NONE;ESN=DISABLED Aug 26 13:08:57.547536: | converting proposal AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128 to ikev2 ... Aug 26 13:08:57.547541: | ... ikev2_proposal: 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED Aug 26 13:08:57.547544: | converting proposal AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128 to ikev2 ... Aug 26 13:08:57.547549: | ... 
ikev2_proposal: 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED Aug 26 13:08:57.547558: "westnet-eastnet-ipv4-psk-ikev2": constructed local ESP/AH proposals for westnet-eastnet-ipv4-psk-ikev2 (IKE_AUTH responder matching remote ESP/AH proposals): 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;DH=NONE;ESN=DISABLED 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;DH=NONE;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED Aug 26 13:08:57.547561: | Comparing remote proposals against IKE_AUTH responder matching remote ESP/AH proposals 4 local proposals Aug 26 13:08:57.547565: | local proposal 1 type ENCR has 1 transforms Aug 26 13:08:57.547568: | local proposal 1 type PRF has 0 transforms Aug 26 13:08:57.547572: | local proposal 1 type INTEG has 1 transforms Aug 26 13:08:57.547575: | local proposal 1 type DH has 1 transforms Aug 26 13:08:57.547578: | local proposal 1 type ESN has 1 transforms Aug 26 13:08:57.547583: | local proposal 1 transforms: required: ENCR+ESN; optional: INTEG+DH Aug 26 13:08:57.547586: | local proposal 2 type ENCR has 1 transforms Aug 26 13:08:57.547589: | local proposal 2 type PRF has 0 transforms Aug 26 13:08:57.547605: | local proposal 2 type INTEG has 1 transforms Aug 26 13:08:57.547608: | local proposal 2 type DH has 1 transforms Aug 26 13:08:57.547611: | local proposal 2 type ESN has 1 transforms Aug 26 13:08:57.547615: | local proposal 2 transforms: required: ENCR+ESN; optional: INTEG+DH Aug 26 13:08:57.547618: | local proposal 3 type ENCR has 1 transforms Aug 26 13:08:57.547621: | local proposal 3 type PRF has 0 transforms Aug 26 13:08:57.547624: | local proposal 3 type INTEG has 2 transforms Aug 26 13:08:57.547628: | local proposal 3 type DH has 1 transforms Aug 26 13:08:57.547631: | local proposal 3 type ESN has 1 transforms Aug 26 13:08:57.547634: | local proposal 3 transforms: required: 
ENCR+INTEG+ESN; optional: DH Aug 26 13:08:57.547637: | local proposal 4 type ENCR has 1 transforms Aug 26 13:08:57.547640: | local proposal 4 type PRF has 0 transforms Aug 26 13:08:57.547642: | local proposal 4 type INTEG has 2 transforms Aug 26 13:08:57.547645: | local proposal 4 type DH has 1 transforms Aug 26 13:08:57.547647: | local proposal 4 type ESN has 1 transforms Aug 26 13:08:57.547651: | local proposal 4 transforms: required: ENCR+INTEG+ESN; optional: DH Aug 26 13:08:57.547668: | ***parse IKEv2 Proposal Substructure Payload: Aug 26 13:08:57.547671: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 13:08:57.547674: | length: 32 (0x20) Aug 26 13:08:57.547676: | prop #: 1 (0x1) Aug 26 13:08:57.547679: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 13:08:57.547681: | spi size: 4 (0x4) Aug 26 13:08:57.547683: | # transforms: 2 (0x2) Aug 26 13:08:57.547686: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Aug 26 13:08:57.547689: | remote SPI 30 f1 bd 82 Aug 26 13:08:57.547692: | Comparing remote proposal 1 containing 2 transforms against local proposal [1..4] of 4 local proposals Aug 26 13:08:57.547695: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:08:57.547697: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:08:57.547699: | length: 12 (0xc) Aug 26 13:08:57.547702: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:08:57.547704: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 13:08:57.547707: | *****parse IKEv2 Attribute Substructure Payload: Aug 26 13:08:57.547710: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:08:57.547712: | length/value: 256 (0x100) Aug 26 13:08:57.547716: | remote proposal 1 transform 0 (ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) transform 0 Aug 26 13:08:57.547720: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:08:57.547722: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:08:57.547725: | length: 8 (0x8) Aug 26 13:08:57.547727: | IKEv2 transform type: 
TRANS_TYPE_ESN (0x5) Aug 26 13:08:57.547730: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 13:08:57.547734: | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 1 type 5 (ESN) transform 0 Aug 26 13:08:57.547737: | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 2 type 5 (ESN) transform 0 Aug 26 13:08:57.547740: | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 3 type 5 (ESN) transform 0 Aug 26 13:08:57.547743: | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 4 type 5 (ESN) transform 0 Aug 26 13:08:57.547747: | remote proposal 1 proposed transforms: ENCR+ESN; matched: ENCR+ESN; unmatched: none Aug 26 13:08:57.547751: | comparing remote proposal 1 containing ENCR+ESN transforms to local proposal 1; required: ENCR+ESN; optional: INTEG+DH; matched: ENCR+ESN Aug 26 13:08:57.547754: | remote proposal 1 matches local proposal 1 Aug 26 13:08:57.547769: | ***parse IKEv2 Proposal Substructure Payload: Aug 26 13:08:57.547772: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 13:08:57.547774: | length: 32 (0x20) Aug 26 13:08:57.547777: | prop #: 2 (0x2) Aug 26 13:08:57.547779: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 13:08:57.547782: | spi size: 4 (0x4) Aug 26 13:08:57.547785: | # transforms: 2 (0x2) Aug 26 13:08:57.547789: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Aug 26 13:08:57.547792: | remote SPI 30 f1 bd 82 Aug 26 13:08:57.547796: | Comparing remote proposal 2 containing 2 transforms against local proposal [1..0] of 4 local proposals Aug 26 13:08:57.547799: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:08:57.547802: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:08:57.547805: | length: 12 (0xc) Aug 26 13:08:57.547809: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:08:57.547815: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 13:08:57.547818: | *****parse IKEv2 Attribute Substructure Payload: Aug 26 13:08:57.547821: | 
