Aug 26 13:09:53.946135: FIPS Product: YES
Aug 26 13:09:53.946170: FIPS Kernel: NO
Aug 26 13:09:53.946172: FIPS Mode: NO
Aug 26 13:09:53.946174: NSS DB directory: sql:/etc/ipsec.d
Aug 26 13:09:53.946298: Initializing NSS
Aug 26 13:09:53.946306: Opening NSS database "sql:/etc/ipsec.d" read-only
Aug 26 13:09:53.971921: NSS initialized
Aug 26 13:09:53.971936: NSS crypto library initialized
Aug 26 13:09:53.971939: FIPS HMAC integrity support [enabled]
Aug 26 13:09:53.971940: FIPS mode disabled for pluto daemon
Aug 26 13:09:53.996480: FIPS HMAC integrity verification self-test FAILED
Aug 26 13:09:53.996584: libcap-ng support [enabled]
Aug 26 13:09:53.996592: Linux audit support [enabled]
Aug 26 13:09:53.996616: Linux audit activated
Aug 26 13:09:53.996620: Starting Pluto (Libreswan Version v3.28-685-gbfd5aef521-master-s2 XFRM(netkey) esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) DNSSEC FIPS_CHECK LABELED_IPSEC SECCOMP LIBCAP_NG LINUX_AUDIT XAUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:9961
Aug 26 13:09:53.996621: core dump dir: /tmp
Aug 26 13:09:53.996623: secrets file: /etc/ipsec.secrets
Aug 26 13:09:53.996625: leak-detective disabled
Aug 26 13:09:53.996626: NSS crypto [enabled]
Aug 26 13:09:53.996627: XAUTH PAM support [enabled]
Aug 26 13:09:53.996683: | libevent is using pluto's memory allocator
Aug 26 13:09:53.996688: Initializing libevent in pthreads mode: headers: 2.1.8-stable (2010800); library: 2.1.8-stable (2010800)
Aug 26 13:09:53.996700: | libevent_malloc: new ptr-libevent@0x55fb063601b0 size 40
Aug 26 13:09:53.996702: | libevent_malloc: new ptr-libevent@0x55fb06361460 size 40
Aug 26 13:09:53.996704: | libevent_malloc: new ptr-libevent@0x55fb06361490 size 40
Aug 26 13:09:53.996706: | creating event base
Aug 26 13:09:53.996708: | libevent_malloc: new ptr-libevent@0x55fb06361420 size 56
Aug 26 13:09:53.996710: | libevent_malloc: new ptr-libevent@0x55fb063614c0 size 664
Aug 26 13:09:53.996718: | libevent_malloc: new ptr-libevent@0x55fb06361760 size 24
Aug 26 13:09:53.996722: | libevent_malloc: new ptr-libevent@0x55fb06352eb0 size 384
Aug 26 13:09:53.996729: | libevent_malloc: new ptr-libevent@0x55fb06361780 size 16
Aug 26 13:09:53.996731: | libevent_malloc: new ptr-libevent@0x55fb063617a0 size 40
Aug 26 13:09:53.996733: | libevent_malloc: new ptr-libevent@0x55fb063617d0 size 48
Aug 26 13:09:53.996738: | libevent_realloc: new ptr-libevent@0x55fb062e3370 size 256
Aug 26 13:09:53.996739: | libevent_malloc: new ptr-libevent@0x55fb06361810 size 16
Aug 26 13:09:53.996743: | libevent_free: release ptr-libevent@0x55fb06361420
Aug 26 13:09:53.996746: | libevent initialized
Aug 26 13:09:53.996748: | libevent_realloc: new ptr-libevent@0x55fb06361830 size 64
Aug 26 13:09:53.996751: | global periodic timer EVENT_RESET_LOG_RATE_LIMIT enabled with interval of 3600 seconds
Aug 26 13:09:53.996764: | init_nat_traversal() initialized with keep_alive=0s
Aug 26 13:09:53.996766: NAT-Traversal support [enabled]
Aug 26 13:09:53.996768: | global one-shot timer EVENT_NAT_T_KEEPALIVE initialized
Aug 26 13:09:53.996773: | global one-shot timer EVENT_FREE_ROOT_CERTS initialized
Aug 26 13:09:53.996775: | global periodic timer EVENT_REINIT_SECRET enabled with interval of 3600 seconds
Aug 26 13:09:53.996815: | global one-shot timer EVENT_REVIVE_CONNS initialized
Aug 26 13:09:53.996818: | global periodic timer EVENT_PENDING_DDNS enabled with interval of 60 seconds
Aug 26 13:09:53.996820: | global periodic timer EVENT_PENDING_PHASE2 enabled with interval of 120 seconds
Aug 26 13:09:53.996853: Encryption algorithms:
Aug 26 13:09:53.996860: AES_CCM_16 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm, aes_ccm_c
Aug 26 13:09:53.996863: AES_CCM_12 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_b
Aug 26 13:09:53.996865: AES_CCM_8 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_a
Aug 26 13:09:53.996868: 3DES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS [*192] 3des
Aug 26 13:09:53.996870: CAMELLIA_CTR IKEv1: ESP IKEv2: ESP {256,192,*128}
Aug 26 13:09:53.996877: CAMELLIA_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} camellia
Aug 26 13:09:53.996880: AES_GCM_16 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm, aes_gcm_c
Aug 26 13:09:53.996883: AES_GCM_12 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_b
Aug 26 13:09:53.996885: AES_GCM_8 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_a
Aug 26 13:09:53.996888: AES_CTR IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aesctr
Aug 26 13:09:53.996890: AES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aes
Aug 26 13:09:53.996893: SERPENT_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} serpent
Aug 26 13:09:53.996895: TWOFISH_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} twofish
Aug 26 13:09:53.996898: TWOFISH_SSH IKEv1: IKE IKEv2: IKE ESP {256,192,*128} twofish_cbc_ssh
Aug 26 13:09:53.996900: NULL_AUTH_AES_GMAC IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_gmac
Aug 26 13:09:53.996902: NULL IKEv1: ESP IKEv2: ESP []
Aug 26 13:09:53.996905: CHACHA20_POLY1305 IKEv1: IKEv2: IKE ESP [*256] chacha20poly1305
Aug 26 13:09:53.996910: Hash algorithms:
Aug 26 13:09:53.996912: MD5 IKEv1: IKE IKEv2:
Aug 26 13:09:53.996914: SHA1 IKEv1: IKE IKEv2: FIPS sha
Aug 26 13:09:53.996916: SHA2_256 IKEv1: IKE IKEv2: FIPS sha2, sha256
Aug 26 13:09:53.996918: SHA2_384 IKEv1: IKE IKEv2: FIPS sha384
Aug 26 13:09:53.996920: SHA2_512 IKEv1: IKE IKEv2: FIPS sha512
Aug 26 13:09:53.996928: PRF algorithms:
Aug 26 13:09:53.996931: HMAC_MD5 IKEv1: IKE IKEv2: IKE md5
Aug 26 13:09:53.996933: HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS sha, sha1
Aug 26 13:09:53.996935: HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS sha2, sha256, sha2_256
Aug 26 13:09:53.996937: HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS sha384, sha2_384
Aug 26 13:09:53.996939: HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS sha512, sha2_512
Aug 26 13:09:53.996942: AES_XCBC IKEv1: IKEv2: IKE aes128_xcbc
Aug 26 13:09:53.996957: Integrity algorithms:
Aug 26 13:09:53.996960: HMAC_MD5_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH md5, hmac_md5
Aug 26 13:09:53.996979: HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha, sha1, sha1_96, hmac_sha1
Aug 26 13:09:53.996982: HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha512, sha2_512, sha2_512_256, hmac_sha2_512
Aug 26 13:09:53.996984: HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha384, sha2_384, sha2_384_192, hmac_sha2_384
Aug 26 13:09:53.996987: HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256
Aug 26 13:09:53.997002: HMAC_SHA2_256_TRUNCBUG IKEv1: ESP AH IKEv2: AH
Aug 26 13:09:53.997004: AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP AH aes_xcbc, aes128_xcbc, aes128_xcbc_96
Aug 26 13:09:53.997006: AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS aes_cmac
Aug 26 13:09:53.997009: NONE IKEv1: ESP IKEv2: IKE ESP FIPS null
Aug 26 13:09:53.997016: DH algorithms:
Aug 26 13:09:53.997018: NONE IKEv1: IKEv2: IKE ESP AH FIPS null, dh0
Aug 26 13:09:53.997020: MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH dh5
Aug 26 13:09:53.997022: MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh14
Aug 26 13:09:53.997026: MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh15
Aug 26 13:09:53.997028: MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh16
Aug 26 13:09:53.997030: MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh17
Aug 26 13:09:53.997032: MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh18
Aug 26 13:09:53.997035: DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_256, ecp256
Aug 26 13:09:53.997037: DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_384, ecp384
Aug 26 13:09:53.997039: DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_521, ecp521
Aug 26 13:09:53.997041: DH31 IKEv1: IKE IKEv2: IKE ESP AH curve25519
Aug 26 13:09:53.997043: testing CAMELLIA_CBC:
Aug 26 13:09:53.997045: Camellia: 16 bytes with 128-bit key
Aug 26 13:09:53.997126: Camellia: 16 bytes with 128-bit key
Aug 26 13:09:53.997145: Camellia: 16 bytes with 256-bit key
Aug 26 13:09:53.997162: Camellia: 16 bytes with 256-bit key
Aug 26 13:09:53.997180: testing AES_GCM_16:
Aug 26 13:09:53.997182: empty string
Aug 26 13:09:53.997200: one block
Aug 26 13:09:53.997216: two blocks
Aug 26 13:09:53.997231: two blocks with associated data
Aug 26 13:09:53.997247: testing AES_CTR:
Aug 26 13:09:53.997248: Encrypting 16 octets using AES-CTR with 128-bit key
Aug 26 13:09:53.997264: Encrypting 32 octets using AES-CTR with 128-bit key
Aug 26 13:09:53.997280: Encrypting 36 octets using AES-CTR with 128-bit key
Aug 26 13:09:53.997317: Encrypting 16 octets using AES-CTR with 192-bit key
Aug 26 13:09:53.997337: Encrypting 32 octets using AES-CTR with 192-bit key
Aug 26 13:09:53.997366: Encrypting 36 octets using AES-CTR with 192-bit key
Aug 26 13:09:53.997382: Encrypting 16 octets using AES-CTR with 256-bit key
Aug 26 13:09:53.997398: Encrypting 32 octets using AES-CTR with 256-bit key
Aug 26 13:09:53.997415: Encrypting 36 octets using AES-CTR with 256-bit key
Aug 26 13:09:53.997447: testing AES_CBC:
Aug 26 13:09:53.997449: Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key
Aug 26 13:09:53.997465: Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key
Aug 26 13:09:53.997498: Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key
Aug 26 13:09:53.997516: Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key
Aug 26 13:09:53.997537: testing AES_XCBC:
Aug 26 13:09:53.997540: RFC 3566 Test Case #1: AES-XCBC-MAC-96 with 0-byte input
Aug 26 13:09:53.997635: RFC 3566 Test Case #2: AES-XCBC-MAC-96 with 3-byte input
Aug 26 13:09:53.997783: RFC 3566 Test Case #3: AES-XCBC-MAC-96 with 16-byte input
Aug 26 13:09:53.997880: RFC 3566 Test Case #4: AES-XCBC-MAC-96 with 20-byte input
Aug 26 13:09:53.997957: RFC 3566 Test Case #5: AES-XCBC-MAC-96 with 32-byte input
Aug 26 13:09:53.998035: RFC 3566 Test Case #6: AES-XCBC-MAC-96 with 34-byte input
Aug 26 13:09:53.998112: RFC 3566 Test Case #7: AES-XCBC-MAC-96 with 1000-byte input
Aug 26 13:09:53.998283: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 16)
Aug 26 13:09:53.998373: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10)
Aug 26 13:09:53.998458: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18)
Aug 26 13:09:53.998601: testing HMAC_MD5:
Aug 26 13:09:53.998604: RFC 2104: MD5_HMAC test 1
Aug 26 13:09:53.998711: RFC 2104: MD5_HMAC test 2
Aug 26 13:09:53.998816: RFC 2104: MD5_HMAC test 3
Aug 26 13:09:53.998936: 8 CPU cores online
Aug 26 13:09:53.998939: starting up 7 crypto helpers
Aug 26 13:09:53.998965: started thread for crypto helper 0
Aug 26 13:09:53.998992: | starting up helper thread 0
Aug 26 13:09:53.999000: started thread for crypto helper 1
Aug 26 13:09:53.999007: | status value returned by setting the priority of this thread (crypto helper 0) 22
Aug 26 13:09:53.999010: | starting up helper thread 1
Aug 26 13:09:53.999033: | status value returned by setting the priority of this thread (crypto helper 1) 22
Aug 26 13:09:53.999040: started thread for crypto helper 2
Aug 26 13:09:53.999043: | starting up helper thread 2
Aug 26 13:09:53.999024: | crypto helper 0 waiting (nothing to do)
Aug 26 13:09:53.999112: | status value returned by setting the priority of this thread (crypto helper 2) 22
Aug 26 13:09:53.999121: | crypto helper 2 waiting (nothing to do)
Aug 26 13:09:53.999123: started thread for crypto helper 3
Aug 26 13:09:53.999126: | starting up helper thread 3
Aug 26 13:09:53.999136: | crypto helper 1 waiting (nothing to do)
Aug 26 13:09:53.999139: | status value returned by setting the priority of this thread (crypto helper 3) 22
Aug 26 13:09:53.999147: started thread for crypto helper 4
Aug 26 13:09:53.999149: | starting up helper thread 4
Aug 26 13:09:53.999147: | crypto helper 3 waiting (nothing to do)
Aug 26 13:09:53.999160: | status value returned by setting the priority of this thread (crypto helper 4) 22
Aug 26 13:09:53.999163: | crypto helper 4 waiting (nothing to do)
Aug 26 13:09:53.999170: started thread for crypto helper 5
Aug 26 13:09:53.999175: | starting up helper thread 5
Aug 26 13:09:53.999203: | status value returned by setting the priority of this thread (crypto helper 5) 22
Aug 26 13:09:53.999208: | starting up helper thread 6
Aug 26 13:09:53.999204: started thread for crypto helper 6
Aug 26 13:09:53.999213: | crypto helper 5 waiting (nothing to do)
Aug 26 13:09:53.999220: | status value returned by setting the priority of this thread (crypto helper 6) 22
Aug 26 13:09:53.999225: | checking IKEv1 state table
Aug 26 13:09:53.999236: | crypto helper 6 waiting (nothing to do)
Aug 26 13:09:53.999246: | MAIN_R0: category: half-open IKE SA flags: 0:
Aug 26 13:09:53.999251: | -> MAIN_R1 EVENT_SO_DISCARD
Aug 26 13:09:53.999254: | MAIN_I1: category: half-open IKE SA flags: 0:
Aug 26 13:09:53.999257: | -> MAIN_I2 EVENT_RETRANSMIT
Aug 26 13:09:53.999260: | MAIN_R1: category: open IKE SA flags: 200:
Aug 26 13:09:53.999262: | -> MAIN_R2 EVENT_RETRANSMIT
Aug 26 13:09:53.999265: | -> UNDEFINED EVENT_RETRANSMIT
Aug 26 13:09:53.999267: | -> UNDEFINED EVENT_RETRANSMIT
Aug 26 13:09:53.999270: | MAIN_I2: category: open IKE SA flags: 0:
Aug 26 13:09:53.999273: | -> MAIN_I3 EVENT_RETRANSMIT
Aug 26 13:09:53.999274: | -> UNDEFINED EVENT_RETRANSMIT
Aug 26 13:09:53.999276: | -> UNDEFINED EVENT_RETRANSMIT
Aug 26 13:09:53.999278: | MAIN_R2: category: open IKE SA flags: 0:
Aug 26 13:09:53.999280: | -> MAIN_R3 EVENT_SA_REPLACE
Aug 26 13:09:53.999281: | -> MAIN_R3 EVENT_SA_REPLACE
Aug 26 13:09:53.999283: | -> UNDEFINED EVENT_SA_REPLACE
Aug 26 13:09:53.999285: | MAIN_I3: category: open IKE SA flags: 0:
Aug 26 13:09:53.999286: | -> MAIN_I4 EVENT_SA_REPLACE
Aug 26 13:09:53.999296: | -> MAIN_I4 EVENT_SA_REPLACE
Aug 26 13:09:53.999302: | -> UNDEFINED EVENT_SA_REPLACE
Aug 26 13:09:53.999304: | MAIN_R3: category: established IKE SA flags: 200:
Aug 26 13:09:53.999306: | -> UNDEFINED EVENT_NULL
Aug 26 13:09:53.999307: | MAIN_I4: category: established IKE SA flags: 0:
Aug 26 13:09:53.999309: | -> UNDEFINED EVENT_NULL
Aug 26 13:09:53.999311: | AGGR_R0: category: half-open IKE SA flags: 0:
Aug 26 13:09:53.999313: | -> AGGR_R1 EVENT_SO_DISCARD
Aug 26 13:09:53.999315: | AGGR_I1: category: half-open IKE SA flags: 0:
Aug 26 13:09:53.999329: | -> AGGR_I2 EVENT_SA_REPLACE
Aug 26 13:09:53.999331: | -> AGGR_I2 EVENT_SA_REPLACE
Aug 26 13:09:53.999333: | AGGR_R1: category: open IKE SA flags: 200:
Aug 26 13:09:53.999334: | -> AGGR_R2 EVENT_SA_REPLACE
Aug 26 13:09:53.999336: | -> AGGR_R2 EVENT_SA_REPLACE
Aug 26 13:09:53.999338: | AGGR_I2: category: established IKE SA flags: 200:
Aug 26 13:09:53.999339: | -> UNDEFINED EVENT_NULL
Aug 26 13:09:53.999341: | AGGR_R2: category: established IKE SA flags: 0:
Aug 26 13:09:53.999343: | -> UNDEFINED EVENT_NULL
Aug 26 13:09:53.999345: | QUICK_R0: category: established CHILD SA flags: 0:
Aug 26 13:09:53.999346: | -> QUICK_R1 EVENT_RETRANSMIT
Aug 26 13:09:53.999351: | QUICK_I1: category: established CHILD SA flags: 0:
Aug 26 13:09:53.999353: | -> QUICK_I2 EVENT_SA_REPLACE
Aug 26 13:09:53.999355: | QUICK_R1: category: established CHILD SA flags: 0:
Aug 26 13:09:53.999356: | -> QUICK_R2 EVENT_SA_REPLACE
Aug 26 13:09:53.999358: | QUICK_I2: category: established CHILD SA flags: 200:
Aug 26 13:09:53.999360: | -> UNDEFINED EVENT_NULL
Aug 26 13:09:53.999362: | QUICK_R2: category: established CHILD SA flags: 0:
Aug 26 13:09:53.999363: | -> UNDEFINED EVENT_NULL
Aug 26 13:09:53.999365: | INFO: category: informational flags: 0:
Aug 26 13:09:53.999367: | -> UNDEFINED EVENT_NULL
Aug 26 13:09:53.999369: | INFO_PROTECTED: category: informational flags: 0:
Aug 26 13:09:53.999370: | -> UNDEFINED EVENT_NULL
Aug 26 13:09:53.999372: | XAUTH_R0: category: established IKE SA flags: 0:
Aug 26 13:09:53.999374: | -> XAUTH_R1 EVENT_NULL
Aug 26 13:09:53.999376: | XAUTH_R1: category: established IKE SA flags: 0:
Aug 26 13:09:53.999377: | -> MAIN_R3 EVENT_SA_REPLACE
Aug 26 13:09:53.999379: | MODE_CFG_R0: category: informational flags: 0:
Aug 26 13:09:53.999381: | -> MODE_CFG_R1 EVENT_SA_REPLACE
Aug 26 13:09:53.999383: | MODE_CFG_R1: category: established IKE SA flags: 0:
Aug 26 13:09:53.999384: | -> MODE_CFG_R2 EVENT_SA_REPLACE
Aug 26 13:09:53.999386: | MODE_CFG_R2: category: established IKE SA flags: 0:
Aug 26 13:09:53.999388: | -> UNDEFINED EVENT_NULL
Aug 26 13:09:53.999390: | MODE_CFG_I1: category: established IKE SA flags: 0:
Aug 26 13:09:53.999392: | -> MAIN_I4 EVENT_SA_REPLACE
Aug 26 13:09:53.999393: | XAUTH_I0: category: established IKE SA flags: 0:
Aug 26 13:09:53.999395: | -> XAUTH_I1 EVENT_RETRANSMIT
Aug 26 13:09:53.999397: | XAUTH_I1: category: established IKE SA flags: 0:
Aug 26 13:09:53.999399: | -> MAIN_I4 EVENT_RETRANSMIT
Aug 26 13:09:53.999403: | checking IKEv2 state table
Aug 26 13:09:53.999408: | PARENT_I0: category: ignore flags: 0:
Aug 26 13:09:53.999410: | -> PARENT_I1 EVENT_RETRANSMIT send-request (initiate IKE_SA_INIT)
Aug 26 13:09:53.999412: | PARENT_I1: category: half-open IKE SA flags: 0:
Aug 26 13:09:53.999414: | -> PARENT_I1 EVENT_RETAIN send-request (Initiator: process SA_INIT reply notification)
Aug 26 13:09:53.999416: | -> PARENT_I2 EVENT_RETRANSMIT send-request (Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH)
Aug 26 13:09:53.999418: | PARENT_I2: category: open IKE SA flags: 0:
Aug 26 13:09:53.999420: | -> PARENT_I2 EVENT_NULL (Initiator: process INVALID_SYNTAX AUTH notification)
Aug 26 13:09:53.999422: | -> PARENT_I2 EVENT_NULL (Initiator: process AUTHENTICATION_FAILED AUTH notification)
Aug 26 13:09:53.999424: | -> PARENT_I2 EVENT_NULL (Initiator: process UNSUPPORTED_CRITICAL_PAYLOAD AUTH notification)
Aug 26 13:09:53.999426: | -> V2_IPSEC_I EVENT_SA_REPLACE (Initiator: process IKE_AUTH response)
Aug 26 13:09:53.999428: | -> PARENT_I2 EVENT_NULL (IKE SA: process IKE_AUTH response containing unknown notification)
Aug 26 13:09:53.999430: | PARENT_I3: category: established IKE SA flags: 0:
Aug 26 13:09:53.999431: | -> PARENT_I3 EVENT_RETAIN (I3: Informational Request)
Aug 26 13:09:53.999433: | -> PARENT_I3 EVENT_RETAIN (I3: Informational Response)
Aug 26 13:09:53.999435: | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Request)
Aug 26 13:09:53.999437: | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Response)
Aug 26 13:09:53.999439: | PARENT_R0: category: half-open IKE SA flags: 0:
Aug 26 13:09:53.999440: | -> PARENT_R1 EVENT_SO_DISCARD send-request (Respond to IKE_SA_INIT)
Aug 26 13:09:53.999442: | PARENT_R1: category: half-open IKE SA flags: 0:
Aug 26 13:09:53.999444: | -> PARENT_R1 EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request (no SKEYSEED))
Aug 26 13:09:53.999446: | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request)
Aug 26 13:09:53.999448: | PARENT_R2: category: established IKE SA flags: 0:
Aug 26 13:09:53.999450: | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Request)
Aug 26 13:09:53.999453: | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Response)
Aug 26 13:09:53.999455: | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Request)
Aug 26 13:09:53.999457: | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Response)
Aug 26 13:09:53.999459: | V2_CREATE_I0: category: established IKE SA flags: 0:
Aug 26 13:09:53.999461: | -> V2_CREATE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec SA)
Aug 26 13:09:53.999463: | V2_CREATE_I: category: established IKE SA flags: 0:
Aug 26 13:09:53.999464: | -> V2_IPSEC_I EVENT_SA_REPLACE (Process CREATE_CHILD_SA IPsec SA Response)
Aug 26 13:09:53.999466: | V2_REKEY_IKE_I0: category: established IKE SA flags: 0:
Aug 26 13:09:53.999468: | -> V2_REKEY_IKE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IKE Rekey)
Aug 26 13:09:53.999470: | V2_REKEY_IKE_I: category: established IKE SA flags: 0:
Aug 26 13:09:53.999472: | -> PARENT_I3 EVENT_SA_REPLACE (Process CREATE_CHILD_SA IKE Rekey Response)
Aug 26 13:09:53.999474: | V2_REKEY_CHILD_I0: category: established IKE SA flags: 0:
Aug 26 13:09:53.999476: | -> V2_REKEY_CHILD_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec Rekey SA)
Aug 26 13:09:53.999478: | V2_REKEY_CHILD_I: category: established IKE SA flags: 0:
Aug 26 13:09:53.999480: | V2_CREATE_R: category: established IKE SA flags: 0:
Aug 26 13:09:53.999482: | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IPsec SA Request)
Aug 26 13:09:53.999484: | V2_REKEY_IKE_R: category: established IKE SA flags: 0:
Aug 26 13:09:53.999486: | -> PARENT_R2 EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IKE Rekey)
Aug 26 13:09:53.999488: | V2_REKEY_CHILD_R: category: established IKE SA flags: 0:
Aug 26 13:09:53.999490: | V2_IPSEC_I: category: established CHILD SA flags: 0:
Aug 26 13:09:53.999492: | V2_IPSEC_R: category: established CHILD SA flags: 0:
Aug 26 13:09:53.999494: | IKESA_DEL: category: established IKE SA flags: 0:
Aug 26 13:09:53.999495: | -> IKESA_DEL EVENT_RETAIN (IKE_SA_DEL: process INFORMATIONAL)
Aug 26 13:09:53.999497: | CHILDSA_DEL: category: informational flags: 0:
Aug 26 13:09:53.999530: Using Linux XFRM/NETKEY IPsec interface code on 5.1.18-200.fc29.x86_64
Aug 26 13:09:53.999832: | Hard-wiring algorithms
Aug 26 13:09:53.999835: | adding AES_CCM_16 to kernel algorithm db
Aug 26 13:09:53.999838: | adding AES_CCM_12 to kernel algorithm db
Aug 26 13:09:53.999840: | adding AES_CCM_8 to kernel algorithm db
Aug 26 13:09:53.999842: | adding 3DES_CBC to kernel algorithm db
Aug 26 13:09:53.999844: | adding CAMELLIA_CBC to kernel algorithm db
Aug 26 13:09:53.999845: | adding AES_GCM_16 to kernel algorithm db
Aug 26 13:09:53.999847: | adding AES_GCM_12 to kernel algorithm db
Aug 26 13:09:53.999849: | adding AES_GCM_8 to kernel algorithm db
Aug 26 13:09:53.999851: | adding AES_CTR to kernel algorithm db
Aug 26 13:09:53.999852: | adding AES_CBC to kernel algorithm db
Aug 26 13:09:53.999854: | adding SERPENT_CBC to kernel algorithm db
Aug 26 13:09:53.999856: | adding TWOFISH_CBC to kernel algorithm db
Aug 26 13:09:53.999858: | adding NULL_AUTH_AES_GMAC to kernel algorithm db
Aug 26 13:09:53.999860: | adding NULL to kernel algorithm db
Aug 26 13:09:53.999861: | adding CHACHA20_POLY1305 to kernel algorithm db
Aug 26 13:09:53.999863: | adding HMAC_MD5_96 to kernel algorithm db
Aug 26 13:09:53.999865: | adding HMAC_SHA1_96 to kernel algorithm db
Aug 26 13:09:53.999867: | adding HMAC_SHA2_512_256 to kernel algorithm db
Aug 26 13:09:53.999868: | adding HMAC_SHA2_384_192 to kernel algorithm db
Aug 26 13:09:53.999870: | adding HMAC_SHA2_256_128 to kernel algorithm db
Aug 26 13:09:53.999872: | adding HMAC_SHA2_256_TRUNCBUG to kernel algorithm db
Aug 26 13:09:53.999874: | adding AES_XCBC_96 to kernel algorithm db
Aug 26 13:09:53.999875: | adding AES_CMAC_96 to kernel algorithm db
Aug 26 13:09:53.999877: | adding NONE to kernel algorithm db
Aug 26 13:09:53.999895: | net.ipv6.conf.all.disable_ipv6=1 ignore ipv6 holes
Aug 26 13:09:53.999900: | global periodic timer EVENT_SHUNT_SCAN enabled with interval of 20 seconds
Aug 26 13:09:53.999902: | setup kernel fd callback
Aug 26 13:09:53.999904: | add_fd_read_event_handler: new KERNEL_XRM_FD-pe@0x55fb06366e40
Aug 26 13:09:53.999906: | libevent_malloc: new ptr-libevent@0x55fb06372ef0 size 128
Aug 26 13:09:53.999909: | libevent_malloc: new ptr-libevent@0x55fb06366120 size 16
Aug 26 13:09:53.999914: | add_fd_read_event_handler: new KERNEL_ROUTE_FD-pe@0x55fb06366e00
Aug 26 13:09:53.999918: | libevent_malloc: new ptr-libevent@0x55fb06372f80 size 128
Aug 26 13:09:53.999919: | libevent_malloc: new ptr-libevent@0x55fb06366140 size 16
Aug 26 13:09:54.000053: | global one-shot timer EVENT_CHECK_CRLS initialized
Aug 26 13:09:54.000059: selinux support is enabled.