af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:08:57.547824: | length/value: 128 (0x80) Aug 26 13:08:57.547828: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:08:57.547830: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:08:57.547833: | length: 8 (0x8) Aug 26 13:08:57.547850: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 13:08:57.547852: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 13:08:57.547856: | remote proposal 2 proposed transforms: ENCR+ESN; matched: none; unmatched: ENCR+ESN Aug 26 13:08:57.547859: | remote proposal 2 does not match; unmatched remote transforms: ENCR+ESN Aug 26 13:08:57.547862: | ***parse IKEv2 Proposal Substructure Payload: Aug 26 13:08:57.547865: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 13:08:57.547867: | length: 48 (0x30) Aug 26 13:08:57.547870: | prop #: 3 (0x3) Aug 26 13:08:57.547872: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 13:08:57.547875: | spi size: 4 (0x4) Aug 26 13:08:57.547891: | # transforms: 4 (0x4) Aug 26 13:08:57.547895: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Aug 26 13:08:57.547898: | remote SPI 30 f1 bd 82 Aug 26 13:08:57.547914: | Comparing remote proposal 3 containing 4 transforms against local proposal [1..0] of 4 local proposals Aug 26 13:08:57.547918: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:08:57.547921: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:08:57.547924: | length: 12 (0xc) Aug 26 13:08:57.547927: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:08:57.547930: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 13:08:57.547934: | *****parse IKEv2 Attribute Substructure Payload: Aug 26 13:08:57.547937: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:08:57.547940: | length/value: 256 (0x100) Aug 26 13:08:57.547944: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:08:57.547947: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:08:57.547949: | length: 8 (0x8) Aug 26 13:08:57.547952: | IKEv2 
transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:08:57.547968: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Aug 26 13:08:57.547971: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:08:57.547973: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:08:57.547976: | length: 8 (0x8) Aug 26 13:08:57.547978: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:08:57.547981: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Aug 26 13:08:57.547984: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:08:57.547986: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:08:57.547989: | length: 8 (0x8) Aug 26 13:08:57.547992: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 13:08:57.547995: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 13:08:57.548000: | remote proposal 3 proposed transforms: ENCR+INTEG+ESN; matched: none; unmatched: ENCR+INTEG+ESN Aug 26 13:08:57.548004: | remote proposal 3 does not match; unmatched remote transforms: ENCR+INTEG+ESN Aug 26 13:08:57.548007: | ***parse IKEv2 Proposal Substructure Payload: Aug 26 13:08:57.548023: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 13:08:57.548026: | length: 48 (0x30) Aug 26 13:08:57.548029: | prop #: 4 (0x4) Aug 26 13:08:57.548032: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 13:08:57.548035: | spi size: 4 (0x4) Aug 26 13:08:57.548038: | # transforms: 4 (0x4) Aug 26 13:08:57.548042: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Aug 26 13:08:57.548045: | remote SPI 30 f1 bd 82 Aug 26 13:08:57.548048: | Comparing remote proposal 4 containing 4 transforms against local proposal [1..0] of 4 local proposals Aug 26 13:08:57.548051: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:08:57.548054: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:08:57.548058: | length: 12 (0xc) Aug 26 13:08:57.548061: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:08:57.548064: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 13:08:57.548067: | *****parse 
IKEv2 Attribute Substructure Payload: Aug 26 13:08:57.548070: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:08:57.548072: | length/value: 128 (0x80) Aug 26 13:08:57.548075: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:08:57.548079: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:08:57.548082: | length: 8 (0x8) Aug 26 13:08:57.548085: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:08:57.548088: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Aug 26 13:08:57.548092: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:08:57.548095: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:08:57.548098: | length: 8 (0x8) Aug 26 13:08:57.548101: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:08:57.548104: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Aug 26 13:08:57.548108: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:08:57.548111: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:08:57.548114: | length: 8 (0x8) Aug 26 13:08:57.548117: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 13:08:57.548120: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 13:08:57.548124: | remote proposal 4 proposed transforms: ENCR+INTEG+ESN; matched: none; unmatched: ENCR+INTEG+ESN Aug 26 13:08:57.548127: | remote proposal 4 does not match; unmatched remote transforms: ENCR+INTEG+ESN Aug 26 13:08:57.548132: "westnet-eastnet-ipv4-psk-ikev2" #1: proposal 1:ESP:SPI=30f1bd82;ENCR=AES_GCM_C_256;ESN=DISABLED chosen from remote proposals 1:ESP:ENCR=AES_GCM_C_256;ESN=DISABLED[first-match] 2:ESP:ENCR=AES_GCM_C_128;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED Aug 26 13:08:57.548139: | IKE_AUTH responder matching remote ESP/AH proposals ikev2_proposal: 1:ESP:SPI=30f1bd82;ENCR=AES_GCM_C_256;ESN=DISABLED Aug 26 13:08:57.548142: | converting proposal to internal trans attrs Aug 26 
13:08:57.548165: | netlink_get_spi: allocated 0xefc8c273 for esp.0@192.1.2.23 Aug 26 13:08:57.548169: | Emitting ikev2_proposal ... Aug 26 13:08:57.548173: | ****emit IKEv2 Security Association Payload: Aug 26 13:08:57.548176: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:08:57.548179: | flags: none (0x0) Aug 26 13:08:57.548183: | next payload chain: setting previous 'IKEv2 Authentication Payload'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Aug 26 13:08:57.548186: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Aug 26 13:08:57.548189: | *****emit IKEv2 Proposal Substructure Payload: Aug 26 13:08:57.548192: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 13:08:57.548195: | prop #: 1 (0x1) Aug 26 13:08:57.548198: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 13:08:57.548200: | spi size: 4 (0x4) Aug 26 13:08:57.548203: | # transforms: 2 (0x2) Aug 26 13:08:57.548206: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Aug 26 13:08:57.548211: | emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload Aug 26 13:08:57.548214: | our spi ef c8 c2 73 Aug 26 13:08:57.548218: | ******emit IKEv2 Transform Substructure Payload: Aug 26 13:08:57.548221: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:08:57.548224: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:08:57.548227: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 13:08:57.548231: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:08:57.548235: | *******emit IKEv2 Attribute Substructure Payload: Aug 26 13:08:57.548238: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:08:57.548244: | length/value: 256 (0x100) Aug 26 13:08:57.548247: | emitting length of IKEv2 Transform Substructure Payload: 12 Aug 26 