Aug 26 13:09:54.000589: | unbound context created - setting debug level to 5 Aug 26 13:09:54.000612: | /etc/hosts lookups activated Aug 26 13:09:54.000624: | /etc/resolv.conf usage activated Aug 26 13:09:54.000660: | outgoing-port-avoid set 0-65535 Aug 26 13:09:54.000677: | outgoing-port-permit set 32768-60999 Aug 26 13:09:54.000679: | Loading dnssec root key from:/var/lib/unbound/root.key Aug 26 13:09:54.000681: | No additional dnssec trust anchors defined via dnssec-trusted= option Aug 26 13:09:54.000684: | Setting up events, loop start Aug 26 13:09:54.000686: | add_fd_read_event_handler: new PLUTO_CTL_FD-pe@0x55fb06361420 Aug 26 13:09:54.000688: | libevent_malloc: new ptr-libevent@0x55fb0637d4a0 size 128 Aug 26 13:09:54.000691: | libevent_malloc: new ptr-libevent@0x55fb0637d530 size 16 Aug 26 13:09:54.000697: | libevent_realloc: new ptr-libevent@0x55fb062e15b0 size 256 Aug 26 13:09:54.000699: | libevent_malloc: new ptr-libevent@0x55fb0637d550 size 8 Aug 26 13:09:54.000702: | libevent_realloc: new ptr-libevent@0x55fb06372360 size 144 Aug 26 13:09:54.000703: | libevent_malloc: new ptr-libevent@0x55fb0637d570 size 152 Aug 26 13:09:54.000706: | libevent_malloc: new ptr-libevent@0x55fb0637d610 size 16 Aug 26 13:09:54.000709: | signal event handler PLUTO_SIGCHLD installed Aug 26 13:09:54.000711: | libevent_malloc: new ptr-libevent@0x55fb0637d630 size 8 Aug 26 13:09:54.000713: | libevent_malloc: new ptr-libevent@0x55fb0637d650 size 152 Aug 26 13:09:54.000715: | signal event handler PLUTO_SIGTERM installed Aug 26 13:09:54.000716: | libevent_malloc: new ptr-libevent@0x55fb0637d6f0 size 8 Aug 26 13:09:54.000718: | libevent_malloc: new ptr-libevent@0x55fb0637d710 size 152 Aug 26 13:09:54.000720: | signal event handler PLUTO_SIGHUP installed Aug 26 13:09:54.000722: | libevent_malloc: new ptr-libevent@0x55fb0637d7b0 size 8 Aug 26 13:09:54.000724: | libevent_realloc: release ptr-libevent@0x55fb06372360 Aug 26 13:09:54.000726: | libevent_realloc: new 
ptr-libevent@0x55fb0637d7d0 size 256 Aug 26 13:09:54.000728: | libevent_malloc: new ptr-libevent@0x55fb06372360 size 152 Aug 26 13:09:54.000730: | signal event handler PLUTO_SIGSYS installed Aug 26 13:09:54.000982: | created addconn helper (pid:9985) using fork+execve Aug 26 13:09:54.000998: | forked child 9985 Aug 26 13:09:54.002648: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 13:09:54.002669: listening for IKE messages Aug 26 13:09:54.003168: | Inspecting interface lo Aug 26 13:09:54.003178: | found lo with address 127.0.0.1 Aug 26 13:09:54.003182: | Inspecting interface eth0 Aug 26 13:09:54.003188: | found eth0 with address 192.0.3.254 Aug 26 13:09:54.003191: | Inspecting interface eth1 Aug 26 13:09:54.003196: | found eth1 with address 192.1.3.33 Aug 26 13:09:54.003304: Kernel supports NIC esp-hw-offload Aug 26 13:09:54.003324: adding interface eth1/eth1 (esp-hw-offload not supported by kernel) 192.1.3.33:500 Aug 26 13:09:54.003396: | NAT-Traversal: Trying sockopt style NAT-T Aug 26 13:09:54.003402: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 Aug 26 13:09:54.003420: adding interface eth1/eth1 192.1.3.33:4500 Aug 26 13:09:54.003454: adding interface eth0/eth0 (esp-hw-offload not supported by kernel) 192.0.3.254:500 Aug 26 13:09:54.003476: | NAT-Traversal: Trying sockopt style NAT-T Aug 26 13:09:54.003481: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 Aug 26 13:09:54.003484: adding interface eth0/eth0 192.0.3.254:4500 Aug 26 13:09:54.003525: adding interface lo/lo (esp-hw-offload not supported by kernel) 127.0.0.1:500 Aug 26 13:09:54.003559: | NAT-Traversal: Trying sockopt style NAT-T Aug 26 13:09:54.003564: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 Aug 26 13:09:54.003568: adding interface lo/lo 127.0.0.1:4500 Aug 26 13:09:54.003624: | no interfaces to sort Aug 26 
13:09:54.003629: | FOR_EACH_UNORIENTED_CONNECTION_... in check_orientations Aug 26 13:09:54.003638: | add_fd_read_event_handler: new ethX-pe@0x55fb0637db40 Aug 26 13:09:54.003642: | libevent_malloc: new ptr-libevent@0x55fb0637db80 size 128 Aug 26 13:09:54.003646: | libevent_malloc: new ptr-libevent@0x55fb0637dc10 size 16 Aug 26 13:09:54.003655: | setup callback for interface lo 127.0.0.1:4500 fd 22 Aug 26 13:09:54.003659: | add_fd_read_event_handler: new ethX-pe@0x55fb0637dc30 Aug 26 13:09:54.003662: | libevent_malloc: new ptr-libevent@0x55fb0637dc70 size 128 Aug 26 13:09:54.003665: | libevent_malloc: new ptr-libevent@0x55fb0637dd00 size 16 Aug 26 13:09:54.003670: | setup callback for interface lo 127.0.0.1:500 fd 21 Aug 26 13:09:54.003673: | add_fd_read_event_handler: new ethX-pe@0x55fb0637dd20 Aug 26 13:09:54.003676: | libevent_malloc: new ptr-libevent@0x55fb0637dd60 size 128 Aug 26 13:09:54.003679: | libevent_malloc: new ptr-libevent@0x55fb0637ddf0 size 16 Aug 26 13:09:54.003684: | setup callback for interface eth0 192.0.3.254:4500 fd 20 Aug 26 13:09:54.003687: | add_fd_read_event_handler: new ethX-pe@0x55fb0637de10 Aug 26 13:09:54.003690: | libevent_malloc: new ptr-libevent@0x55fb0637de50 size 128 Aug 26 13:09:54.003693: | libevent_malloc: new ptr-libevent@0x55fb0637dee0 size 16 Aug 26 13:09:54.003698: | setup callback for interface eth0 192.0.3.254:500 fd 19 Aug 26 13:09:54.003702: | add_fd_read_event_handler: new ethX-pe@0x55fb0637df00 Aug 26 13:09:54.003705: | libevent_malloc: new ptr-libevent@0x55fb0637df40 size 128 Aug 26 13:09:54.003708: | libevent_malloc: new ptr-libevent@0x55fb0637dfd0 size 16 Aug 26 13:09:54.003713: | setup callback for interface eth1 192.1.3.33:4500 fd 18 Aug 26 13:09:54.003715: | add_fd_read_event_handler: new ethX-pe@0x55fb0637dff0 Aug 26 13:09:54.003718: | libevent_malloc: new ptr-libevent@0x55fb0637e030 size 128 Aug 26 13:09:54.003721: | libevent_malloc: new ptr-libevent@0x55fb0637e0c0 size 16 Aug 26 13:09:54.003726: | setup 
callback for interface eth1 192.1.3.33:500 fd 17 Aug 26 13:09:54.003746: | certs and keys locked by 'free_preshared_secrets' Aug 26 13:09:54.003749: | certs and keys unlocked by 'free_preshared_secrets' Aug 26 13:09:54.003770: loading secrets from "/etc/ipsec.secrets" Aug 26 13:09:54.003790: | saving Modulus Aug 26 13:09:54.003794: | saving PublicExponent Aug 26 13:09:54.003798: | ignoring PrivateExponent Aug 26 13:09:54.003801: | ignoring Prime1 Aug 26 13:09:54.003805: | ignoring Prime2 Aug 26 13:09:54.003822: | ignoring Exponent1 Aug 26 13:09:54.003825: | ignoring Exponent2 Aug 26 13:09:54.003829: | ignoring Coefficient Aug 26 13:09:54.003832: | ignoring CKAIDNSS Aug 26 13:09:54.003870: | computed rsa CKAID 90 5d fc a1 08 68 74 7c 6f 20 d3 1b 2d 20 4b 8f Aug 26 13:09:54.003874: | computed rsa CKAID 88 aa 7c 5d Aug 26 13:09:54.003878: loaded private key for keyid: PKK_RSA:AQPl33O2P Aug 26 13:09:54.003885: | certs and keys locked by 'process_secret' Aug 26 13:09:54.003889: | certs and keys unlocked by 'process_secret' Aug 26 13:09:54.003900: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 13:09:54.003907: | spent 1.26 milliseconds in whack Aug 26 13:09:54.021537: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 13:09:54.021560: listening for IKE messages Aug 26 13:09:54.027625: | Inspecting interface lo Aug 26 13:09:54.027639: | found lo with address 127.0.0.1 Aug 26 13:09:54.027642: | Inspecting interface eth0 Aug 26 13:09:54.027645: | found eth0 with address 192.0.3.254 Aug 26 13:09:54.027647: | Inspecting interface eth1 Aug 26 13:09:54.027650: | found eth1 with address 192.1.3.33 Aug 26 13:09:54.027713: | no interfaces to sort Aug 26 13:09:54.027720: | libevent_free: release ptr-libevent@0x55fb0637db80 Aug 26 13:09:54.027722: | free_event_entry: release EVENT_NULL-pe@0x55fb0637db40 Aug 26 13:09:54.027725: | add_fd_read_event_handler: new ethX-pe@0x55fb0637db40 Aug 26 
13:09:54.027727: | libevent_malloc: new ptr-libevent@0x55fb0637db80 size 128 Aug 26 13:09:54.027733: | setup callback for interface lo 127.0.0.1:4500 fd 22 Aug 26 13:09:54.027736: | libevent_free: release ptr-libevent@0x55fb0637dc70 Aug 26 13:09:54.027737: | free_event_entry: release EVENT_NULL-pe@0x55fb0637dc30 Aug 26 13:09:54.027739: | add_fd_read_event_handler: new ethX-pe@0x55fb0637dc30 Aug 26 13:09:54.027741: | libevent_malloc: new ptr-libevent@0x55fb0637dc70 size 128 Aug 26 13:09:54.027745: | setup callback for interface lo 127.0.0.1:500 fd 21 Aug 26 13:09:54.027747: | libevent_free: release ptr-libevent@0x55fb0637dd60 Aug 26 13:09:54.027749: | free_event_entry: release EVENT_NULL-pe@0x55fb0637dd20 Aug 26 13:09:54.027751: | add_fd_read_event_handler: new ethX-pe@0x55fb0637dd20 Aug 26 13:09:54.027752: | libevent_malloc: new ptr-libevent@0x55fb0637dd60 size 128 Aug 26 13:09:54.027756: | setup callback for interface eth0 192.0.3.254:4500 fd 20 Aug 26 13:09:54.027758: | libevent_free: release ptr-libevent@0x55fb0637de50 Aug 26 13:09:54.027760: | free_event_entry: release EVENT_NULL-pe@0x55fb0637de10 Aug 26 13:09:54.027762: | add_fd_read_event_handler: new ethX-pe@0x55fb0637de10 Aug 26 13:09:54.027763: | libevent_malloc: new ptr-libevent@0x55fb0637de50 size 128 Aug 26 13:09:54.027767: | setup callback for interface eth0 192.0.3.254:500 fd 19 Aug 26 13:09:54.027770: | libevent_free: release ptr-libevent@0x55fb0637df40 Aug 26 13:09:54.027771: | free_event_entry: release EVENT_NULL-pe@0x55fb0637df00 Aug 26 13:09:54.027773: | add_fd_read_event_handler: new ethX-pe@0x55fb0637df00 Aug 26 13:09:54.027775: | libevent_malloc: new ptr-libevent@0x55fb0637df40 size 128 Aug 26 13:09:54.027778: | setup callback for interface eth1 192.1.3.33:4500 fd 18 Aug 26 13:09:54.027780: | libevent_free: release ptr-libevent@0x55fb0637e030 Aug 26 13:09:54.027782: | free_event_entry: release EVENT_NULL-pe@0x55fb0637dff0 Aug 26 13:09:54.027784: | add_fd_read_event_handler: new 
ethX-pe@0x55fb0637dff0 Aug 26 13:09:54.027786: | libevent_malloc: new ptr-libevent@0x55fb0637e030 size 128 Aug 26 13:09:54.027789: | setup callback for interface eth1 192.1.3.33:500 fd 17 Aug 26 13:09:54.027791: | certs and keys locked by 'free_preshared_secrets' Aug 26 13:09:54.027793: forgetting secrets Aug 26 13:09:54.027802: | certs and keys unlocked by 'free_preshared_secrets' Aug 26 13:09:54.027817: loading secrets from "/etc/ipsec.secrets" Aug 26 13:09:54.027827: | saving Modulus Aug 26 13:09:54.027829: | saving PublicExponent Aug 26 13:09:54.027832: | ignoring PrivateExponent Aug 26 13:09:54.027834: | ignoring Prime1 Aug 26 13:09:54.027836: | ignoring Prime2 Aug 26 13:09:54.027838: | ignoring Exponent1 Aug 26 13:09:54.027840: | ignoring Exponent2 Aug 26 13:09:54.027842: | ignoring Coefficient Aug 26 13:09:54.027845: | ignoring CKAIDNSS Aug 26 13:09:54.027863: | computed rsa CKAID 90 5d fc a1 08 68 74 7c 6f 20 d3 1b 2d 20 4b 8f Aug 26 13:09:54.027866: | computed rsa CKAID 88 aa 7c 5d Aug 26 13:09:54.027868: loaded private key for keyid: PKK_RSA:AQPl33O2P Aug 26 13:09:54.027873: | certs and keys locked by 'process_secret' Aug 26 13:09:54.027875: | certs and keys unlocked by 'process_secret' Aug 26 13:09:54.027881: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 13:09:54.027887: | spent 0.379 milliseconds in whack Aug 26 13:09:54.028331: | processing signal PLUTO_SIGCHLD Aug 26 13:09:54.028347: | waitpid returned pid 9985 (exited with status 0) Aug 26 13:09:54.028353: | reaped addconn helper child (status 0) Aug 26 13:09:54.028357: | waitpid returned ECHILD (no child processes left) Aug 26 13:09:54.028374: | spent 0.0185 milliseconds in signal handler PLUTO_SIGCHLD Aug 26 13:09:54.358575: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 13:09:54.358607: | FOR_EACH_CONNECTION_... in conn_by_name Aug 26 13:09:54.358613: | FOR_EACH_CONNECTION_... 
in foreach_connection_by_alias Aug 26 13:09:54.358617: | FOR_EACH_CONNECTION_... in conn_by_name Aug 26 13:09:54.358621: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias Aug 26 13:09:54.358627: | FOR_EACH_CONNECTION_... in conn_by_name Aug 26 13:09:54.358637: | Added new connection north-eastnets/0x1 with policy ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO Aug 26 13:09:54.358643: | No AUTH policy was set - defaulting to RSASIG Aug 26 13:09:54.358681: | ike (phase1) algorithm values: AES_CBC_256-HMAC_SHA2_256-MODP2048 Aug 26 13:09:54.358686: | from whack: got --esp=aes128-sha2_512;modp3072 Aug 26 13:09:54.358714: | ESP/AH string values: AES_CBC_128-HMAC_SHA2_512_256-MODP3072 Aug 26 13:09:54.358721: | counting wild cards for @north is 0 Aug 26 13:09:54.358726: | counting wild cards for @east is 0 Aug 26 13:09:54.358739: | connect_to_host_pair: 192.1.3.33:500 192.1.2.23:500 -> hp@(nil): none Aug 26 13:09:54.358746: | new hp@0x55fb0634a510 Aug 26 13:09:54.358752: added connection description "north-eastnets/0x1" Aug 26 13:09:54.358767: | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO Aug 26 13:09:54.358783: | 192.0.3.0/24===192.1.3.33<192.1.3.33>[@north]...192.1.2.23<192.1.2.23>[@east]===192.0.2.0/24 Aug 26 13:09:54.358792: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 13:09:54.358802: | spent 0.237 milliseconds in whack Aug 26 13:09:54.358855: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 13:09:54.358867: add keyid @north Aug 26 13:09:54.358973: | computed rsa CKAID 90 5d fc a1 08 68 74 7c 6f 20 d3 1b 2d 20 4b 8f Aug 26 13:09:54.358977: | computed rsa CKAID 88 aa 7c 5d Aug 26 13:09:54.358992: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 13:09:54.358998: | spent 0.149 milliseconds in whack Aug 26 13:09:54.359034: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 13:09:54.359046: add keyid @east Aug 26 13:09:54.359134: | computed rsa CKAID 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1 Aug 26 13:09:54.359138: | computed rsa CKAID 8a 82 25 f1 Aug 26 13:09:54.359150: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 13:09:54.359157: | spent 0.128 milliseconds in whack Aug 26 13:09:54.359177: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 13:09:54.359188: | FOR_EACH_CONNECTION_... in conn_by_name Aug 26 13:09:54.359192: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias Aug 26 13:09:54.359197: | FOR_EACH_CONNECTION_... in conn_by_name Aug 26 13:09:54.359201: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias Aug 26 13:09:54.359206: | FOR_EACH_CONNECTION_...
in conn_by_name Aug 26 13:09:54.359213: | Added new connection north-eastnets/0x2 with policy ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO Aug 26 13:09:54.359218: | No AUTH policy was set - defaulting to RSASIG Aug 26 13:09:54.359247: | ike (phase1) algorithm values: AES_CBC_256-HMAC_SHA2_256-MODP2048 Aug 26 13:09:54.359252: | from whack: got --esp=aes128-sha2_512;modp3072 Aug 26 13:09:54.359277: | ESP/AH string values: AES_CBC_128-HMAC_SHA2_512_256-MODP3072 Aug 26 13:09:54.359283: | counting wild cards for @north is 0 Aug 26 13:09:54.359297: | counting wild cards for @east is 0 Aug 26 13:09:54.359312: | find_host_pair: comparing 192.1.3.33:500 to 192.1.2.23:500 but ignoring ports Aug 26 13:09:54.359320: | connect_to_host_pair: 192.1.3.33:500 192.1.2.23:500 -> hp@0x55fb0634a510: north-eastnets/0x1 Aug 26 13:09:54.359324: added connection description "north-eastnets/0x2" Aug 26 13:09:54.359337: | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO Aug 26 13:09:54.359352: | 192.0.3.0/24===192.1.3.33<192.1.3.33>[@north]...192.1.2.23<192.1.2.23>[@east]===192.0.22.0/24 Aug 26 13:09:54.359359: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 13:09:54.359366: | spent 0.185 milliseconds in whack Aug 26 13:09:54.359415: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 13:09:54.359426: add keyid @north Aug 26 13:09:54.359440: | unreference key: 0x55fb063065d0 @north cnt 1-- Aug 26 13:09:54.359529: | computed rsa CKAID 90 5d fc a1 08 68 74 7c 6f 20 d3 1b 2d 20 4b 8f Aug 26 13:09:54.359534: | computed rsa CKAID 88 aa 7c 5d Aug 26 13:09:54.359545: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 13:09:54.359551: | spent 0.141 milliseconds in whack Aug 26 13:09:54.359617: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 13:09:54.359628: add keyid @east Aug 26 13:09:54.359634: | unreference key: 0x55fb06309390 @east cnt 1-- Aug 26 13:09:54.359721: | computed rsa CKAID 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1 Aug 26 13:09:54.359725: | computed rsa CKAID 8a 82 25 f1 Aug 26 13:09:54.359736: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 13:09:54.359742: | spent 0.13 milliseconds in whack Aug 26 13:09:54.419910: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 13:09:54.419934: | dup_any(fd@16) -> fd@23 (in whack_process() at rcv_whack.c:590) Aug 26 13:09:54.419938: | FOR_EACH_CONNECTION_... in conn_by_name Aug 26 13:09:54.419941: initiating all conns with alias='north-eastnets' Aug 26 13:09:54.419946: | FOR_EACH_CONNECTION_...
in foreach_connection_by_alias Aug 26 13:09:54.419950: | start processing: connection "north-eastnets/0x2" (in initiate_a_connection() at initiate.c:186) Aug 26 13:09:54.419952: | connection 'north-eastnets/0x2' +POLICY_UP Aug 26 13:09:54.419955: | dup_any(fd@23) -> fd@24 (in initiate_a_connection() at initiate.c:342) Aug 26 13:09:54.419957: | FOR_EACH_STATE_... in find_phase1_state Aug 26 13:09:54.419978: | creating state object #1 at 0x55fb0637fb40 Aug 26 13:09:54.419981: | State DB: adding IKEv2 state #1 in UNDEFINED Aug 26 13:09:54.419988: | pstats #1 ikev2.ike started Aug 26 13:09:54.419990: | Message ID: init #1: msgid=0 lastack=4294967295 nextuse=0 lastrecv=4294967295 lastreplied=0 Aug 26 13:09:54.419993: | parent state #1: UNDEFINED(ignore) => PARENT_I0(ignore) Aug 26 13:09:54.419997: | Message ID: init_ike #1; ike: initiator.sent=0->-1 initiator.recv=0->-1 responder.sent=0->-1 responder.recv=0->-1 wip.initiator=0->-1 wip.responder=0->-1 Aug 26 13:09:54.420002: | suspend processing: connection "north-eastnets/0x2" (in ikev2_parent_outI1() at ikev2_parent.c:535) Aug 26 13:09:54.420006: | start processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23 (in ikev2_parent_outI1() at ikev2_parent.c:535) Aug 26 13:09:54.420009: | dup_any(fd@24) -> fd@25 (in ikev2_parent_outI1() at ikev2_parent.c:551) Aug 26 13:09:54.420012: | Queuing pending IPsec SA negotiating with 192.1.2.23 "north-eastnets/0x2" IKE SA #1 "north-eastnets/0x2" Aug 26 13:09:54.420015: "north-eastnets/0x2" #1: initiating v2 parent SA Aug 26 13:09:54.420023: | constructing local IKE proposals for north-eastnets/0x2 (IKE SA initiator selecting KE) Aug 26 13:09:54.420027: | converting ike_info AES_CBC_256-HMAC_SHA2_256-MODP2048 to ikev2 ... Aug 26 13:09:54.420032: | ... 
ikev2_proposal: 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048 Aug 26 13:09:54.420035: "north-eastnets/0x2": constructed local IKE proposals for north-eastnets/0x2 (IKE SA initiator selecting KE): 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048 Aug 26 13:09:54.420041: | adding ikev2_outI1 KE work-order 1 for state #1 Aug 26 13:09:54.420044: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55fb06381860 Aug 26 13:09:54.420047: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 Aug 26 13:09:54.420050: | libevent_malloc: new ptr-libevent@0x55fb063818a0 size 128 Aug 26 13:09:54.420063: | #1 spent 0.111 milliseconds in ikev2_parent_outI1() Aug 26 13:09:54.420066: | processing: RESET whack log_fd (was fd@16) (in ikev2_parent_outI1() at ikev2_parent.c:610) Aug 26 13:09:54.420066: | crypto helper 0 resuming Aug 26 13:09:54.420078: | crypto helper 0 starting work-order 1 for state #1 Aug 26 13:09:54.420082: | crypto helper 0 doing build KE and nonce (ikev2_outI1 KE); request ID 1 Aug 26 13:09:54.420084: | crypto helper is pausing for 1 seconds Aug 26 13:09:54.420069: | RESET processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23 (in ikev2_parent_outI1() at ikev2_parent.c:610) Aug 26 13:09:54.420115: | RESET processing: connection "north-eastnets/0x2" (in ikev2_parent_outI1() at ikev2_parent.c:610) Aug 26 13:09:54.420118: | processing: STOP connection NULL (in initiate_a_connection() at initiate.c:349) Aug 26 13:09:54.420122: | start processing: connection "north-eastnets/0x1" (in initiate_a_connection() at initiate.c:186) Aug 26 13:09:54.420124: | connection 'north-eastnets/0x1' +POLICY_UP Aug 26 13:09:54.420126: | dup_any(fd@23) -> fd@26 (in initiate_a_connection() at initiate.c:342) Aug 26 13:09:54.420128: | FOR_EACH_STATE_... 
in find_phase1_state Aug 26 13:09:54.420132: | Queuing pending IPsec SA negotiating with 192.1.2.23 "north-eastnets/0x1" IKE SA #1 "north-eastnets/0x2" Aug 26 13:09:54.420138: | stop processing: connection "north-eastnets/0x1" (in initiate_a_connection() at initiate.c:349) Aug 26 13:09:54.420141: | close_any(fd@23) (in initiate_connection() at initiate.c:384) Aug 26 13:09:54.420144: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 13:09:54.420147: | spent 0.243 milliseconds in whack Aug 26 13:09:54.774555: | spent 0.00253 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Aug 26 13:09:54.774582: | *received 440 bytes from 192.1.2.23:500 on eth1 (192.1.3.33:500) Aug 26 13:09:54.774632: | start processing: from 192.1.2.23:500 (in process_md() at demux.c:378) Aug 26 13:09:54.774636: | **parse ISAKMP Message: Aug 26 13:09:54.774638: | initiator cookie: Aug 26 13:09:54.774640: | a9 6d 2c db 22 7f 10 cd Aug 26 13:09:54.774642: | responder cookie: Aug 26 13:09:54.774643: | 00 00 00 00 00 00 00 00 Aug 26 13:09:54.774645: | next payload type: ISAKMP_NEXT_v2SA (0x21) Aug 26 13:09:54.774647: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:09:54.774649: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) Aug 26 13:09:54.774651: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Aug 26 13:09:54.774653: | Message ID: 0 (0x0) Aug 26 13:09:54.774655: | length: 440 (0x1b8) Aug 26 13:09:54.774657: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_SA_INIT (34) Aug 26 13:09:54.774659: | I am the IKE SA Original Responder receiving an IKEv2 IKE_SA_INIT request Aug 26 13:09:54.774662: | State DB: IKEv2 state not found (find_v2_ike_sa_by_initiator_spi) Aug 26 13:09:54.774665: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Aug 26 13:09:54.774667: | ***parse IKEv2 Security Association Payload: Aug 26 13:09:54.774669: | next payload type: ISAKMP_NEXT_v2KE (0x22) Aug 26
13:09:54.774671: | flags: none (0x0) Aug 26 13:09:54.774672: | length: 48 (0x30) Aug 26 13:09:54.774677: | processing payload: ISAKMP_NEXT_v2SA (len=44) Aug 26 13:09:54.774679: | Now let's proceed with payload (ISAKMP_NEXT_v2KE) Aug 26 13:09:54.774681: | ***parse IKEv2 Key Exchange Payload: Aug 26 13:09:54.774683: | next payload type: ISAKMP_NEXT_v2Ni (0x28) Aug 26 13:09:54.774684: | flags: none (0x0) Aug 26 13:09:54.774686: | length: 264 (0x108) Aug 26 13:09:54.774688: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:09:54.774690: | processing payload: ISAKMP_NEXT_v2KE (len=256) Aug 26 13:09:54.774691: | Now let's proceed with payload (ISAKMP_NEXT_v2Ni) Aug 26 13:09:54.774693: | ***parse IKEv2 Nonce Payload: Aug 26 13:09:54.774695: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 13:09:54.774696: | flags: none (0x0) Aug 26 13:09:54.774698: | length: 36 (0x24) Aug 26 13:09:54.774700: | processing payload: ISAKMP_NEXT_v2Ni (len=32) Aug 26 13:09:54.774701: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Aug 26 13:09:54.774703: | ***parse IKEv2 Notify Payload: Aug 26 13:09:54.774705: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 13:09:54.774706: | flags: none (0x0) Aug 26 13:09:54.774708: | length: 8 (0x8) Aug 26 13:09:54.774710: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:09:54.774712: | SPI size: 0 (0x0) Aug 26 13:09:54.774714: | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) Aug 26 13:09:54.774716: | processing payload: ISAKMP_NEXT_v2N (len=0) Aug 26 13:09:54.774717: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Aug 26 13:09:54.774719: | ***parse IKEv2 Notify Payload: Aug 26 13:09:54.774721: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 13:09:54.774722: | flags: none (0x0) Aug 26 13:09:54.774724: | length: 28 (0x1c) Aug 26 13:09:54.774726: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:09:54.774727: | SPI size: 0 (0x0) Aug 26 13:09:54.774729: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Aug 26 
13:09:54.774731: | processing payload: ISAKMP_NEXT_v2N (len=20) Aug 26 13:09:54.774732: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Aug 26 13:09:54.774734: | ***parse IKEv2 Notify Payload: Aug 26 13:09:54.774736: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:09:54.774737: | flags: none (0x0) Aug 26 13:09:54.774739: | length: 28 (0x1c) Aug 26 13:09:54.774741: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:09:54.774742: | SPI size: 0 (0x0) Aug 26 13:09:54.774744: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Aug 26 13:09:54.774746: | processing payload: ISAKMP_NEXT_v2N (len=20) Aug 26 13:09:54.774747: | DDOS disabled and no cookie sent, continuing Aug 26 13:09:54.774751: | find_host_connection local=192.1.3.33:500 remote=192.1.2.23:500 policy=ECDSA+IKEV2_ALLOW but ignoring ports Aug 26 13:09:54.774755: | find_host_pair: comparing 192.1.3.33:500 to 192.1.2.23:500 but ignoring ports Aug 26 13:09:54.774758: | find_next_host_connection policy=ECDSA+IKEV2_ALLOW Aug 26 13:09:54.774761: | found policy = RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (north-eastnets/0x2) Aug 26 13:09:54.774763: | found policy = RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (north-eastnets/0x1) Aug 26 13:09:54.774765: | find_next_host_connection returns empty Aug 26 13:09:54.774768: | find_host_connection local=192.1.3.33:500 remote= policy=ECDSA+IKEV2_ALLOW but ignoring ports Aug 26 13:09:54.774770: | find_next_host_connection policy=ECDSA+IKEV2_ALLOW Aug 26 13:09:54.774771: | find_next_host_connection returns empty Aug 26 13:09:54.774774: | initial parent SA message received on 192.1.3.33:500 but no connection has been authorized with policy ECDSA+IKEV2_ALLOW Aug 26 13:09:54.774777: | find_host_connection local=192.1.3.33:500 remote=192.1.2.23:500 policy=RSASIG+IKEV2_ALLOW but ignoring ports Aug 26 13:09:54.774780: | find_host_pair: comparing 192.1.3.33:500 to 192.1.2.23:500 but ignoring ports Aug 
26 13:09:54.774782: | find_next_host_connection policy=RSASIG+IKEV2_ALLOW Aug 26 13:09:54.774786: | found policy = RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (north-eastnets/0x2) Aug 26 13:09:54.774788: | find_next_host_connection returns north-eastnets/0x2 Aug 26 13:09:54.774790: | find_next_host_connection policy=RSASIG+IKEV2_ALLOW Aug 26 13:09:54.774792: | found policy = RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (north-eastnets/0x1) Aug 26 13:09:54.774793: | find_next_host_connection returns north-eastnets/0x1 Aug 26 13:09:54.774795: | find_next_host_connection policy=RSASIG+IKEV2_ALLOW Aug 26 13:09:54.774797: | find_next_host_connection returns empty Aug 26 13:09:54.774799: | found connection: north-eastnets/0x2 with policy RSASIG+IKEV2_ALLOW Aug 26 13:09:54.774819: | creating state object #2 at 0x55fb06382eb0 Aug 26 13:09:54.774821: | State DB: adding IKEv2 state #2 in UNDEFINED Aug 26 13:09:54.774826: | pstats #2 ikev2.ike started Aug 26 13:09:54.774828: | Message ID: init #2: msgid=0 lastack=4294967295 nextuse=0 lastrecv=4294967295 lastreplied=0 Aug 26 13:09:54.774831: | parent state #2: UNDEFINED(ignore) => PARENT_R0(half-open IKE SA) Aug 26 13:09:54.774834: | Message ID: init_ike #2; ike: initiator.sent=0->-1 initiator.recv=0->-1 responder.sent=0->-1 responder.recv=0->-1 wip.initiator=0->-1 wip.responder=0->-1 Aug 26 13:09:54.774841: | start processing: state #2 connection "north-eastnets/0x2" from 192.1.2.23 (in ikev2_process_packet() at ikev2.c:2016) Aug 26 13:09:54.774843: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Aug 26 13:09:54.774846: | [RE]START processing: state #2 connection "north-eastnets/0x2" from 192.1.2.23 (in ike_process_packet() at ikev2.c:2064) Aug 26 13:09:54.774848: | #2 st.st_msgid_lastrecv -1 md.hdr.isa_msgid 00000000 Aug 26 13:09:54.774851: | Message ID: #2 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=-1 
responder.recv=-1 Aug 26 13:09:54.774854: | Message ID: start-responder #2 request 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1 wip.initiator=-1 wip.responder=-1->0 Aug 26 13:09:54.774857: | #2 in state PARENT_R0: processing SA_INIT request Aug 26 13:09:54.774859: | selected state microcode Respond to IKE_SA_INIT Aug 26 13:09:54.774861: | Now let's proceed with state specific processing Aug 26 13:09:54.774862: | calling processor Respond to IKE_SA_INIT Aug 26 13:09:54.774867: | #2 updating local interface from 192.1.3.33:500 to 192.1.3.33:500 using md->iface (in update_ike_endpoints() at state.c:2669) Aug 26 13:09:54.774872: | using existing local IKE proposals for connection north-eastnets/0x2 (IKE SA responder matching remote proposals): 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048 Aug 26 13:09:54.774875: | Comparing remote proposals against IKE responder 1 local proposals Aug 26 13:09:54.774877: | local proposal 1 type ENCR has 1 transforms Aug 26 13:09:54.774879: | local proposal 1 type PRF has 1 transforms Aug 26 13:09:54.774881: | local proposal 1 type INTEG has 1 transforms Aug 26 13:09:54.774882: | local proposal 1 type DH has 1 transforms Aug 26 13:09:54.774884: | local proposal 1 type ESN has 0 transforms Aug 26 13:09:54.774886: | local proposal 1 transforms: required: ENCR+PRF+INTEG+DH; optional: none Aug 26 13:09:54.774889: | ****parse IKEv2 Proposal Substructure Payload: Aug 26 13:09:54.774891: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 13:09:54.774892: | length: 44 (0x2c) Aug 26 13:09:54.774894: | prop #: 1 (0x1) Aug 26 13:09:54.774896: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 13:09:54.774897: | spi size: 0 (0x0) Aug 26 13:09:54.774899: | # transforms: 4 (0x4) Aug 26 13:09:54.774902: | Comparing remote proposal 1 containing 4 transforms against local proposal [1..1] of 1 local proposals Aug 26 13:09:54.774904: | *****parse IKEv2 Transform Substructure Payload: Aug 26 
13:09:54.774905: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:09:54.774907: | length: 12 (0xc) Aug 26 13:09:54.774909: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:09:54.774914: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 13:09:54.774916: | ******parse IKEv2 Attribute Substructure Payload: Aug 26 13:09:54.774918: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:09:54.774919: | length/value: 256 (0x100) Aug 26 13:09:54.774922: | remote proposal 1 transform 0 (ENCR=AES_CBC_256) matches local proposal 1 type 1 (ENCR) transform 0 Aug 26 13:09:54.774924: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:09:54.774926: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:09:54.774928: | length: 8 (0x8) Aug 26 13:09:54.774929: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:09:54.774931: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Aug 26 13:09:54.774933: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_256) matches local proposal 1 type 2 (PRF) transform 0 Aug 26 13:09:54.774935: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:09:54.774937: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:09:54.774938: | length: 8 (0x8) Aug 26 13:09:54.774940: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:09:54.774942: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Aug 26 13:09:54.774944: | remote proposal 1 transform 2 (INTEG=HMAC_SHA2_256_128) matches local proposal 1 type 3 (INTEG) transform 0 Aug 26 13:09:54.774946: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:09:54.774948: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:09:54.774949: | length: 8 (0x8) Aug 26 13:09:54.774951: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:09:54.774953: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:09:54.774955: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 1 type 4 (DH) transform 0 Aug 26 13:09:54.774957: | remote proposal 1 proposed transforms: 
ENCR+PRF+INTEG+DH; matched: ENCR+PRF+INTEG+DH; unmatched: none Aug 26 13:09:54.774960: | comparing remote proposal 1 containing ENCR+PRF+INTEG+DH transforms to local proposal 1; required: ENCR+PRF+INTEG+DH; optional: none; matched: ENCR+PRF+INTEG+DH Aug 26 13:09:54.774962: | remote proposal 1 matches local proposal 1 Aug 26 13:09:54.774965: "north-eastnets/0x2" #2: proposal 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048[first-match] Aug 26 13:09:54.774969: | accepted IKE proposal ikev2_proposal: 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048 Aug 26 13:09:54.774970: | converting proposal to internal trans attrs Aug 26 13:09:54.774974: | natd_hash: rcookie is zero Aug 26 13:09:54.774980: | natd_hash: hasher=0x55fb0498e800(20) Aug 26 13:09:54.774982: | natd_hash: icookie= a9 6d 2c db 22 7f 10 cd Aug 26 13:09:54.774984: | natd_hash: rcookie= 00 00 00 00 00 00 00 00 Aug 26 13:09:54.774986: | natd_hash: ip= c0 01 03 21 Aug 26 13:09:54.774987: | natd_hash: port=500 Aug 26 13:09:54.774989: | natd_hash: hash= 0c 44 21 8c 70 e1 be 77 02 67 87 8e a8 87 7e d8 Aug 26 13:09:54.774991: | natd_hash: hash= 45 e3 32 03 Aug 26 13:09:54.774992: | natd_hash: rcookie is zero Aug 26 13:09:54.774996: | natd_hash: hasher=0x55fb0498e800(20) Aug 26 13:09:54.774997: | natd_hash: icookie= a9 6d 2c db 22 7f 10 cd Aug 26 13:09:54.774999: | natd_hash: rcookie= 00 00 00 00 00 00 00 00 Aug 26 13:09:54.775001: | natd_hash: ip= c0 01 02 17 Aug 26 13:09:54.775002: | natd_hash: port=500 Aug 26 13:09:54.775004: | natd_hash: hash= c4 62 89 64 0a 54 50 39 dd 9a e2 ef e5 83 c8 53 Aug 26 13:09:54.775005: | natd_hash: hash= 4c e2 69 61 Aug 26 13:09:54.775007: | NAT_TRAVERSAL encaps using auto-detect Aug 26 13:09:54.775009: | NAT_TRAVERSAL this end is NOT behind NAT Aug 26 13:09:54.775010: | NAT_TRAVERSAL that end is NOT behind NAT Aug 26 
13:09:54.775013: | NAT_TRAVERSAL nat-keepalive enabled 192.1.2.23 Aug 26 13:09:54.775017: | adding ikev2_inI1outR1 KE work-order 2 for state #2 Aug 26 13:09:54.775019: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55fb06382e40 Aug 26 13:09:54.775023: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #2 Aug 26 13:09:54.775025: | libevent_malloc: new ptr-libevent@0x55fb06384860 size 128 Aug 26 13:09:54.775033: | #2 spent 0.167 milliseconds in processing: Respond to IKE_SA_INIT in ikev2_process_state_packet() Aug 26 13:09:54.775038: | [RE]START processing: state #2 connection "north-eastnets/0x2" from 192.1.2.23:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:09:54.775040: | #2 complete_v2_state_transition() PARENT_R0->PARENT_R1 with status STF_SUSPEND Aug 26 13:09:54.775042: | suspending state #2 and saving MD Aug 26 13:09:54.775044: | #2 is busy; has a suspended MD Aug 26 13:09:54.775047: | [RE]START processing: state #2 connection "north-eastnets/0x2" from 192.1.2.23:500 (in log_stf_suspend() at ikev2.c:3269) Aug 26 13:09:54.775050: | "north-eastnets/0x2" #2 complete v2 state STATE_PARENT_R0 transition with STF_SUSPEND suspended from complete_v2_state_transition:3451 Aug 26 13:09:54.775053: | stop processing: state #2 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ikev2_process_packet() at ikev2.c:2018) Aug 26 13:09:54.775056: | #2 spent 0.489 milliseconds in ikev2_process_packet() Aug 26 13:09:54.775059: | stop processing: from 192.1.2.23:500 (in process_md() at demux.c:380) Aug 26 13:09:54.775061: | processing: STOP state #0 (in process_md() at demux.c:382) Aug 26 13:09:54.775063: | processing: STOP connection NULL (in process_md() at demux.c:383) Aug 26 13:09:54.775065: | spent 0.498 milliseconds in comm_handle_cb() reading and processing packet Aug 26 13:09:54.775066: | crypto helper 2 resuming Aug 26 13:09:54.775075: | crypto helper 2 starting work-order 2 for state #2 Aug 26 13:09:54.775079: | crypto helper 2 doing 