13:08:57.548250: | ******emit IKEv2 Transform Substructure Payload: Aug 26 13:08:57.548253: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:08:57.548256: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 13:08:57.548258: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 13:08:57.548262: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:08:57.548265: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:08:57.548269: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:08:57.548273: | emitting length of IKEv2 Proposal Substructure Payload: 32 Aug 26 13:08:57.548276: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Aug 26 13:08:57.548280: | emitting length of IKEv2 Security Association Payload: 36 Aug 26 13:08:57.548283: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Aug 26 13:08:57.548287: | ****emit IKEv2 Traffic Selector - Initiator - Payload: Aug 26 13:08:57.548322: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:08:57.548326: | flags: none (0x0) Aug 26 13:08:57.548328: | number of TS: 1 (0x1) Aug 26 13:08:57.548333: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Traffic Selector - Initiator - Payload (44:ISAKMP_NEXT_v2TSi) Aug 26 13:08:57.548337: | next payload chain: saving location 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' in 'reply packet' Aug 26 13:08:57.548340: | *****emit IKEv2 Traffic Selector: Aug 26 13:08:57.548344: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 13:08:57.548347: | IP Protocol ID: 0 (0x0) Aug 26 13:08:57.548350: | start port: 0 (0x0) Aug 26 13:08:57.548353: | end 
port: 65535 (0xffff) Aug 26 13:08:57.548370: | emitting 4 raw bytes of ipv4 start into IKEv2 Traffic Selector Aug 26 13:08:57.548373: | ipv4 start c0 00 01 00 Aug 26 13:08:57.548377: | emitting 4 raw bytes of ipv4 end into IKEv2 Traffic Selector Aug 26 13:08:57.548380: | ipv4 end c0 00 01 ff Aug 26 13:08:57.548383: | emitting length of IKEv2 Traffic Selector: 16 Aug 26 13:08:57.548386: | emitting length of IKEv2 Traffic Selector - Initiator - Payload: 24 Aug 26 13:08:57.548388: | ****emit IKEv2 Traffic Selector - Responder - Payload: Aug 26 13:08:57.548391: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:08:57.548394: | flags: none (0x0) Aug 26 13:08:57.548396: | number of TS: 1 (0x1) Aug 26 13:08:57.548416: | next payload chain: setting previous 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' to current IKEv2 Traffic Selector - Responder - Payload (45:ISAKMP_NEXT_v2TSr) Aug 26 13:08:57.548420: | next payload chain: saving location 'IKEv2 Traffic Selector - Responder - Payload'.'next payload type' in 'reply packet' Aug 26 13:08:57.548423: | *****emit IKEv2 Traffic Selector: Aug 26 13:08:57.548427: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 13:08:57.548430: | IP Protocol ID: 0 (0x0) Aug 26 13:08:57.548433: | start port: 0 (0x0) Aug 26 13:08:57.548436: | end port: 65535 (0xffff) Aug 26 13:08:57.548440: | emitting 4 raw bytes of ipv4 start into IKEv2 Traffic Selector Aug 26 13:08:57.548443: | ipv4 start c0 00 02 00 Aug 26 13:08:57.548446: | emitting 4 raw bytes of ipv4 end into IKEv2 Traffic Selector Aug 26 13:08:57.548449: | ipv4 end c0 00 02 ff Aug 26 13:08:57.548452: | emitting length of IKEv2 Traffic Selector: 16 Aug 26 13:08:57.548456: | emitting length of IKEv2 Traffic Selector - Responder - Payload: 24 Aug 26 13:08:57.548459: | Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED Aug 26 13:08:57.548464: | integ=none: .key_size=0 encrypt=aes_gcm_16: .key_size=32 .salt_size=4 keymat_len=36 Aug 26 
13:08:57.548672: | FOR_EACH_CONNECTION_... in ISAKMP_SA_established Aug 26 13:08:57.548685: | #1 spent 2.15 milliseconds Aug 26 13:08:57.548689: | install_ipsec_sa() for #2: inbound and outbound Aug 26 13:08:57.548705: | could_route called for westnet-eastnet-ipv4-psk-ikev2 (kind=CK_PERMANENT) Aug 26 13:08:57.548708: | FOR_EACH_CONNECTION_... in route_owner Aug 26 13:08:57.548711: | conn westnet-eastnet-ipv4-psk-ikev2 mark 0/00000000, 0/00000000 vs Aug 26 13:08:57.548727: | conn westnet-eastnet-ipv4-psk-ikev2 mark 0/00000000, 0/00000000 Aug 26 13:08:57.548731: | route owner of "westnet-eastnet-ipv4-psk-ikev2" unrouted: NULL; eroute owner: NULL Aug 26 13:08:57.548735: | looking for alg with encrypt: AES_GCM_16 keylen: 256 integ: NONE Aug 26 13:08:57.548738: | encrypt AES_GCM_16 keylen=256 transid=20, key_size=32, encryptalg=20 Aug 26 13:08:57.548741: | AES_GCM_16 requires 4 salt bytes Aug 26 13:08:57.548744: | st->st_esp.keymat_len=36 is encrypt_keymat_size=36 + integ_keymat_size=0 Aug 26 13:08:57.548749: | setting IPsec SA replay-window to 32 Aug 26 13:08:57.548765: | NIC esp-hw-offload not for connection 'westnet-eastnet-ipv4-psk-ikev2' not available on interface eth1 Aug 26 13:08:57.548769: | netlink: enabling tunnel mode Aug 26 13:08:57.548773: | netlink: setting IPsec SA replay-window to 32 using old-style req Aug 26 13:08:57.548789: | netlink: esp-hw-offload not set for IPsec SA Aug 26 13:08:57.548870: | netlink response for Add SA esp.30f1bd82@192.1.2.45 included non-error error Aug 26 13:08:57.548877: | set up outgoing SA, ref=0/0 Aug 26 13:08:57.548882: | looking for alg with encrypt: AES_GCM_16 keylen: 256 integ: NONE Aug 26 13:08:57.548886: | encrypt AES_GCM_16 keylen=256 transid=20, key_size=32, encryptalg=20 Aug 26 13:08:57.548889: | AES_GCM_16 requires 4 salt bytes Aug 26 13:08:57.548893: | st->st_esp.keymat_len=36 is encrypt_keymat_size=36 + integ_keymat_size=0 Aug 26 13:08:57.548897: | setting IPsec SA replay-window to 32 Aug 26 13:08:57.548901: | 
NIC esp-hw-offload not for connection 'westnet-eastnet-ipv4-psk-ikev2' not available on interface eth1 Aug 26 13:08:57.548903: | netlink: enabling tunnel mode Aug 26 13:08:57.548907: | netlink: setting IPsec SA replay-window to 32 using old-style req Aug 26 13:08:57.548909: | netlink: esp-hw-offload not set for IPsec SA Aug 26 13:08:57.548948: | netlink response for Add SA esp.efc8c273@192.1.2.23 included non-error error Aug 26 13:08:57.548955: | priority calculation of connection "westnet-eastnet-ipv4-psk-ikev2" is 0xfe7e7 Aug 26 13:08:57.548964: | add inbound eroute 192.0.1.0/24:0 --0-> 192.0.2.0/24:0 => tun.10000@192.1.2.23 (raw_eroute) Aug 26 13:08:57.548968: | IPsec Sa SPD priority set to 1042407 Aug 26 13:08:57.548993: | raw_eroute result=success Aug 26 13:08:57.548997: | set up incoming SA, ref=0/0 Aug 26 13:08:57.549000: | sr for #2: unrouted Aug 26 13:08:57.549003: | route_and_eroute() for proto 0, and source port 0 dest port 0 Aug 26 13:08:57.549007: | FOR_EACH_CONNECTION_... in route_owner Aug 26 13:08:57.549011: | conn westnet-eastnet-ipv4-psk-ikev2 mark 0/00000000, 0/00000000 vs Aug 26 13:08:57.549015: | conn westnet-eastnet-ipv4-psk-ikev2 mark 0/00000000, 0/00000000 Aug 26 13:08:57.549020: | route owner of "westnet-eastnet-ipv4-psk-ikev2" unrouted: NULL; eroute owner: NULL Aug 26 13:08:57.549024: | route_and_eroute with c: westnet-eastnet-ipv4-psk-ikev2 (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: #2 Aug 26 13:08:57.549028: | priority calculation of connection "westnet-eastnet-ipv4-psk-ikev2" is 0xfe7e7 Aug 26 13:08:57.549038: | eroute_connection add eroute 192.0.2.0/24:0 --0-> 192.0.1.0/24:0 => tun.0@192.1.2.45 (raw_eroute) Aug 26 13:08:57.549042: | IPsec Sa SPD priority set to 1042407 Aug 26 13:08:57.549057: | raw_eroute result=success Aug 26 13:08:57.549061: | running updown command "ipsec _updown" for verb up Aug 26 13:08:57.549064: | command executing up-client Aug 26 13:08:57.549094: | executing up-client: 
PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='westnet-eastnet-ipv4-psk-ikev2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='@west' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_I Aug 26 13:08:57.549103: | popen cmd is 1046 chars long Aug 26 13:08:57.549107: | cmd( 0):PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='westnet-eastnet-ipv: Aug 26 13:08:57.549110: | cmd( 80):4-psk-ikev2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.: Aug 26 13:08:57.549114: | cmd( 160):2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='19: Aug 26 13:08:57.549117: | cmd( 240):2.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCO: Aug 26 13:08:57.549120: | cmd( 320):L='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_P: Aug 26 13:08:57.549123: | cmd( 400):EER_ID='@west' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0: Aug 26 13:08:57.549126: | cmd( 480):' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL: Aug 26 13:08:57.549129: | cmd( 560):='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY=': Aug 26 
13:08:57.549132: | cmd( 640):PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN: Aug 26 13:08:57.549135: | cmd( 720):_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_C: Aug 26 13:08:57.549138: | cmd( 800):ISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' P: Aug 26 13:08:57.549141: | cmd( 880):LUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VT: Aug 26 13:08:57.549144: | cmd( 960):I_ROUTING='no' VTI_SHARED='no' SPI_IN=0x30f1bd82 SPI_OUT=0xefc8c273 ipsec _updow: Aug 26 13:08:57.549146: | cmd(1040):n 2>&1: Aug 26 13:08:57.557452: | route_and_eroute: firewall_notified: true Aug 26 13:08:57.557483: | running updown command "ipsec _updown" for verb prepare Aug 26 13:08:57.557486: | command executing prepare-client Aug 26 13:08:57.557509: | executing prepare-client: PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='westnet-eastnet-ipv4-psk-ikev2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='@west' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED= Aug 26 13:08:57.557513: | popen cmd is 1051 chars long Aug 26 13:08:57.557515: | cmd( 0):PLUTO_VERB='prepare-client' 
PLUTO_VERSION='2.0' PLUTO_CONNECTION='westnet-eastne: Aug 26 13:08:57.557517: | cmd( 80):t-ipv4-psk-ikev2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='1: Aug 26 13:08:57.557521: | cmd( 160):92.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NE: Aug 26 13:08:57.557523: | cmd( 240):T='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PR: Aug 26 13:08:57.557525: | cmd( 320):OTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PL: Aug 26 13:08:57.557526: | cmd( 400):UTO_PEER_ID='@west' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.: Aug 26 13:08:57.557528: | cmd( 480):0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PRO: Aug 26 13:08:57.557530: | cmd( 560):TOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POL: Aug 26 13:08:57.557532: | cmd( 640):ICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO: Aug 26 13:08:57.557533: | cmd( 720):_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_P: Aug 26 13:08:57.557535: | cmd( 800):EER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER: Aug 26 13:08:57.557537: | cmd( 880):='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE=: Aug 26 13:08:57.557539: | cmd( 960):'' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x30f1bd82 SPI_OUT=0xefc8c273 ipsec _: Aug 26 13:08:57.557540: | cmd(1040):updown 2>&1: Aug 26 13:08:57.565522: | running updown command "ipsec _updown" for verb route Aug 26 13:08:57.565540: | command executing route-client Aug 26 13:08:57.565565: | executing route-client: PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='westnet-eastnet-ipv4-psk-ikev2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' 
PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='@west' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' Aug 26 13:08:57.565568: | popen cmd is 1049 chars long Aug 26 13:08:57.565571: | cmd( 0):PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='westnet-eastnet-: Aug 26 13:08:57.565573: | cmd( 80):ipv4-psk-ikev2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192: Aug 26 13:08:57.565574: | cmd( 160):.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET=: Aug 26 13:08:57.565576: | cmd( 240):'192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROT: Aug 26 13:08:57.565578: | cmd( 320):OCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUT: Aug 26 13:08:57.565580: | cmd( 400):O_PEER_ID='@west' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.: Aug 26 13:08:57.565581: | cmd( 480):1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTO: Aug 26 13:08:57.565583: | cmd( 560):COL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLIC: Aug 26 13:08:57.565585: | cmd( 640):Y='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_C: Aug 26 13:08:57.565587: | cmd( 720):ONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEE: Aug 26 13:08:57.565588: | cmd( 800):R_CISCO='0' 
PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER=': Aug 26 13:08:57.565590: | cmd( 880):' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='': Aug 26 13:08:57.565595: | cmd( 960): VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x30f1bd82 SPI_OUT=0xefc8c273 ipsec _up: Aug 26 13:08:57.565596: | cmd(1040):down 2>&1: Aug 26 13:08:57.576657: | route_and_eroute: instance "westnet-eastnet-ipv4-psk-ikev2", setting eroute_owner {spd=0x55f6950d3628,sr=0x55f6950d3628} to #2 (was #0) (newest_ipsec_sa=#0) Aug 26 13:08:57.576731: | #1 spent 2.9 milliseconds in install_ipsec_sa() Aug 26 13:08:57.576737: | ISAKMP_v2_IKE_AUTH: instance westnet-eastnet-ipv4-psk-ikev2[0], setting IKEv2 newest_ipsec_sa to #2 (was #0) (spd.eroute=#2) cloned from #1 Aug 26 13:08:57.576739: | adding 1 bytes of padding (including 1 byte padding-length) Aug 26 13:08:57.576742: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:08:57.576746: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Aug 26 13:08:57.576747: | emitting length of IKEv2 Encryption Payload: 197 Aug 26 13:08:57.576749: | emitting length of ISAKMP Message: 225 Aug 26 13:08:57.576777: | ikev2_parent_inI2outR2_continue_tail returned STF_OK Aug 26 13:08:57.576781: | #1 spent 5.1 milliseconds in processing: Responder: process IKE_AUTH request in ikev2_process_state_packet() Aug 26 13:08:57.576787: | suspend processing: state #1 connection "westnet-eastnet-ipv4-psk-ikev2" from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:08:57.576791: | start processing: state #2 connection "westnet-eastnet-ipv4-psk-ikev2" from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:08:57.576794: | #2 complete_v2_state_transition() md.from_state=PARENT_R1 md.svm.state[from]=PARENT_R1 UNDEFINED->V2_IPSEC_R with status STF_OK Aug 26 13:08:57.576797: | IKEv2: transition from state 