build KE and nonce (ikev2_inI1outR1 KE); request ID 2 Aug 26 13:09:54.775080: | crypto helper is pausing for 1 seconds Aug 26 13:09:55.420809: | crypto helper 0 finished build KE and nonce (ikev2_outI1 KE); request ID 1 time elapsed 1.000724 seconds Aug 26 13:09:55.420828: | (#1) spent 0.683 milliseconds in crypto helper computing work-order 1: ikev2_outI1 KE (pcr) Aug 26 13:09:55.420831: | crypto helper 0 sending results from work-order 1 for state #1 to event queue Aug 26 13:09:55.420834: | scheduling resume sending helper answer for #1 Aug 26 13:09:55.420837: | libevent_malloc: new ptr-libevent@0x7fedec006900 size 128 Aug 26 13:09:55.420846: | crypto helper 0 waiting (nothing to do) Aug 26 13:09:55.420857: | processing resume sending helper answer for #1 Aug 26 13:09:55.420871: | start processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23 (in resume_handler() at server.c:797) Aug 26 13:09:55.420889: | crypto helper 0 replies to request ID 1 Aug 26 13:09:55.420892: | calling continuation function 0x55fb048b9b50 Aug 26 13:09:55.420895: | ikev2_parent_outI1_continue for #1 Aug 26 13:09:55.420926: | **emit ISAKMP Message: Aug 26 13:09:55.420930: | initiator cookie: Aug 26 13:09:55.420932: | f4 b6 d6 b1 3a 28 54 37 Aug 26 13:09:55.420935: | responder cookie: Aug 26 13:09:55.420937: | 00 00 00 00 00 00 00 00 Aug 26 13:09:55.420941: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 13:09:55.420944: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:09:55.420947: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) Aug 26 13:09:55.420950: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Aug 26 13:09:55.420952: | Message ID: 0 (0x0) Aug 26 13:09:55.420956: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 13:09:55.420963: | using existing local IKE proposals for connection north-eastnets/0x2 (IKE SA initiator emitting local proposals): 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048 
Aug 26 13:09:55.420966: | Emitting ikev2_proposals ... Aug 26 13:09:55.420970: | ***emit IKEv2 Security Association Payload: Aug 26 13:09:55.420973: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:09:55.420975: | flags: none (0x0) Aug 26 13:09:55.420979: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Aug 26 13:09:55.420985: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Aug 26 13:09:55.420988: | ****emit IKEv2 Proposal Substructure Payload: Aug 26 13:09:55.420991: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 13:09:55.420994: | prop #: 1 (0x1) Aug 26 13:09:55.420997: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 13:09:55.420999: | spi size: 0 (0x0) Aug 26 13:09:55.421002: | # transforms: 4 (0x4) Aug 26 13:09:55.421005: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Aug 26 13:09:55.421008: | *****emit IKEv2 Transform Substructure Payload: Aug 26 13:09:55.421011: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:09:55.421013: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:09:55.421016: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 13:09:55.421019: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:09:55.421022: | ******emit IKEv2 Attribute Substructure Payload: Aug 26 13:09:55.421025: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:09:55.421028: | length/value: 256 (0x100) Aug 26 13:09:55.421031: | emitting length of IKEv2 Transform Substructure Payload: 12 Aug 26 13:09:55.421033: | *****emit IKEv2 Transform Substructure Payload: Aug 26 13:09:55.421036: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:09:55.421039: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:09:55.421041: | IKEv2 transform ID: 
PRF_HMAC_SHA2_256 (0x5) Aug 26 13:09:55.421045: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:09:55.421048: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:09:55.421051: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:09:55.421053: | *****emit IKEv2 Transform Substructure Payload: Aug 26 13:09:55.421056: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:09:55.421059: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:09:55.421061: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Aug 26 13:09:55.421064: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:09:55.421067: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:09:55.421070: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:09:55.421073: | *****emit IKEv2 Transform Substructure Payload: Aug 26 13:09:55.421075: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:09:55.421078: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:09:55.421081: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:09:55.421084: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:09:55.421087: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:09:55.421090: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:09:55.421092: | emitting length of IKEv2 Proposal Substructure Payload: 44 Aug 26 13:09:55.421095: | last substructure: checking 'IKEv2 
Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Aug 26 13:09:55.421098: | emitting length of IKEv2 Security Association Payload: 48 Aug 26 13:09:55.421101: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Aug 26 13:09:55.421106: | ***emit IKEv2 Key Exchange Payload: Aug 26 13:09:55.421109: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:09:55.421111: | flags: none (0x0) Aug 26 13:09:55.421129: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:09:55.421132: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Key Exchange Payload (34:ISAKMP_NEXT_v2KE) Aug 26 13:09:55.421135: | next payload chain: saving location 'IKEv2 Key Exchange Payload'.'next payload type' in 'reply packet' Aug 26 13:09:55.421140: | emitting 256 raw bytes of ikev2 g^x into IKEv2 Key Exchange Payload
Aug 26 13:09:55.421184: | emitting length of IKEv2 Key Exchange Payload: 264 Aug 26 13:09:55.421187: | ***emit IKEv2 Nonce Payload: Aug 26 13:09:55.421190: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 13:09:55.421193: | flags: none (0x0) Aug 26 13:09:55.421196: | next payload chain: ignoring supplied 'IKEv2 Nonce Payload'.'next payload type' value 41:ISAKMP_NEXT_v2N Aug 26 13:09:55.421199: | next payload chain: setting previous 'IKEv2 Key Exchange Payload'.'next payload type' to current IKEv2 Nonce Payload (40:ISAKMP_NEXT_v2Ni) Aug 26 13:09:55.421202: | next payload chain: saving location 'IKEv2 Nonce Payload'.'next payload type' in 'reply packet' Aug 26 13:09:55.421205: | emitting 32 raw bytes of IKEv2 nonce into IKEv2 Nonce Payload Aug 26 13:09:55.421208: | IKEv2 nonce 29 ba 1e fb d3 96 67 cc d0 3c 87 81 8b 34 5b 7d Aug 26 13:09:55.421211: | IKEv2 nonce c1 fb d9 e1 9e 58 01 9b 2c 4b 83 1f c2 61 4b 9e Aug 26 13:09:55.421213: | emitting length of IKEv2 Nonce Payload: 36 Aug 26 13:09:55.421216: | Adding a v2N Payload Aug 26 13:09:55.421219: | ***emit IKEv2 Notify Payload: Aug 26 13:09:55.421222: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:09:55.421224: | flags: none (0x0) Aug 26 13:09:55.421228: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:09:55.421230: | SPI size: 0 (0x0) Aug 26 13:09:55.421233: | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) Aug 26 13:09:55.421237: | next payload chain: setting previous 'IKEv2 Nonce Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Aug 26 13:09:55.421240: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in
'reply packet' Aug 26 13:09:55.421242: | emitting length of IKEv2 Notify Payload: 8 Aug 26 13:09:55.421246: | NAT-Traversal support [enabled] add v2N payloads. Aug 26 13:09:55.421249: | natd_hash: rcookie is zero Aug 26 13:09:55.421262: | natd_hash: hasher=0x55fb0498e800(20) Aug 26 13:09:55.421266: | natd_hash: icookie= f4 b6 d6 b1 3a 28 54 37 Aug 26 13:09:55.421270: | natd_hash: rcookie= 00 00 00 00 00 00 00 00 Aug 26 13:09:55.421273: | natd_hash: ip= c0 01 03 21 Aug 26 13:09:55.421275: | natd_hash: port=500 Aug 26 13:09:55.421278: | natd_hash: hash= b2 73 1e dd 35 69 ae a2 da db cb 31 11 e4 44 d5 Aug 26 13:09:55.421280: | natd_hash: hash= 2d da 22 64 Aug 26 13:09:55.421283: | Adding a v2N Payload Aug 26 13:09:55.421286: | ***emit IKEv2 Notify Payload: Aug 26 13:09:55.421303: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:09:55.421310: | flags: none (0x0) Aug 26 13:09:55.421313: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:09:55.421316: | SPI size: 0 (0x0) Aug 26 13:09:55.421319: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Aug 26 13:09:55.421322: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Aug 26 13:09:55.421325: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Aug 26 13:09:55.421329: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Aug 26 13:09:55.421331: | Notify data b2 73 1e dd 35 69 ae a2 da db cb 31 11 e4 44 d5 Aug 26 13:09:55.421334: | Notify data 2d da 22 64 Aug 26 13:09:55.421336: | emitting length of IKEv2 Notify Payload: 28 Aug 26 13:09:55.421339: | natd_hash: rcookie is zero Aug 26 13:09:55.421347: | natd_hash: hasher=0x55fb0498e800(20) Aug 26 13:09:55.421350: | natd_hash: icookie= f4 b6 d6 b1 3a 28 54 37 Aug 26 13:09:55.421353: | natd_hash: rcookie= 00 00 00 00 00 00 00 00 Aug 26 13:09:55.421355: | natd_hash: ip= c0 01 02 17 Aug 26 13:09:55.421357: | natd_hash: 
port=500 Aug 26 13:09:55.421360: | natd_hash: hash= 90 75 df 89 c4 de 22 74 9a 4d 78 0f 07 f7 0e 68 Aug 26 13:09:55.421362: | natd_hash: hash= 57 7f c9 9d Aug 26 13:09:55.421365: | Adding a v2N Payload Aug 26 13:09:55.421368: | ***emit IKEv2 Notify Payload: Aug 26 13:09:55.421370: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:09:55.421373: | flags: none (0x0) Aug 26 13:09:55.421376: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:09:55.421378: | SPI size: 0 (0x0) Aug 26 13:09:55.421381: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Aug 26 13:09:55.421384: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Aug 26 13:09:55.421387: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Aug 26 13:09:55.421390: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Aug 26 13:09:55.421393: | Notify data 90 75 df 89 c4 de 22 74 9a 4d 78 0f 07 f7 0e 68 Aug 26 13:09:55.421395: | Notify data 57 7f c9 9d Aug 26 13:09:55.421398: | emitting length of IKEv2 Notify Payload: 28 Aug 26 13:09:55.421401: | emitting length of ISAKMP Message: 440 Aug 26 13:09:55.421408: | stop processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23 (in ikev2_parent_outI1_common() at ikev2_parent.c:817) Aug 26 13:09:55.421419: | start processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:09:55.421436: | #1 complete_v2_state_transition() PARENT_I0->PARENT_I1 with status STF_OK Aug 26 13:09:55.421439: | IKEv2: transition from state STATE_PARENT_I0 to state STATE_PARENT_I1 Aug 26 13:09:55.421458: | parent state #1: PARENT_I0(ignore) => PARENT_I1(half-open IKE SA) Aug 26 13:09:55.421461: | Message ID: updating counters for #1 to 4294967295 after switching state Aug 26 13:09:55.421464: | Message ID: IKE #1 skipping update_recv as MD is fake Aug 26 
13:09:55.421470: | Message ID: sent #1 request 0; ike: initiator.sent=-1->0 initiator.recv=-1 responder.sent=-1 responder.recv=-1 wip.initiator=-1->0 wip.responder=-1 Aug 26 13:09:55.421473: "north-eastnets/0x2" #1: STATE_PARENT_I1: sent v2I1, expected v2R1 Aug 26 13:09:55.421486: | sending V2 reply packet to 192.1.2.23:500 (from 192.1.3.33:500) Aug 26 13:09:55.421494: | sending 440 bytes for STATE_PARENT_I0 through eth1 from 192.1.3.33:500 to 192.1.2.23:500 (using #1)
Aug 26 13:09:55.421645: | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted Aug 26 13:09:55.421651: | libevent_free: release ptr-libevent@0x55fb063818a0 Aug 26 13:09:55.421655: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55fb06381860 Aug 26 13:09:55.421658: | success_v2_state_transition scheduling EVENT_RETRANSMIT of c->r_interval=50ms Aug 26 13:09:55.421662: | event_schedule: new EVENT_RETRANSMIT-pe@0x55fb06381860 Aug 26 13:09:55.421666: | inserting event EVENT_RETRANSMIT, timeout in 0.05 seconds for #1 Aug 26 13:09:55.421669: | libevent_malloc: new ptr-libevent@0x55fb063818a0 size 128 Aug 26 13:09:55.421688: | #1 STATE_PARENT_I1: retransmits: first event in 0.05 seconds; timeout in 60 seconds; limit of 12 retransmits; current time is 10281.164128 Aug 26 13:09:55.421692: | resume sending helper answer for #1 suppresed complete_v2_state_transition() and stole MD Aug 26 13:09:55.421712: | #1 spent 0.765 milliseconds in resume sending helper answer Aug 26 13:09:55.421718: | stop processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23 (in resume_handler() at server.c:833) Aug 26 13:09:55.421721: | libevent_free: release ptr-libevent@0x7fedec006900 Aug 26 13:09:55.423483: | spent 0.00244 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Aug 26 13:09:55.423504: | *received 440 bytes from 192.1.2.23:500 on eth1 (192.1.3.33:500) Aug 26 13:09:55.423589: | start
processing: from 192.1.2.23:500 (in process_md() at demux.c:378) Aug 26 13:09:55.423593: | **parse ISAKMP Message: Aug 26 13:09:55.423596: | initiator cookie: Aug 26 13:09:55.423598: | f4 b6 d6 b1 3a 28 54 37 Aug 26 13:09:55.423601: | responder cookie: Aug 26 13:09:55.423603: | ed ec 45 23 73 d7 1a d3 Aug 26 13:09:55.423607: | next payload type: ISAKMP_NEXT_v2SA (0x21) Aug 26 13:09:55.423610: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:09:55.423612: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) Aug 26 13:09:55.423615: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Aug 26 13:09:55.423618: | Message ID: 0 (0x0) Aug 26 13:09:55.423621: | length: 440 (0x1b8) Aug 26 13:09:55.423624: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_SA_INIT (34) Aug 26 13:09:55.423628: | I am the IKE SA Original Initiator receiving an IKEv2 IKE_SA_INIT response Aug 26 13:09:55.423632: | State DB: found IKEv2 state #1 in PARENT_I1 (find_v2_ike_sa_by_initiator_spi) Aug 26 13:09:55.423638: | start processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23 (in ikev2_process_packet() at ikev2.c:2016) Aug 26 13:09:55.423643: | [RE]START processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23 (in ike_process_packet() at ikev2.c:2062) Aug 26 13:09:55.423646: | #1 is idle Aug 26 13:09:55.423649: | #1 idle Aug 26 13:09:55.423651: | unpacking clear payload Aug 26 13:09:55.423654: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Aug 26 13:09:55.423658: | ***parse IKEv2 Security Association Payload: Aug 26 13:09:55.423661: | next payload type: ISAKMP_NEXT_v2KE (0x22) Aug 26 13:09:55.423664: | flags: none (0x0) Aug 26 13:09:55.423666: | length: 48 (0x30) Aug 26 13:09:55.423669: | processing payload: ISAKMP_NEXT_v2SA (len=44) Aug 26 13:09:55.423672: | Now let's proceed with payload (ISAKMP_NEXT_v2KE) Aug 26 13:09:55.423675: | ***parse IKEv2 Key Exchange Payload: Aug 26 13:09:55.423678: | next payload type: ISAKMP_NEXT_v2Ni (0x28) Aug 26 
13:09:55.423681: | flags: none (0x0) Aug 26 13:09:55.423683: | length: 264 (0x108) Aug 26 13:09:55.423686: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:09:55.423689: | processing payload: ISAKMP_NEXT_v2KE (len=256) Aug 26 13:09:55.423692: | Now let's proceed with payload (ISAKMP_NEXT_v2Ni) Aug 26 13:09:55.423696: | ***parse IKEv2 Nonce Payload: Aug 26 13:09:55.423699: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 13:09:55.423702: | flags: none (0x0) Aug 26 13:09:55.423705: | length: 36 (0x24) Aug 26 13:09:55.423707: | processing payload: ISAKMP_NEXT_v2Ni (len=32) Aug 26 13:09:55.423710: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Aug 26 13:09:55.423713: | ***parse IKEv2 Notify Payload: Aug 26 13:09:55.423716: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 13:09:55.423718: | flags: none (0x0) Aug 26 13:09:55.423721: | length: 8 (0x8) Aug 26 13:09:55.423724: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:09:55.423727: | SPI size: 0 (0x0) Aug 26 13:09:55.423730: | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) Aug 26 13:09:55.423733: | processing payload: ISAKMP_NEXT_v2N (len=0) Aug 26 13:09:55.423735: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Aug 26 13:09:55.423738: | ***parse IKEv2 Notify Payload: Aug 26 13:09:55.423741: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 13:09:55.423744: | flags: none (0x0) Aug 26 13:09:55.423746: | length: 28 (0x1c) Aug 26 13:09:55.423749: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:09:55.423752: | SPI size: 0 (0x0) Aug 26 13:09:55.423755: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Aug 26 13:09:55.423757: | processing payload: ISAKMP_NEXT_v2N (len=20) Aug 26 13:09:55.423760: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Aug 26 13:09:55.423763: | ***parse IKEv2 Notify Payload: Aug 26 13:09:55.423766: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:09:55.423768: | flags: none (0x0) Aug 26 13:09:55.423771: | length: 28 (0x1c) Aug 26 13:09:55.423774: | 
Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:09:55.423776: | SPI size: 0 (0x0) Aug 26 13:09:55.423779: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Aug 26 13:09:55.423782: | processing payload: ISAKMP_NEXT_v2N (len=20) Aug 26 13:09:55.423785: | State DB: re-hashing IKEv2 state #1 IKE SPIi and SPI[ir] Aug 26 13:09:55.423791: | #1 in state PARENT_I1: sent v2I1, expected v2R1 Aug 26 13:09:55.423795: | selected state microcode Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH Aug 26 13:09:55.423797: | Now let's proceed with state specific processing Aug 26 13:09:55.423800: | calling processor Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH Aug 26 13:09:55.423804: | ikev2 parent inR1: calculating g^{xy} in order to send I2 Aug 26 13:09:55.423811: | using existing local IKE proposals for connection north-eastnets/0x2 (IKE SA initiator accepting remote proposal): 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048 Aug 26 13:09:55.423815: | Comparing remote proposals against IKE initiator (accepting) 1 local proposals Aug 26 13:09:55.423819: | local proposal 1 type ENCR has 1 transforms Aug 26 13:09:55.423822: | local proposal 1 type PRF has 1 transforms Aug 26 13:09:55.423825: | local proposal 1 type INTEG has 1 transforms Aug 26 13:09:55.423827: | local proposal 1 type DH has 1 transforms Aug 26 13:09:55.423830: | local proposal 1 type ESN has 0 transforms Aug 26 13:09:55.423834: | local proposal 1 transforms: required: ENCR+PRF+INTEG+DH; optional: none Aug 26 13:09:55.423837: | ****parse IKEv2 Proposal Substructure Payload: Aug 26 13:09:55.423840: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 13:09:55.423842: | length: 44 (0x2c) Aug 26 13:09:55.423845: | prop #: 1 (0x1) Aug 26 13:09:55.423848: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 13:09:55.423851: | spi size: 0 (0x0) Aug 26 13:09:55.423853: | # transforms: 4 (0x4) Aug 26 13:09:55.423857: | Comparing remote proposal 1 containing 4 transforms against 
local proposal [1..1] of 1 local proposals Aug 26 13:09:55.423860: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:09:55.423863: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:09:55.423865: | length: 12 (0xc) Aug 26 13:09:55.423868: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:09:55.423873: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 13:09:55.423876: | ******parse IKEv2 Attribute Substructure Payload: Aug 26 13:09:55.423879: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:09:55.423881: | length/value: 256 (0x100) Aug 26 13:09:55.423886: | remote proposal 1 transform 0 (ENCR=AES_CBC_256) matches local proposal 1 type 1 (ENCR) transform 0 Aug 26 13:09:55.423889: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:09:55.423892: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:09:55.423894: | length: 8 (0x8) Aug 26 13:09:55.423897: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:09:55.423900: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Aug 26 13:09:55.423904: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_256) matches local proposal 1 type 2 (PRF) transform 0 Aug 26 13:09:55.423907: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:09:55.423909: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:09:55.423912: | length: 8 (0x8) Aug 26 13:09:55.423915: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:09:55.423917: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Aug 26 13:09:55.423921: | remote proposal 1 transform 2 (INTEG=HMAC_SHA2_256_128) matches local proposal 1 type 3 (INTEG) transform 0 Aug 26 13:09:55.423924: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:09:55.423927: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:09:55.423929: | length: 8 (0x8) Aug 26 13:09:55.423932: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:09:55.423935: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:09:55.423938: | remote proposal 1 transform 3 (DH=MODP2048) 
matches local proposal 1 type 4 (DH) transform 0 Aug 26 13:09:55.423942: | remote proposal 1 proposed transforms: ENCR+PRF+INTEG+DH; matched: ENCR+PRF+INTEG+DH; unmatched: none Aug 26 13:09:55.423947: | comparing remote proposal 1 containing ENCR+PRF+INTEG+DH transforms to local proposal 1; required: ENCR+PRF+INTEG+DH; optional: none; matched: ENCR+PRF+INTEG+DH Aug 26 13:09:55.423950: | remote proposal 1 matches local proposal 1 Aug 26 13:09:55.423953: | remote accepted the proposal 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048[first-match] Aug 26 13:09:55.423956: | converting proposal to internal trans attrs Aug 26 13:09:55.423970: | natd_hash: hasher=0x55fb0498e800(20) Aug 26 13:09:55.423974: | natd_hash: icookie= f4 b6 d6 b1 3a 28 54 37 Aug 26 13:09:55.423976: | natd_hash: rcookie= ed ec 45 23 73 d7 1a d3 Aug 26 13:09:55.423979: | natd_hash: ip= c0 01 03 21 Aug 26 13:09:55.423981: | natd_hash: port=500 Aug 26 13:09:55.423984: | natd_hash: hash= 04 1f 76 61 db 60 35 12 3e f2 66 1b 5c e3 25 d8 Aug 26 13:09:55.423986: | natd_hash: hash= 0b 8d b1 ae Aug 26 13:09:55.423993: | natd_hash: hasher=0x55fb0498e800(20) Aug 26 13:09:55.423995: | natd_hash: icookie= f4 b6 d6 b1 3a 28 54 37 Aug 26 13:09:55.423998: | natd_hash: rcookie= ed ec 45 23 73 d7 1a d3 Aug 26 13:09:55.424000: | natd_hash: ip= c0 01 02 17 Aug 26 13:09:55.424002: | natd_hash: port=500 Aug 26 13:09:55.424005: | natd_hash: hash= fc f5 e9 7e 87 b3 dc 13 83 db 76 22 b6 d8 f0 53 Aug 26 13:09:55.424007: | natd_hash: hash= 04 b9 41 02 Aug 26 13:09:55.424010: | NAT_TRAVERSAL encaps using auto-detect Aug 26 13:09:55.424013: | NAT_TRAVERSAL this end is NOT behind NAT Aug 26 13:09:55.424015: | NAT_TRAVERSAL that end is NOT behind NAT Aug 26 13:09:55.424019: | NAT_TRAVERSAL nat-keepalive enabled 192.1.2.23 Aug 26 13:09:55.424023: | offloading IKEv2 SKEYSEED using prf=HMAC_SHA2_256 integ=HMAC_SHA2_256_128 cipherkey=AES_CBC Aug 26 13:09:55.424026: | adding ikev2_inR1outI2 KE work-order 3 
for state #1 Aug 26 13:09:55.424030: | state #1 requesting EVENT_RETRANSMIT to be deleted Aug 26 13:09:55.424033: | #1 STATE_PARENT_I1: retransmits: cleared Aug 26 13:09:55.424036: | libevent_free: release ptr-libevent@0x55fb063818a0 Aug 26 13:09:55.424039: | free_event_entry: release EVENT_RETRANSMIT-pe@0x55fb06381860 Aug 26 13:09:55.424044: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55fb06381860 Aug 26 13:09:55.424048: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 Aug 26 13:09:55.424051: | libevent_malloc: new ptr-libevent@0x55fb063818a0 size 128 Aug 26 13:09:55.424062: | #1 spent 0.256 milliseconds in processing: Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH in ikev2_process_state_packet() Aug 26 13:09:55.424068: | [RE]START processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:09:55.424072: | #1 complete_v2_state_transition() PARENT_I1->PARENT_I2 with status STF_SUSPEND Aug 26 13:09:55.424078: | suspending state #1 and saving MD Aug 26 13:09:55.424082: | #1 is busy; has a suspended MD Aug 26 13:09:55.424068: | crypto helper 1 resuming Aug 26 13:09:55.424089: | [RE]START processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23 (in log_stf_suspend() at ikev2.c:3269) Aug 26 13:09:55.424097: | crypto helper 1 starting work-order 3 for state #1 Aug 26 13:09:55.424104: | "north-eastnets/0x2" #1 complete v2 state STATE_PARENT_I1 transition with STF_SUSPEND suspended from complete_v2_state_transition:3451 Aug 26 13:09:55.424107: | crypto helper 1 doing compute dh (V2) (ikev2_inR1outI2 KE); request ID 3 Aug 26 13:09:55.424110: | stop processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23 (in ikev2_process_packet() at ikev2.c:2018) Aug 26 13:09:55.424111: | crypto helper is pausing for 1 seconds Aug 26 13:09:55.424117: | #1 spent 0.618 milliseconds in ikev2_process_packet() Aug 26 13:09:55.424122: | stop processing: from 
192.1.2.23:500 (in process_md() at demux.c:380) Aug 26 13:09:55.424125: | processing: STOP state #0 (in process_md() at demux.c:382) Aug 26 13:09:55.424129: | processing: STOP connection NULL (in process_md() at demux.c:383) Aug 26 13:09:55.424133: | spent 0.635 milliseconds in comm_handle_cb() reading and processing packet Aug 26 13:09:55.776102: | crypto helper 2 finished build KE and nonce (ikev2_inI1outR1 KE); request ID 2 time elapsed 1.00102 seconds Aug 26 13:09:55.776125: | (#2) spent 0.947 milliseconds in crypto helper computing work-order 2: ikev2_inI1outR1 KE (pcr) Aug 26 13:09:55.776130: | crypto helper 2 sending results from work-order 2 for state #2 to event queue Aug 26 13:09:55.776133: | scheduling resume sending helper answer for #2 Aug 26 13:09:55.776138: | libevent_malloc: new ptr-libevent@0x7fede4006900 size 128 Aug 26 13:09:55.776151: | crypto helper 2 waiting (nothing to do) Aug 26 13:09:55.776198: | processing resume sending helper answer for #2 Aug 26 13:09:55.776215: | start processing: state #2 connection "north-eastnets/0x2" from 192.1.2.23:500 (in resume_handler() at server.c:797) Aug 26 13:09:55.776221: | crypto helper 2 replies to request ID 2 Aug 26 13:09:55.776225: | calling continuation function 0x55fb048b9b50 Aug 26 13:09:55.776228: | ikev2_parent_inI1outR1_continue for #2: calculated ke+nonce, sending R1 Aug 26 13:09:55.776237: | **emit ISAKMP Message: Aug 26 13:09:55.776240: | initiator cookie: Aug 26 13:09:55.776243: | a9 6d 2c db 22 7f 10 cd Aug 26 13:09:55.776246: | responder cookie: Aug 26 13:09:55.776249: | a9 27 21 0d a1 26 af 75 Aug 26 13:09:55.776252: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 13:09:55.776255: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:09:55.776259: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) Aug 26 13:09:55.776262: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Aug 26 13:09:55.776265: | Message ID: 0 (0x0) Aug 26 13:09:55.776269: | next payload chain: saving message 
location 'ISAKMP Message'.'next payload type' Aug 26 13:09:55.776272: | Emitting ikev2_proposal ... Aug 26 13:09:55.776275: | ***emit IKEv2 Security Association Payload: Aug 26 13:09:55.776279: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:09:55.776281: | flags: none (0x0) Aug 26 13:09:55.776285: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Aug 26 13:09:55.776308: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Aug 26 13:09:55.776317: | ****emit IKEv2 Proposal Substructure Payload: Aug 26 13:09:55.776321: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 13:09:55.776324: | prop #: 1 (0x1) Aug 26 13:09:55.776327: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 13:09:55.776330: | spi size: 0 (0x0) Aug 26 13:09:55.776332: | # transforms: 4 (0x4) Aug 26 13:09:55.776336: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Aug 26 13:09:55.776339: | *****emit IKEv2 Transform Substructure Payload: Aug 26 13:09:55.776342: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:09:55.776345: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:09:55.776348: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 13:09:55.776352: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:09:55.776355: | ******emit IKEv2 Attribute Substructure Payload: Aug 26 13:09:55.776358: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:09:55.776361: | length/value: 256 (0x100) Aug 26 13:09:55.776364: | emitting length of IKEv2 Transform Substructure Payload: 12 Aug 26 13:09:55.776367: | *****emit IKEv2 Transform Substructure Payload: Aug 26 13:09:55.776370: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:09:55.776373: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 
13:09:55.776376: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Aug 26 13:09:55.776380: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:09:55.776383: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:09:55.776386: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:09:55.776389: | *****emit IKEv2 Transform Substructure Payload: Aug 26 13:09:55.776392: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:09:55.776395: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:09:55.776398: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Aug 26 13:09:55.776401: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:09:55.776404: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:09:55.776407: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:09:55.776410: | *****emit IKEv2 Transform Substructure Payload: Aug 26 13:09:55.776413: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:09:55.776416: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:09:55.776419: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:09:55.776422: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:09:55.776425: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:09:55.776428: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:09:55.776431: | emitting length of IKEv2 Proposal Substructure Payload: 44 Aug 26 
13:09:55.776435: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Aug 26 13:09:55.776438: | emitting length of IKEv2 Security Association Payload: 48 Aug 26 13:09:55.776441: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Aug 26 13:09:55.776445: | ***emit IKEv2 Key Exchange Payload: Aug 26 13:09:55.776450: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:09:55.776453: | flags: none (0x0) Aug 26 13:09:55.776455: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:09:55.776459: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Key Exchange Payload (34:ISAKMP_NEXT_v2KE) Aug 26 13:09:55.776462: | next payload chain: saving location 'IKEv2 Key Exchange Payload'.'next payload type' in 'reply packet' Aug 26 13:09:55.776466: | emitting 256 raw bytes of ikev2 g^x into IKEv2 Key Exchange Payload Aug 26 13:09:55.776513: | emitting length of IKEv2 Key Exchange Payload: 264 Aug 26 13:09:55.776516: | ***emit IKEv2 Nonce Payload: Aug 26 13:09:55.776519: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 13:09:55.776522: | flags: none (0x0) Aug 26 13:09:55.776526: | next payload chain: ignoring supplied 'IKEv2 Nonce Payload'.'next payload type' value 41:ISAKMP_NEXT_v2N Aug 26 13:09:55.776529: | next payload chain: setting previous 'IKEv2 Key Exchange Payload'.'next payload type' to current IKEv2 Nonce Payload (40:ISAKMP_NEXT_v2Ni) Aug 26 13:09:55.776532: | next payload chain: saving location 'IKEv2 Nonce Payload'.'next payload type' in 'reply packet' Aug 26 13:09:55.776536: | emitting 32 raw bytes of IKEv2 nonce into IKEv2 Nonce Payload Aug 26 13:09:55.776539: | IKEv2 nonce ac 5e a3 43 99 45 4c 20 c2 16 55 3a 8f b4 74 e9 Aug 26 13:09:55.776541: | IKEv2 nonce 72 c5 ab a7 70 8e 25 dc b7 59 ba be 00 4f c2 6f Aug 26 13:09:55.776544: | emitting length of IKEv2 Nonce Payload: 36 Aug 26 13:09:55.776548: | Adding a v2N Payload Aug 26 13:09:55.776551: | ***emit IKEv2 Notify Payload: Aug 26 13:09:55.776554: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:09:55.776557: | flags: none (0x0) Aug 26 13:09:55.776560: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:09:55.776562: | SPI size: 0 (0x0) Aug 26 13:09:55.776566: | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) Aug 26 13:09:55.776569: | next payload chain: setting previous 'IKEv2 Nonce Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Aug 26 13:09:55.776572: | next payload chain: saving location
'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Aug 26 13:09:55.776575: | emitting length of IKEv2 Notify Payload: 8 Aug 26 13:09:55.776579: | NAT-Traversal support [enabled] add v2N payloads. Aug 26 13:09:55.776592: | natd_hash: hasher=0x55fb0498e800(20) Aug 26 13:09:55.776595: | natd_hash: icookie= a9 6d 2c db 22 7f 10 cd Aug 26 13:09:55.776598: | natd_hash: rcookie= a9 27 21 0d a1 26 af 75 Aug 26 13:09:55.776601: | natd_hash: ip= c0 01 03 21 Aug 26 13:09:55.776605: | natd_hash: port=500 Aug 26 13:09:55.776608: | natd_hash: hash= e3 e4 aa a8 43 4a 9d fe d4 39 3a 77 ca 8f 0c 59 Aug 26 13:09:55.776611: | natd_hash: hash= ce 75 a8 72 Aug 26 13:09:55.776614: | Adding a v2N Payload Aug 26 13:09:55.776617: | ***emit IKEv2 Notify Payload: Aug 26 13:09:55.776619: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:09:55.776622: | flags: none (0x0) Aug 26 13:09:55.776625: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:09:55.776628: | SPI size: 0 (0x0) Aug 26 13:09:55.776631: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Aug 26 13:09:55.776634: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Aug 26 13:09:55.776637: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Aug 26 13:09:55.776641: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Aug 26 13:09:55.776644: | Notify data e3 e4 aa a8 43 4a 9d fe d4 39 3a 77 ca 8f 0c 59 Aug 26 13:09:55.776646: | Notify data ce 75 a8 72 Aug 26 13:09:55.776649: | emitting length of IKEv2 Notify Payload: 28 Aug 26 13:09:55.776655: | natd_hash: hasher=0x55fb0498e800(20) Aug 26 13:09:55.776658: | natd_hash: icookie= a9 6d 2c db 22 7f 10 cd Aug 26 13:09:55.776661: | natd_hash: rcookie= a9 27 21 0d a1 26 af 75 Aug 26 13:09:55.776664: | natd_hash: ip= c0 01 02 17 Aug 26 13:09:55.776666: | natd_hash: port=500 Aug 26 13:09:55.776669: | natd_hash: hash= 34 c6 7e 17 47 
38 5d 8b 86 e5 fa 27 e6 bd 1a 7f Aug 26 13:09:55.776672: | natd_hash: hash= be b4 fa b0 Aug 26 13:09:55.776674: | Adding a v2N Payload Aug 26 13:09:55.776677: | ***emit IKEv2 Notify Payload: Aug 26 13:09:55.776680: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:09:55.776683: | flags: none (0x0) Aug 26 13:09:55.776686: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:09:55.776688: | SPI size: 0 (0x0) Aug 26 13:09:55.776691: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Aug 26 13:09:55.776695: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Aug 26 13:09:55.776698: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Aug 26 13:09:55.776701: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Aug 26 13:09:55.776704: | Notify data 34 c6 7e 17 47 38 5d 8b 86 e5 fa 27 e6 bd 1a 7f Aug 26 13:09:55.776707: | Notify data be b4 fa b0 Aug 26 13:09:55.776709: | emitting length of IKEv2 Notify Payload: 28 Aug 26 13:09:55.776712: | emitting length of ISAKMP Message: 440 Aug 26 13:09:55.776721: | [RE]START processing: state #2 connection "north-eastnets/0x2" from 192.1.2.23:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:09:55.776725: | #2 complete_v2_state_transition() PARENT_R0->PARENT_R1 with status STF_OK Aug 26 13:09:55.776729: | IKEv2: transition from state STATE_PARENT_R0 to state STATE_PARENT_R1 Aug 26 13:09:55.776733: | parent state #2: PARENT_R0(half-open IKE SA) => PARENT_R1(half-open IKE SA) Aug 26 13:09:55.776736: | Message ID: updating counters for #2 to 0 after switching state Aug 26 13:09:55.776742: | Message ID: recv #2 request 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1->0 wip.initiator=-1 wip.responder=0->-1 Aug 26 13:09:55.776747: | Message ID: sent #2 response 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1->0 
responder.recv=0 wip.initiator=-1 wip.responder=-1 Aug 26 13:09:55.776753: "north-eastnets/0x2" #2: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048} Aug 26 13:09:55.776759: | sending V2 new request packet to 192.1.2.23:500 (from 192.1.3.33:500) Aug 26 13:09:55.776766: | sending 440 bytes for STATE_PARENT_R0 through eth1 from 192.1.3.33:500 to 192.1.2.23:500 (using #2) Aug 26 13:09:55.776888: | state #2 requesting EVENT_CRYPTO_TIMEOUT to be deleted Aug 26 13:09:55.776894: | libevent_free: release ptr-libevent@0x55fb06384860 Aug 26 13:09:55.776898: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55fb06382e40 Aug 26 13:09:55.776901: | event_schedule: new EVENT_SO_DISCARD-pe@0x7fedec002b20 Aug 26 13:09:55.776906: | inserting event EVENT_SO_DISCARD, timeout in 200 seconds for #2 Aug 26 13:09:55.776909: | libevent_malloc: new ptr-libevent@0x55fb06384860 size 128 Aug 26 13:09:55.776914: | resume sending helper answer for #2 suppresed complete_v2_state_transition() Aug 26 13:09:55.776921: | #2 spent 0.662 milliseconds in resume sending helper answer Aug 26 13:09:55.776927: | stop processing: state #2 connection "north-eastnets/0x2" from 192.1.2.23:500 (in resume_handler() at server.c:833) Aug 26 13:09:55.776930: | libevent_free: release ptr-libevent@0x7fede4006900 Aug 26 13:09:55.783861: | spent 0.00274 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Aug 26 13:09:55.783885: | *received 464 bytes from 192.1.2.23:500 on eth1 (192.1.3.33:500) Aug 26 13:09:55.783952: | start processing: from 192.1.2.23:500 (in process_md() at demux.c:378) Aug 26 13:09:55.783955: | **parse ISAKMP Message: Aug 26 13:09:55.783958: | initiator cookie: Aug 26 13:09:55.783960: | a9 6d 2c db
22 7f 10 cd Aug 26 13:09:55.783962: | responder cookie: Aug 26 13:09:55.783964: | a9 27 21 0d a1 26 af 75 Aug 26 13:09:55.783967: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Aug 26 13:09:55.783969: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:09:55.783971: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Aug 26 13:09:55.783974: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Aug 26 13:09:55.783976: | Message ID: 1 (0x1) Aug 26 13:09:55.783978: | length: 464 (0x1d0) Aug 26 13:09:55.783981: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) Aug 26 13:09:55.783983: | I am the IKE SA Original Responder receiving an IKEv2 IKE_AUTH request Aug 26 13:09:55.783987: | State DB: found IKEv2 state #2 in PARENT_R1 (find_v2_ike_sa) Aug 26 13:09:55.783992: | start processing: state #2 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ikev2_process_packet() at ikev2.c:2016) Aug 26 13:09:55.783995: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Aug 26 13:09:55.783999: | [RE]START processing: state #2 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ike_process_packet() at ikev2.c:2064) Aug 26 13:09:55.784001: | #2 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001 Aug 26 13:09:55.784005: | Message ID: #2 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 Aug 26 13:09:55.784007: | unpacking clear payload Aug 26 13:09:55.784010: | Now let's proceed with payload (ISAKMP_NEXT_v2SK) Aug 26 13:09:55.784012: | ***parse IKEv2 Encryption Payload: Aug 26 13:09:55.784015: | next payload type: ISAKMP_NEXT_v2IDi (0x23) Aug 26 13:09:55.784017: | flags: none (0x0) Aug 26 13:09:55.784019: | length: 436 (0x1b4) Aug 26 13:09:55.784022: | processing payload: ISAKMP_NEXT_v2SK (len=432) Aug 26 13:09:55.784026: | Message ID: start-responder #2 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=-1->1 Aug 26 13:09:55.784028: 
| #2 in state PARENT_R1: received v2I1, sent v2R1 Aug 26 13:09:55.784031: | selected state microcode Responder: process IKE_AUTH request (no SKEYSEED) Aug 26 13:09:55.784033: | Now let's proceed with state specific processing Aug 26 13:09:55.784035: | calling processor Responder: process IKE_AUTH request (no SKEYSEED) Aug 26 13:09:55.784038: | ikev2 parent inI2outR2: calculating g^{xy} in order to decrypt I2 Aug 26 13:09:55.784046: | offloading IKEv2 SKEYSEED using prf=HMAC_SHA2_256 integ=HMAC_SHA2_256_128 cipherkey=AES_CBC Aug 26 13:09:55.784050: | adding ikev2_inI2outR2 KE work-order 4 for state #2 Aug 26 13:09:55.784053: | state #2 requesting EVENT_SO_DISCARD to be deleted Aug 26 13:09:55.784056: | libevent_free: release ptr-libevent@0x55fb06384860 Aug 26 13:09:55.784058: | free_event_entry: release EVENT_SO_DISCARD-pe@0x7fedec002b20 Aug 26 13:09:55.784061: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x7fedec002b20 Aug 26 13:09:55.784064: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #2 Aug 26 13:09:55.784067: | libevent_malloc: new ptr-libevent@0x55fb06384860 size 128 Aug 26 13:09:55.784077: | #2 spent 0.037 milliseconds in processing: Responder: process IKE_AUTH request (no SKEYSEED) in ikev2_process_state_packet() Aug 26 13:09:55.784082: | [RE]START processing: state #2 connection "north-eastnets/0x2" from 192.1.2.23:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:09:55.784085: | #2 complete_v2_state_transition() PARENT_R1->PARENT_R1 with status STF_SUSPEND Aug 26 13:09:55.784087: | suspending state #2 and saving MD Aug 26 13:09:55.784090: | #2 is busy; has a suspended MD Aug 26 13:09:55.784093: | [RE]START processing: state #2 connection "north-eastnets/0x2" from 192.1.2.23:500 (in log_stf_suspend() at ikev2.c:3269) Aug 26 13:09:55.784097: | "north-eastnets/0x2" #2 complete v2 state STATE_PARENT_R1 transition with STF_SUSPEND suspended from complete_v2_state_transition:3451 Aug 26 13:09:55.784100: | stop processing: 
state #2 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ikev2_process_packet() at ikev2.c:2018) Aug 26 13:09:55.784104: | #2 spent 0.229 milliseconds in ikev2_process_packet() Aug 26 13:09:55.784108: | stop processing: from 192.1.2.23:500 (in process_md() at demux.c:380) Aug 26 13:09:55.784110: | processing: STOP state #0 (in process_md() at demux.c:382) Aug 26 13:09:55.784112: | crypto helper 3 resuming Aug 26 13:09:55.784113: | processing: STOP connection NULL (in process_md() at demux.c:383) Aug 26 13:09:55.784128: | crypto helper 3 starting work-order 4 for state #2 Aug 26 13:09:55.784135: | spent 0.254 milliseconds in comm_handle_cb() reading and processing packet Aug 26 13:09:55.784141: | crypto helper 3 doing compute dh (V2) (ikev2_inI2outR2 KE); request ID 4 Aug 26 13:09:55.784144: | crypto helper is pausing for 1 seconds Aug 26 13:09:55.834126: | spent 0.00315 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Aug 26 13:09:55.834155: | *received 464 bytes from 192.1.2.23:500 on eth1 (192.1.3.33:500) Aug 26 13:09:55.834243: | start processing: from 192.1.2.23:500 (in process_md() at demux.c:378) Aug 26 13:09:55.834248: | **parse ISAKMP Message: Aug 26 13:09:55.834251: | initiator cookie: Aug 26 13:09:55.834254: | a9 6d 2c db 22 7f 10 cd Aug 26 13:09:55.834256: | responder cookie: Aug 26 13:09:55.834259: | a9 27 21 0d a1 26 af 75 Aug 26 13:09:55.834262: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Aug 26 13:09:55.834265: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:09:55.834268: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Aug 26 13:09:55.834272: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Aug 26 13:09:55.834275: | Message ID: 1 (0x1) Aug 26 13:09:55.834277: | length: 464 (0x1d0) Aug 26 13:09:55.834281: | processing version=2.0 packet with exchange
type=ISAKMP_v2_IKE_AUTH (35) Aug 26 13:09:55.834285: | I am the IKE SA Original Responder receiving an IKEv2 IKE_AUTH request Aug 26 13:09:55.834299: | State DB: found IKEv2 state #2 in PARENT_R1 (find_v2_ike_sa) Aug 26 13:09:55.834309: | start processing: state #2 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ikev2_process_packet() at ikev2.c:2016) Aug 26 13:09:55.834315: | [RE]START processing: state #2 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ike_process_packet() at ikev2.c:2062) Aug 26 13:09:55.834318: | #2 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001 Aug 26 13:09:55.834322: "north-eastnets/0x2" #2: discarding packet received during asynchronous work (DNS or crypto) in STATE_PARENT_R1 Aug 26 13:09:55.834327: | stop processing: state #2 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ikev2_process_packet() at ikev2.c:2018) Aug 26 13:09:55.834333: | #2 spent 0.182 milliseconds in ikev2_process_packet() Aug 26 13:09:55.834338: | stop processing: from 192.1.2.23:500 (in process_md() at demux.c:380) Aug 26 13:09:55.834341: | processing: STOP state #0 (in process_md() at demux.c:382) Aug 26 13:09:55.834345: | processing: STOP connection NULL (in process_md() at demux.c:383) Aug 26 13:09:55.834349: | spent 0.199 milliseconds in comm_handle_cb() reading and processing packet Aug 26 13:09:55.885460: | spent 0.00308 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Aug 26 13:09:55.885728: | *received 464 bytes from 192.1.2.23:500 on eth1 (192.1.3.33:500) Aug 26 13:09:55.885798: | start processing: from 192.1.2.23:500 (in process_md() at demux.c:378) Aug 26 13:09:55.885801: | **parse ISAKMP Message: Aug 26 13:09:55.885803: | initiator cookie: Aug 26 13:09:55.885805: | a9 6d 2c db 22 7f 10 cd Aug 26 13:09:55.885807: | responder cookie: Aug 26 13:09:55.885808: | a9 27 21
0d a1 26 af 75 Aug 26 13:09:55.885810: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Aug 26 13:09:55.885812: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:09:55.885814: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Aug 26 13:09:55.885816: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Aug 26 13:09:55.885818: | Message ID: 1 (0x1) Aug 26 13:09:55.885820: | length: 464 (0x1d0) Aug 26 13:09:55.885822: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) Aug 26 13:09:55.885825: | I am the IKE SA Original Responder receiving an IKEv2 IKE_AUTH request Aug 26 13:09:55.885828: | State DB: found IKEv2 state #2 in PARENT_R1 (find_v2_ike_sa) Aug 26 13:09:55.885833: | start processing: state #2 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ikev2_process_packet() at ikev2.c:2016) Aug 26 13:09:55.885837: | [RE]START processing: state #2 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ike_process_packet() at ikev2.c:2062) Aug 26 13:09:55.885841: | #2 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001 Aug 26 13:09:55.885844: "north-eastnets/0x2" #2: discarding packet received during asynchronous work (DNS or crypto) in STATE_PARENT_R1 Aug 26 13:09:55.885849: | stop processing: state #2 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ikev2_process_packet() at ikev2.c:2018) Aug 26 13:09:55.885855: | #2 spent 0.382 milliseconds in ikev2_process_packet() Aug 26 13:09:55.885859: | stop processing: from 192.1.2.23:500 (in process_md() at demux.c:380) Aug 26 13:09:55.885862: | processing: STOP state #0 (in process_md() at demux.c:382) Aug 26 13:09:55.885864: | processing: STOP connection NULL (in process_md() at demux.c:383) Aug 26 13:09:55.885867: | spent 0.396 milliseconds in comm_handle_cb() reading and processing packet Aug 26 13:09:55.985777: | spent 0.00304 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Aug 26 13:09:55.985800: | *received 464 bytes from 192.1.2.23:500 on eth1 (192.1.3.33:500) Aug 26 
13:09:55.985884: | start processing: from 192.1.2.23:500 (in process_md() at demux.c:378) Aug 26 13:09:55.985889: | **parse ISAKMP Message: Aug 26 13:09:55.985892: | initiator cookie: Aug 26 13:09:55.985894: | a9 6d 2c db 22 7f 10 cd Aug 26 13:09:55.985897: | responder cookie: Aug 26 13:09:55.985900: | a9 27 21 0d a1 26 af 75 Aug 26 13:09:55.985903: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Aug 26 13:09:55.985906: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:09:55.985909: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Aug 26 13:09:55.985912: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Aug 26 13:09:55.985915: | Message ID: 1 (0x1) Aug 26 13:09:55.985917: | length: 464 (0x1d0) Aug 26 13:09:55.985921: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) Aug 26 13:09:55.985924: | I am the IKE SA Original Responder receiving an IKEv2 IKE_AUTH request Aug 26 13:09:55.985928: | State DB: found IKEv2 state #2 in PARENT_R1 (find_v2_ike_sa) Aug 26 13:09:55.985935: | start processing: state #2 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ikev2_process_packet() at ikev2.c:2016) Aug 26 13:09:55.985941: | [RE]START processing: state #2 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ike_process_packet() at ikev2.c:2062) Aug 26 13:09:55.985944: | #2 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001 Aug 26 13:09:55.985948: "north-eastnets/0x2" #2: discarding packet received during asynchronous work (DNS or crypto) in STATE_PARENT_R1 Aug 26 13:09:55.985953: | stop processing: state #2 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ikev2_process_packet() at ikev2.c:2018) Aug 26 13:09:55.985958: | #2 spent 0.167 milliseconds in ikev2_process_packet() Aug 26 13:09:55.985962: | stop processing: from 192.1.2.23:500 (in process_md() at demux.c:380) Aug 26 13:09:55.985966: |
processing: STOP state #0 (in process_md() at demux.c:382) Aug 26 13:09:55.985969: | processing: STOP connection NULL (in process_md() at demux.c:383) Aug 26 13:09:55.985973: | spent 0.182 milliseconds in comm_handle_cb() reading and processing packet Aug 26 13:09:56.187579: | spent 0.0029 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Aug 26 13:09:56.187604: | *received 464 bytes from 192.1.2.23:500 on eth1 (192.1.3.33:500) Aug 26
13:09:56.187692: | start processing: from 192.1.2.23:500 (in process_md() at demux.c:378) Aug 26 13:09:56.187696: | **parse ISAKMP Message: Aug 26 13:09:56.187700: | initiator cookie: Aug 26 13:09:56.187703: | a9 6d 2c db 22 7f 10 cd Aug 26 13:09:56.187706: | responder cookie: Aug 26 13:09:56.187708: | a9 27 21 0d a1 26 af 75 Aug 26 13:09:56.187712: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Aug 26 13:09:56.187715: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:09:56.187718: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Aug 26 13:09:56.187722: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Aug 26 13:09:56.187725: | Message ID: 1 (0x1) Aug 26 13:09:56.187728: | length: 464 (0x1d0) Aug 26 13:09:56.187732: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) Aug 26 13:09:56.187736: | I am the IKE SA Original Responder receiving an IKEv2 IKE_AUTH request Aug 26 13:09:56.187741: | State DB: found IKEv2 state #2 in PARENT_R1 (find_v2_ike_sa) Aug 26 13:09:56.187748: | start processing: state #2 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ikev2_process_packet() at ikev2.c:2016) Aug 26 13:09:56.187754: | [RE]START processing: state #2 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ike_process_packet() at ikev2.c:2062) Aug 26 13:09:56.187758: | #2 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001 Aug 26 13:09:56.187762:
"north-eastnets/0x2" #2: discarding packet received during asynchronous work (DNS or crypto) in STATE_PARENT_R1 Aug 26 13:09:56.187768: | stop processing: state #2 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ikev2_process_packet() at ikev2.c:2018) Aug 26 13:09:56.187778: | #2 spent 0.183 milliseconds in ikev2_process_packet() Aug 26 13:09:56.187783: | stop processing: from 192.1.2.23:500 (in process_md() at demux.c:380) Aug 26 13:09:56.187788: | processing: STOP state #0 (in process_md() at demux.c:382) Aug 26 13:09:56.187792: | processing: STOP connection NULL (in process_md() at demux.c:383) Aug 26 13:09:56.187797: | spent 0.202 milliseconds in comm_handle_cb() reading and processing packet Aug 26 13:09:56.426258: | calculating skeyseed using prf=sha2_256 integ=sha2_256 cipherkey-size=32 salt-size=0 Aug 26 13:09:56.427312: | crypto helper 1 finished compute dh (V2) (ikev2_inR1outI2 KE); request ID 3 time elapsed 1.003197 seconds Aug 26 13:09:56.427354: | (#1) spent 3.12 milliseconds in crypto helper computing work-order 3: ikev2_inR1outI2 KE (pcr) Aug 26 13:09:56.427369: | crypto helper 1 sending results from work-order 3 for state #1 to event queue Aug 26 13:09:56.427398: | scheduling resume sending helper answer for #1 Aug 26 13:09:56.427412: | libevent_malloc: new ptr-libevent@0x7fede8000f40 size 128 Aug 26 13:09:56.427439: | crypto helper 1 waiting (nothing to do) Aug 26 13:09:56.427507: | processing resume sending helper answer for #1 Aug 26 13:09:56.427550: | start processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23 (in resume_handler() at server.c:797) Aug 26 13:09:56.427566: | crypto helper 1 replies to request ID 3 Aug 26 13:09:56.427575: | calling continuation function 0x55fb048b9b50 Aug 26 13:09:56.427584: | ikev2_parent_inR1outI2_continue for #1: calculating g^{xy}, sending I2 Aug 26 13:09:56.427611: | creating state object #3 at 0x55fb06388d10 Aug 26 13:09:56.427621: | State DB: adding IKEv2 state #3 in UNDEFINED Aug 26 
13:09:56.427639: | pstats #3 ikev2.child started Aug 26 13:09:56.427649: | duplicating state object #1 "north-eastnets/0x2" as #3 for IPSEC SA Aug 26 13:09:56.427664: | #3 setting local endpoint to 192.1.3.33:500 from #1.st_localport (in duplicate_state() at state.c:1484) Aug 26 13:09:56.427685: | Message ID: init_child #1.#3; ike: initiator.sent=0 initiator.recv=-1 responder.sent=-1 responder.recv=-1; child: wip.initiator=0->-1 wip.responder=0->-1 Aug 26 13:09:56.427699: | Message ID: switch-from #1 response 0; ike: initiator.sent=0 initiator.recv=-1 responder.sent=-1 responder.recv=-1 wip.initiator=0->-1 wip.responder=-1 Aug 26 13:09:56.427713: | Message ID: switch-to #1.#3 response 0; ike: initiator.sent=0 initiator.recv=-1 responder.sent=-1 responder.recv=-1; child: wip.initiator=-1->0 wip.responder=-1 Aug 26 13:09:56.427722: | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted Aug 26 13:09:56.427733: | libevent_free: release ptr-libevent@0x55fb063818a0 Aug 26 13:09:56.427742: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55fb06381860 Aug 26 13:09:56.427751: | event_schedule: new EVENT_SA_REPLACE-pe@0x55fb06381860 Aug 26 13:09:56.427763: | inserting event EVENT_SA_REPLACE, timeout in 60 seconds for #1 Aug 26 13:09:56.427772: | libevent_malloc: new ptr-libevent@0x55fb063818a0 size 128 Aug 26 13:09:56.427783: | parent state #1: PARENT_I1(half-open IKE SA) => PARENT_I2(open IKE SA) Aug 26 13:09:56.427803: | **emit ISAKMP Message: Aug 26 13:09:56.427812: | initiator cookie: Aug 26 13:09:56.427820: | f4 b6 d6 b1 3a 28 54 37 Aug 26 13:09:56.427827: | responder cookie: Aug 26 13:09:56.427834: | ed ec 45 23 73 d7 1a d3 Aug 26 13:09:56.427843: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 13:09:56.427851: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:09:56.427860: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Aug 26 13:09:56.427869: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Aug 26 13:09:56.427877: | Message ID: 1 (0x1) Aug 26 
13:09:56.427886: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 13:09:56.427895: | ***emit IKEv2 Encryption Payload: Aug 26 13:09:56.427904: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:09:56.427911: | flags: none (0x0) Aug 26 13:09:56.427930: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Aug 26 13:09:56.427940: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'reply packet' Aug 26 13:09:56.427952: | emitting 16 zero bytes of IV into IKEv2 Encryption Payload Aug 26 13:09:56.427974: | IKEv2 CERT: send a certificate? Aug 26 13:09:56.427982: | IKEv2 CERT: no certificate to send Aug 26 13:09:56.427990: | IDr payload will be sent Aug 26 13:09:56.428035: | ****emit IKEv2 Identification - Initiator - Payload: Aug 26 13:09:56.428045: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:09:56.428053: | flags: none (0x0) Aug 26 13:09:56.428061: | ID type: ID_FQDN (0x2) Aug 26 13:09:56.428072: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Identification - Initiator - Payload (35:ISAKMP_NEXT_v2IDi) Aug 26 13:09:56.428081: | next payload chain: saving location 'IKEv2 Identification - Initiator - Payload'.'next payload type' in 'reply packet' Aug 26 13:09:56.428091: | emitting 5 raw bytes of my identity into IKEv2 Identification - Initiator - Payload Aug 26 13:09:56.428098: | my identity 6e 6f 72 74 68 Aug 26 13:09:56.428107: | emitting length of IKEv2 Identification - Initiator - Payload: 13 Aug 26 13:09:56.428131: | ****emit IKEv2 Identification - Responder - Payload: Aug 26 13:09:56.428140: | next payload type: ISAKMP_NEXT_v2AUTH (0x27) Aug 26 13:09:56.428147: | flags: none (0x0) Aug 26 13:09:56.428155: | ID type: ID_FQDN (0x2) Aug 26 13:09:56.428164: | next payload chain: ignoring supplied 'IKEv2 Identification - Responder - 
Payload'.'next payload type' value 39:ISAKMP_NEXT_v2AUTH Aug 26 13:09:56.428174: | next payload chain: setting previous 'IKEv2 Identification - Initiator - Payload'.'next payload type' to current IKEv2 Identification - Responder - Payload (36:ISAKMP_NEXT_v2IDr) Aug 26 13:09:56.428183: | next payload chain: saving location 'IKEv2 Identification - Responder - Payload'.'next payload type' in 'reply packet' Aug 26 13:09:56.428192: | emitting 4 raw bytes of IDr into IKEv2 Identification - Responder - Payload Aug 26 13:09:56.428200: | IDr 65 61 73 74 Aug 26 13:09:56.428208: | emitting length of IKEv2 Identification - Responder - Payload: 12 Aug 26 13:09:56.428215: | not sending INITIAL_CONTACT Aug 26 13:09:56.428224: | ****emit IKEv2 Authentication Payload: Aug 26 13:09:56.428232: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:09:56.428239: | flags: none (0x0) Aug 26 13:09:56.428247: | auth method: IKEv2_AUTH_RSA (0x1) Aug 26 13:09:56.428257: | next payload chain: setting previous 'IKEv2 Identification - Responder - Payload'.'next payload type' to current IKEv2 Authentication Payload (39:ISAKMP_NEXT_v2AUTH) Aug 26 13:09:56.428266: | next payload chain: saving location 'IKEv2 Authentication Payload'.'next payload type' in 'reply packet' Aug 26 13:09:56.428281: | started looking for secret for @north->@east of kind PKK_RSA Aug 26 13:09:56.428312: | actually looking for secret for @north->@east of kind PKK_RSA Aug 26 13:09:56.428342: | line 1: key type PKK_RSA(@north) to type PKK_RSA Aug 26 13:09:56.428357: | 1: compared key (none) to @north / @east -> 002 Aug 26 13:09:56.428366: | 2: compared key (none) to @north / @east -> 002 Aug 26 13:09:56.428373: | line 1: match=002 Aug 26 13:09:56.428383: | match 002 beats previous best_match 000 match=0x55fb063730d0 (line=1) Aug 26 13:09:56.428391: | concluding with best_match=002 best=0x55fb063730d0 (lineno=1) Aug 26 13:09:56.445532: | #1 spent 16.9 milliseconds in ikev2_calculate_rsa_hash() calling sign_hash_RSA() Aug 26 
13:09:56.445574: | emitting 274 raw bytes of rsa signature into IKEv2 Authentication Payload Aug 26 13:09:56.445738: | #1 spent 17.3 milliseconds in ikev2_calculate_rsa_hash() Aug 26 13:09:56.445748: | emitting length of IKEv2 Authentication Payload: 282 Aug 26 13:09:56.445757: | getting first pending from state #1 Aug 26 13:09:56.445767: | Switching Child connection for #3 to "north-eastnets/0x1" from "north-eastnets/0x2" Aug 26 13:09:56.445784: | in
connection_discard for connection north-eastnets/0x2 Aug 26 13:09:56.446518: | netlink_get_spi: allocated 0xea232af2 for esp.0@192.1.3.33 Aug 26 13:09:56.446547: | constructing ESP/AH proposals with all DH removed for north-eastnets/0x1 (IKE SA initiator emitting ESP/AH proposals) Aug 26 13:09:56.446564: | converting proposal AES_CBC_128-HMAC_SHA2_512_256-MODP3072 to ikev2 ... Aug 26 13:09:56.446583: | ... ikev2_proposal: 1:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;DH=NONE;ESN=DISABLED Aug 26 13:09:56.446598: "north-eastnets/0x1": constructed local ESP/AH proposals for north-eastnets/0x1 (IKE SA initiator emitting ESP/AH proposals): 1:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;DH=NONE;ESN=DISABLED Aug 26 13:09:56.446630: | Emitting ikev2_proposals ... Aug 26 13:09:56.446646: | ****emit IKEv2 Security Association Payload: Aug 26 13:09:56.446659: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:09:56.446673: | flags: none (0x0) Aug 26 13:09:56.446690: | next payload chain: setting previous 'IKEv2 Authentication Payload'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Aug 26 13:09:56.446701: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Aug 26 13:09:56.446710: | discarding DH=NONE Aug 26 13:09:56.446719: | *****emit IKEv2 Proposal Substructure Payload: Aug 26 13:09:56.446727: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 13:09:56.446735: | prop #: 1 (0x1) Aug 26 13:09:56.446743: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 13:09:56.446751: | spi size: 4 (0x4) Aug 26 13:09:56.446758: | # transforms: 3 (0x3) Aug 26 13:09:56.446767: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Aug 26 13:09:56.446777: | emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload Aug 26 13:09:56.446785: | our spi ea 23 2a f2 Aug 26 13:09:56.446793: | ******emit IKEv2 Transform 
Substructure Payload: Aug 26 13:09:56.446801: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:09:56.446809: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:09:56.446817: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 13:09:56.446825: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:09:56.446843: | *******emit IKEv2 Attribute Substructure Payload: Aug 26 13:09:56.446853: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:09:56.446861: | length/value: 128 (0x80) Aug 26 13:09:56.446870: | emitting length of IKEv2 Transform Substructure Payload: 12 Aug 26 13:09:56.446878: | ******emit IKEv2 Transform Substructure Payload: Aug 26 13:09:56.446886: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:09:56.446895: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:09:56.446907: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Aug 26 13:09:56.446918: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:09:56.446927: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:09:56.446938: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:09:56.446949: | discarding DH=NONE Aug 26 13:09:56.446959: | ******emit IKEv2 Transform Substructure Payload: Aug 26 13:09:56.446967: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:09:56.446975: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 13:09:56.446983: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 13:09:56.446995: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:09:56.447005: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure 
Payload'.'last transform' Aug 26 13:09:56.447014: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:09:56.447023: | emitting length of IKEv2 Proposal Substructure Payload: 40 Aug 26 13:09:56.447036: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Aug 26 13:09:56.447046: | emitting length of IKEv2 Security Association Payload: 44 Aug 26 13:09:56.447055: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Aug 26 13:09:56.447064: | ****emit IKEv2 Traffic Selector - Initiator - Payload: Aug 26 13:09:56.447073: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:09:56.447080: | flags: none (0x0) Aug 26 13:09:56.447090: | number of TS: 1 (0x1) Aug 26 13:09:56.447103: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Traffic Selector - Initiator - Payload (44:ISAKMP_NEXT_v2TSi) Aug 26 13:09:56.447112: | next payload chain: saving location 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' in 'reply packet' Aug 26 13:09:56.447121: | *****emit IKEv2 Traffic Selector: Aug 26 13:09:56.447133: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 13:09:56.447144: | IP Protocol ID: 0 (0x0) Aug 26 13:09:56.447152: | start port: 0 (0x0) Aug 26 13:09:56.447160: | end port: 65535 (0xffff) Aug 26 13:09:56.447172: | emitting 4 raw bytes of ipv4 start into IKEv2 Traffic Selector Aug 26 13:09:56.447184: | ipv4 start c0 00 03 00 Aug 26 13:09:56.447194: | emitting 4 raw bytes of ipv4 end into IKEv2 Traffic Selector Aug 26 13:09:56.447202: | ipv4 end c0 00 03 ff Aug 26 13:09:56.447210: | emitting length of IKEv2 Traffic Selector: 16 Aug 26 13:09:56.447221: | emitting length of IKEv2 Traffic Selector - Initiator - Payload: 24 Aug 26 13:09:56.447233: | ****emit IKEv2 Traffic Selector - Responder - Payload: Aug 26 13:09:56.447242: | next 
payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:09:56.447249: | flags: none (0x0) Aug 26 13:09:56.447258: | number of TS: 1 (0x1) Aug 26 13:09:56.447274: | next payload chain: setting previous 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' to current IKEv2 Traffic Selector - Responder - Payload (45:ISAKMP_NEXT_v2TSr) Aug 26 13:09:56.447284: | next payload chain: saving location 'IKEv2 Traffic Selector - Responder - Payload'.'next payload type' in 'reply packet' Aug 26 13:09:56.447318: | *****emit IKEv2 Traffic Selector: Aug 26 13:09:56.447329: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 13:09:56.447338: | IP Protocol ID: 0 (0x0) Aug 26 13:09:56.447350: | start port: 0 (0x0) Aug 26 13:09:56.447359: | end port: 65535 (0xffff) Aug 26 13:09:56.447369: | emitting 4 raw bytes of ipv4 start into IKEv2 Traffic Selector Aug 26 13:09:56.447376: | ipv4 start c0 00 02 00 Aug 26 13:09:56.447386: | emitting 4 raw bytes of ipv4 end into IKEv2 Traffic Selector Aug 26 13:09:56.447397: | ipv4 end c0 00 02 ff Aug 26 13:09:56.447407: | emitting length of IKEv2 Traffic Selector: 16 Aug 26 13:09:56.447415: | emitting length of IKEv2 Traffic Selector - Responder - Payload: 24 Aug 26 13:09:56.447424: | Initiator child policy is tunnel mode, NOT sending v2N_USE_TRANSPORT_MODE Aug 26 13:09:56.447432: | Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED Aug 26 13:09:56.447443: | adding 1 bytes of padding (including 1 byte padding-length) Aug 26 13:09:56.447458: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:09:56.447469: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Aug 26 13:09:56.447478: | emitting length of IKEv2 Encryption Payload: 436 Aug 26 13:09:56.447487: | emitting length of ISAKMP Message: 464 Aug 26
13:09:56.447862: | out calculated auth: Aug 26 13:09:56.447874: | eb db 45 5e bc 70 d6 e7 51 2b d5 82 7e 55 c3 1e Aug 26 13:09:56.447900: | suspend processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:09:56.447920: | start processing: state #3 connection "north-eastnets/0x1" from 192.1.2.23 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:09:56.447934: | #3 complete_v2_state_transition() md.from_state=PARENT_I1 md.svm.state[from]=PARENT_I1 UNDEFINED->PARENT_I2 with status STF_OK Aug 26 13:09:56.447945: | IKEv2: transition from state STATE_PARENT_I1 to state STATE_PARENT_I2 Aug 26 13:09:56.447959: | child state #3: UNDEFINED(ignore) => PARENT_I2(open IKE SA) Aug 26 13:09:56.447970: | Message ID: updating counters for #3 to 0 after switching state Aug 26 13:09:56.447988: | Message ID: recv #1.#3 response 0; ike: initiator.sent=0 initiator.recv=-1->0 responder.sent=-1 responder.recv=-1; child: wip.initiator=0->-1 wip.responder=-1 Aug 26 13:09:56.448008: | Message ID: sent #1.#3 request 1; ike: initiator.sent=0->1 initiator.recv=0 responder.sent=-1 responder.recv=-1; child: wip.initiator=-1->1 wip.responder=-1 Aug 26 13:09:56.448025: "north-eastnets/0x1" #3: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048} Aug 26 13:09:56.448073: | sending V2 reply packet to 192.1.2.23:500 (from 192.1.3.33:500) Aug 26 13:09:56.448105: | sending 464 bytes for STATE_PARENT_I1 through eth1 from 192.1.3.33:500 to 192.1.2.23:500
(using #1) Aug 26 13:09:56.449422: | success_v2_state_transition scheduling EVENT_RETRANSMIT of c->r_interval=50ms Aug 26 13:09:56.449469: | event_schedule: new EVENT_RETRANSMIT-pe@0x55fb063849e0 Aug 26 13:09:56.449501: | inserting event EVENT_RETRANSMIT, timeout in 0.05 seconds for #3 Aug 26 13:09:56.449520: | libevent_malloc: new ptr-libevent@0x7fede4006900 size 128 Aug 26 13:09:56.449546: | #3 STATE_PARENT_I2: retransmits: first event in 0.05 seconds; timeout in 60 seconds; limit of 12 retransmits; current time is 10282.191925 Aug 26 13:09:56.449565: | resume sending helper answer for #1 suppresed complete_v2_state_transition() Aug 26 13:09:56.449589: | #1 spent 3.74 milliseconds Aug 26 13:09:56.449606: | #1 spent 21.7 milliseconds in resume sending helper answer Aug 26 13:09:56.449628: | stop processing: state #3 connection "north-eastnets/0x1" from 192.1.2.23 (in resume_handler() at server.c:833) Aug 26 13:09:56.449645: | libevent_free: release ptr-libevent@0x7fede8000f40 Aug 26 13:09:56.499771: | timer_event_cb: processing event@0x55fb063849e0 Aug 26 13:09:56.499825: | handling event EVENT_RETRANSMIT for child state #3 Aug 26 13:09:56.499858: | start processing: state #3 connection "north-eastnets/0x1" from 192.1.2.23 (in timer_event_cb() at timer.c:250) Aug 26 13:09:56.499879: | IKEv2 retransmit event Aug 26 13:09:56.499905: | [RE]START processing: state #3 connection "north-eastnets/0x1" from 192.1.2.23 (in retransmit_v2_msg() at retry.c:144) Aug 26 13:09:56.499928: | handling event EVENT_RETRANSMIT for 192.1.2.23 "north-eastnets/0x1" #3 attempt 2 of 0 Aug 26 13:09:56.499949: | and parent for 192.1.2.23 "north-eastnets/0x1" #1 keying attempt 1 of 0; retransmit 1 Aug 26 13:09:56.499980: | retransmits: current time 10282.242429; retransmit count 0 exceeds limit? NO; deltatime 0.05 exceeds limit?