STATE_PARENT_R1 to state STATE_V2_IPSEC_R Aug 26 13:08:57.576799: | child state #2: UNDEFINED(ignore) => V2_IPSEC_R(established CHILD SA) Aug 26 13:08:57.576802: | Message ID: updating counters for #2 to 1 after switching state Aug 26 13:08:57.576806: | Message ID: recv #1.#2 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0->1; child: wip.initiator=-1 wip.responder=1->-1 Aug 26 13:08:57.576809: | Message ID: sent #1.#2 response 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0->1 responder.recv=1; child: wip.initiator=-1 wip.responder=-1 Aug 26 13:08:57.576811: | pstats #2 ikev2.child established Aug 26 13:08:57.576817: "westnet-eastnet-ipv4-psk-ikev2" #2: negotiated connection [192.0.2.0-192.0.2.255:0-65535 0] -> [192.0.1.0-192.0.1.255:0-65535 0] Aug 26 13:08:57.576820: | NAT-T: encaps is 'auto' Aug 26 13:08:57.576824: "westnet-eastnet-ipv4-psk-ikev2" #2: STATE_V2_IPSEC_R: IPsec SA established tunnel mode {ESP=>0x30f1bd82 <0xefc8c273 xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive} Aug 26 13:08:57.576827: | sending V2 new request packet to 192.1.2.45:500 (from 192.1.2.23:500) Aug 26 13:08:57.576833: | sending 225 bytes for STATE_PARENT_R1 through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #1) Aug 26 13:08:57.576835: | 47 83 ee a4 d1 45 51 22 1e 77 e6 9f ca a9 9c 6a Aug 26 13:08:57.576836: | 2e 20 23 20 00 00 00 01 00 00 00 e1 24 00 00 c5 Aug 26 13:08:57.576838: | 2c 37 8a cf f9 15 f7 16 a7 5c ed ff 8b b5 3e ac Aug 26 13:08:57.576839: | 8f d9 57 26 74 ab 32 ae 3a c3 d2 1c e0 42 b3 1e Aug 26 13:08:57.576841: | 06 de af d3 b0 93 ad 8b 8d 4f 7e 10 3a 37 14 45 Aug 26 13:08:57.576843: | ba bf 1c 13 79 3e c8 d7 9a 41 d4 1f 1c 25 44 87 Aug 26 13:08:57.576844: | ce 18 5e 4e e4 5f fb 8a 53 02 0f fa 6d 2a ce 64 Aug 26 13:08:57.576846: | 7c c6 c5 a6 31 a2 24 43 af c8 61 7d f5 8b c4 66 Aug 26 13:08:57.576847: | c2 c8 ad 6a ee a8 3d f9 76 41 3a 99 9d 43 3b ca Aug 26 13:08:57.576849: | 1b 18 6e 29 fe 23 99 02 23 76 
b6 b6 c8 93 d7 2a Aug 26 13:08:57.576850: | ca 58 39 ee cf 7e ab 28 70 f2 de c5 7d a3 87 82 Aug 26 13:08:57.576852: | 51 9e c0 12 6a b3 4d 8d 3d 34 31 da fc c0 79 be Aug 26 13:08:57.576853: | fc b3 6c db b3 4c a4 77 ed aa cb 44 ba 5a 1e 5e Aug 26 13:08:57.576857: | 2a 75 52 40 4e cb f3 ae 48 ed ea d4 43 6c 54 89 Aug 26 13:08:57.576858: | f4 Aug 26 13:08:57.576889: | releasing whack for #2 (sock=fd@-1) Aug 26 13:08:57.576892: | releasing whack and unpending for parent #1 Aug 26 13:08:57.576895: | unpending state #1 connection "westnet-eastnet-ipv4-psk-ikev2" Aug 26 13:08:57.576898: | #2 will start re-keying in 28530 seconds with margin of 270 seconds (attempting re-key) Aug 26 13:08:57.576900: | event_schedule: new EVENT_SA_REKEY-pe@0x7ff058002b78 Aug 26 13:08:57.576903: | inserting event EVENT_SA_REKEY, timeout in 28530 seconds for #2 Aug 26 13:08:57.576905: | libevent_malloc: new ptr-libevent@0x55f6950daeb8 size 128 Aug 26 13:08:57.576917: | resume sending helper answer for #1 suppresed complete_v2_state_transition() Aug 26 13:08:57.576921: | #1 spent 5.36 milliseconds in resume sending helper answer Aug 26 13:08:57.576924: | stop processing: state #2 connection "westnet-eastnet-ipv4-psk-ikev2" from 192.1.2.45:500 (in resume_handler() at server.c:833) Aug 26 13:08:57.576928: | libevent_free: release ptr-libevent@0x7ff050000f48 Aug 26 13:08:57.576939: | processing signal PLUTO_SIGCHLD Aug 26 13:08:57.576943: | waitpid returned ECHILD (no child processes left) Aug 26 13:08:57.576947: | spent 0.00443 milliseconds in signal handler PLUTO_SIGCHLD Aug 26 13:08:57.576948: | processing signal PLUTO_SIGCHLD Aug 26 13:08:57.576951: | waitpid returned ECHILD (no child processes left) Aug 26 13:08:57.576954: | spent 0.0026 milliseconds in signal handler PLUTO_SIGCHLD Aug 26 13:08:57.576955: | processing signal PLUTO_SIGCHLD Aug 26 13:08:57.576958: | waitpid returned ECHILD (no child processes left) Aug 26 13:08:57.576960: | spent 0.00253 milliseconds in signal handler 
PLUTO_SIGCHLD Aug 26 13:08:59.139087: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 13:08:59.139469: | FOR_EACH_CONNECTION_... in show_connections_status Aug 26 13:08:59.139479: | FOR_EACH_CONNECTION_... in show_connections_status Aug 26 13:08:59.139546: | FOR_EACH_STATE_... in show_states_status (sort_states) Aug 26 13:08:59.139554: | FOR_EACH_STATE_... in sort_states Aug 26 13:08:59.139567: | get_sa_info esp.efc8c273@192.1.2.23 Aug 26 13:08:59.139587: | get_sa_info esp.30f1bd82@192.1.2.45 Aug 26 13:08:59.139612: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 13:08:59.139620: | spent 0.535 milliseconds in whack Aug 26 13:08:59.953088: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 13:08:59.953111: shutting down Aug 26 13:08:59.953122: | processing: RESET whack log_fd (was fd@16) (in exit_pluto() at plutomain.c:1825) Aug 26 13:08:59.953128: | certs and keys locked by 'free_preshared_secrets' Aug 26 13:08:59.953130: forgetting secrets Aug 26 13:08:59.953137: | certs and keys unlocked by 'free_preshared_secrets' Aug 26 13:08:59.953141: | start processing: connection "westnet-eastnet-ipv4-psk-ikev2" (in delete_connection() at connections.c:189) Aug 26 13:08:59.953143: | Deleting states for connection - including all other IPsec SA's of this IKE SA Aug 26 13:08:59.953145: | pass 0 Aug 26 13:08:59.953147: | FOR_EACH_STATE_... 
in foreach_state_by_connection_func_delete Aug 26 13:08:59.953149: | state #2 Aug 26 13:08:59.953151: | suspend processing: connection "westnet-eastnet-ipv4-psk-ikev2" (in foreach_state_by_connection_func_delete() at state.c:1310) Aug 26 13:08:59.953156: | start processing: state #2 connection "westnet-eastnet-ipv4-psk-ikev2" from 192.1.2.45:500 (in foreach_state_by_connection_func_delete() at state.c:1310) Aug 26 13:08:59.953158: | pstats #2 ikev2.child deleted completed Aug 26 13:08:59.953161: | [RE]START processing: state #2 connection "westnet-eastnet-ipv4-psk-ikev2" from 192.1.2.45:500 (in delete_state() at state.c:879) Aug 26 13:08:59.953164: "westnet-eastnet-ipv4-psk-ikev2" #2: deleting state (STATE_V2_IPSEC_R) aged 2.405s and sending notification Aug 26 13:08:59.953167: | child state #2: V2_IPSEC_R(established CHILD SA) => delete Aug 26 13:08:59.953173: | get_sa_info esp.30f1bd82@192.1.2.45 Aug 26 13:08:59.953186: | get_sa_info esp.efc8c273@192.1.2.23 Aug 26 13:08:59.953192: "westnet-eastnet-ipv4-psk-ikev2" #2: ESP traffic information: in=168B out=168B Aug 26 13:08:59.953195: | #2 send IKEv2 delete notification for STATE_V2_IPSEC_R Aug 26 13:08:59.953197: | Opening output PBS informational exchange delete request Aug 26 13:08:59.953199: | **emit ISAKMP Message: Aug 26 13:08:59.953201: | initiator cookie: Aug 26 13:08:59.953203: | 47 83 ee a4 d1 45 51 22 Aug 26 13:08:59.953205: | responder cookie: Aug 26 13:08:59.953206: | 1e 77 e6 9f ca a9 9c 6a Aug 26 13:08:59.953208: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 13:08:59.953210: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:08:59.953212: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Aug 26 13:08:59.953214: | flags: none (0x0) Aug 26 13:08:59.953216: | Message ID: 0 (0x0) Aug 26 13:08:59.953218: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 13:08:59.953221: | ***emit IKEv2 Encryption Payload: Aug 26 13:08:59.953222: | next payload 