NO; monotime 0.050504 exceeds limit? NO Aug 26 13:09:56.499997: | event_schedule: new EVENT_RETRANSMIT-pe@0x55fb06384420 Aug 26 13:09:56.500016: | inserting event EVENT_RETRANSMIT, timeout in 0.05 seconds for #3 Aug 26 13:09:56.500033: | libevent_malloc: new ptr-libevent@0x7fede8000f40 size 128 Aug 26 13:09:56.500054: "north-eastnets/0x1" #3: STATE_PARENT_I2: retransmission; will wait 0.05 seconds for response Aug 26 13:09:56.500118: | sending 464 bytes for EVENT_RETRANSMIT through eth1 from 192.1.3.33:500 to 192.1.2.23:500 (using #1)
Aug 26 13:09:56.500670: | libevent_free: release ptr-libevent@0x7fede4006900 Aug 26 13:09:56.500694: | free_event_entry: release EVENT_RETRANSMIT-pe@0x55fb063849e0 Aug 26 13:09:56.500724: | #3 spent 0.852 milliseconds in timer_event_cb() EVENT_RETRANSMIT Aug 26 13:09:56.500751: | stop processing: state #3 connection "north-eastnets/0x1" from 192.1.2.23 (in timer_event_cb() at timer.c:557) Aug 26 13:09:56.514593: | spent 0.0097 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Aug 26 13:09:56.514665: | *received 464 bytes from 192.1.2.23:500 on eth1 (192.1.3.33:500)
Aug 26 13:09:56.514896: | start processing: from 192.1.2.23:500 (in process_md() at demux.c:378) Aug 26 13:09:56.514907: | **parse ISAKMP Message: Aug 26 13:09:56.514916: | initiator cookie: Aug 26 13:09:56.514924: | f4 b6 d6 b1 3a 28 54 37 Aug 26 13:09:56.514931: | responder cookie: Aug 26 13:09:56.514938: | ed ec 45 23 73 d7 1a d3 Aug 26 13:09:56.514947: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Aug 26 13:09:56.514956: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:09:56.514964: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Aug 26
13:09:56.514972: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Aug 26 13:09:56.514980: | Message ID: 1 (0x1) Aug 26 13:09:56.514988: | length: 464 (0x1d0) Aug 26 13:09:56.514997: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) Aug 26 13:09:56.515017: | I am the IKE SA Original Initiator receiving an IKEv2 IKE_AUTH response Aug 26 13:09:56.515029: | State DB: found IKEv2 state #1 in PARENT_I2 (find_v2_ike_sa) Aug 26 13:09:56.515048: | start processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23 (in ikev2_process_packet() at ikev2.c:2016) Aug 26 13:09:56.515058: | State DB: found IKEv2 state #3 in PARENT_I2 (find_v2_sa_by_initiator_wip) Aug 26 13:09:56.515071: | suspend processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23 (in ike_process_packet() at ikev2.c:2062) Aug 26 13:09:56.515084: | start processing: state #3 connection "north-eastnets/0x1" from 192.1.2.23 (in ike_process_packet() at ikev2.c:2062) Aug 26 13:09:56.515092: | #3 is idle Aug 26 13:09:56.515099: | #3 idle Aug 26 13:09:56.515106: | unpacking clear payload Aug 26 13:09:56.515114: | Now let's proceed with payload (ISAKMP_NEXT_v2SK) Aug 26 13:09:56.515123: | ***parse IKEv2 Encryption Payload: Aug 26 13:09:56.515132: | next payload type: ISAKMP_NEXT_v2IDr (0x24) Aug 26 13:09:56.515140: | flags: none (0x0) Aug 26 13:09:56.515147: | length: 436 (0x1b4) Aug 26 13:09:56.515156: | processing payload: ISAKMP_NEXT_v2SK (len=432) Aug 26 13:09:56.515164: | #3 in state PARENT_I2: sent v2I2, expected v2R2
Aug 26 13:09:56.515539: | calculated auth: c2 92 2d d8 0c 2e 81 d7 d1 a9 60 8c 86 31 32 21 Aug 26 13:09:56.515551: | provided auth: c2 92 2d d8 0c 2e 81 d7 d1 a9 60 8c 86 31 32 21 Aug 26 13:09:56.515570: | authenticator matched Aug 26 13:09:56.515617: | #3 ikev2 ISAKMP_v2_IKE_AUTH decrypt success Aug 26 13:09:56.515634: | Now let's proceed with payload (ISAKMP_NEXT_v2IDr) Aug 26 13:09:56.515650: | **parse IKEv2 Identification - Responder - Payload: Aug 26 13:09:56.515659: | next payload type: ISAKMP_NEXT_v2AUTH (0x27) Aug 26 13:09:56.515667: | flags: none (0x0) Aug 26 13:09:56.515675: | length: 12 (0xc) Aug 26 13:09:56.515683: | ID type: ID_FQDN (0x2) Aug 26 13:09:56.515691: | processing payload: ISAKMP_NEXT_v2IDr (len=4) Aug 26 13:09:56.515698: | Now let's proceed with payload (ISAKMP_NEXT_v2AUTH) Aug 26 13:09:56.515707: | **parse IKEv2 Authentication Payload: Aug 26 13:09:56.515714: | next payload type: ISAKMP_NEXT_v2SA (0x21) Aug 26 13:09:56.515722: | flags: none (0x0) Aug 26 13:09:56.515729: | length: 282 (0x11a) Aug 26 13:09:56.515737: | auth method: IKEv2_AUTH_RSA (0x1) Aug 26 13:09:56.515745: | processing payload: ISAKMP_NEXT_v2AUTH (len=274) Aug 26 13:09:56.515752: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Aug 26 13:09:56.515760: | **parse IKEv2 Security Association Payload: Aug 26 13:09:56.515768: | next payload type: ISAKMP_NEXT_v2TSi (0x2c) Aug 26 13:09:56.515775: | flags: none (0x0) Aug 26 13:09:56.515782: | length: 44 (0x2c) Aug 26 13:09:56.515790: | processing payload: ISAKMP_NEXT_v2SA (len=40) Aug 26 13:09:56.515797: | Now let's proceed with payload (ISAKMP_NEXT_v2TSi) Aug 26 13:09:56.515805: | **parse IKEv2 Traffic Selector - Initiator - Payload: Aug 26 13:09:56.515813: | next payload type: ISAKMP_NEXT_v2TSr (0x2d) Aug 26 13:09:56.515820: | flags: none (0x0) Aug 26 13:09:56.515827: | length: 24 (0x18) Aug 26 13:09:56.515835: | number of TS: 1 (0x1) Aug 26 13:09:56.515842: | processing payload:
ISAKMP_NEXT_v2TSi (len=16) Aug 26 13:09:56.515849: | Now let's proceed with payload (ISAKMP_NEXT_v2TSr) Aug 26 13:09:56.515857: | **parse IKEv2 Traffic Selector - Responder - Payload: Aug 26 13:09:56.515865: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:09:56.515872: | flags: none (0x0) Aug 26 13:09:56.515879: | length: 24 (0x18) Aug 26 13:09:56.515886: | number of TS: 1 (0x1) Aug 26 13:09:56.515894: | processing payload: ISAKMP_NEXT_v2TSr (len=16) Aug 26 13:09:56.515902: | selected state microcode Initiator: process IKE_AUTH response Aug 26 13:09:56.515910: | Now let's proceed with state specific processing Aug 26 13:09:56.515918: | calling processor Initiator: process IKE_AUTH response Aug 26 13:09:56.515934: | offered CA: '%none' Aug 26 13:09:56.515947: "north-eastnets/0x1" #3: IKEv2 mode peer ID is ID_FQDN: '@east' Aug 26 13:09:56.516015: | verifying AUTH payload Aug 26 13:09:56.516035: | #1 spent 1.38 milliseconds Aug 26 13:09:56.516066: | required RSA CA is '%any' Aug 26 13:09:56.516077: | checking RSA keyid '@east' for match with '@east' Aug 26 13:09:56.516085: | key issuer CA is '%any' Aug 26 13:09:56.516261: | an RSA Sig check passed with *AQO9bJbr3 [preloaded key] Aug 26 13:09:56.516281: | #1 spent 0.181 milliseconds in try_all_RSA_keys() trying a pubkey Aug 26 13:09:56.516313: "north-eastnets/0x1" #3: Authenticated using RSA Aug 26 13:09:56.516366: | #1 spent 0.314 milliseconds in ikev2_verify_rsa_hash() Aug 26 13:09:56.516388: | parent state #1: PARENT_I2(open IKE SA) => PARENT_I3(established IKE SA) Aug 26 13:09:56.516409: | #1 will start re-keying in 2607 seconds with margin of 993 seconds (attempting re-key) Aug 26 13:09:56.516423: | state #1 requesting EVENT_SA_REPLACE to be deleted Aug 26 13:09:56.516440: | libevent_free: release ptr-libevent@0x55fb063818a0 Aug 26 13:09:56.516454: | free_event_entry: release EVENT_SA_REPLACE-pe@0x55fb06381860 Aug 26 13:09:56.516468: | event_schedule: new EVENT_SA_REKEY-pe@0x55fb06381860 Aug 26 
13:09:56.516486: | inserting event EVENT_SA_REKEY, timeout in 2607 seconds for #1 Aug 26 13:09:56.516500: | libevent_malloc: new ptr-libevent@0x55fb063818a0 size 128 Aug 26 13:09:56.517362: | pstats #1 ikev2.ike established Aug 26 13:09:56.517412: | TSi: parsing 1 traffic selectors Aug 26 13:09:56.517438: | ***parse IKEv2 Traffic Selector: Aug 26 13:09:56.517457: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 13:09:56.517472: | IP Protocol ID: 0 (0x0) Aug 26 13:09:56.517486: | length: 16 (0x10) Aug 26 13:09:56.517499: | start port: 0 (0x0) Aug 26 13:09:56.517512: | end port: 65535 (0xffff) Aug 26 13:09:56.517528: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Aug 26 13:09:56.517541: | TS low c0 00 03 00 Aug 26 13:09:56.517556: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Aug 26 13:09:56.517570: | TS high c0 00 03 ff Aug 26 13:09:56.517585: | TSi: parsed 1 traffic selectors Aug 26 13:09:56.517599: | TSr: parsing 1 traffic selectors Aug 26 13:09:56.517614: | ***parse IKEv2 Traffic Selector: Aug 26 13:09:56.517629: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 13:09:56.517645: | IP Protocol ID: 0 (0x0) Aug 26 13:09:56.517659: | length: 16 (0x10) Aug 26 13:09:56.517672: | start port: 0 (0x0) Aug 26 13:09:56.517686: | end port: 65535 (0xffff) Aug 26 13:09:56.517701: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Aug 26 13:09:56.517714: | TS low c0 00 02 00 Aug 26 13:09:56.517728: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Aug 26 13:09:56.517741: | TS high c0 00 02 ff Aug 26 13:09:56.517755: | TSr: parsed 1 traffic selectors Aug 26 13:09:56.517783: | evaluating our conn="north-eastnets/0x1" I=192.0.3.0/24:0/0 R=192.0.2.0/24:0/0 to their: Aug 26 13:09:56.517804: | TSi[0] .net=192.0.3.0-192.0.3.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 13:09:56.517826: | match address end->client=192.0.3.0/24 == TSi[0]net=192.0.3.0-192.0.3.255: YES fitness 32 Aug 26 13:09:56.517836: | narrow port end=0..65535 == 
TSi[0]=0..65535: 0 Aug 26 13:09:56.517844: | TSi[0] port match: YES fitness 65536 Aug 26 13:09:56.517853: | narrow protocol end=*0 == TSi[0]=*0: 0 Aug 26 13:09:56.517863: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Aug 26 13:09:56.517877: | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 13:09:56.517894: | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 Aug 26 13:09:56.517903: | narrow port end=0..65535 == TSr[0]=0..65535: 0 Aug 26 13:09:56.517910: | TSr[0] port match: YES fitness 65536 Aug 26 13:09:56.517918: | narrow protocol end=*0 == TSr[0]=*0: 0 Aug 26 13:09:56.517927: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Aug 26 13:09:56.517935: | best fit so far: TSi[0] TSr[0] Aug 26 13:09:56.517942: | found an acceptable TSi/TSr Traffic Selector Aug 26 13:09:56.517949: | printing contents struct traffic_selector Aug 26 13:09:56.517957: | ts_type: IKEv2_TS_IPV6_ADDR_RANGE Aug 26 13:09:56.517964: | ipprotoid: 0 Aug 26 13:09:56.517972: | port range: 0-65535 Aug 26 13:09:56.517984: | ip range: 192.0.3.0-192.0.3.255 Aug 26 13:09:56.517991: | printing contents struct traffic_selector Aug 26 13:09:56.517998: | ts_type: IKEv2_TS_IPV6_ADDR_RANGE Aug 26 13:09:56.518005: | ipprotoid: 0 Aug 26 13:09:56.518012: | port range: 0-65535 Aug 26 13:09:56.518023: | ip range: 192.0.2.0-192.0.2.255 Aug 26 13:09:56.518044: | using existing local ESP/AH proposals for north-eastnets/0x1 (IKE_AUTH initiator accepting remote ESP/AH proposal): 1:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;DH=NONE;ESN=DISABLED Aug 26 13:09:56.518055: | Comparing remote proposals against IKE_AUTH initiator accepting remote ESP/AH proposal 1 local proposals Aug 26 13:09:56.518066: | local proposal 1 type ENCR has 1 transforms Aug 26 13:09:56.518075: | local proposal 1 type PRF has 0 transforms Aug 26 13:09:56.518083: | local proposal 1 type INTEG has 1 transforms Aug 26 13:09:56.518090: | local 
proposal 1 type DH has 1 transforms Aug 26 13:09:56.518098: | local proposal 1 type ESN has 1 transforms Aug 26 13:09:56.518108: | local proposal 1 transforms: required: ENCR+INTEG+ESN; optional: DH Aug 26 13:09:56.518125: | ***parse IKEv2 Proposal Substructure Payload: Aug 26 13:09:56.518135: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 13:09:56.518143: | length: 40 (0x28) Aug 26 13:09:56.518151: | prop #: 1 (0x1) Aug 26 13:09:56.518159: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 13:09:56.518166: | spi size: 4 (0x4) Aug 26 13:09:56.518174: | # transforms: 3 (0x3) Aug 26 13:09:56.518184: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Aug 26 13:09:56.518191: | remote SPI 2e 93 a5 12 Aug 26 13:09:56.518201: | Comparing remote proposal 1 containing 3 transforms against local proposal [1..1] of 1 local proposals Aug 26 13:09:56.518210: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:09:56.518218: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:09:56.518226: | length: 12 (0xc) Aug 26 13:09:56.518234: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:09:56.518241: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 13:09:56.518250: | *****parse IKEv2 Attribute Substructure Payload: Aug 26 13:09:56.518258: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:09:56.518266: | length/value: 128 (0x80) Aug 26 13:09:56.518279: | remote proposal 1 transform 0 (ENCR=AES_CBC_128) matches local proposal 1 type 1 (ENCR) transform 0 Aug 26 13:09:56.518287: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:09:56.518338: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:09:56.518346: | length: 8 (0x8) Aug 26 13:09:56.518353: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:09:56.518361: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Aug 26 13:09:56.518372: | remote proposal 1 transform 1 (INTEG=HMAC_SHA2_512_256) matches local proposal 1 type 3 (INTEG) transform 0 Aug 26 13:09:56.518381: | ****parse IKEv2 
Transform Substructure Payload: Aug 26 13:09:56.518388: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:09:56.518396: | length: 8 (0x8) Aug 26 13:09:56.518403: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 13:09:56.518411: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 13:09:56.518421: | remote proposal 1 transform 2 (ESN=DISABLED) matches local proposal 1 type 5 (ESN) transform 0 Aug 26 13:09:56.518432: | remote proposal 1 proposed transforms: ENCR+INTEG+ESN; matched: ENCR+INTEG+ESN; unmatched: none Aug 26 13:09:56.518446: | comparing remote proposal 1 containing ENCR+INTEG+ESN transforms to local proposal 1; required: ENCR+INTEG+ESN; optional: DH; matched: ENCR+INTEG+ESN Aug 26 13:09:56.518454: | remote proposal 1 matches local proposal 1 Aug 26 13:09:56.518463: | remote accepted the proposal 1:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;ESN=DISABLED[first-match] Aug 26 13:09:56.518479: | IKE_AUTH initiator accepting remote ESP/AH proposal ikev2_proposal: 1:ESP:SPI=2e93a512;ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;ESN=DISABLED Aug 26 13:09:56.518487: | converting proposal to internal trans attrs Aug 26 13:09:56.518505: | integ=sha2_512: .key_size=64 encrypt=aes: .key_size=16 .salt_size=0 keymat_len=80 Aug 26 13:09:56.519352: | #1 spent 2.93 milliseconds Aug 26 13:09:56.519391: | install_ipsec_sa() for #3: inbound and outbound Aug 26 13:09:56.519408: | could_route called for north-eastnets/0x1 (kind=CK_PERMANENT) Aug 26 13:09:56.519419: | FOR_EACH_CONNECTION_... 
in route_owner Aug 26 13:09:56.519430: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 vs Aug 26 13:09:56.519438: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 Aug 26 13:09:56.519447: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 vs Aug 26 13:09:56.519455: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 Aug 26 13:09:56.519472: | route owner of "north-eastnets/0x1" unrouted: NULL; eroute owner: NULL Aug 26 13:09:56.519483: | looking for alg with encrypt: AES_CBC keylen: 128 integ: HMAC_SHA2_512_256 Aug 26 13:09:56.519493: | encrypt AES_CBC keylen=128 transid=12, key_size=16, encryptalg=12 Aug 26 13:09:56.519501: | st->st_esp.keymat_len=80 is encrypt_keymat_size=16 + integ_keymat_size=64 Aug 26 13:09:56.519528: | setting IPsec SA replay-window to 32 Aug 26 13:09:56.519538: | NIC esp-hw-offload not for connection 'north-eastnets/0x1' not available on interface eth1 Aug 26 13:09:56.519547: | netlink: enabling tunnel mode Aug 26 13:09:56.519556: | netlink: setting IPsec SA replay-window to 32 using old-style req Aug 26 13:09:56.519564: | netlink: esp-hw-offload not set for IPsec SA Aug 26 13:09:56.519787: | netlink response for Add SA esp.2e93a512@192.1.2.23 included non-error error Aug 26 13:09:56.519804: | set up outgoing SA, ref=0/0 Aug 26 13:09:56.519836: | looking for alg with encrypt: AES_CBC keylen: 128 integ: HMAC_SHA2_512_256 Aug 26 13:09:56.519858: | encrypt AES_CBC keylen=128 transid=12, key_size=16, encryptalg=12 Aug 26 13:09:56.519877: | st->st_esp.keymat_len=80 is encrypt_keymat_size=16 + integ_keymat_size=64 Aug 26 13:09:56.519898: | setting IPsec SA replay-window to 32 Aug 26 13:09:56.519914: | NIC esp-hw-offload not for connection 'north-eastnets/0x1' not available on interface eth1 Aug 26 13:09:56.519928: | netlink: enabling tunnel mode Aug 26 13:09:56.519945: | netlink: setting IPsec SA replay-window to 32 using old-style req Aug 26 13:09:56.519961: | netlink: esp-hw-offload not set for IPsec SA Aug 26 13:09:56.520174: | 
netlink response for Add SA esp.ea232af2@192.1.3.33 included non-error error Aug 26 13:09:56.520203: | priority calculation of connection "north-eastnets/0x1" is 0xfe7e7 Aug 26 13:09:56.520242: | add inbound eroute 192.0.2.0/24:0 --0-> 192.0.3.0/24:0 => tun.10000@192.1.3.33 (raw_eroute) Aug 26 13:09:56.520259: | IPsec Sa SPD priority set to 1042407 Aug 26 13:09:56.520474: | raw_eroute result=success Aug 26 13:09:56.520509: | set up incoming SA, ref=0/0 Aug 26 13:09:56.520525: | sr for #3: unrouted Aug 26 13:09:56.520543: | route_and_eroute() for proto 0, and source port 0 dest port 0 Aug 26 13:09:56.520558: | FOR_EACH_CONNECTION_... in route_owner Aug 26 13:09:56.520575: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 vs Aug 26 13:09:56.520590: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 Aug 26 13:09:56.520607: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 vs Aug 26 13:09:56.520624: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 Aug 26 13:09:56.520644: | route owner of "north-eastnets/0x1" unrouted: NULL; eroute owner: NULL Aug 26 13:09:56.520664: | route_and_eroute with c: north-eastnets/0x1 (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: #3 Aug 26 13:09:56.520680: | priority calculation of connection "north-eastnets/0x1" is 0xfe7e7 Aug 26 13:09:56.520721: | eroute_connection add eroute 192.0.3.0/24:0 --0-> 192.0.2.0/24:0 => tun.0@192.1.2.23 (raw_eroute) Aug 26 13:09:56.520739: | IPsec Sa SPD priority set to 1042407 Aug 26 13:09:56.520864: | raw_eroute result=success Aug 26 13:09:56.520895: | running updown command "ipsec _updown" for verb up Aug 26 13:09:56.520910: | command executing up-client Aug 26 13:09:56.521011: | executing up-client: PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets/0x1' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.23' PLUTO_ME='192.1.3.33' PLUTO_MY_ID='@north' PLUTO_MY_CLIENT='192.0.3.0/24' PLUTO_MY_CLIENT_NET='192.0.3.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' 
PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID='@east' PLUTO_PEER_CLIENT='192.0.2.0/24' PLUTO_PEER_CLIENT_NET='192.0.2.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x2 Aug 26 13:09:56.521025: | popen cmd is 1041 chars long Aug 26 13:09:56.521034: | cmd( 0):PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets/0x1': Aug 26 13:09:56.521052: | cmd( 80): PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.23' PLUTO_ME='192.1.3.33' PLUTO_: Aug 26 13:09:56.521062: | cmd( 160):MY_ID='@north' PLUTO_MY_CLIENT='192.0.3.0/24' PLUTO_MY_CLIENT_NET='192.0.3.0' PL: Aug 26 13:09:56.521074: | cmd( 240):UTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO: Aug 26 13:09:56.521086: | cmd( 320):_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID='@ea: Aug 26 13:09:56.521097: | cmd( 400):st' PLUTO_PEER_CLIENT='192.0.2.0/24' PLUTO_PEER_CLIENT_NET='192.0.2.0' PLUTO_PEE: Aug 26 13:09:56.521109: | cmd( 480):R_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_: Aug 26 13:09:56.521121: | cmd( 560):PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCR: Aug 26 13:09:56.521132: | cmd( 640):YPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND: Aug 26 13:09:56.521144: | cmd( 720):='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO=: Aug 26 13:09:56.521157: | cmd( 800):'0' 
PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_: Aug 26 13:09:56.521169: | cmd( 880):CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROU: Aug 26 13:09:56.521182: | cmd( 960):TING='no' VTI_SHARED='no' SPI_IN=0x2e93a512 SPI_OUT=0xea232af2 ipsec _updown 2>&: Aug 26 13:09:56.521190: | cmd(1040):1: Aug 26 13:09:56.557625: | route_and_eroute: firewall_notified: true Aug 26 13:09:56.557661: | running updown command "ipsec _updown" for verb prepare Aug 26 13:09:56.557671: | command executing prepare-client Aug 26 13:09:56.557735: | executing prepare-client: PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets/0x1' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.23' PLUTO_ME='192.1.3.33' PLUTO_MY_ID='@north' PLUTO_MY_CLIENT='192.0.3.0/24' PLUTO_MY_CLIENT_NET='192.0.3.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID='@east' PLUTO_PEER_CLIENT='192.0.2.0/24' PLUTO_PEER_CLIENT_NET='192.0.2.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' Aug 26 13:09:56.557746: | popen cmd is 1046 chars long Aug 26 13:09:56.557752: | cmd( 0):PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets: Aug 26 13:09:56.557758: | cmd( 80):/0x1' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.23' PLUTO_ME='192.1.3.33' P: Aug 26 13:09:56.557764: | cmd( 160):LUTO_MY_ID='@north' PLUTO_MY_CLIENT='192.0.3.0/24' 
PLUTO_MY_CLIENT_NET='192.0.3.: Aug 26 13:09:56.557770: | cmd( 240):0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' : Aug 26 13:09:56.557775: | cmd( 320):PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID: Aug 26 13:09:56.557781: | cmd( 400):='@east' PLUTO_PEER_CLIENT='192.0.2.0/24' PLUTO_PEER_CLIENT_NET='192.0.2.0' PLUT: Aug 26 13:09:56.557786: | cmd( 480):O_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' P: Aug 26 13:09:56.557792: | cmd( 560):LUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG: Aug 26 13:09:56.557798: | cmd( 640):+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN: Aug 26 13:09:56.557803: | cmd( 720):_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_C: Aug 26 13:09:56.557808: | cmd( 800):ISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' P: Aug 26 13:09:56.557820: | cmd( 880):LUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VT: Aug 26 13:09:56.557827: | cmd( 960):I_ROUTING='no' VTI_SHARED='no' SPI_IN=0x2e93a512 SPI_OUT=0xea232af2 ipsec _updow: Aug 26 13:09:56.557832: | cmd(1040):n 2>&1: Aug 26 13:09:56.587415: | running updown command "ipsec _updown" for verb route Aug 26 13:09:56.587434: | command executing route-client Aug 26 13:09:56.587479: | executing route-client: PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets/0x1' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.23' PLUTO_ME='192.1.3.33' PLUTO_MY_ID='@north' PLUTO_MY_CLIENT='192.0.3.0/24' PLUTO_MY_CLIENT_NET='192.0.3.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID='@east' PLUTO_PEER_CLIENT='192.0.2.0/24' PLUTO_PEER_CLIENT_NET='192.0.2.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' 
PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_ Aug 26 13:09:56.587485: | popen cmd is 1044 chars long Aug 26 13:09:56.587490: | cmd( 0):PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets/0: Aug 26 13:09:56.587494: | cmd( 80):x1' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.23' PLUTO_ME='192.1.3.33' PLU: Aug 26 13:09:56.587498: | cmd( 160):TO_MY_ID='@north' PLUTO_MY_CLIENT='192.0.3.0/24' PLUTO_MY_CLIENT_NET='192.0.3.0': Aug 26 13:09:56.587502: | cmd( 240): PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PL: Aug 26 13:09:56.587505: | cmd( 320):UTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID=': Aug 26 13:09:56.587509: | cmd( 400):@east' PLUTO_PEER_CLIENT='192.0.2.0/24' PLUTO_PEER_CLIENT_NET='192.0.2.0' PLUTO_: Aug 26 13:09:56.587513: | cmd( 480):PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLU: Aug 26 13:09:56.587516: | cmd( 560):TO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+E: Aug 26 13:09:56.587520: | cmd( 640):NCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_K: Aug 26 13:09:56.587523: | cmd( 720):IND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CIS: Aug 26 13:09:56.587527: | cmd( 800):CO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLU: Aug 26 13:09:56.587530: | cmd( 880):TO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_: Aug 26 13:09:56.587534: | cmd( 960):ROUTING='no' VTI_SHARED='no' SPI_IN=0x2e93a512 
SPI_OUT=0xea232af2 ipsec _updown : Aug 26 13:09:56.587537: | cmd(1040):2>&1: Aug 26 13:09:56.647348: | route_and_eroute: instance "north-eastnets/0x1", setting eroute_owner {spd=0x55fb0637ea10,sr=0x55fb0637ea10} to #3 (was #0) (newest_ipsec_sa=#0) Aug 26 13:09:56.647544: | #1 spent 4.34 milliseconds in install_ipsec_sa() Aug 26 13:09:56.647557: | inR2: instance north-eastnets/0x1[0], setting IKEv2 newest_ipsec_sa to #3 (was #0) (spd.eroute=#3) cloned from #1 Aug 26 13:09:56.647562: | state #3 requesting EVENT_RETRANSMIT to be deleted Aug 26 13:09:56.647568: | #3 STATE_PARENT_I2: retransmits: cleared Aug 26 13:09:56.647579: | libevent_free: release ptr-libevent@0x7fede8000f40 Aug 26 13:09:56.647584: | free_event_entry: release EVENT_RETRANSMIT-pe@0x55fb06384420 Aug 26 13:09:56.647590: | #3 spent 7.73 milliseconds in processing: Initiator: process IKE_AUTH response in ikev2_process_state_packet() Aug 26 13:09:56.647601: | [RE]START processing: state #3 connection "north-eastnets/0x1" from 192.1.2.23 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:09:56.647610: | #3 complete_v2_state_transition() PARENT_I2->V2_IPSEC_I with status STF_OK Aug 26 13:09:56.647614: | IKEv2: transition from state STATE_PARENT_I2 to state STATE_V2_IPSEC_I Aug 26 13:09:56.647618: | child state #3: PARENT_I2(open IKE SA) => V2_IPSEC_I(established CHILD SA) Aug 26 13:09:56.647622: | Message ID: updating counters for #3 to 1 after switching state Aug 26 13:09:56.647630: | Message ID: recv #1.#3 response 1; ike: initiator.sent=1 initiator.recv=0->1 responder.sent=-1 responder.recv=-1; child: wip.initiator=1->-1 wip.responder=-1 Aug 26 13:09:56.647636: | Message ID: #1.#3 skipping update_send as nothing to send; initiator.sent=1 initiator.recv=1 responder.sent=-1 responder.recv=-1 wip.initiator=-1 wip.responder=-1 Aug 26 13:09:56.647640: | pstats #3 ikev2.child established Aug 26 13:09:56.647652: "north-eastnets/0x1" #3: negotiated connection [192.0.3.0-192.0.3.255:0-65535 0] -> 
[192.0.2.0-192.0.2.255:0-65535 0] Aug 26 13:09:56.647665: | NAT-T: encaps is 'auto' Aug 26 13:09:56.647671: "north-eastnets/0x1" #3: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0x2e93a512 <0xea232af2 xfrm=AES_CBC_128-HMAC_SHA2_512_256 NATOA=none NATD=none DPD=passive} Aug 26 13:09:56.647677: | releasing whack for #3 (sock=fd@26) Aug 26 13:09:56.647682: | close_any(fd@26) (in release_whack() at state.c:654) Aug 26 13:09:56.647685: | releasing whack and unpending for parent #1 Aug 26 13:09:56.647689: | unpending state #1 connection "north-eastnets/0x1" Aug 26 13:09:56.647696: | delete from pending Child SA with 192.1.2.23 "north-eastnets/0x1" Aug 26 13:09:56.647700: | removing pending policy for no connection {0x55fb062dccb0} Aug 26 13:09:56.647706: | FOR_EACH_STATE_... in find_pending_phase2 Aug 26 13:09:56.647713: | creating state object #4 at 0x55fb063861d0 Aug 26 13:09:56.647717: | State DB: adding IKEv2 state #4 in UNDEFINED Aug 26 13:09:56.647728: | pstats #4 ikev2.child started Aug 26 13:09:56.647732: | duplicating state object #1 "north-eastnets/0x2" as #4 for IPSEC SA Aug 26 13:09:56.647738: | #4 setting local endpoint to 192.1.3.33:500 from #1.st_localport (in duplicate_state() at state.c:1484) Aug 26 13:09:56.647754: | Message ID: init_child #1.#4; ike: initiator.sent=1 initiator.recv=1 responder.sent=-1 responder.recv=-1; child: wip.initiator=0->-1 wip.responder=0->-1 Aug 26 13:09:56.647760: | suspend processing: state #3 connection "north-eastnets/0x1" from 192.1.2.23 (in ikev2_initiate_child_sa() at ikev2_parent.c:5637) Aug 26 13:09:56.647766: | start processing: state #4 connection "north-eastnets/0x2" from 192.1.2.23 (in ikev2_initiate_child_sa() at ikev2_parent.c:5637) Aug 26 13:09:56.647771: | child state #4: UNDEFINED(ignore) => V2_CREATE_I0(established IKE SA) Aug 26 13:09:56.647774: | create child proposal's DH changed from no-PFS to MODP2048, flushing Aug 26 13:09:56.647778: | constructing ESP/AH proposals with default DH MODP2048 
for north-eastnets/0x2 (ESP/AH initiator emitting proposals) Aug 26 13:09:56.647784: | converting proposal AES_CBC_128-HMAC_SHA2_512_256-MODP3072 to ikev2 ... Aug 26 13:09:56.647791: | ... ikev2_proposal: 1:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;DH=MODP3072;ESN=DISABLED Aug 26 13:09:56.647796: "north-eastnets/0x2": constructed local ESP/AH proposals for north-eastnets/0x2 (ESP/AH initiator emitting proposals): 1:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;DH=MODP3072;ESN=DISABLED Aug 26 13:09:56.647809: | #4 schedule initiate IPsec SA RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO using IKE# 1 pfs=MODP3072 Aug 26 13:09:56.647813: | event_schedule: new EVENT_v2_INITIATE_CHILD-pe@0x55fb06384420 Aug 26 13:09:56.647818: | inserting event EVENT_v2_INITIATE_CHILD, timeout in 0 seconds for #4 Aug 26 13:09:56.647822: | libevent_malloc: new ptr-libevent@0x7fede8000f40 size 128 Aug 26 13:09:56.647829: | RESET processing: state #4 connection "north-eastnets/0x2" from 192.1.2.23 (in ikev2_initiate_child_sa() at ikev2_parent.c:5737) Aug 26 13:09:56.647834: | RESET processing: from 192.1.2.23:500 (in ikev2_initiate_child_sa() at ikev2_parent.c:5737) Aug 26 13:09:56.647841: | delete from pending Child SA with 192.1.2.23 "north-eastnets/0x2" Aug 26 13:09:56.647844: | removing pending policy for no connection {0x55fb06351890} Aug 26 13:09:56.647849: | close_any(fd@24) (in release_whack() at state.c:654) Aug 26 13:09:56.647854: | #3 will start re-keying in 28048 seconds with margin of 752 seconds (attempting re-key) Aug 26 13:09:56.647858: | event_schedule: new EVENT_SA_REKEY-pe@0x55fb063849e0 Aug 26 13:09:56.647861: | inserting event EVENT_SA_REKEY, timeout in 28048 seconds for #3 Aug 26 13:09:56.647866: | libevent_malloc: new ptr-libevent@0x55fb0638e6c0 size 128 Aug 26 13:09:56.647870: | libevent_realloc: release ptr-libevent@0x55fb06361830 Aug 26 13:09:56.647873: | libevent_realloc: new ptr-libevent@0x55fb0638e9e0 size 128 Aug 26 
13:09:56.647877: | processing: STOP state #0 (in ikev2_process_packet() at ikev2.c:2018) Aug 26 13:09:56.647883: | #1 spent 9.31 milliseconds in ikev2_process_packet() Aug 26 13:09:56.647891: | processing: STOP state #0 (in process_md() at demux.c:382) Aug 26 13:09:56.647894: | processing: STOP connection NULL (in process_md() at demux.c:383) Aug 26 13:09:56.647899: | spent 9.32 milliseconds in comm_handle_cb() reading and processing packet Aug 26 13:09:56.647915: | spent 0.00233 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Aug 26 13:09:56.647932: | *received 464 bytes from 192.1.2.23:500 on eth1 (192.1.3.33:500)
Aug 26 13:09:56.648018: | start processing: from 192.1.2.23:500 (in process_md() at demux.c:378) Aug 26 13:09:56.648023: | **parse ISAKMP Message: Aug 26 13:09:56.648026: | initiator cookie: Aug 26 13:09:56.648029: | f4 b6 d6 b1 3a 28 54 37 Aug 26 13:09:56.648032: | responder cookie: Aug 26 13:09:56.648034: | ed ec 45 23 73 d7 1a d3 Aug 26 13:09:56.648040: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Aug 26 13:09:56.648043: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:09:56.648047: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Aug 26 13:09:56.648051: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Aug 26 13:09:56.648054: | Message ID: 1 (0x1) Aug 26 13:09:56.648057: | length: 464 (0x1d0) Aug 26 13:09:56.648061: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) Aug 26 13:09:56.648064: | I am the IKE SA Original Initiator receiving an IKEv2 IKE_AUTH response Aug 26 13:09:56.648068: | State DB: found IKEv2 state #1 in PARENT_I3 (find_v2_ike_sa) Aug 26 13:09:56.648075: | start processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23 (in ikev2_process_packet() at ikev2.c:2016) Aug 26 13:09:56.648079: | State DB: IKEv2 state