type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:08:59.953224: | flags: none (0x0) Aug 26 13:08:59.953226: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Aug 26 13:08:59.953228: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'informational exchange delete request' Aug 26 13:08:59.953231: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Aug 26 13:08:59.953243: | ****emit IKEv2 Delete Payload: Aug 26 13:08:59.953245: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:08:59.953247: | flags: none (0x0) Aug 26 13:08:59.953249: | protocol ID: PROTO_v2_ESP (0x3) Aug 26 13:08:59.953251: | SPI size: 4 (0x4) Aug 26 13:08:59.953252: | number of SPIs: 1 (0x1) Aug 26 13:08:59.953255: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) Aug 26 13:08:59.953257: | next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'informational exchange delete request' Aug 26 13:08:59.953259: | emitting 4 raw bytes of local spis into IKEv2 Delete Payload Aug 26 13:08:59.953260: | local spis ef c8 c2 73 Aug 26 13:08:59.953262: | emitting length of IKEv2 Delete Payload: 12 Aug 26 13:08:59.953264: | adding 1 bytes of padding (including 1 byte padding-length) Aug 26 13:08:59.953266: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:08:59.953268: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Aug 26 13:08:59.953270: | emitting length of IKEv2 Encryption Payload: 41 Aug 26 13:08:59.953272: | emitting length of ISAKMP Message: 69 Aug 26 13:08:59.953299: | sending 69 bytes for delete notification through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #2) Aug 26 13:08:59.953305: | 47 83 ee a4 d1 45 51 22 1e 77 e6 9f ca a9 9c 6a Aug 26 13:08:59.953308: | 2e 20 25 00 00 00 
00 00 00 00 00 45 2a 00 00 29 Aug 26 13:08:59.953311: | a2 7b f5 cd 66 7b 39 8b 2a c2 7f 1e e5 57 10 cc Aug 26 13:08:59.953312: | b0 da 6e a0 45 cb 1a 41 18 d1 38 68 f6 87 58 27 Aug 26 13:08:59.953314: | 92 5d 34 f9 61 Aug 26 13:08:59.953350: | Message ID: IKE #1 sender #2 in send_delete record 'n' sending delete request so forcing IKE nextuse=0->1 and sender msgid=0->0 Aug 26 13:08:59.953353: | Message ID: IKE #1 sender #2 in send_delete hacking around record ' send Aug 26 13:08:59.953356: | Message ID: sent #1 request 0; ike: initiator.sent=-1->0 initiator.recv=-1 responder.sent=1 responder.recv=1 wip.initiator=-1->0 wip.responder=-1 Aug 26 13:08:59.953359: | state #2 requesting EVENT_SA_REKEY to be deleted Aug 26 13:08:59.953362: | libevent_free: release ptr-libevent@0x55f6950daeb8 Aug 26 13:08:59.953365: | free_event_entry: release EVENT_SA_REKEY-pe@0x7ff058002b78 Aug 26 13:08:59.953406: | running updown command "ipsec _updown" for verb down Aug 26 13:08:59.953410: | command executing down-client Aug 26 13:08:59.953428: | executing down-client: PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='westnet-eastnet-ipv4-psk-ikev2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='@west' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1566824937' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' 
PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHAR Aug 26 13:08:59.953432: | popen cmd is 1057 chars long Aug 26 13:08:59.953434: | cmd( 0):PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='westnet-eastnet-i: Aug 26 13:08:59.953436: | cmd( 80):pv4-psk-ikev2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.: Aug 26 13:08:59.953443: | cmd( 160):1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET=': Aug 26 13:08:59.953447: | cmd( 240):192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTO: Aug 26 13:08:59.953450: | cmd( 320):COL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO: Aug 26 13:08:59.953454: | cmd( 400):_PEER_ID='@west' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1: Aug 26 13:08:59.953457: | cmd( 480):.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOC: Aug 26 13:08:59.953460: | cmd( 560):OL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1566824937' PLUTO_CO: Aug 26 13:08:59.953464: | cmd( 640):NN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO': Aug 26 13:08:59.953467: | cmd( 720): PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUT: Aug 26 13:08:59.953470: | cmd( 800):O_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_: Aug 26 13:08:59.953473: | cmd( 880):BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_: Aug 26 13:08:59.953476: | cmd( 960):IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x30f1bd82 SPI_OUT=0xefc8c273 i: Aug 26 13:08:59.953479: | cmd(1040):psec _updown 2>&1: Aug 26 13:08:59.962673: | shunt_eroute() called for connection 'westnet-eastnet-ipv4-psk-ikev2' to 'replace with shunt' for rt_kind 'prospective erouted' using protoports 0--0->-0 Aug 26 13:08:59.962691: | netlink_shunt_eroute for proto 0, and source port 0 dest port 0 Aug 26 13:08:59.962694: | 
priority calculation of connection "westnet-eastnet-ipv4-psk-ikev2" is 0xfe7e7 Aug 26 13:08:59.962698: | IPsec Sa SPD priority set to 1042407 Aug 26 13:08:59.962734: | delete esp.30f1bd82@192.1.2.45 Aug 26 13:08:59.962755: | netlink response for Del SA esp.30f1bd82@192.1.2.45 included non-error error Aug 26 13:08:59.962763: | priority calculation of connection "westnet-eastnet-ipv4-psk-ikev2" is 0xfe7e7 Aug 26 13:08:59.962771: | delete inbound eroute 192.0.1.0/24:0 --0-> 192.0.2.0/24:0 => unk255.10000@192.1.2.23 (raw_eroute) Aug 26 13:08:59.962794: | raw_eroute result=success Aug 26 13:08:59.962800: | delete esp.efc8c273@192.1.2.23 Aug 26 13:08:59.962813: | netlink response for Del SA esp.efc8c273@192.1.2.23 included non-error error Aug 26 13:08:59.962828: | stop processing: connection "westnet-eastnet-ipv4-psk-ikev2" (BACKGROUND) (in update_state_connection() at connections.c:4076) Aug 26 13:08:59.962834: | start processing: connection NULL (in update_state_connection() at connections.c:4077) Aug 26 13:08:59.962841: | in connection_discard for connection westnet-eastnet-ipv4-psk-ikev2 Aug 26 13:08:59.962845: | State DB: deleting IKEv2 state #2 in V2_IPSEC_R Aug 26 13:08:59.962854: | child state #2: V2_IPSEC_R(established CHILD SA) => UNDEFINED(ignore) Aug 26 13:08:59.962864: | stop processing: state #2 from 192.1.2.45:500 (in delete_state() at state.c:1143) Aug 26 13:08:59.962877: | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312) Aug 26 13:08:59.962879: | state #1 Aug 26 13:08:59.962881: | pass 1 Aug 26 13:08:59.962882: | FOR_EACH_STATE_... 