not found (find_v2_sa_by_initiator_wip) Aug 26 13:09:56.648084: | [RE]START processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23 (in ike_process_packet() at ikev2.c:2064) Aug 26 13:09:56.648090: | Message ID: #1 already processed response 1 (IKE_AUTH); discarding packet; initiator.sent=1 initiator.recv=1 responder.sent=-1 responder.recv=-1 Aug 26 13:09:56.648095: | stop processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23 (in ikev2_process_packet() at ikev2.c:2018) Aug 26 13:09:56.648100: | #1 spent 0.179 milliseconds in ikev2_process_packet() Aug 26 13:09:56.648105: | stop processing: from 192.1.2.23:500 (in process_md() at demux.c:380) Aug 26 13:09:56.648109: | processing: STOP state #0 (in process_md() at demux.c:382) Aug 26 13:09:56.648112: | processing: STOP connection NULL (in process_md() at demux.c:383) Aug 26 13:09:56.648116: | spent 0.195 milliseconds in comm_handle_cb() reading and processing packet Aug 26 13:09:56.648126: | timer_event_cb: processing event@0x55fb06384420 Aug 26 13:09:56.648130: | handling event EVENT_v2_INITIATE_CHILD for child state #4 Aug 26 13:09:56.648136: | start processing: state #4 connection "north-eastnets/0x2" from 192.1.2.23 (in timer_event_cb() at timer.c:250) Aug 26 13:09:56.648141: | adding Child Initiator KE and nonce ni work-order 5 for state #4 Aug 26 13:09:56.648145: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55fb0638d2a0 Aug 26 13:09:56.648149: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #4 Aug 26 13:09:56.648153: | libevent_malloc: new ptr-libevent@0x55fb0638e950 size 128 Aug 26 13:09:56.648161: | libevent_free: release ptr-libevent@0x7fede8000f40 Aug 26 13:09:56.648165: | free_event_entry: release EVENT_v2_INITIATE_CHILD-pe@0x55fb06384420 Aug 26 13:09:56.648171: | #4 spent 0.0442 milliseconds in timer_event_cb() EVENT_v2_INITIATE_CHILD Aug 26 13:09:56.648176: | stop processing: state #4 connection "north-eastnets/0x2" from 192.1.2.23 (in timer_event_cb() at 
timer.c:557) Aug 26 13:09:56.648180: | processing signal PLUTO_SIGCHLD Aug 26 13:09:56.648186: | waitpid returned ECHILD (no child processes left) Aug 26 13:09:56.648190: | spent 0.00561 milliseconds in signal handler PLUTO_SIGCHLD Aug 26 13:09:56.648194: | processing signal PLUTO_SIGCHLD Aug 26 13:09:56.648198: | waitpid returned ECHILD (no child processes left) Aug 26 13:09:56.648202: | spent 0.004 milliseconds in signal handler PLUTO_SIGCHLD Aug 26 13:09:56.648205: | processing signal PLUTO_SIGCHLD Aug 26 13:09:56.648209: | waitpid returned ECHILD (no child processes left) Aug 26 13:09:56.648214: | spent 0.00436 milliseconds in signal handler PLUTO_SIGCHLD Aug 26 13:09:56.648223: | spent 0.00152 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Aug 26 13:09:56.648233: | *received 464 bytes from 192.1.2.23:500 on eth1 (192.1.3.33:500)
Aug 26 13:09:56.648327: | start processing: from 192.1.2.23:500 (in process_md() at demux.c:378) Aug 26 13:09:56.648330: | **parse ISAKMP Message: Aug 26 13:09:56.648334: | initiator cookie: Aug 26 13:09:56.648336: | a9 6d 2c db 22 7f 10 cd Aug 26 13:09:56.648339: | responder cookie: Aug 26 13:09:56.648342: | a9 27 21 0d a1 26 af 75 Aug 26 13:09:56.648345: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Aug 26 13:09:56.648348: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:09:56.648351: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Aug 26 13:09:56.648354: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Aug 26 13:09:56.648357: | Message ID: 1 (0x1) Aug 26 13:09:56.648359: | length: 464 (0x1d0) Aug 26 13:09:56.648363: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) Aug 26 13:09:56.648366: | I am the IKE SA Original Responder receiving an IKEv2 IKE_AUTH request Aug 26 13:09:56.648370: | State DB: found IKEv2 state #2 in
PARENT_R1 (find_v2_ike_sa) Aug 26 13:09:56.648378: | start processing: state #2 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ikev2_process_packet() at ikev2.c:2016) Aug 26 13:09:56.648384: | [RE]START processing: state #2 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ike_process_packet() at ikev2.c:2062) Aug 26 13:09:56.648387: | #2 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001 Aug 26 13:09:56.648391: "north-eastnets/0x2" #2: discarding packet received during asynchronous work (DNS or crypto) in STATE_PARENT_R1 Aug 26 13:09:56.648396: | stop processing: state #2 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ikev2_process_packet() at ikev2.c:2018) Aug 26 13:09:56.648402: | #2 spent 0.171 milliseconds in ikev2_process_packet() Aug 26 13:09:56.648406: | stop processing: from 192.1.2.23:500 (in process_md() at demux.c:380) Aug 26 13:09:56.648410: | processing: STOP state #0 (in process_md() at demux.c:382) Aug 26 13:09:56.648413: | processing: STOP connection NULL (in process_md() at demux.c:383) Aug 26 13:09:56.648418: | spent 0.187 milliseconds in comm_handle_cb() reading and processing packet Aug 26 13:09:56.649492: | crypto helper 4 resuming Aug 26 13:09:56.649509: | crypto helper 4 starting work-order 5 for state #4 Aug 26 13:09:56.649515: | crypto helper 4 doing build KE and nonce (Child Initiator KE and nonce ni); request ID 5 Aug 26 13:09:56.649519: | crypto helper is pausing for 1 seconds Aug 26 13:09:56.785123: | calculating skeyseed using prf=sha2_256 integ=sha2_256 cipherkey-size=32 salt-size=0 Aug 26 13:09:56.785702: | crypto helper 3 finished compute dh (V2) (ikev2_inI2outR2 KE); request ID 4 time elapsed 1.001561 seconds Aug 26 13:09:56.785718: | (#2) spent 1.51 milliseconds in crypto helper computing work-order 4: ikev2_inI2outR2 KE (pcr) Aug 26 13:09:56.785722: | crypto helper 3 sending results from work-order 4 for state #2 to event queue Aug 26 13:09:56.785726: | scheduling resume sending helper answer for #2 Aug 26 
13:09:56.785731: | libevent_malloc: new ptr-libevent@0x7feddc003060 size 128 Aug 26 13:09:56.785746: | crypto helper 3 waiting (nothing to do) Aug 26 13:09:56.785757: | processing resume sending helper answer for #2 Aug 26 13:09:56.785772: | start processing: state #2 connection "north-eastnets/0x2" from 192.1.2.23:500 (in resume_handler() at server.c:797) Aug 26 13:09:56.785778: | crypto helper 3 replies to request ID 4 Aug 26 13:09:56.785781: | calling continuation function 0x55fb048b9b50 Aug 26 13:09:56.785785: | ikev2_parent_inI2outR2_continue for #2: calculating g^{xy}, sending R2 Aug 26 13:09:56.785789: | #2 in state PARENT_R1: received v2I1, sent v2R1
Aug 26 13:09:56.785903: | calculated auth: 6c 21 ea 11 82 bb b4 73 8f 16 83 9c c8 8c 8b 60 Aug 26 13:09:56.785906: | provided auth: 6c 21 ea 11 82 bb b4 73 8f 16 83 9c c8 8c 8b 60 Aug 26 13:09:56.785909: | authenticator matched Aug 26 13:09:56.785918: | #2 ikev2 ISAKMP_v2_IKE_AUTH decrypt success Aug 26 13:09:56.785922: | Now let's proceed with payload (ISAKMP_NEXT_v2IDi) Aug 26 13:09:56.785927: | **parse IKEv2 Identification - Initiator - Payload: Aug 26 13:09:56.785930: | next payload type: ISAKMP_NEXT_v2IDr (0x24) Aug 26 13:09:56.785934: | flags: none (0x0) Aug 26 13:09:56.785937: | length: 12 (0xc) Aug 26 13:09:56.785940: | ID type: ID_FQDN (0x2) Aug 26 13:09:56.785943: | processing payload: ISAKMP_NEXT_v2IDi (len=4) Aug 26 13:09:56.785946: | Now let's proceed with payload (ISAKMP_NEXT_v2IDr) Aug 26 13:09:56.785949: |
**parse IKEv2 Identification - Responder - Payload: Aug 26 13:09:56.785952: | next payload type: ISAKMP_NEXT_v2AUTH (0x27) Aug 26 13:09:56.785955: | flags: none (0x0) Aug 26 13:09:56.785958: | length: 13 (0xd) Aug 26 13:09:56.785960: | ID type: ID_FQDN (0x2) Aug 26 13:09:56.785963: | processing payload: ISAKMP_NEXT_v2IDr (len=5) Aug 26 13:09:56.785966: | Now let's proceed with payload (ISAKMP_NEXT_v2AUTH) Aug 26 13:09:56.785969: | **parse IKEv2 Authentication Payload: Aug 26 13:09:56.785972: | next payload type: ISAKMP_NEXT_v2SA (0x21) Aug 26 13:09:56.785975: | flags: none (0x0) Aug 26 13:09:56.785978: | length: 282 (0x11a) Aug 26 13:09:56.785981: | auth method: IKEv2_AUTH_RSA (0x1) Aug 26 13:09:56.785984: | processing payload: ISAKMP_NEXT_v2AUTH (len=274) Aug 26 13:09:56.785986: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Aug 26 13:09:56.785990: | **parse IKEv2 Security Association Payload: Aug 26 13:09:56.785993: | next payload type: ISAKMP_NEXT_v2TSi (0x2c) Aug 26 13:09:56.785995: | flags: none (0x0) Aug 26 13:09:56.785998: | length: 44 (0x2c) Aug 26 13:09:56.786001: | processing payload: ISAKMP_NEXT_v2SA (len=40) Aug 26 13:09:56.786004: | Now let's proceed with payload (ISAKMP_NEXT_v2TSi) Aug 26 13:09:56.786007: | **parse IKEv2 Traffic Selector - Initiator - Payload: Aug 26 13:09:56.786010: | next payload type: ISAKMP_NEXT_v2TSr (0x2d) Aug 26 13:09:56.786013: | flags: none (0x0) Aug 26 13:09:56.786015: | length: 24 (0x18) Aug 26 13:09:56.786018: | number of TS: 1 (0x1) Aug 26 13:09:56.786021: | processing payload: ISAKMP_NEXT_v2TSi (len=16) Aug 26 13:09:56.786024: | Now let's proceed with payload (ISAKMP_NEXT_v2TSr) Aug 26 13:09:56.786027: | **parse IKEv2 Traffic Selector - Responder - Payload: Aug 26 13:09:56.786030: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:09:56.786032: | flags: none (0x0) Aug 26 13:09:56.786035: | length: 24 (0x18) Aug 26 13:09:56.786038: | number of TS: 1 (0x1) Aug 26 13:09:56.786041: | processing payload: 
ISAKMP_NEXT_v2TSr (len=16) Aug 26 13:09:56.786044: | selected state microcode Responder: process IKE_AUTH request Aug 26 13:09:56.786047: | Now let's proceed with state specific processing Aug 26 13:09:56.786050: | calling processor Responder: process IKE_AUTH request Aug 26 13:09:56.786056: "north-eastnets/0x2" #2: processing decrypted IKE_AUTH request: SK{IDi,IDr,AUTH,SA,TSi,TSr} Aug 26 13:09:56.786063: | #2 updating local interface from 192.1.3.33:500 to 192.1.3.33:500 using md->iface (in update_ike_endpoints() at state.c:2669) Aug 26 13:09:56.786066: | received IDr payload - extracting our alleged ID Aug 26 13:09:56.786070: | refine_host_connection for IKEv2: starting with "north-eastnets/0x2" Aug 26 13:09:56.786076: | match_id a=@east Aug 26 13:09:56.786078: | b=@east Aug 26 13:09:56.786081: | results matched Aug 26 13:09:56.786085: | refine_host_connection: checking "north-eastnets/0x2" against "north-eastnets/0x2", best=(none) with match=1(id=1(0)/ca=1(0)/reqca=1(0)) Aug 26 13:09:56.786088: | Warning: not switching back to template of current instance Aug 26 13:09:56.786092: | Peer expects us to be @north (ID_FQDN) according to its IDr payload Aug 26 13:09:56.786097: | This connection's local id is @north (ID_FQDN) Aug 26 13:09:56.786101: | refine_host_connection: checked north-eastnets/0x2 against north-eastnets/0x2, now for see if best Aug 26 13:09:56.786105: | started looking for secret for @north->@east of kind PKK_RSA Aug 26 13:09:56.786108: | actually looking for secret for @north->@east of kind PKK_RSA Aug 26 13:09:56.786111: | line 1: key type PKK_RSA(@north) to type PKK_RSA Aug 26 13:09:56.786115: | 1: compared key (none) to @north / @east -> 002 Aug 26 13:09:56.786118: | 2: compared key (none) to @north / @east -> 002 Aug 26 13:09:56.786121: | line 1: match=002 Aug 26 13:09:56.786125: | match 002 beats previous best_match 000 match=0x55fb063730d0 (line=1) Aug 26 13:09:56.786128: | concluding with best_match=002 best=0x55fb063730d0 (lineno=1) Aug 26 
13:09:56.786130: | returning because exact peer id match Aug 26 13:09:56.786133: | offered CA: '%none' Aug 26 13:09:56.786137: "north-eastnets/0x2" #2: IKEv2 mode peer ID is ID_FQDN: '@east' Aug 26 13:09:56.786154: | verifying AUTH payload Aug 26 13:09:56.786171: | required RSA CA is '%any' Aug 26 13:09:56.786175: | checking RSA keyid '@east' for match with '@east' Aug 26 13:09:56.786178: | key issuer CA is '%any' Aug 26 13:09:56.786249: | an RSA Sig check passed with *AQO9bJbr3 [preloaded key] Aug 26 13:09:56.786257: | #2 spent 0.0729 milliseconds in try_all_RSA_keys() trying a pubkey Aug 26 13:09:56.786260: "north-eastnets/0x2" #2: Authenticated using RSA Aug 26 13:09:56.786265: | #2 spent 0.105 milliseconds in ikev2_verify_rsa_hash() Aug 26 13:09:56.786270: | parent state #2: PARENT_R1(half-open IKE SA) => PARENT_R2(established IKE SA) Aug 26 13:09:56.786275: | #2 will start re-keying in 3330 seconds with margin of 270 seconds (attempting re-key) Aug 26 13:09:56.786278: | state #2 requesting EVENT_CRYPTO_TIMEOUT to be deleted Aug 26 13:09:56.786283: | libevent_free: release ptr-libevent@0x55fb06384860 Aug 26 13:09:56.786314: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x7fedec002b20 Aug 26 13:09:56.786323: | event_schedule: new EVENT_SA_REKEY-pe@0x7fedec002b20 Aug 26 13:09:56.786327: | inserting event EVENT_SA_REKEY, timeout in 3330 seconds for #2 Aug 26 13:09:56.786331: | libevent_malloc: new ptr-libevent@0x55fb06384860 size 128 Aug 26 13:09:56.786838: | pstats #2 ikev2.ike established Aug 26 13:09:56.786868: | **emit ISAKMP Message: Aug 26 13:09:56.786873: | initiator cookie: Aug 26 13:09:56.786876: | a9 6d 2c db 22 7f 10 cd Aug 26 13:09:56.786879: | responder cookie: Aug 26 13:09:56.786882: | a9 27 21 0d a1 26 af 75 Aug 26 13:09:56.786885: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 13:09:56.786889: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:09:56.786892: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Aug 26 
13:09:56.786896: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Aug 26 13:09:56.786899: | Message ID: 1 (0x1) Aug 26 13:09:56.786902: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 13:09:56.786906: | IKEv2 CERT: send a certificate? Aug 26 13:09:56.786909: | IKEv2 CERT: no certificate to send Aug 26 13:09:56.786912: | ***emit IKEv2 Encryption Payload: Aug 26 13:09:56.786915: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:09:56.786918: | flags: none (0x0) Aug 26 13:09:56.786923: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Aug 26 13:09:56.786927: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'reply packet' Aug 26 13:09:56.786931: | emitting 16 zero bytes of IV into IKEv2 Encryption Payload Aug 26 13:09:56.786946: | Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED Aug 26 13:09:56.786963: | ****emit IKEv2 Identification - Responder - Payload: Aug 26 13:09:56.786970: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:09:56.786973: | flags: none (0x0) Aug 26 13:09:56.786977: | ID type: ID_FQDN (0x2) Aug 26 13:09:56.786984: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Identification - Responder - Payload (36:ISAKMP_NEXT_v2IDr) Aug 26 13:09:56.786988: | next payload chain: saving location 'IKEv2 Identification - Responder - Payload'.'next payload type' in 'reply packet' Aug 26 13:09:56.786993: | emitting 5 raw bytes of my identity into IKEv2 Identification - Responder - Payload Aug 26 13:09:56.786996: | my identity 6e 6f 72 74 68 Aug 26 13:09:56.786999: | emitting length of IKEv2 Identification - Responder - Payload: 13 Aug 26 13:09:56.787008: | assembled IDr payload Aug 26 13:09:56.787011: | CHILD SA proposals received Aug 26 13:09:56.787015: | going to assemble AUTH payload Aug 26 13:09:56.787018: | ****emit 
IKEv2 Authentication Payload: Aug 26 13:09:56.787021: | next payload type: ISAKMP_NEXT_v2SA (0x21) Aug 26 13:09:56.787024: | flags: none (0x0) Aug 26 13:09:56.787028: | auth method: IKEv2_AUTH_RSA (0x1) Aug 26 13:09:56.787034: | next payload chain: ignoring supplied 'IKEv2 Authentication Payload'.'next payload type' value 33:ISAKMP_NEXT_v2SA Aug 26 13:09:56.787040: | next payload chain: setting previous 'IKEv2 Identification - Responder - Payload'.'next payload type' to current IKEv2 Authentication Payload (39:ISAKMP_NEXT_v2AUTH) Aug 26 13:09:56.787044: | next payload chain: saving location 'IKEv2 Authentication Payload'.'next payload type' in 'reply packet' Aug 26 13:09:56.787050: | started looking for secret for @north->@east of kind PKK_RSA Aug 26 13:09:56.787053: | actually looking for secret for @north->@east of kind PKK_RSA Aug 26 13:09:56.787057: | line 1: key type PKK_RSA(@north) to type PKK_RSA Aug 26 13:09:56.787061: | 1: compared key (none) to @north / @east -> 002 Aug 26 13:09:56.787064: | 2: compared key (none) to @north / @east -> 002 Aug 26 13:09:56.787067: | line 1: match=002 Aug 26 13:09:56.787070: | match 002 beats previous best_match 000 match=0x55fb063730d0 (line=1) Aug 26 13:09:56.787073: | concluding with best_match=002 best=0x55fb063730d0 (lineno=1) Aug 26 13:09:56.791636: | #2 spent 4.53 milliseconds in ikev2_calculate_rsa_hash() calling sign_hash_RSA() Aug 26 13:09:56.791653: | emitting 274 raw bytes of rsa signature into IKEv2 Authentication Payload
Aug 26 13:09:56.791708: | #2 spent 4.64 milliseconds in ikev2_calculate_rsa_hash() Aug 26 13:09:56.791711: | emitting length of IKEv2 Authentication Payload: 282 Aug 26 13:09:56.791721: | creating state object #5 at 0x55fb06394860 Aug 26 13:09:56.791725: | State DB: adding IKEv2 state #5 in UNDEFINED Aug 26 13:09:56.791731: | pstats #5 ikev2.child started Aug 26 13:09:56.791735: | duplicating state object #2 "north-eastnets/0x2" as #5 for IPSEC SA Aug 26 13:09:56.791740: | #5 setting local endpoint to 192.1.3.33:500 from #2.st_localport (in duplicate_state() at state.c:1484) Aug 26 13:09:56.791748: | Message ID: init_child #2.#5; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0; child: wip.initiator=0->-1 wip.responder=0->-1 Aug 26 13:09:56.791753: | Message ID: switch-from #2 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=1->-1 Aug 26
13:09:56.791758: | Message ID: switch-to #2.#5 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0; child: wip.initiator=-1 wip.responder=-1->1 Aug 26 13:09:56.791761: | Child SA TS Request has ike->sa == md->st; so using parent connection Aug 26 13:09:56.791765: | TSi: parsing 1 traffic selectors Aug 26 13:09:56.791769: | ***parse IKEv2 Traffic Selector: Aug 26 13:09:56.791772: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 13:09:56.791775: | IP Protocol ID: 0 (0x0) Aug 26 13:09:56.791778: | length: 16 (0x10) Aug 26 13:09:56.791780: | start port: 0 (0x0) Aug 26 13:09:56.791783: | end port: 65535 (0xffff) Aug 26 13:09:56.791786: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Aug 26 13:09:56.791789: | TS low c0 00 16 00 Aug 26 13:09:56.791792: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Aug 26 13:09:56.791795: | TS high c0 00 16 ff Aug 26 13:09:56.791798: | TSi: parsed 1 traffic selectors Aug 26 13:09:56.791800: | TSr: parsing 1 traffic selectors Aug 26 13:09:56.791803: | ***parse IKEv2 Traffic Selector: Aug 26 13:09:56.791806: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 13:09:56.791809: | IP Protocol ID: 0 (0x0) Aug 26 13:09:56.791812: | length: 16 (0x10) Aug 26 13:09:56.791814: | start port: 0 (0x0) Aug 26 13:09:56.791817: | end port: 65535 (0xffff) Aug 26 13:09:56.791820: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Aug 26 13:09:56.791822: | TS low c0 00 03 00 Aug 26 13:09:56.791825: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Aug 26 13:09:56.791828: | TS high c0 00 03 ff Aug 26 13:09:56.791830: | TSr: parsed 1 traffic selectors Aug 26 13:09:56.791833: | looking for best SPD in current connection Aug 26 13:09:56.791840: | evaluating our conn="north-eastnets/0x2" I=192.0.22.0/24:0/0 R=192.0.3.0/24:0/0 to their: Aug 26 13:09:56.791846: | TSi[0] .net=192.0.22.0-192.0.22.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 13:09:56.791853: | match address 
end->client=192.0.22.0/24 == TSi[0]net=192.0.22.0-192.0.22.255: YES fitness 32 Aug 26 13:09:56.791856: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Aug 26 13:09:56.791859: | TSi[0] port match: YES fitness 65536 Aug 26 13:09:56.791863: | narrow protocol end=*0 == TSi[0]=*0: 0 Aug 26 13:09:56.791866: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Aug 26 13:09:56.791871: | TSr[0] .net=192.0.3.0-192.0.3.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 13:09:56.791877: | match address end->client=192.0.3.0/24 == TSr[0]net=192.0.3.0-192.0.3.255: YES fitness 32 Aug 26 13:09:56.791880: | narrow port end=0..65535 == TSr[0]=0..65535: 0 Aug 26 13:09:56.791883: | TSr[0] port match: YES fitness 65536 Aug 26 13:09:56.791886: | narrow protocol end=*0 == TSr[0]=*0: 0 Aug 26 13:09:56.791889: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Aug 26 13:09:56.791892: | best fit so far: TSi[0] TSr[0] Aug 26 13:09:56.791895: | found better spd route for TSi[0],TSr[0] Aug 26 13:09:56.791898: | looking for better host pair Aug 26 13:09:56.791903: | find_host_pair: comparing 192.1.3.33:500 to 192.1.2.23:500 but ignoring ports Aug 26 13:09:56.791908: | checking hostpair 192.0.3.0/24 -> 192.0.22.0/24 is found Aug 26 13:09:56.791913: | investigating connection "north-eastnets/0x2" as a better match Aug 26 13:09:56.791917: | match_id a=@east Aug 26 13:09:56.791919: | b=@east Aug 26 13:09:56.791922: | results matched Aug 26 13:09:56.791928: | evaluating our conn="north-eastnets/0x2" I=192.0.22.0/24:0/0 R=192.0.3.0/24:0/0 to their: Aug 26 13:09:56.791932: | TSi[0] .net=192.0.22.0-192.0.22.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 13:09:56.791939: | match address end->client=192.0.22.0/24 == TSi[0]net=192.0.22.0-192.0.22.255: YES fitness 32 Aug 26 13:09:56.791942: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Aug 26 13:09:56.791945: | TSi[0] port match: YES fitness 65536 Aug 26 13:09:56.791948: | narrow protocol end=*0 == TSi[0]=*0: 0 Aug 26 
13:09:56.791951: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Aug 26 13:09:56.791956: | TSr[0] .net=192.0.3.0-192.0.3.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 13:09:56.791962: | match address end->client=192.0.3.0/24 == TSr[0]net=192.0.3.0-192.0.3.255: YES fitness 32 Aug 26 13:09:56.791965: | narrow port end=0..65535 == TSr[0]=0..65535: 0 Aug 26 13:09:56.791968: | TSr[0] port match: YES fitness 65536 Aug 26 13:09:56.791971: | narrow protocol end=*0 == TSr[0]=*0: 0 Aug 26 13:09:56.791974: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Aug 26 13:09:56.791977: | best fit so far: TSi[0] TSr[0] Aug 26 13:09:56.791980: | investigating connection "north-eastnets/0x1" as a better match Aug 26 13:09:56.791983: | match_id a=@east Aug 26 13:09:56.791986: | b=@east Aug 26 13:09:56.791988: | results matched Aug 26 13:09:56.791994: | evaluating our conn="north-eastnets/0x1" I=192.0.2.0/24:0/0 R=192.0.3.0/24:0/0 to their: Aug 26 13:09:56.791999: | TSi[0] .net=192.0.22.0-192.0.22.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 13:09:56.792005: | match address end->client=192.0.2.0/24 == TSi[0]net=192.0.22.0-192.0.22.255: NO Aug 26 13:09:56.792008: | did not find a better connection using host pair Aug 26 13:09:56.792011: | printing contents struct traffic_selector Aug 26 13:09:56.792013: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Aug 26 13:09:56.792016: | ipprotoid: 0 Aug 26 13:09:56.792019: | port range: 0-65535 Aug 26 13:09:56.792023: | ip range: 192.0.3.0-192.0.3.255 Aug 26 13:09:56.792025: | printing contents struct traffic_selector Aug 26 13:09:56.792028: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Aug 26 13:09:56.792031: | ipprotoid: 0 Aug 26 13:09:56.792033: | port range: 0-65535 Aug 26 13:09:56.792037: | ip range: 192.0.22.0-192.0.22.255 Aug 26 13:09:56.792042: | constructing ESP/AH proposals with all DH removed for north-eastnets/0x2 (IKE_AUTH responder matching remote ESP/AH proposals) Aug 26 13:09:56.792047: | converting proposal 
AES_CBC_128-HMAC_SHA2_512_256-MODP3072 to ikev2 ... Aug 26 13:09:56.792053: | ... ikev2_proposal: 1:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;DH=NONE;ESN=DISABLED Aug 26 13:09:56.792058: "north-eastnets/0x2": constructed local ESP/AH proposals for north-eastnets/0x2 (IKE_AUTH responder matching remote ESP/AH proposals): 1:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;DH=NONE;ESN=DISABLED Aug 26 13:09:56.792062: | Comparing remote proposals against IKE_AUTH responder matching remote ESP/AH proposals 1 local proposals Aug 26 13:09:56.792066: | local proposal 1 type ENCR has 1 transforms Aug 26 13:09:56.792069: | local proposal 1 type PRF has 0 transforms Aug 26 13:09:56.792071: | local proposal 1 type INTEG has 1 transforms Aug 26 13:09:56.792074: | local proposal 1 type DH has 1 transforms Aug 26 13:09:56.792077: | local proposal 1 type ESN has 1 transforms Aug 26 13:09:56.792081: | local proposal 1 transforms: required: ENCR+INTEG+ESN; optional: DH Aug 26 13:09:56.792084: | ***parse IKEv2 Proposal Substructure Payload: Aug 26 13:09:56.792087: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 13:09:56.792090: | length: 40 (0x28) Aug 26 13:09:56.792094: | prop #: 1 (0x1) Aug 26 13:09:56.792097: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 13:09:56.792100: | spi size: 4 (0x4) Aug 26 13:09:56.792102: | # transforms: 3 (0x3) Aug 26 13:09:56.792106: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Aug 26 13:09:56.792109: | remote SPI 7d 9f 9f aa Aug 26 13:09:56.792112: | Comparing remote proposal 1 containing 3 transforms against local proposal [1..1] of 1 local proposals Aug 26 13:09:56.792116: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:09:56.792119: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:09:56.792121: | length: 12 (0xc) Aug 26 13:09:56.792124: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:09:56.792127: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 13:09:56.792130: | *****parse IKEv2 Attribute 
Substructure Payload: Aug 26 13:09:56.792133: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:09:56.792136: | length/value: 128 (0x80) Aug 26 13:09:56.792141: | remote proposal 1 transform 0 (ENCR=AES_CBC_128) matches local proposal 1 type 1 (ENCR) transform 0 Aug 26 13:09:56.792144: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:09:56.792147: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:09:56.792149: | length: 8 (0x8) Aug 26 13:09:56.792152: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:09:56.792155: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Aug 26 13:09:56.792159: | remote proposal 1 transform 1 (INTEG=HMAC_SHA2_512_256) matches local proposal 1 type 3 (INTEG) transform 0 Aug 26 13:09:56.792162: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:09:56.792165: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:09:56.792167: | length: 8 (0x8) Aug 26 13:09:56.792170: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 13:09:56.792173: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 13:09:56.792177: | remote proposal 1 transform 2 (ESN=DISABLED) matches local proposal 1 type 5 (ESN) transform 0 Aug 26 13:09:56.792181: | remote proposal 1 proposed transforms: ENCR+INTEG+ESN; matched: ENCR+INTEG+ESN; unmatched: none Aug 26 13:09:56.792186: | comparing remote proposal 1 containing ENCR+INTEG+ESN transforms to local proposal 1; required: ENCR+INTEG+ESN; optional: DH; matched: ENCR+INTEG+ESN Aug 26 13:09:56.792189: | remote proposal 1 matches local proposal 1 Aug 26 13:09:56.792194: "north-eastnets/0x2" #2: proposal 1:ESP:SPI=7d9f9faa;ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;ESN=DISABLED chosen from remote proposals 1:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;ESN=DISABLED[first-match] Aug 26 13:09:56.792200: | IKE_AUTH responder matching remote ESP/AH proposals ikev2_proposal: 1:ESP:SPI=7d9f9faa;ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;ESN=DISABLED Aug 26 13:09:56.792203: | converting proposal to internal trans 
attrs Aug 26 13:09:56.792602: | netlink_get_spi: allocated 0x39ab502d for esp.0@192.1.3.33 Aug 26 13:09:56.792610: | Emitting ikev2_proposal ... Aug 26 13:09:56.792614: | ****emit IKEv2 Security Association Payload: Aug 26 13:09:56.792617: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:09:56.792620: | flags: none (0x0) Aug 26 13:09:56.792624: | next payload chain: setting previous 'IKEv2 Authentication Payload'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Aug 26 13:09:56.792631: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Aug 26 13:09:56.792636: | *****emit IKEv2 Proposal Substructure Payload: Aug 26 13:09:56.792640: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 13:09:56.792643: | prop #: 1 (0x1) Aug 26 13:09:56.792646: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 13:09:56.792649: | spi size: 4 (0x4) Aug 26 13:09:56.792652: | # transforms: 3 (0x3) Aug 26 13:09:56.792656: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Aug 26 13:09:56.792660: | emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload Aug 26 13:09:56.792666: | our spi 39 ab 50 2d Aug 26 13:09:56.792670: | ******emit IKEv2 Transform Substructure Payload: Aug 26 13:09:56.792673: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:09:56.792676: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:09:56.792679: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 13:09:56.792684: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:09:56.792687: | *******emit IKEv2 Attribute Substructure Payload: Aug 26 13:09:56.792691: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:09:56.792694: | length/value: 128 (0x80) Aug 26 13:09:56.792697: | emitting length of IKEv2 Transform Substructure Payload: 12 Aug 26 
13:09:56.792701: | ******emit IKEv2 Transform Substructure Payload: Aug 26 13:09:56.792704: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:09:56.792708: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:09:56.792711: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Aug 26 13:09:56.792715: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:09:56.792720: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:09:56.792723: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:09:56.792726: | ******emit IKEv2 Transform Substructure Payload: Aug 26 13:09:56.792730: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:09:56.792736: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 13:09:56.792740: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 13:09:56.792744: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:09:56.792747: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:09:56.792750: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:09:56.792753: | emitting length of IKEv2 Proposal Substructure Payload: 40 Aug 26 13:09:56.792757: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Aug 26 13:09:56.792760: | emitting length of IKEv2 Security Association Payload: 44 Aug 26 13:09:56.792763: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Aug 26 13:09:56.792766: | ****emit IKEv2 Traffic Selector - Initiator - Payload: Aug 26 13:09:56.792769: | next payload type: 
ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:09:56.792772: | flags: none (0x0) Aug 26 13:09:56.792775: | number of TS: 1 (0x1) Aug 26 13:09:56.792779: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Traffic Selector - Initiator - Payload (44:ISAKMP_NEXT_v2TSi) Aug 26 13:09:56.792783: | next payload chain: saving location 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' in 'reply packet' Aug 26 13:09:56.792786: | *****emit IKEv2 Traffic Selector: Aug 26 13:09:56.792789: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 13:09:56.792792: | IP Protocol ID: 0 (0x0) Aug 26 13:09:56.792794: | start port: 0 (0x0) Aug 26 13:09:56.792797: | end port: 65535 (0xffff) Aug 26 13:09:56.792801: | emitting 4 raw bytes of ipv4 start into IKEv2 Traffic Selector Aug 26 13:09:56.792803: | ipv4 start c0 00 16 00 Aug 26 13:09:56.792806: | emitting 4 raw bytes of ipv4 end into IKEv2 Traffic Selector Aug 26 13:09:56.792809: | ipv4 end c0 00 16 ff Aug 26 13:09:56.792812: | emitting length of IKEv2 Traffic Selector: 16 Aug 26 13:09:56.792815: | emitting length of IKEv2 Traffic Selector - Initiator - Payload: 24 Aug 26 13:09:56.792818: | ****emit IKEv2 Traffic Selector - Responder - Payload: Aug 26 13:09:56.792823: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:09:56.792826: | flags: none (0x0) Aug 26 13:09:56.792829: | number of TS: 1 (0x1) Aug 26 13:09:56.792833: | next payload chain: setting previous 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' to current IKEv2 Traffic Selector - Responder - Payload (45:ISAKMP_NEXT_v2TSr) Aug 26 13:09:56.792836: | next payload chain: saving location 'IKEv2 Traffic Selector - Responder - Payload'.'next payload type' in 'reply packet' Aug 26 13:09:56.792839: | *****emit IKEv2 Traffic Selector: Aug 26 13:09:56.792842: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 13:09:56.792845: | IP Protocol ID: 0 (0x0) Aug 26 13:09:56.792847: | start port: 0 (0x0) Aug 
26 13:09:56.792850: | end port: 65535 (0xffff) Aug 26 13:09:56.792853: | emitting 4 raw bytes of ipv4 start into IKEv2 Traffic Selector Aug 26 13:09:56.792856: | ipv4 start c0 00 03 00 Aug 26 13:09:56.792859: | emitting 4 raw bytes of ipv4 end into IKEv2 Traffic Selector Aug 26 13:09:56.792862: | ipv4 end c0 00 03 ff Aug 26 13:09:56.792865: | emitting length of IKEv2 Traffic Selector: 16 Aug 26 13:09:56.792867: | emitting length of IKEv2 Traffic Selector - Responder - Payload: 24 Aug 26 13:09:56.792871: | Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED Aug 26 13:09:56.792875: | integ=sha2_512: .key_size=64 encrypt=aes: .key_size=16 .salt_size=0 keymat_len=80 Aug 26 13:09:56.793199: | FOR_EACH_CONNECTION_... in ISAKMP_SA_established Aug 26 13:09:56.793209: | #2 spent 1.5 milliseconds Aug 26 13:09:56.793213: | install_ipsec_sa() for #5: inbound and outbound Aug 26 13:09:56.793216: | could_route called for north-eastnets/0x2 (kind=CK_PERMANENT) Aug 26 13:09:56.793219: | FOR_EACH_CONNECTION_... 
in route_owner Aug 26 13:09:56.793223: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 vs Aug 26 13:09:56.793226: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 Aug 26 13:09:56.793229: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 vs Aug 26 13:09:56.793232: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 Aug 26 13:09:56.793237: | route owner of "north-eastnets/0x2" unrouted: NULL; eroute owner: NULL Aug 26 13:09:56.793241: | looking for alg with encrypt: AES_CBC keylen: 128 integ: HMAC_SHA2_512_256 Aug 26 13:09:56.793245: | encrypt AES_CBC keylen=128 transid=12, key_size=16, encryptalg=12 Aug 26 13:09:56.793248: | st->st_esp.keymat_len=80 is encrypt_keymat_size=16 + integ_keymat_size=64 Aug 26 13:09:56.793253: | setting IPsec SA replay-window to 32 Aug 26 13:09:56.793256: | NIC esp-hw-offload not for connection 'north-eastnets/0x2' not available on interface eth1 Aug 26 13:09:56.793260: | netlink: enabling tunnel mode Aug 26 13:09:56.793263: | netlink: setting IPsec SA replay-window to 32 using old-style req Aug 26 13:09:56.793266: | netlink: esp-hw-offload not set for IPsec SA Aug 26 13:09:56.793352: | netlink response for Add SA esp.7d9f9faa@192.1.2.23 included non-error error Aug 26 13:09:56.793360: | set up outgoing SA, ref=0/0 Aug 26 13:09:56.793364: | looking for alg with encrypt: AES_CBC keylen: 128 integ: HMAC_SHA2_512_256 Aug 26 13:09:56.793367: | encrypt AES_CBC keylen=128 transid=12, key_size=16, encryptalg=12 Aug 26 13:09:56.793370: | st->st_esp.keymat_len=80 is encrypt_keymat_size=16 + integ_keymat_size=64 Aug 26 13:09:56.793375: | setting IPsec SA replay-window to 32 Aug 26 13:09:56.793378: | NIC esp-hw-offload not for connection 'north-eastnets/0x2' not available on interface eth1 Aug 26 13:09:56.793381: | netlink: enabling tunnel mode Aug 26 13:09:56.793384: | netlink: setting IPsec SA replay-window to 32 using old-style req Aug 26 13:09:56.793387: | netlink: esp-hw-offload not set for IPsec SA Aug 26 13:09:56.793434: | 
netlink response for Add SA esp.39ab502d@192.1.3.33 included non-error error Aug 26 13:09:56.793440: | priority calculation of connection "north-eastnets/0x2" is 0xfe7e7 Aug 26 13:09:56.793448: | add inbound eroute 192.0.22.0/24:0 --0-> 192.0.3.0/24:0 => tun.10000@192.1.3.33 (raw_eroute) Aug 26 13:09:56.793454: | IPsec Sa SPD priority set to 1042407 Aug 26 13:09:56.793500: | raw_eroute result=success Aug 26 13:09:56.793505: | set up incoming SA, ref=0/0 Aug 26 13:09:56.793509: | sr for #5: unrouted Aug 26 13:09:56.793512: | route_and_eroute() for proto 0, and source port 0 dest port 0 Aug 26 13:09:56.793515: | FOR_EACH_CONNECTION_... in route_owner Aug 26 13:09:56.793519: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 vs Aug 26 13:09:56.793522: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 Aug 26 13:09:56.793525: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 vs Aug 26 13:09:56.793528: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 Aug 26 13:09:56.793532: | route owner of "north-eastnets/0x2" unrouted: NULL; eroute owner: NULL Aug 26 13:09:56.793536: | route_and_eroute with c: north-eastnets/0x2 (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: #5 Aug 26 13:09:56.793539: | priority calculation of connection "north-eastnets/0x2" is 0xfe7e7 Aug 26 13:09:56.793547: | eroute_connection add eroute 192.0.3.0/24:0 --0-> 192.0.22.0/24:0 => tun.0@192.1.2.23 (raw_eroute) Aug 26 13:09:56.793550: | IPsec Sa SPD priority set to 1042407 Aug 26 13:09:56.793575: | raw_eroute result=success Aug 26 13:09:56.793579: | running updown command "ipsec _updown" for verb up Aug 26 13:09:56.793582: | command executing up-client Aug 26 13:09:56.793612: | executing up-client: PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets/0x2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.23' PLUTO_ME='192.1.3.33' PLUTO_MY_ID='@north' PLUTO_MY_CLIENT='192.0.3.0/24' PLUTO_MY_CLIENT_NET='192.0.3.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' 
PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID='@east' PLUTO_PEER_CLIENT='192.0.22.0/24' PLUTO_PEER_CLIENT_NET='192.0.22.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0 Aug 26 13:09:56.793615: | popen cmd is 1043 chars long Aug 26 13:09:56.793619: | cmd( 0):PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets/0x2': Aug 26 13:09:56.793622: | cmd( 80): PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.23' PLUTO_ME='192.1.3.33' PLUTO_: Aug 26 13:09:56.793625: | cmd( 160):MY_ID='@north' PLUTO_MY_CLIENT='192.0.3.0/24' PLUTO_MY_CLIENT_NET='192.0.3.0' PL: Aug 26 13:09:56.793628: | cmd( 240):UTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO: Aug 26 13:09:56.793631: | cmd( 320):_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID='@ea: Aug 26 13:09:56.793634: | cmd( 400):st' PLUTO_PEER_CLIENT='192.0.22.0/24' PLUTO_PEER_CLIENT_NET='192.0.22.0' PLUTO_P: Aug 26 13:09:56.793637: | cmd( 480):EER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUT: Aug 26 13:09:56.793639: | cmd( 560):O_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+EN: Aug 26 13:09:56.793642: | cmd( 640):CRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KI: Aug 26 13:09:56.793645: | cmd( 720):ND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISC: Aug 26 13:09:56.793648: | cmd( 800):O='0' 
PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUT: Aug 26 13:09:56.793651: | cmd( 880):O_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_R: Aug 26 13:09:56.793654: | cmd( 960):OUTING='no' VTI_SHARED='no' SPI_IN=0x7d9f9faa SPI_OUT=0x39ab502d ipsec _updown 2: Aug 26 13:09:56.793656: | cmd(1040):>&1: Aug 26 13:09:56.806463: | route_and_eroute: firewall_notified: true Aug 26 13:09:56.806481: | running updown command "ipsec _updown" for verb prepare Aug 26 13:09:56.806485: | command executing prepare-client Aug 26 13:09:56.806519: | executing prepare-client: PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets/0x2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.23' PLUTO_ME='192.1.3.33' PLUTO_MY_ID='@north' PLUTO_MY_CLIENT='192.0.3.0/24' PLUTO_MY_CLIENT_NET='192.0.3.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID='@east' PLUTO_PEER_CLIENT='192.0.22.0/24' PLUTO_PEER_CLIENT_NET='192.0.22.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no Aug 26 13:09:56.806523: | popen cmd is 1048 chars long Aug 26 13:09:56.806526: | cmd( 0):PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets: Aug 26 13:09:56.806529: | cmd( 80):/0x2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.23' PLUTO_ME='192.1.3.33' P: Aug 26 13:09:56.806532: | cmd( 160):LUTO_MY_ID='@north' PLUTO_MY_CLIENT='192.0.3.0/24' 
PLUTO_MY_CLIENT_NET='192.0.3.: Aug 26 13:09:56.806535: | cmd( 240):0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' : Aug 26 13:09:56.806538: | cmd( 320):PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID: Aug 26 13:09:56.806541: | cmd( 400):='@east' PLUTO_PEER_CLIENT='192.0.22.0/24' PLUTO_PEER_CLIENT_NET='192.0.22.0' PL: Aug 26 13:09:56.806543: | cmd( 480):UTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0': Aug 26 13:09:56.806546: | cmd( 560): PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSAS: Aug 26 13:09:56.806549: | cmd( 640):IG+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CO: Aug 26 13:09:56.806552: | cmd( 720):NN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER: Aug 26 13:09:56.806555: | cmd( 800):_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='': Aug 26 13:09:56.806558: | cmd( 880): PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' : Aug 26 13:09:56.806561: | cmd( 960):VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x7d9f9faa SPI_OUT=0x39ab502d ipsec _upd: Aug 26 13:09:56.806563: | cmd(1040):own 2>&1: Aug 26 13:09:56.818277: | running updown command "ipsec _updown" for verb route Aug 26 13:09:56.818297: | command executing route-client Aug 26 13:09:56.818332: | executing route-client: PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets/0x2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.23' PLUTO_ME='192.1.3.33' PLUTO_MY_ID='@north' PLUTO_MY_CLIENT='192.0.3.0/24' PLUTO_MY_CLIENT_NET='192.0.3.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID='@east' PLUTO_PEER_CLIENT='192.0.22.0/24' PLUTO_PEER_CLIENT_NET='192.0.22.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' 
PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SP Aug 26 13:09:56.818336: | popen cmd is 1046 chars long Aug 26 13:09:56.818343: | cmd( 0):PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets/0: Aug 26 13:09:56.818346: | cmd( 80):x2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.23' PLUTO_ME='192.1.3.33' PLU: Aug 26 13:09:56.818349: | cmd( 160):TO_MY_ID='@north' PLUTO_MY_CLIENT='192.0.3.0/24' PLUTO_MY_CLIENT_NET='192.0.3.0': Aug 26 13:09:56.818351: | cmd( 240): PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PL: Aug 26 13:09:56.818354: | cmd( 320):UTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID=': Aug 26 13:09:56.818357: | cmd( 400):@east' PLUTO_PEER_CLIENT='192.0.22.0/24' PLUTO_PEER_CLIENT_NET='192.0.22.0' PLUT: Aug 26 13:09:56.818360: | cmd( 480):O_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' P: Aug 26 13:09:56.818362: | cmd( 560):LUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG: Aug 26 13:09:56.818365: | cmd( 640):+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN: Aug 26 13:09:56.818368: | cmd( 720):_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_C: Aug 26 13:09:56.818371: | cmd( 800):ISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' P: Aug 26 13:09:56.818373: | cmd( 880):LUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VT: Aug 26 13:09:56.818376: | cmd( 960):I_ROUTING='no' VTI_SHARED='no' 
SPI_IN=0x7d9f9faa SPI_OUT=0x39ab502d ipsec _updow: Aug 26 13:09:56.818379: | cmd(1040):n 2>&1: Aug 26 13:09:56.834000: | route_and_eroute: instance "north-eastnets/0x2", setting eroute_owner {spd=0x55fb0637f470,sr=0x55fb0637f470} to #5 (was #0) (newest_ipsec_sa=#0) Aug 26 13:09:56.834107: | #2 spent 1.91 milliseconds in install_ipsec_sa() Aug 26 13:09:56.834116: | ISAKMP_v2_IKE_AUTH: instance north-eastnets/0x2[0], setting IKEv2 newest_ipsec_sa to #5 (was #0) (spd.eroute=#5) cloned from #2 Aug 26 13:09:56.834121: | adding 13 bytes of padding (including 1 byte padding-length) Aug 26 13:09:56.834125: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:09:56.834130: | emitting 1 0x01 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:09:56.834134: | emitting 1 0x02 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:09:56.834137: | emitting 1 0x03 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:09:56.834141: | emitting 1 0x04 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:09:56.834144: | emitting 1 0x05 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:09:56.834147: | emitting 1 0x06 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:09:56.834151: | emitting 1 0x07 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:09:56.834154: | emitting 1 0x08 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:09:56.834157: | emitting 1 0x09 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:09:56.834160: | emitting 1 0x0a repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:09:56.834164: | emitting 1 0x0b repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:09:56.834167: | emitting 1 0x0c repeated bytes of padding and length into IKEv2 Encryption Payload 
Aug 26 13:09:56.834171: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Aug 26 13:09:56.834174: | emitting length of IKEv2 Encryption Payload: 436 Aug 26 13:09:56.834177: | emitting length of ISAKMP Message: 464
Aug 26 13:09:56.834348: | out calculated auth: Aug 26 13:09:56.834351: | 90 db c6 8a 4d 83 ab f5 24 80 d3 fc 7a 7b e0 fc Aug 26 13:09:56.834360: | ikev2_parent_inI2outR2_continue_tail returned STF_OK Aug 26 13:09:56.834367: | #2 spent 9.27 milliseconds in processing: Responder: process IKE_AUTH request in ikev2_process_state_packet() Aug 26 13:09:56.834377: | suspend processing: state #2 connection "north-eastnets/0x2" from 192.1.2.23:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:09:56.834385: | start processing: state #5 connection "north-eastnets/0x2" from 192.1.2.23:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:09:56.834390: | #5 complete_v2_state_transition() md.from_state=PARENT_R1 md.svm.state[from]=PARENT_R1 UNDEFINED->V2_IPSEC_R with status STF_OK Aug 26 13:09:56.834394: | IKEv2: transition from state STATE_PARENT_R1 to state STATE_V2_IPSEC_R Aug 26 13:09:56.834398: | child state #5: UNDEFINED(ignore) => V2_IPSEC_R(established CHILD SA) Aug 26 13:09:56.834403: | Message ID: updating counters for #5 to 1 after switching state Aug 26 13:09:56.834410: | Message ID: recv #2.#5 request 1; ike: initiator.sent=-1
initiator.recv=-1 responder.sent=0 responder.recv=0->1; child: wip.initiator=-1 wip.responder=1->-1 Aug 26 13:09:56.834415: | Message ID: sent #2.#5 response 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0->1 responder.recv=1; child: wip.initiator=-1 wip.responder=-1 Aug 26 13:09:56.834419: | pstats #5 ikev2.child established Aug 26 13:09:56.834430: "north-eastnets/0x2" #5: negotiated connection [192.0.3.0-192.0.3.255:0-65535 0] -> [192.0.22.0-192.0.22.255:0-65535 0] Aug 26 13:09:56.834435: | NAT-T: encaps is 'auto' Aug 26 13:09:56.834440: "north-eastnets/0x2" #5: STATE_V2_IPSEC_R: IPsec SA established tunnel mode {ESP=>0x7d9f9faa <0x39ab502d xfrm=AES_CBC_128-HMAC_SHA2_512_256 NATOA=none NATD=none DPD=passive} Aug 26 13:09:56.834449: | sending V2 new request packet to 192.1.2.23:500 (from 192.1.3.33:500) Aug 26 13:09:56.834458: | sending 464 bytes for STATE_PARENT_R1 through eth1 from 192.1.3.33:500 to 192.1.2.23:500 (using #2)
Aug 26 13:09:56.836918: | releasing whack for #5 (sock=fd@-1) Aug 26 13:09:56.836931: | releasing whack and unpending for parent #2 Aug 26 13:09:56.836935: | unpending state #2 connection "north-eastnets/0x2" Aug 26 13:09:56.836941: | #5 will start re-keying in 28530 seconds with margin of 270 seconds (attempting re-key) Aug 26 13:09:56.836945: | event_schedule: new EVENT_SA_REKEY-pe@0x55fb0638ae20 Aug 26 13:09:56.836950: | inserting event EVENT_SA_REKEY, timeout in 28530 seconds for #5 Aug 26 13:09:56.836954: | libevent_malloc: new ptr-libevent@0x55fb0639a310 size 128 Aug 26 13:09:56.836967: | resume sending helper answer for #2 suppresed complete_v2_state_transition() Aug 26 13:09:56.836975: | #2 spent 9.8 milliseconds in resume sending helper answer Aug 26 13:09:56.836982: | stop processing: state #5 connection "north-eastnets/0x2" from 192.1.2.23:500 (in resume_handler() at
server.c:833) Aug 26 13:09:56.836988: | libevent_free: release ptr-libevent@0x7feddc003060 Aug 26 13:09:56.837006: | processing signal PLUTO_SIGCHLD Aug 26 13:09:56.837013: | waitpid returned ECHILD (no child processes left) Aug 26 13:09:56.837018: | spent 0.00625 milliseconds in signal handler PLUTO_SIGCHLD Aug 26 13:09:56.837022: | processing signal PLUTO_SIGCHLD Aug 26 13:09:56.837026: | waitpid returned ECHILD (no child processes left) Aug 26 13:09:56.837030: | spent 0.00407 milliseconds in signal handler PLUTO_SIGCHLD Aug 26 13:09:56.837036: | processing signal PLUTO_SIGCHLD Aug 26 13:09:56.837040: | waitpid returned ECHILD (no child processes left) Aug 26 13:09:56.837044: | spent 0.00394 milliseconds in signal handler PLUTO_SIGCHLD Aug 26 13:09:56.862502: | spent 0.00265 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Aug 26 13:09:56.862525: | *received 608 bytes from 192.1.2.23:500 on eth1 (192.1.3.33:500)
Aug 26 13:09:56.862636: | start processing: from 192.1.2.23:500 (in process_md() at demux.c:378) Aug 26 13:09:56.862641: | **parse ISAKMP Message: Aug 26 13:09:56.862644: | initiator cookie: Aug 26 13:09:56.862647: | a9 6d 2c db
22 7f 10 cd Aug 26 13:09:56.862650: | responder cookie: Aug 26 13:09:56.862652: | a9 27 21 0d a1 26 af 75 Aug 26 13:09:56.862656: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Aug 26 13:09:56.862659: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:09:56.862662: | exchange type: ISAKMP_v2_CREATE_CHILD_SA (0x24) Aug 26 13:09:56.862667: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Aug 26 13:09:56.862671: | Message ID: 2 (0x2) Aug 26 13:09:56.862676: | length: 608 (0x260) Aug 26 13:09:56.862680: | processing version=2.0 packet with exchange type=ISAKMP_v2_CREATE_CHILD_SA (36) Aug 26 13:09:56.862684: | I am the IKE SA Original Responder receiving an IKEv2 CREATE_CHILD_SA request Aug 26 13:09:56.862689: | State DB: found IKEv2 state #2 in PARENT_R2 (find_v2_ike_sa) Aug 26 13:09:56.862696: | start processing: state #2 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ikev2_process_packet() at ikev2.c:2016) Aug 26 13:09:56.862700: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Aug 26 13:09:56.862705: | [RE]START processing: state #2 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ike_process_packet() at ikev2.c:2064) Aug 26 13:09:56.862709: | #2 st.st_msgid_lastrecv 1 md.hdr.isa_msgid 00000002 Aug 26 13:09:56.862713: | Message ID: #2 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1 Aug 26 13:09:56.862716: | unpacking clear payload Aug 26 13:09:56.862719: | Now let's proceed with payload (ISAKMP_NEXT_v2SK) Aug 26 13:09:56.862723: | ***parse IKEv2 Encryption Payload: Aug 26 13:09:56.862726: | next payload type: ISAKMP_NEXT_v2SA (0x21) Aug 26 13:09:56.862729: | flags: none (0x0) Aug 26 13:09:56.862732: | length: 580 (0x244) Aug 26 13:09:56.862735: | processing payload: ISAKMP_NEXT_v2SK (len=576) Aug 26 13:09:56.862740: | Message ID: start-responder #2 request 2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1 wip.initiator=-1 wip.responder=-1->2 Aug 
26 13:09:56.862743: | #2 in state PARENT_R2: received v2I2, PARENT SA established
Aug 26 13:09:56.862886: | calculated auth: 10 85 17 67 02 49 d4 74 f2 1f ae cd d5 a5 28 c9 Aug 26 13:09:56.862889: | provided auth: 10 85 17 67 02 49 d4 74 f2 1f ae cd d5 a5 28 c9 Aug 26 13:09:56.862891: | authenticator matched Aug 26 13:09:56.862904: | #2 ikev2 ISAKMP_v2_CREATE_CHILD_SA decrypt success Aug 26 13:09:56.862909: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Aug 26 13:09:56.862912: | **parse IKEv2 Security Association Payload: Aug 26 13:09:56.862915: | next payload type: ISAKMP_NEXT_v2Ni (0x28) Aug 26 13:09:56.862918: | flags: none (0x0) Aug 26 13:09:56.862921: | length: 52 (0x34) Aug 26
13:09:56.862924: | processing payload: ISAKMP_NEXT_v2SA (len=48) Aug 26 13:09:56.862927: | Now let's proceed with payload (ISAKMP_NEXT_v2Ni) Aug 26 13:09:56.862930: | **parse IKEv2 Nonce Payload: Aug 26 13:09:56.862932: | next payload type: ISAKMP_NEXT_v2KE (0x22) Aug 26 13:09:56.862935: | flags: none (0x0) Aug 26 13:09:56.862938: | length: 36 (0x24) Aug 26 13:09:56.862941: | processing payload: ISAKMP_NEXT_v2Ni (len=32) Aug 26 13:09:56.862943: | Now let's proceed with payload (ISAKMP_NEXT_v2KE) Aug 26 13:09:56.862946: | **parse IKEv2 Key Exchange Payload: Aug 26 13:09:56.862950: | next payload type: ISAKMP_NEXT_v2TSi (0x2c) Aug 26 13:09:56.862952: | flags: none (0x0) Aug 26 13:09:56.862955: | length: 392 (0x188) Aug 26 13:09:56.862958: | DH group: OAKLEY_GROUP_MODP3072 (0xf) Aug 26 13:09:56.862961: | processing payload: ISAKMP_NEXT_v2KE (len=384) Aug 26 13:09:56.862964: | Now let's proceed with payload (ISAKMP_NEXT_v2TSi) Aug 26 13:09:56.862967: | **parse IKEv2 Traffic Selector - Initiator - Payload: Aug 26 13:09:56.862970: | next payload type: ISAKMP_NEXT_v2TSr (0x2d) Aug 26 13:09:56.862973: | flags: none (0x0) Aug 26 13:09:56.862975: | length: 24 (0x18) Aug 26 13:09:56.862978: | number of TS: 1 (0x1) Aug 26 13:09:56.862981: | processing payload: ISAKMP_NEXT_v2TSi (len=16) Aug 26 13:09:56.862984: | Now let's proceed with payload (ISAKMP_NEXT_v2TSr) Aug 26 13:09:56.862987: | **parse IKEv2 Traffic Selector - Responder - Payload: Aug 26 13:09:56.862990: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:09:56.862993: | flags: none (0x0) Aug 26 13:09:56.862995: | length: 24 (0x18) Aug 26 13:09:56.862998: | number of TS: 1 (0x1) Aug 26 13:09:56.863001: | processing payload: ISAKMP_NEXT_v2TSr (len=16) Aug 26 13:09:56.863005: | state #2 forced to match CREATE_CHILD_SA from V2_CREATE_R->V2_IPSEC_R by ignoring from state Aug 26 13:09:56.863008: | selected state microcode Respond to CREATE_CHILD_SA IPsec SA Request Aug 26 13:09:56.863014: | #2 updating local interface 
from 192.1.3.33:500 to 192.1.3.33:500 using md->iface (in update_ike_endpoints() at state.c:2669) Aug 26 13:09:56.863019: | creating state object #6 at 0x55fb0639a4d0 Aug 26 13:09:56.863023: | State DB: adding IKEv2 state #6 in UNDEFINED Aug 26 13:09:56.863031: | pstats #6 ikev2.child started Aug 26 13:09:56.863035: | duplicating state object #2 "north-eastnets/0x2" as #6 for IPSEC SA Aug 26 13:09:56.863042: | #6 setting local endpoint to 192.1.3.33:500 from #2.st_localport (in duplicate_state() at state.c:1484) Aug 26 13:09:56.863055: | Message ID: init_child #2.#6; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1; child: wip.initiator=0->-1 wip.responder=0->-1 Aug 26 13:09:56.863059: | child state #6: UNDEFINED(ignore) => V2_CREATE_R(established IKE SA) Aug 26 13:09:56.863066: | "north-eastnets/0x2" #2 received Child SA Request CREATE_CHILD_SA from 192.1.2.23:500 Child "north-eastnets/0x2" #6 in STATE_V2_CREATE_R will process it further Aug 26 13:09:56.863071: | Message ID: switch-from #2 request 2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1 wip.initiator=-1 wip.responder=2->-1 Aug 26 13:09:56.863076: | Message ID: switch-to #2.#6 request 2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1; child: wip.initiator=-1 wip.responder=-1->2 Aug 26 13:09:56.863080: | forcing ST #2 to CHILD #2.#6 in FSM processor Aug 26 13:09:56.863082: | Now let's proceed with state specific processing Aug 26 13:09:56.863085: | calling processor Respond to CREATE_CHILD_SA IPsec SA Request Aug 26 13:09:56.863095: | using existing local ESP/AH proposals for north-eastnets/0x2 (CREATE_CHILD_SA responder matching remote ESP/AH proposals): 1:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;DH=MODP3072;ESN=DISABLED Aug 26 13:09:56.863099: | Comparing remote proposals against CREATE_CHILD_SA responder matching remote ESP/AH proposals 1 local proposals Aug 26 13:09:56.863103: | local proposal 1 type ENCR has 1 
transforms Aug 26 13:09:56.863107: | local proposal 1 type PRF has 0 transforms Aug 26 13:09:56.863110: | local proposal 1 type INTEG has 1 transforms Aug 26 13:09:56.863112: | local proposal 1 type DH has 1 transforms Aug 26 13:09:56.863115: | local proposal 1 type ESN has 1 transforms Aug 26 13:09:56.863119: | local proposal 1 transforms: required: ENCR+INTEG+DH+ESN; optional: none Aug 26 13:09:56.863123: | ***parse IKEv2 Proposal Substructure Payload: Aug 26 13:09:56.863126: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 13:09:56.863129: | length: 48 (0x30) Aug 26 13:09:56.863132: | prop #: 1 (0x1) Aug 26 13:09:56.863135: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 13:09:56.863137: | spi size: 4 (0x4) Aug 26 13:09:56.863140: | # transforms: 4 (0x4) Aug 26 13:09:56.863144: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Aug 26 13:09:56.863147: | remote SPI 6a b2 7b 1b Aug 26 13:09:56.863151: | Comparing remote proposal 1 containing 4 transforms against local proposal [1..1] of 1 local proposals Aug 26 13:09:56.863154: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:09:56.863157: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:09:56.863159: | length: 12 (0xc) Aug 26 13:09:56.863162: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:09:56.863165: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 13:09:56.863168: | *****parse IKEv2 Attribute Substructure Payload: Aug 26 13:09:56.863172: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:09:56.863174: | length/value: 128 (0x80) Aug 26 13:09:56.863179: | remote proposal 1 transform 0 (ENCR=AES_CBC_128) matches local proposal 1 type 1 (ENCR) transform 0 Aug 26 13:09:56.863183: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:09:56.863186: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:09:56.863189: | length: 8 (0x8) Aug 26 13:09:56.863191: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:09:56.863194: | IKEv2 transform ID: 
AUTH_HMAC_SHA2_512_256 (0xe) Aug 26 13:09:56.863198: | remote proposal 1 transform 1 (INTEG=HMAC_SHA2_512_256) matches local proposal 1 type 3 (INTEG) transform 0 Aug 26 13:09:56.863201: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:09:56.863204: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:09:56.863207: | length: 8 (0x8) Aug 26 13:09:56.863210: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:09:56.863213: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Aug 26 13:09:56.863219: | remote proposal 1 transform 2 (DH=MODP3072) matches local proposal 1 type 4 (DH) transform 0 Aug 26 13:09:56.863223: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:09:56.863226: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:09:56.863228: | length: 8 (0x8) Aug 26 13:09:56.863231: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 13:09:56.863234: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 13:09:56.863238: | remote proposal 1 transform 3 (ESN=DISABLED) matches local proposal 1 type 5 (ESN) transform 0 Aug 26 13:09:56.863242: | remote proposal 1 proposed transforms: ENCR+INTEG+DH+ESN; matched: ENCR+INTEG+DH+ESN; unmatched: none Aug 26 13:09:56.863248: | comparing remote proposal 1 containing ENCR+INTEG+DH+ESN transforms to local proposal 1; required: ENCR+INTEG+DH+ESN; optional: none; matched: ENCR+INTEG+DH+ESN Aug 26 13:09:56.863251: | remote proposal 1 matches local proposal 1 Aug 26 13:09:56.863258: "north-eastnets/0x2" #2: proposal 1:ESP:SPI=6ab27b1b;ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;DH=MODP3072;ESN=DISABLED chosen from remote proposals 1:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;DH=MODP3072;ESN=DISABLED[first-match] Aug 26 13:09:56.863264: | CREATE_CHILD_SA responder matching remote ESP/AH proposals ikev2_proposal: 1:ESP:SPI=6ab27b1b;ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;DH=MODP3072;ESN=DISABLED Aug 26 13:09:56.863268: | converting proposal to internal trans attrs Aug 26 13:09:56.863273: | updating #6's .st_oakley with 
preserved PRF, but why update? Aug 26 13:09:56.863279: | Child SA TS Request has child->sa == md->st; so using child connection Aug 26 13:09:56.863283: | TSi: parsing 1 traffic selectors Aug 26 13:09:56.863286: | ***parse IKEv2 Traffic Selector: Aug 26 13:09:56.863325: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 13:09:56.863329: | IP Protocol ID: 0 (0x0) Aug 26 13:09:56.863332: | length: 16 (0x10) Aug 26 13:09:56.863334: | start port: 0 (0x0) Aug 26 13:09:56.863337: | end port: 65535 (0xffff) Aug 26 13:09:56.863339: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Aug 26 13:09:56.863342: | TS low c0 00 02 00 Aug 26 13:09:56.863345: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Aug 26 13:09:56.863347: | TS high c0 00 02 ff Aug 26 13:09:56.863350: | TSi: parsed 1 traffic selectors Aug 26 13:09:56.863352: | TSr: parsing 1 traffic selectors Aug 26 13:09:56.863355: | ***parse IKEv2 Traffic Selector: Aug 26 13:09:56.863357: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 13:09:56.863360: | IP Protocol ID: 0 (0x0) Aug 26 13:09:56.863362: | length: 16 (0x10) Aug 26 13:09:56.863364: | start port: 0 (0x0) Aug 26 13:09:56.863367: | end port: 65535 (0xffff) Aug 26 13:09:56.863369: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Aug 26 13:09:56.863372: | TS low c0 00 03 00 Aug 26 13:09:56.863374: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Aug 26 13:09:56.863377: | TS high c0 00 03 ff Aug 26 13:09:56.863379: | TSr: parsed 1 traffic selectors Aug 26 13:09:56.863381: | looking for best SPD in current connection Aug 26 13:09:56.863387: | evaluating our conn="north-eastnets/0x2" I=192.0.22.0/24:0/0 R=192.0.3.0/24:0/0 to their: Aug 26 13:09:56.863393: | TSi[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 13:09:56.863399: | match address end->client=192.0.22.0/24 == TSi[0]net=192.0.2.0-192.0.2.255: NO Aug 26 13:09:56.863402: | looking for better host pair Aug 26 13:09:56.863407: | find_host_pair: 
comparing 192.1.3.33:500 to 192.1.2.23:500 but ignoring ports Aug 26 13:09:56.863412: | checking hostpair 192.0.3.0/24 -> 192.0.22.0/24 is found Aug 26 13:09:56.863415: | investigating connection "north-eastnets/0x2" as a better match Aug 26 13:09:56.863419: | match_id a=@east Aug 26 13:09:56.863421: | b=@east Aug 26 13:09:56.863424: | results matched Aug 26 13:09:56.863429: | evaluating our conn="north-eastnets/0x2" I=192.0.22.0/24:0/0 R=192.0.3.0/24:0/0 to their: Aug 26 13:09:56.863435: | TSi[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 13:09:56.863441: | match address end->client=192.0.22.0/24 == TSi[0]net=192.0.2.0-192.0.2.255: NO Aug 26 13:09:56.863444: | investigating connection "north-eastnets/0x1" as a better match Aug 26 13:09:56.863446: | match_id a=@east Aug 26 13:09:56.863449: | b=@east Aug 26 13:09:56.863451: | results matched Aug 26 13:09:56.863457: | evaluating our conn="north-eastnets/0x1" I=192.0.2.0/24:0/0 R=192.0.3.0/24:0/0 to their: Aug 26 13:09:56.863461: | TSi[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 13:09:56.863468: | match address end->client=192.0.2.0/24 == TSi[0]net=192.0.2.0-192.0.2.255: YES fitness 32 Aug 26 13:09:56.863472: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Aug 26 13:09:56.863475: | TSi[0] port match: YES fitness 65536 Aug 26 13:09:56.863478: | narrow protocol end=*0 == TSi[0]=*0: 0 Aug 26 13:09:56.863482: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Aug 26 13:09:56.863487: | TSr[0] .net=192.0.3.0-192.0.3.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 13:09:56.863493: | match address end->client=192.0.3.0/24 == TSr[0]net=192.0.3.0-192.0.3.255: YES fitness 32 Aug 26 13:09:56.863497: | narrow port end=0..65535 == TSr[0]=0..65535: 0 Aug 26 13:09:56.863500: | TSr[0] port match: YES fitness 65536 Aug 26 13:09:56.863503: | narrow protocol end=*0 == TSr[0]=*0: 0 Aug 26 13:09:56.863507: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES 
fitness 255 Aug 26 13:09:56.863509: | best fit so far: TSi[0] TSr[0] Aug 26 13:09:56.863513: | protocol fitness found better match d north-eastnets/0x1, TSi[0],TSr[0] Aug 26 13:09:56.863519: | in connection_discard for connection north-eastnets/0x2 Aug 26 13:09:56.863522: | printing contents struct traffic_selector Aug 26 13:09:56.863525: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Aug 26 13:09:56.863528: | ipprotoid: 0 Aug 26 13:09:56.863531: | port range: 0-65535 Aug 26 13:09:56.863535: | ip range: 192.0.3.0-192.0.3.255 Aug 26 13:09:56.863538: | printing contents struct traffic_selector Aug 26 13:09:56.863541: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Aug 26 13:09:56.863543: | ipprotoid: 0 Aug 26 13:09:56.863546: | port range: 0-65535 Aug 26 13:09:56.863550: | ip range: 192.0.2.0-192.0.2.255 Aug 26 13:09:56.863555: | adding Child Responder KE and nonce nr work-order 6 for state #6 Aug 26 13:09:56.863558: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55fb06386d40 Aug 26 13:09:56.863563: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #6 Aug 26 13:09:56.863567: | libevent_malloc: new ptr-libevent@0x7feddc003060 size 128 Aug 26 13:09:56.863579: | #6 spent 0.456 milliseconds in processing: Respond to CREATE_CHILD_SA IPsec SA Request in ikev2_process_state_packet() Aug 26 13:09:56.863587: | suspend processing: state #2 connection "north-eastnets/0x2" from 192.1.2.23:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:09:56.863592: | start processing: state #6 connection "north-eastnets/0x1" from 192.1.2.23:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:09:56.863596: | #6 complete_v2_state_transition() V2_CREATE_R->V2_IPSEC_R with status STF_SUSPEND Aug 26 13:09:56.863599: | suspending state #6 and saving MD Aug 26 13:09:56.863600: | crypto helper 5 resuming Aug 26 13:09:56.863619: | crypto helper 5 starting work-order 6 for state #6 Aug 26 13:09:56.863625: | crypto helper 5 doing build KE and nonce (Child Responder KE and nonce 
nr); request ID 6 Aug 26 13:09:56.863628: | crypto helper is pausing for 1 seconds Aug 26 13:09:56.863602: | #6 is busy; has a suspended MD Aug 26 13:09:56.863643: | [RE]START processing: state #6 connection "north-eastnets/0x1" from 192.1.2.23:500 (in log_stf_suspend() at ikev2.c:3269) Aug 26 13:09:56.863648: | "north-eastnets/0x1" #6 complete v2 state STATE_V2_CREATE_R transition with STF_SUSPEND suspended from complete_v2_state_transition:3451 Aug 26 13:09:56.863656: | stop processing: state #6 connection "north-eastnets/0x1" from 192.1.2.23:500 (in ikev2_process_packet() at ikev2.c:2018) Aug 26 13:09:56.863663: | #2 spent 1.09 milliseconds in ikev2_process_packet() Aug 26 13:09:56.863669: | stop processing: from 192.1.2.23:500 (in process_md() at demux.c:380) Aug 26 13:09:56.863673: | processing: STOP state #0 (in process_md() at demux.c:382) Aug 26 13:09:56.863676: | processing: STOP connection NULL (in process_md() at demux.c:383) Aug 26 13:09:56.863681: | spent 1.1 milliseconds in comm_handle_cb() reading and processing packet Aug 26 13:09:56.912939: | spent 0 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Aug 26 13:09:56.912964: | *received 608 bytes from 192.1.2.23:500 on eth1 (192.1.3.33:500)
Aug 26 13:09:56.913068: | start processing: from 192.1.2.23:500 (in process_md() at demux.c:378) Aug 26 13:09:56.913073: | **parse ISAKMP Message: Aug 26 13:09:56.913076: | initiator cookie: Aug 26 13:09:56.913079: | a9 6d 2c db 22 7f 10 cd Aug 26 13:09:56.913081: | responder cookie: Aug 26 13:09:56.913086: | a9 27 21 0d a1 26 af 75 Aug 26 13:09:56.913090: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Aug 26 13:09:56.913093: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:09:56.913096: | exchange type: ISAKMP_v2_CREATE_CHILD_SA (0x24) Aug 26 13:09:56.913099: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Aug 26 13:09:56.913102: | Message ID: 2 (0x2) Aug 26 13:09:56.913104: | length: 608 (0x260) Aug 26 13:09:56.913107: | processing version=2.0 packet with exchange type=ISAKMP_v2_CREATE_CHILD_SA (36) Aug 26 13:09:56.913111: | I am the IKE SA Original Responder receiving an IKEv2 CREATE_CHILD_SA request Aug 26 13:09:56.913116: | State DB: found IKEv2 state #2 in PARENT_R2 (find_v2_ike_sa) Aug 26 13:09:56.913122: | start processing: state #2 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ikev2_process_packet() at ikev2.c:2016) Aug 26 13:09:56.913126: | State DB: found IKEv2 state #6 in V2_CREATE_R (find_v2_sa_by_responder_wip) Aug 26 13:09:56.913131: | suspend processing: state #2 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ike_process_packet() at ikev2.c:2062) Aug 26 13:09:56.913136: | start processing: state #6 connection "north-eastnets/0x1" from 192.1.2.23:500 (in ike_process_packet() at ikev2.c:2062) Aug 26 13:09:56.913139: | #2 st.st_msgid_lastrecv 1 md.hdr.isa_msgid 00000002 Aug 26 13:09:56.913143: "north-eastnets/0x1" #6: discarding packet received during asynchronous work (DNS or crypto) in STATE_V2_CREATE_R Aug 26 13:09:56.913147: | stop processing: state #6 connection "north-eastnets/0x1" from 192.1.2.23:500 (in ikev2_process_packet() at ikev2.c:2018) Aug 26