in foreach_state_by_connection_func_delete Aug 26 13:08:59.962884: | state #1 Aug 26 13:08:59.962887: | start processing: state #1 connection "westnet-eastnet-ipv4-psk-ikev2" from 192.1.2.45:500 (in foreach_state_by_connection_func_delete() at state.c:1310) Aug 26 13:08:59.962890: | pstats #1 ikev2.ike deleted completed Aug 26 13:08:59.962895: | #1 spent 8.71 milliseconds in total Aug 26 13:08:59.962898: | [RE]START processing: state #1 connection "westnet-eastnet-ipv4-psk-ikev2" from 192.1.2.45:500 (in delete_state() at state.c:879) Aug 26 13:08:59.962901: "westnet-eastnet-ipv4-psk-ikev2" #1: deleting state (STATE_PARENT_R2) aged 2.422s and sending notification Aug 26 13:08:59.962904: | parent state #1: PARENT_R2(established IKE SA) => delete Aug 26 13:08:59.962950: | #1 send IKEv2 delete notification for STATE_PARENT_R2 Aug 26 13:08:59.962958: | Opening output PBS informational exchange delete request Aug 26 13:08:59.962962: | **emit ISAKMP Message: Aug 26 13:08:59.962966: | initiator cookie: Aug 26 13:08:59.962969: | 47 83 ee a4 d1 45 51 22 Aug 26 13:08:59.962972: | responder cookie: Aug 26 13:08:59.962974: | 1e 77 e6 9f ca a9 9c 6a Aug 26 13:08:59.962978: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 13:08:59.962982: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:08:59.962985: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Aug 26 13:08:59.962989: | flags: none (0x0) Aug 26 13:08:59.962991: | Message ID: 1 (0x1) Aug 26 13:08:59.962993: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 13:08:59.962996: | ***emit IKEv2 Encryption Payload: Aug 26 13:08:59.962998: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:08:59.962999: | flags: none (0x0) Aug 26 13:08:59.963002: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Aug 26 13:08:59.963004: | next payload chain: saving location 'IKEv2 Encryption 
Payload'.'next payload type' in 'informational exchange delete request' Aug 26 13:08:59.963006: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Aug 26 13:08:59.963019: | ****emit IKEv2 Delete Payload: Aug 26 13:08:59.963021: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:08:59.963022: | flags: none (0x0) Aug 26 13:08:59.963024: | protocol ID: PROTO_v2_IKE (0x1) Aug 26 13:08:59.963026: | SPI size: 0 (0x0) Aug 26 13:08:59.963028: | number of SPIs: 0 (0x0) Aug 26 13:08:59.963030: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) Aug 26 13:08:59.963032: | next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'informational exchange delete request' Aug 26 13:08:59.963034: | emitting length of IKEv2 Delete Payload: 8 Aug 26 13:08:59.963036: | adding 1 bytes of padding (including 1 byte padding-length) Aug 26 13:08:59.963038: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:08:59.963040: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Aug 26 13:08:59.963042: | emitting length of IKEv2 Encryption Payload: 37 Aug 26 13:08:59.963044: | emitting length of ISAKMP Message: 65 Aug 26 13:08:59.963066: | sending 65 bytes for delete notification through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #1) Aug 26 13:08:59.963070: | 47 83 ee a4 d1 45 51 22 1e 77 e6 9f ca a9 9c 6a Aug 26 13:08:59.963072: | 2e 20 25 00 00 00 00 01 00 00 00 41 2a 00 00 25 Aug 26 13:08:59.963073: | 72 de d9 5b 82 11 2d db 08 0d 95 79 70 65 b9 20 Aug 26 13:08:59.963075: | 16 12 0b 58 e1 3f e3 a8 00 8e a1 9e 03 04 00 13 Aug 26 13:08:59.963076: | 2a Aug 26 13:08:59.963114: | Message ID: IKE #1 sender #1 in send_delete record 'n' sending delete request so forcing IKE nextuse=1->2 and sender msgid=0->1 Aug 26 13:08:59.963121: | Message ID: IKE #1 sender #1 in send_delete hacking around 
record ' send Aug 26 13:08:59.963127: | Message ID: #1 XXX: expecting sender.wip.initiator 0 == -1 - suspect record'n'send out-of-order?); initiator.sent=1 initiator.recv=-1 responder.sent=1 responder.recv=1 wip.initiator=1 wip.responder=-1 Aug 26 13:08:59.963133: | Message ID: sent #1 request 1; ike: initiator.sent=0->1 initiator.recv=-1 responder.sent=1 responder.recv=1 wip.initiator=0->1 wip.responder=-1 Aug 26 13:08:59.963137: | state #1 requesting EVENT_SA_REKEY to be deleted Aug 26 13:08:59.963146: | libevent_free: release ptr-libevent@0x55f6950da408 Aug 26 13:08:59.963149: | free_event_entry: release EVENT_SA_REKEY-pe@0x55f6950d6b78 Aug 26 13:08:59.963155: | State DB: IKEv2 state not found (flush_incomplete_children) Aug 26 13:08:59.963158: | in connection_discard for connection westnet-eastnet-ipv4-psk-ikev2 Aug 26 13:08:59.963162: | State DB: deleting IKEv2 state #1 in PARENT_R2 Aug 26 13:08:59.963165: | parent state #1: PARENT_R2(established IKE SA) => UNDEFINED(ignore) Aug 26 13:08:59.963199: | stop processing: state #1 from 192.1.2.45:500 (in delete_state() at state.c:1143) Aug 26 13:08:59.963229: | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312) Aug 26 13:08:59.963234: | shunt_eroute() called for connection 'westnet-eastnet-ipv4-psk-ikev2' to 'delete' for rt_kind 'unrouted' using protoports 0--0->-0 Aug 26 13:08:59.963236: | netlink_shunt_eroute for proto 0, and source port 0 dest port 0 Aug 26 13:08:59.963239: | priority calculation of connection "westnet-eastnet-ipv4-psk-ikev2" is 0xfe7e7 Aug 26 13:08:59.963253: | priority calculation of connection "westnet-eastnet-ipv4-psk-ikev2" is 0xfe7e7 Aug 26 13:08:59.963266: | FOR_EACH_CONNECTION_... 
in route_owner Aug 26 13:08:59.963273: | conn westnet-eastnet-ipv4-psk-ikev2 mark 0/00000000, 0/00000000 vs Aug 26 13:08:59.963278: | conn westnet-eastnet-ipv4-psk-ikev2 mark 0/00000000, 0/00000000 Aug 26 13:08:59.963282: | route owner of "westnet-eastnet-ipv4-psk-ikev2" unrouted: NULL Aug 26 13:08:59.963286: | running updown command "ipsec _updown" for verb unroute Aug 26 13:08:59.963296: | command executing unroute-client Aug 26 13:08:59.963320: | executing unroute-client: PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='westnet-eastnet-ipv4-psk-ikev2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='@west' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED Aug 26 13:08:59.963323: | popen cmd is 1038 chars long Aug 26 13:08:59.963325: | cmd( 0):PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='westnet-eastne: Aug 26 13:08:59.963327: | cmd( 80):t-ipv4-psk-ikev2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='1: Aug 26 13:08:59.963337: | cmd( 160):92.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NE: Aug 26 13:08:59.963343: | cmd( 240):T='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PR: Aug 
26 13:08:59.963347: | cmd( 320):OTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.2.45' P: Aug 26 13:08:59.963351: | cmd( 400):LUTO_PEER_ID='@west' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192: Aug 26 13:08:59.963354: | cmd( 480):.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PR: Aug 26 13:08:59.963357: | cmd( 560):OTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_PO: Aug 26 13:08:59.963360: | cmd( 640):LICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUT: Aug 26 13:08:59.963363: | cmd( 720):O_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_: Aug 26 13:08:59.963365: | cmd( 800):PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNE: Aug 26 13:08:59.963368: | cmd( 880):R='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE: Aug 26 13:08:59.963372: | cmd( 960):='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec _updown 2>&1: Aug 26 13:08:59.975379: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:08:59.975399: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:08:59.975401: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:08:59.975404: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:08:59.975406: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:08:59.975407: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:08:59.975458: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:08:59.975465: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:08:59.975467: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:08:59.975470: unroute-client output: Error: Peer netns reference is invalid. 
Aug 26 13:08:59.975617: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:08:59.975628: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:08:59.975639: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:08:59.975648: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:08:59.975658: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:08:59.975666: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:08:59.975677: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:08:59.975686: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:08:59.975695: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:08:59.975705: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:08:59.975715: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:08:59.975725: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:08:59.975736: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:08:59.975746: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:08:59.975754: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:08:59.975764: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:08:59.975775: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:08:59.975784: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:08:59.975794: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:08:59.975804: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:08:59.975814: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:08:59.975824: unroute-client output: Error: Peer netns reference is invalid. 
Aug 26 13:08:59.975833: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:08:59.975842: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:08:59.980347: | free hp@0x55f6950d5288 Aug 26 13:08:59.980369: | flush revival: connection 'westnet-eastnet-ipv4-psk-ikev2' wasn't on the list Aug 26 13:08:59.980374: | processing: STOP connection NULL (in discard_connection() at connections.c:249) Aug 26 13:08:59.980394: | crl fetch request list locked by 'free_crl_fetch' Aug 26 13:08:59.980398: | crl fetch request list unlocked by 'free_crl_fetch' Aug 26 13:08:59.980408: shutting down interface lo/lo 127.0.0.1:4500 Aug 26 13:08:59.980413: shutting down interface lo/lo 127.0.0.1:500 Aug 26 13:08:59.980417: shutting down interface eth0/eth0 192.0.2.254:4500 Aug 26 13:08:59.980420: shutting down interface eth0/eth0 192.0.2.254:500 Aug 26 13:08:59.980424: shutting down interface eth1/eth1 192.1.2.23:4500 Aug 26 13:08:59.980427: shutting down interface eth1/eth1 192.1.2.23:500 Aug 26 13:08:59.980431: | FOR_EACH_STATE_... 
in delete_states_dead_interfaces Aug 26 13:08:59.980441: | libevent_free: release ptr-libevent@0x55f6950c6cf8 Aug 26 13:08:59.980444: | free_event_entry: release EVENT_NULL-pe@0x55f6950d2b88 Aug 26 13:08:59.980453: | libevent_free: release ptr-libevent@0x55f695064eb8 Aug 26 13:08:59.980455: | free_event_entry: release EVENT_NULL-pe@0x55f6950d2c38 Aug 26 13:08:59.980460: | libevent_free: release ptr-libevent@0x55f695064db8 Aug 26 13:08:59.980462: | free_event_entry: release EVENT_NULL-pe@0x55f6950d2ce8 Aug 26 13:08:59.980466: | libevent_free: release ptr-libevent@0x55f6950645e8 Aug 26 13:08:59.980468: | free_event_entry: release EVENT_NULL-pe@0x55f6950d2d98 Aug 26 13:08:59.980473: | libevent_free: release ptr-libevent@0x55f6950334e8 Aug 26 13:08:59.980475: | free_event_entry: release EVENT_NULL-pe@0x55f6950d2e48 Aug 26 13:08:59.980479: | libevent_free: release ptr-libevent@0x55f6950331d8 Aug 26 13:08:59.980481: | free_event_entry: release EVENT_NULL-pe@0x55f6950d2ef8 Aug 26 13:08:59.980485: | FOR_EACH_UNORIENTED_CONNECTION_... 
in check_orientations Aug 26 13:08:59.980916: | libevent_free: release ptr-libevent@0x55f6950c6da8 Aug 26 13:08:59.980924: | free_event_entry: release EVENT_NULL-pe@0x55f6950baae8 Aug 26 13:08:59.980928: | libevent_free: release ptr-libevent@0x55f695064cb8 Aug 26 13:08:59.980931: | free_event_entry: release EVENT_NULL-pe@0x55f6950b9fa8 Aug 26 13:08:59.980934: | libevent_free: release ptr-libevent@0x55f69509e368 Aug 26 13:08:59.980936: | free_event_entry: release EVENT_NULL-pe@0x55f6950bab58 Aug 26 13:08:59.980939: | global timer EVENT_REINIT_SECRET uninitialized Aug 26 13:08:59.980941: | global timer EVENT_SHUNT_SCAN uninitialized Aug 26 13:08:59.980943: | global timer EVENT_PENDING_DDNS uninitialized Aug 26 13:08:59.980945: | global timer EVENT_PENDING_PHASE2 uninitialized Aug 26 13:08:59.980946: | global timer EVENT_CHECK_CRLS uninitialized Aug 26 13:08:59.980948: | global timer EVENT_REVIVE_CONNS uninitialized Aug 26 13:08:59.980950: | global timer EVENT_FREE_ROOT_CERTS uninitialized Aug 26 13:08:59.980951: | global timer EVENT_RESET_LOG_RATE_LIMIT uninitialized Aug 26 13:08:59.980953: | global timer EVENT_NAT_T_KEEPALIVE uninitialized Aug 26 13:08:59.980957: | libevent_free: release ptr-libevent@0x55f695065f98 Aug 26 13:08:59.980959: | signal event handler PLUTO_SIGCHLD uninstalled Aug 26 13:08:59.980961: | libevent_free: release ptr-libevent@0x55f6950d22e8 Aug 26 13:08:59.980963: | signal event handler PLUTO_SIGTERM uninstalled Aug 26 13:08:59.980965: | libevent_free: release ptr-libevent@0x55f6950d23f8 Aug 26 13:08:59.980966: | signal event handler PLUTO_SIGHUP uninstalled Aug 26 13:08:59.980969: | libevent_free: release ptr-libevent@0x55f6950d2638 Aug 26 13:08:59.980970: | signal event handler PLUTO_SIGSYS uninstalled Aug 26 13:08:59.980972: | releasing event base Aug 26 13:08:59.980981: | libevent_free: release ptr-libevent@0x55f6950d2508 Aug 26 13:08:59.980983: | libevent_free: release ptr-libevent@0x55f6950b5398 Aug 26 13:08:59.980989: | libevent_free: 
release ptr-libevent@0x55f6950b5348 Aug 26 13:08:59.980991: | libevent_free: release ptr-libevent@0x55f6950b52d8 Aug 26 13:08:59.980992: | libevent_free: release ptr-libevent@0x55f6950b5298 Aug 26 13:08:59.980994: | libevent_free: release ptr-libevent@0x55f6950d20b8 Aug 26 13:08:59.980996: | libevent_free: release ptr-libevent@0x55f6950d2268 Aug 26 13:08:59.980998: | libevent_free: release ptr-libevent@0x55f6950b5548 Aug 26 13:08:59.980999: | libevent_free: release ptr-libevent@0x55f6950ba0b8 Aug 26 13:08:59.981001: | libevent_free: release ptr-libevent@0x55f6950baaa8 Aug 26 13:08:59.981003: | libevent_free: release ptr-libevent@0x55f6950d2f68 Aug 26 13:08:59.981004: | libevent_free: release ptr-libevent@0x55f6950d2eb8 Aug 26 13:08:59.981006: | libevent_free: release ptr-libevent@0x55f6950d2e08 Aug 26 13:08:59.981008: | libevent_free: release ptr-libevent@0x55f6950d2d58 Aug 26 13:08:59.981011: | libevent_free: release ptr-libevent@0x55f6950d2ca8 Aug 26 13:08:59.981013: | libevent_free: release ptr-libevent@0x55f6950d2bf8 Aug 26 13:08:59.981016: | libevent_free: release ptr-libevent@0x55f695061a48 Aug 26 13:08:59.981019: | libevent_free: release ptr-libevent@0x55f6950d23b8 Aug 26 13:08:59.981022: | libevent_free: release ptr-libevent@0x55f6950d22a8 Aug 26 13:08:59.981024: | libevent_free: release ptr-libevent@0x55f6950d2228 Aug 26 13:08:59.981026: | libevent_free: release ptr-libevent@0x55f6950d24c8 Aug 26 13:08:59.981027: | libevent_free: release ptr-libevent@0x55f6950d20f8 Aug 26 13:08:59.981029: | libevent_free: release ptr-libevent@0x55f695032908 Aug 26 13:08:59.981031: | libevent_free: release ptr-libevent@0x55f695032d38 Aug 26 13:08:59.981033: | libevent_free: release ptr-libevent@0x55f695061db8 Aug 26 13:08:59.981034: | releasing global libevent data Aug 26 13:08:59.981037: | libevent_free: release ptr-libevent@0x55f6950a4de8 Aug 26 13:08:59.981038: | libevent_free: release ptr-libevent@0x55f695032cd8 Aug 26 13:08:59.981040: | libevent_free: release 
ptr-libevent@0x55f695032dd8 Aug 26 13:08:59.981066: leak detective found no leaks