13:09:56.913153: | #2 spent 0.201 milliseconds in ikev2_process_packet() Aug 26 13:09:56.913157: | stop processing: from 192.1.2.23:500 (in process_md() at demux.c:380) Aug 26 13:09:56.913160: | processing: STOP state #0 (in process_md() at demux.c:382) Aug 26 13:09:56.913164: | processing: STOP connection NULL (in process_md() at demux.c:383) Aug 26 13:09:56.913168: | spent 0.216 milliseconds in comm_handle_cb() reading and processing packet Aug 26 13:09:56.964328: | spent 0.00265 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Aug 26 13:09:56.964349: | *received 608 bytes from 192.1.2.23:500 on eth1 (192.1.3.33:500)
Aug 26 13:09:56.964463: | start processing: from 192.1.2.23:500 (in process_md() at demux.c:378) Aug 26 13:09:56.964468: | **parse ISAKMP Message: Aug 26 13:09:56.964472: | initiator cookie: Aug 26 13:09:56.964475: | a9 6d 2c db 22 7f 10 cd Aug 26 13:09:56.964478: | responder cookie: Aug 26 13:09:56.964480: | a9 27 21 0d a1 26 af 75 Aug 26 13:09:56.964484: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Aug 26 13:09:56.964487: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:09:56.964490: | exchange
type: ISAKMP_v2_CREATE_CHILD_SA (0x24) Aug 26 13:09:56.964494: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Aug 26 13:09:56.964496: | Message ID: 2 (0x2) Aug 26 13:09:56.964499: | length: 608 (0x260) Aug 26 13:09:56.964503: | processing version=2.0 packet with exchange type=ISAKMP_v2_CREATE_CHILD_SA (36) Aug 26 13:09:56.964507: | I am the IKE SA Original Responder receiving an IKEv2 CREATE_CHILD_SA request Aug 26 13:09:56.964512: | State DB: found IKEv2 state #2 in PARENT_R2 (find_v2_ike_sa) Aug 26 13:09:56.964519: | start processing: state #2 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ikev2_process_packet() at ikev2.c:2016) Aug 26 13:09:56.964523: | State DB: found IKEv2 state #6 in V2_CREATE_R (find_v2_sa_by_responder_wip) Aug 26 13:09:56.964529: | suspend processing: state #2 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ike_process_packet() at ikev2.c:2062) Aug 26 13:09:56.964534: | start processing: state #6 connection "north-eastnets/0x1" from 192.1.2.23:500 (in ike_process_packet() at ikev2.c:2062) Aug 26 13:09:56.964538: | #2 st.st_msgid_lastrecv 1 md.hdr.isa_msgid 00000002 Aug 26 13:09:56.964542: "north-eastnets/0x1" #6: discarding packet received during asynchronous work (DNS or crypto) in STATE_V2_CREATE_R Aug 26 13:09:56.964547: | stop processing: state #6 connection "north-eastnets/0x1" from 192.1.2.23:500 (in ikev2_process_packet() at ikev2.c:2018) Aug 26 13:09:56.964553: | #2 spent 0.212 milliseconds in ikev2_process_packet() Aug 26 13:09:56.964558: | stop processing: from 192.1.2.23:500 (in process_md() at demux.c:380) Aug 26 13:09:56.964562: | processing: STOP state #0 (in process_md() at demux.c:382) Aug 26 13:09:56.964565: | processing: STOP connection NULL (in process_md() at demux.c:383) Aug 26 13:09:56.964570: | spent 0.229 milliseconds in comm_handle_cb() reading and processing packet Aug 26 13:09:57.064697: | spent 0.0028 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Aug 26 13:09:57.064720: | 
*received 608 bytes from 192.1.2.23:500 on eth1 (192.1.3.33:500)
Aug 26 13:09:57.064835: | start processing: from 192.1.2.23:500 (in process_md() at demux.c:378) Aug 26 13:09:57.064840: | **parse ISAKMP Message: Aug 26 13:09:57.064844: | initiator cookie: Aug 26 13:09:57.064847: | a9 6d 2c db 22 7f 10 cd Aug 26 13:09:57.064850: | responder cookie: Aug 26 13:09:57.064852: | a9 27 21 0d a1 26 af 75 Aug 26 13:09:57.064855: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Aug 26 13:09:57.064859: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:09:57.064862: | exchange type: ISAKMP_v2_CREATE_CHILD_SA (0x24) Aug 26 13:09:57.064865: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Aug 26 13:09:57.064868: | Message ID: 2 (0x2) Aug 26 13:09:57.064871: | length: 608 (0x260) Aug 26 13:09:57.064875: | processing version=2.0 packet with exchange type=ISAKMP_v2_CREATE_CHILD_SA (36) Aug 26 13:09:57.064879: | I am the IKE SA Original Responder receiving an IKEv2 CREATE_CHILD_SA request Aug 26 13:09:57.064884: | State DB: found IKEv2 state #2 in PARENT_R2 (find_v2_ike_sa) Aug 26 13:09:57.064892: | start processing: state #2 connection "north-eastnets/0x2" from
192.1.2.23:500 (in ikev2_process_packet() at ikev2.c:2016) Aug 26 13:09:57.064897: | State DB: found IKEv2 state #6 in V2_CREATE_R (find_v2_sa_by_responder_wip) Aug 26 13:09:57.064902: | suspend processing: state #2 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ike_process_packet() at ikev2.c:2062) Aug 26 13:09:57.064910: | start processing: state #6 connection "north-eastnets/0x1" from 192.1.2.23:500 (in ike_process_packet() at ikev2.c:2062) Aug 26 13:09:57.064913: | #2 st.st_msgid_lastrecv 1 md.hdr.isa_msgid 00000002 Aug 26 13:09:57.064918: "north-eastnets/0x1" #6: discarding packet received during asynchronous work (DNS or crypto) in STATE_V2_CREATE_R Aug 26 13:09:57.064923: | stop processing: state #6 connection "north-eastnets/0x1" from 192.1.2.23:500 (in ikev2_process_packet() at ikev2.c:2018) Aug 26 13:09:57.064929: | #2 spent 0.218 milliseconds in ikev2_process_packet() Aug 26 13:09:57.064934: | stop processing: from 192.1.2.23:500 (in process_md() at demux.c:380) Aug 26 13:09:57.064938: | processing: STOP state #0 (in process_md() at demux.c:382) Aug 26 13:09:57.064942: | processing: STOP connection NULL (in process_md() at demux.c:383) Aug 26 13:09:57.064946: | spent 0.236 milliseconds in comm_handle_cb() reading and processing packet Aug 26 13:09:57.266606: | spent 0.00288 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Aug 26 13:09:57.266891: | *received 608 bytes from 192.1.2.23:500 on eth1 (192.1.3.33:500)
Aug 26 13:09:57.267006: | start processing: from 192.1.2.23:500 (in process_md() at demux.c:378) Aug 26 13:09:57.267011: | **parse ISAKMP Message: Aug 26 13:09:57.267014: | initiator cookie: Aug 26 13:09:57.267017: | a9 6d 2c db 22 7f 10 cd Aug 26 13:09:57.267020: | responder cookie: Aug 26 13:09:57.267022: | a9 27 21 0d a1 26 af 75 Aug 26 13:09:57.267026: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Aug 26 13:09:57.267030: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:09:57.267033: | exchange type: ISAKMP_v2_CREATE_CHILD_SA (0x24) Aug 26 13:09:57.267036: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Aug 26 13:09:57.267039: | Message ID: 2 (0x2) Aug 26 13:09:57.267042: | length: 608 (0x260) Aug 26 13:09:57.267045: | processing version=2.0 packet with exchange type=ISAKMP_v2_CREATE_CHILD_SA (36) Aug 26 13:09:57.267049: | I am the IKE SA Original Responder receiving an IKEv2 CREATE_CHILD_SA request Aug 26 13:09:57.267054: | State DB: found IKEv2 state #2 in PARENT_R2 (find_v2_ike_sa) Aug 26 13:09:57.267061: | start processing: state #2 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ikev2_process_packet() at ikev2.c:2016) Aug 26 13:09:57.267066: | State DB: found IKEv2 state #6 in V2_CREATE_R (find_v2_sa_by_responder_wip) Aug 26 13:09:57.267072: | suspend processing: state #2 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ike_process_packet() at ikev2.c:2062) Aug 26 13:09:57.267077: | start processing: state #6 connection "north-eastnets/0x1" from 192.1.2.23:500 (in ike_process_packet() at ikev2.c:2062) Aug 26 13:09:57.267080: | #2 st.st_msgid_lastrecv 1 md.hdr.isa_msgid 00000002 Aug 26 13:09:57.267084: "north-eastnets/0x1" #6: discarding packet
received during asynchronous work (DNS or crypto) in STATE_V2_CREATE_R Aug 26 13:09:57.267090: | stop processing: state #6 connection "north-eastnets/0x1" from 192.1.2.23:500 (in ikev2_process_packet() at ikev2.c:2018) Aug 26 13:09:57.267096: | #2 spent 0.477 milliseconds in ikev2_process_packet() Aug 26 13:09:57.267101: | stop processing: from 192.1.2.23:500 (in process_md() at demux.c:380) Aug 26 13:09:57.267105: | processing: STOP state #0 (in process_md() at demux.c:382) Aug 26 13:09:57.267109: | processing: STOP connection NULL (in process_md() at demux.c:383) Aug 26 13:09:57.267114: | spent 0.495 milliseconds in comm_handle_cb() reading and processing packet Aug 26 13:09:57.651824: | crypto helper 4 finished build KE and nonce (Child Initiator KE and nonce ni); request ID 5 time elapsed 1.002305 seconds Aug 26 13:09:57.651852: | (#4) spent 2.27 milliseconds in crypto helper computing work-order 5: Child Initiator KE and nonce ni (pcr) Aug 26 13:09:57.651858: | crypto helper 4 sending results from work-order 5 for state #4 to event queue Aug 26 13:09:57.651862: | scheduling resume sending helper answer for #4 Aug 26 13:09:57.651867: | libevent_malloc: new ptr-libevent@0x7fede0005780 size 128 Aug 26 13:09:57.651878: | crypto helper 4 waiting (nothing to do) Aug 26 13:09:57.651892: | processing resume sending helper answer for #4 Aug 26 13:09:57.651903: | start processing: state #4 connection "north-eastnets/0x2" from 192.1.2.23 (in resume_handler() at server.c:797) Aug 26 13:09:57.651908: | crypto helper 4 replies to request ID 5 Aug 26 13:09:57.651911: | calling continuation function 0x55fb048b9b50 Aug 26 13:09:57.651916: | ikev2_child_outI_continue for #4 STATE_V2_CREATE_I0 Aug 26 13:09:57.651920: | state #4 requesting EVENT_CRYPTO_TIMEOUT to be deleted Aug 26 13:09:57.651924: | libevent_free: release ptr-libevent@0x55fb0638e950 Aug 26 13:09:57.651927: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55fb0638d2a0 Aug 26 13:09:57.651931: | event_schedule: 
new EVENT_SA_REPLACE-pe@0x55fb0638d2a0 Aug 26 13:09:57.651936: | inserting event EVENT_SA_REPLACE, timeout in 200 seconds for #4 Aug 26 13:09:57.651939: | libevent_malloc: new ptr-libevent@0x55fb0638e950 size 128 Aug 26 13:09:57.651951: | Message ID: #1 wakeing IKE SA (unack 0); initiator.sent=1 initiator.recv=1 responder.sent=-1 responder.recv=-1 wip.initiator=-1 wip.responder=-1 Aug 26 13:09:57.651955: | scheduling callback v2_msgid_schedule_next_initiator (#1) Aug 26 13:09:57.651959: | libevent_malloc: new ptr-libevent@0x55fb0639a3a0 size 128 Aug 26 13:09:57.651965: | [RE]START processing: state #4 connection "north-eastnets/0x2" from 192.1.2.23 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:09:57.651969: | #4 complete_v2_state_transition() V2_CREATE_I0->V2_CREATE_I with status STF_SUSPEND Aug 26 13:09:57.651973: | suspending state #4 and saving MD Aug 26 13:09:57.651976: | #4 is busy; has a suspended MD Aug 26 13:09:57.651981: | [RE]START processing: state #4 connection "north-eastnets/0x2" from 192.1.2.23 (in log_stf_suspend() at ikev2.c:3269) Aug 26 13:09:57.651985: | "north-eastnets/0x2" #4 complete v2 state STATE_V2_CREATE_I0 transition with STF_SUSPEND suspended from complete_v2_state_transition:3451 Aug 26 13:09:57.651990: | resume sending helper answer for #4 suppresed complete_v2_state_transition() Aug 26 13:09:57.651996: | #4 spent 0.0866 milliseconds in resume sending helper answer Aug 26 13:09:57.652001: | stop processing: state #4 connection "north-eastnets/0x2" from 192.1.2.23 (in resume_handler() at server.c:833) Aug 26 13:09:57.652005: | libevent_free: release ptr-libevent@0x7fede0005780 Aug 26 13:09:57.652011: | processing callback v2_msgid_schedule_next_initiator for #1 Aug 26 13:09:57.652016: | start processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23 (in callback_handler() at server.c:904) Aug 26 13:09:57.652023: | Message ID: #1.#4 resuming SA using IKE SA (unack 0); initiator.sent=1 initiator.recv=1 
responder.sent=-1 responder.recv=-1 wip.initiator=-1 wip.responder=-1 Aug 26 13:09:57.652029: | suspend processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23 (in initiate_next() at ikev2_msgid.c:553) Aug 26 13:09:57.652033: | start processing: state #4 connection "north-eastnets/0x2" from 192.1.2.23 (in initiate_next() at ikev2_msgid.c:553) Aug 26 13:09:57.652057: | **emit ISAKMP Message: Aug 26 13:09:57.652062: | initiator cookie: Aug 26 13:09:57.652065: | f4 b6 d6 b1 3a 28 54 37 Aug 26 13:09:57.652068: | responder cookie: Aug 26 13:09:57.652071: | ed ec 45 23 73 d7 1a d3 Aug 26 13:09:57.652074: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 13:09:57.652077: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:09:57.652081: | exchange type: ISAKMP_v2_CREATE_CHILD_SA (0x24) Aug 26 13:09:57.652084: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Aug 26 13:09:57.652087: | Message ID: 2 (0x2) Aug 26 13:09:57.652091: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 13:09:57.652095: | ***emit IKEv2 Encryption Payload: Aug 26 13:09:57.652098: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:09:57.652101: | flags: none (0x0) Aug 26 13:09:57.652105: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Aug 26 13:09:57.652108: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'reply packet' Aug 26 13:09:57.652112: | emitting 16 zero bytes of IV into IKEv2 Encryption Payload Aug 26 13:09:57.652135: | netlink_get_spi: allocated 0x49dd5118 for esp.0@192.1.3.33 Aug 26 13:09:57.652139: | Emitting ikev2_proposals ... 
Aug 26 13:09:57.652143: | ****emit IKEv2 Security Association Payload: Aug 26 13:09:57.652146: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:09:57.652149: | flags: none (0x0) Aug 26 13:09:57.652153: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Aug 26 13:09:57.652156: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Aug 26 13:09:57.652160: | *****emit IKEv2 Proposal Substructure Payload: Aug 26 13:09:57.652165: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 13:09:57.652169: | prop #: 1 (0x1) Aug 26 13:09:57.652172: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 13:09:57.652174: | spi size: 4 (0x4) Aug 26 13:09:57.652177: | # transforms: 4 (0x4) Aug 26 13:09:57.652180: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Aug 26 13:09:57.652184: | emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload Aug 26 13:09:57.652188: | our spi 49 dd 51 18 Aug 26 13:09:57.652191: | ******emit IKEv2 Transform Substructure Payload: Aug 26 13:09:57.652194: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:09:57.652197: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:09:57.652200: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 13:09:57.652203: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:09:57.652206: | *******emit IKEv2 Attribute Substructure Payload: Aug 26 13:09:57.652210: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:09:57.652213: | length/value: 128 (0x80) Aug 26 13:09:57.652216: | emitting length of IKEv2 Transform Substructure Payload: 12 Aug 26 13:09:57.652219: | ******emit IKEv2 Transform Substructure Payload: Aug 26 13:09:57.652222: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 
13:09:57.652224: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:09:57.652228: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Aug 26 13:09:57.652231: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:09:57.652235: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:09:57.652238: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:09:57.652241: | ******emit IKEv2 Transform Substructure Payload: Aug 26 13:09:57.652244: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:09:57.652246: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:09:57.652249: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Aug 26 13:09:57.652253: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:09:57.652256: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:09:57.652259: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:09:57.652262: | ******emit IKEv2 Transform Substructure Payload: Aug 26 13:09:57.652265: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:09:57.652268: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 13:09:57.652271: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 13:09:57.652274: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:09:57.652277: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:09:57.652280: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:09:57.652283: | emitting length 
of IKEv2 Proposal Substructure Payload: 48 Aug 26 13:09:57.652287: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Aug 26 13:09:57.652295: | emitting length of IKEv2 Security Association Payload: 52 Aug 26 13:09:57.652298: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Aug 26 13:09:57.652301: | ****emit IKEv2 Nonce Payload: Aug 26 13:09:57.652304: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:09:57.652309: | flags: none (0x0) Aug 26 13:09:57.652313: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Nonce Payload (40:ISAKMP_NEXT_v2Ni) Aug 26 13:09:57.652316: | next payload chain: saving location 'IKEv2 Nonce Payload'.'next payload type' in 'reply packet' Aug 26 13:09:57.652319: | emitting 32 raw bytes of IKEv2 nonce into IKEv2 Nonce Payload Aug 26 13:09:57.652323: | IKEv2 nonce 09 ba 26 42 c3 74 e3 c5 8b 48 64 40 bf 47 da 79 Aug 26 13:09:57.652325: | IKEv2 nonce 65 ab 68 a1 00 d5 af b4 bf 63 20 0a be 76 99 29 Aug 26 13:09:57.652328: | emitting length of IKEv2 Nonce Payload: 36 Aug 26 13:09:57.652331: | ****emit IKEv2 Key Exchange Payload: Aug 26 13:09:57.652334: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:09:57.652336: | flags: none (0x0) Aug 26 13:09:57.652339: | DH group: OAKLEY_GROUP_MODP3072 (0xf) Aug 26 13:09:57.652342: | next payload chain: setting previous 'IKEv2 Nonce Payload'.'next payload type' to current IKEv2 Key Exchange Payload (34:ISAKMP_NEXT_v2KE) Aug 26 13:09:57.652346: | next payload chain: saving location 'IKEv2 Key Exchange Payload'.'next payload type' in 'reply packet' Aug 26 13:09:57.652349: | emitting 384 raw bytes of ikev2 g^x into IKEv2 Key Exchange Payload
Aug 26 13:09:57.652417: | emitting length of IKEv2 Key Exchange Payload: 392 Aug 26 13:09:57.652420: | ****emit IKEv2 Traffic
Selector - Initiator - Payload: Aug 26 13:09:57.652423: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:09:57.652426: | flags: none (0x0) Aug 26 13:09:57.652429: | number of TS: 1 (0x1) Aug 26 13:09:57.652434: | next payload chain: setting previous 'IKEv2 Key Exchange Payload'.'next payload type' to current IKEv2 Traffic Selector - Initiator - Payload (44:ISAKMP_NEXT_v2TSi) Aug 26 13:09:57.652437: | next payload chain: saving location 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' in 'reply packet' Aug 26 13:09:57.652441: | *****emit IKEv2 Traffic Selector: Aug 26 13:09:57.652444: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 13:09:57.652447: | IP Protocol ID: 0 (0x0) Aug 26 13:09:57.652450: | start port: 0 (0x0) Aug 26 13:09:57.652452: | end port: 65535 (0xffff) Aug 26 13:09:57.652456: | emitting 4 raw bytes of ipv4 start into IKEv2 Traffic Selector Aug 26 13:09:57.652458: | ipv4 start c0 00 03 00 Aug 26 13:09:57.652461: | emitting 4 raw bytes of ipv4 end into IKEv2 Traffic Selector Aug 26 13:09:57.652463: | ipv4 end c0 00 03 ff Aug 26 13:09:57.652466: | emitting length of IKEv2 Traffic Selector: 16 Aug 26 13:09:57.652469: | emitting length of IKEv2 Traffic Selector - Initiator - Payload: 24 Aug 26 13:09:57.652471: | ****emit IKEv2 Traffic Selector - Responder - Payload: Aug 26 13:09:57.652474: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:09:57.652477: | flags: none (0x0) Aug 26 13:09:57.652479: | number of TS: 1 (0x1) Aug 26 13:09:57.652482: | next payload chain: setting previous 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' to current IKEv2 Traffic Selector - Responder - Payload (45:ISAKMP_NEXT_v2TSr) Aug 26 13:09:57.652485: | next payload chain: saving location 'IKEv2 Traffic Selector - Responder - Payload'.'next payload type' in 'reply packet' Aug 26 13:09:57.652487: | *****emit IKEv2 Traffic Selector: Aug 26 13:09:57.652489: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 13:09:57.652492: | IP 
Protocol ID: 0 (0x0) Aug 26 13:09:57.652494: | start port: 0 (0x0) Aug 26 13:09:57.652496: | end port: 65535 (0xffff) Aug 26 13:09:57.652499: | emitting 4 raw bytes of ipv4 start into IKEv2 Traffic Selector Aug 26 13:09:57.652501: | ipv4 start c0 00 16 00 Aug 26 13:09:57.652504: | emitting 4 raw bytes of ipv4 end into IKEv2 Traffic Selector Aug 26 13:09:57.652506: | ipv4 end c0 00 16 ff Aug 26 13:09:57.652508: | emitting length of IKEv2 Traffic Selector: 16 Aug 26 13:09:57.652511: | emitting length of IKEv2 Traffic Selector - Responder - Payload: 24 Aug 26 13:09:57.652513: | Initiator child policy is tunnel mode, NOT sending v2N_USE_TRANSPORT_MODE Aug 26 13:09:57.652516: | adding 16 bytes of padding (including 1 byte padding-length) Aug 26 13:09:57.652520: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:09:57.652523: | emitting 1 0x01 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:09:57.652526: | emitting 1 0x02 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:09:57.652529: | emitting 1 0x03 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:09:57.652532: | emitting 1 0x04 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:09:57.652535: | emitting 1 0x05 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:09:57.652537: | emitting 1 0x06 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:09:57.652540: | emitting 1 0x07 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:09:57.652543: | emitting 1 0x08 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:09:57.652546: | emitting 1 0x09 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:09:57.652549: | emitting 1 0x0a repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:09:57.652552: | emitting 1 0x0b repeated bytes 
of padding and length into IKEv2 Encryption Payload Aug 26 13:09:57.652555: | emitting 1 0x0c repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:09:57.652558: | emitting 1 0x0d repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:09:57.652560: | emitting 1 0x0e repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:09:57.652563: | emitting 1 0x0f repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:09:57.652566: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Aug 26 13:09:57.652571: | emitting length of IKEv2 Encryption Payload: 580 Aug 26 13:09:57.652573: | emitting length of ISAKMP Message: 608
Aug 26 13:09:57.652717: | out calculated auth: Aug 26 13:09:57.652720: | 00 19 cb ba fc ff e0 98 7a f6 b4 66 9b ad df f9 Aug 26 13:09:57.652727: | [RE]START processing: state #4 connection "north-eastnets/0x2" from 192.1.2.23 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:09:57.652731: | #4 complete_v2_state_transition() V2_CREATE_I0->V2_CREATE_I with status STF_OK Aug 26 13:09:57.652735: | IKEv2: transition from state STATE_V2_CREATE_I0 to state STATE_V2_CREATE_I Aug 26 13:09:57.652741: | child state #4: V2_CREATE_I0(established IKE SA) => V2_CREATE_I(established IKE SA) Aug 26 13:09:57.652745: | Message ID: updating counters for #4 to 4294967295 after switching state Aug 26 13:09:57.652748: | Message ID: IKE #1 skipping update_recv as MD is fake Aug 26 13:09:57.652753: | Message ID: sent #1.#4 request 2; ike: initiator.sent=1->2 initiator.recv=1 responder.sent=-1 responder.recv=-1; child: wip.initiator=-1->2 wip.responder=-1 Aug 26 13:09:57.652758: "north-eastnets/0x2" #4: STATE_V2_CREATE_I: sent IPsec Child req wait response Aug 26 13:09:57.652773: | sending V2 reply packet to 192.1.2.23:500 (from 192.1.3.33:500) Aug 26 13:09:57.652781: | sending 608 bytes for STATE_V2_CREATE_I0 through eth1 from 192.1.3.33:500 to 192.1.2.23:500 (using #1)
Aug 26 13:09:57.652893: | state #4 requesting EVENT_SA_REPLACE to be deleted Aug 26 13:09:57.652899: | libevent_free: release ptr-libevent@0x55fb0638e950 Aug 26 13:09:57.652902: | free_event_entry: release EVENT_SA_REPLACE-pe@0x55fb0638d2a0 Aug 26 13:09:57.652905: | success_v2_state_transition scheduling EVENT_RETRANSMIT of c->r_interval=50ms Aug 26 13:09:57.652914: | event_schedule: new EVENT_RETRANSMIT-pe@0x55fb0638d2a0 Aug 26 13:09:57.652919: | inserting event EVENT_RETRANSMIT, timeout in 0.05 seconds for #4 Aug 26 13:09:57.652922: | libevent_malloc: new ptr-libevent@0x55fb0638e950 size 128 Aug 26 13:09:57.652928: | #4 STATE_V2_CREATE_I: retransmits: first event in 0.05 seconds; timeout in 60 seconds; limit of 12 retransmits; current time is 10283.39538 Aug 26 13:09:57.652934: | stop processing: state #4 connection "north-eastnets/0x2" from 192.1.2.23 (in initiate_next() at ikev2_msgid.c:557) Aug 26 13:09:57.652940: | resume processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23 (in initiate_next() at ikev2_msgid.c:557) Aug 26 13:09:57.652946: | #1 spent 0.922 milliseconds in callback v2_msgid_schedule_next_initiator Aug 26 13:09:57.652951: | stop processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23 (in callback_handler() at server.c:908) Aug 26 13:09:57.652955: | libevent_free: release ptr-libevent@0x55fb0639a3a0 Aug 26 13:09:57.660917: | spent 0.00408 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Aug 26 13:09:57.660944: | *received 608 bytes from 192.1.2.23:500 on eth1 (192.1.3.33:500)
Aug 26 13:09:57.661038: | start processing: from 192.1.2.23:500 (in process_md() at demux.c:378) Aug 26 13:09:57.661041: | **parse ISAKMP Message: Aug 26 13:09:57.661043: | initiator cookie: Aug 26 13:09:57.661045: | f4 b6 d6 b1 3a 28 54 37 Aug 26 13:09:57.661047: | responder cookie: Aug 26 13:09:57.661048: | ed ec 45 23 73 d7 1a d3 Aug 26 13:09:57.661050: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Aug 26 13:09:57.661053: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:09:57.661054: | exchange type: ISAKMP_v2_CREATE_CHILD_SA (0x24) Aug 26 13:09:57.661056: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Aug 26 13:09:57.661058: | Message ID: 2 (0x2) Aug 26 13:09:57.661060: | length: 608 (0x260) Aug 26 13:09:57.661062: | processing version=2.0 packet with exchange type=ISAKMP_v2_CREATE_CHILD_SA (36) Aug 26 13:09:57.661065: | I am the IKE SA Original Initiator receiving an IKEv2 CREATE_CHILD_SA response Aug 26 13:09:57.661068: | State DB: found IKEv2 state #1 in PARENT_I3 (find_v2_ike_sa) Aug 26 13:09:57.661073: | start processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23 (in ikev2_process_packet() at ikev2.c:2016) Aug 26 13:09:57.661076: | State DB: found IKEv2 state #4 in V2_CREATE_I (find_v2_sa_by_initiator_wip) Aug 26 13:09:57.661079: | suspend processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23 (in ike_process_packet() at
ikev2.c:2062) Aug 26 13:09:57.661082: | start processing: state #4 connection "north-eastnets/0x2" from 192.1.2.23 (in ike_process_packet() at ikev2.c:2062) Aug 26 13:09:57.661084: | #4 is idle Aug 26 13:09:57.661085: | #4 idle Aug 26 13:09:57.661087: | unpacking clear payload Aug 26 13:09:57.661089: | Now let's proceed with payload (ISAKMP_NEXT_v2SK) Aug 26 13:09:57.661091: | ***parse IKEv2 Encryption Payload: Aug 26 13:09:57.661093: | next payload type: ISAKMP_NEXT_v2SA (0x21) Aug 26 13:09:57.661095: | flags: none (0x0) Aug 26 13:09:57.661097: | length: 580 (0x244) Aug 26 13:09:57.661099: | processing payload: ISAKMP_NEXT_v2SK (len=576) Aug 26 13:09:57.661101: | #4 in state V2_CREATE_I: sent IPsec Child req wait response
Aug 26 13:09:57.661217: | calculated auth: 71 58 dc 86 5f de ce 84 46 a0 2c 74 4a 35 91 3f Aug 26 13:09:57.661220: | provided auth: 71 58 dc 86 5f de ce 84 46 a0 2c 74 4a 35 91 3f Aug 26 13:09:57.661223: | authenticator matched Aug 26 13:09:57.661237: | #4 ikev2 ISAKMP_v2_CREATE_CHILD_SA decrypt success Aug 26 13:09:57.661240: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Aug 26 13:09:57.661244: | **parse IKEv2 Security Association Payload: Aug 26 13:09:57.661247: | next payload type: ISAKMP_NEXT_v2Ni (0x28) Aug 26 13:09:57.661249: | flags: none (0x0) Aug 26 13:09:57.661252: | length: 52 (0x34) Aug 26 13:09:57.661255: | processing payload: ISAKMP_NEXT_v2SA (len=48) Aug 26 13:09:57.661258: | Now let's proceed with payload (ISAKMP_NEXT_v2Ni) Aug 26 13:09:57.661260: | **parse IKEv2 Nonce Payload: Aug 26 13:09:57.661263: | next payload type: ISAKMP_NEXT_v2KE (0x22) Aug 26 13:09:57.661265: | flags: none (0x0) Aug 26 13:09:57.661267: | length: 36 (0x24) Aug 26 13:09:57.661270: | processing payload: ISAKMP_NEXT_v2Ni (len=32) Aug 26 13:09:57.661273: | Now let's proceed with payload (ISAKMP_NEXT_v2KE) Aug 26 13:09:57.661275: | **parse IKEv2 Key Exchange Payload: Aug 26 13:09:57.661278: | next payload type: ISAKMP_NEXT_v2TSi (0x2c) Aug 26 13:09:57.661280: | flags: none (0x0) Aug 26 13:09:57.661282: | length: 392 (0x188) Aug 26 13:09:57.661285: | DH group: OAKLEY_GROUP_MODP3072 (0xf) Aug 26 13:09:57.661287: | processing payload: ISAKMP_NEXT_v2KE (len=384) Aug 26 13:09:57.661303: | Now let's proceed with payload (ISAKMP_NEXT_v2TSi) Aug 26 13:09:57.661306: | **parse IKEv2 Traffic Selector - Initiator - Payload: Aug 26 13:09:57.661309: | next payload type: ISAKMP_NEXT_v2TSr (0x2d) Aug 26 13:09:57.661311: | flags: none (0x0) Aug 26 13:09:57.661314: | length: 24 (0x18) Aug 26 13:09:57.661317: | number of TS: 1 (0x1) Aug 26 13:09:57.661320: | processing payload: ISAKMP_NEXT_v2TSi (len=16) Aug 26 13:09:57.661323: | Now let's proceed
with payload (ISAKMP_NEXT_v2TSr) Aug 26 13:09:57.661326: | **parse IKEv2 Traffic Selector - Responder - Payload: Aug 26 13:09:57.661329: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:09:57.661331: | flags: none (0x0) Aug 26 13:09:57.661334: | length: 24 (0x18) Aug 26 13:09:57.661337: | number of TS: 1 (0x1) Aug 26 13:09:57.661339: | processing payload: ISAKMP_NEXT_v2TSr (len=16) Aug 26 13:09:57.661347: | selected state microcode Process CREATE_CHILD_SA IPsec SA Response Aug 26 13:09:57.661353: | #1 updating local interface from 192.1.3.33:500 to 192.1.3.33:500 using md->iface (in update_ike_endpoints() at state.c:2669) Aug 26 13:09:57.661357: | forcing ST #4 to CHILD #1.#4 in FSM processor Aug 26 13:09:57.661359: | Now let's proceed with state specific processing Aug 26 13:09:57.661362: | calling processor Process CREATE_CHILD_SA IPsec SA Response Aug 26 13:09:57.661372: | using existing local ESP/AH proposals for north-eastnets/0x2 (CREATE_CHILD_SA initiator accepting remote ESP/AH proposal): 1:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;DH=MODP3072;ESN=DISABLED Aug 26 13:09:57.661375: | Comparing remote proposals against CREATE_CHILD_SA initiator accepting remote ESP/AH proposal 1 local proposals Aug 26 13:09:57.661380: | local proposal 1 type ENCR has 1 transforms Aug 26 13:09:57.661382: | local proposal 1 type PRF has 0 transforms Aug 26 13:09:57.661385: | local proposal 1 type INTEG has 1 transforms Aug 26 13:09:57.661388: | local proposal 1 type DH has 1 transforms Aug 26 13:09:57.661390: | local proposal 1 type ESN has 1 transforms Aug 26 13:09:57.661393: | local proposal 1 transforms: required: ENCR+INTEG+DH+ESN; optional: none Aug 26 13:09:57.661396: | ***parse IKEv2 Proposal Substructure Payload: Aug 26 13:09:57.661399: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 13:09:57.661401: | length: 48 (0x30) Aug 26 13:09:57.661403: | prop #: 1 (0x1) Aug 26 13:09:57.661406: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 13:09:57.661408: | spi size: 4 
(0x4) Aug 26 13:09:57.661410: | # transforms: 4 (0x4) Aug 26 13:09:57.661413: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Aug 26 13:09:57.661415: | remote SPI df c4 d2 d5 Aug 26 13:09:57.661418: | Comparing remote proposal 1 containing 4 transforms against local proposal [1..1] of 1 local proposals Aug 26 13:09:57.661421: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:09:57.661423: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:09:57.661426: | length: 12 (0xc) Aug 26 13:09:57.661428: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:09:57.661430: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 13:09:57.661433: | *****parse IKEv2 Attribute Substructure Payload: Aug 26 13:09:57.661435: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:09:57.661438: | length/value: 128 (0x80) Aug 26 13:09:57.661442: | remote proposal 1 transform 0 (ENCR=AES_CBC_128) matches local proposal 1 type 1 (ENCR) transform 0 Aug 26 13:09:57.661444: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:09:57.661446: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:09:57.661448: | length: 8 (0x8) Aug 26 13:09:57.661451: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:09:57.661453: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Aug 26 13:09:57.661456: | remote proposal 1 transform 1 (INTEG=HMAC_SHA2_512_256) matches local proposal 1 type 3 (INTEG) transform 0 Aug 26 13:09:57.661459: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:09:57.661461: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:09:57.661463: | length: 8 (0x8) Aug 26 13:09:57.661466: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:09:57.661468: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Aug 26 13:09:57.661471: | remote proposal 1 transform 2 (DH=MODP3072) matches local proposal 1 type 4 (DH) transform 0 Aug 26 13:09:57.661473: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:09:57.661476: | last transform: 
v2_TRANSFORM_LAST (0x0) Aug 26 13:09:57.661478: | length: 8 (0x8) Aug 26 13:09:57.661480: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 13:09:57.661482: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 13:09:57.661485: | remote proposal 1 transform 3 (ESN=DISABLED) matches local proposal 1 type 5 (ESN) transform 0 Aug 26 13:09:57.661489: | remote proposal 1 proposed transforms: ENCR+INTEG+DH+ESN; matched: ENCR+INTEG+DH+ESN; unmatched: none Aug 26 13:09:57.661495: | comparing remote proposal 1 containing ENCR+INTEG+DH+ESN transforms to local proposal 1; required: ENCR+INTEG+DH+ESN; optional: none; matched: ENCR+INTEG+DH+ESN Aug 26 13:09:57.661498: | remote proposal 1 matches local proposal 1 Aug 26 13:09:57.661500: | remote accepted the proposal 1:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;DH=MODP3072;ESN=DISABLED[first-match] Aug 26 13:09:57.661505: | CREATE_CHILD_SA initiator accepting remote ESP/AH proposal ikev2_proposal: 1:ESP:SPI=dfc4d2d5;ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;DH=MODP3072;ESN=DISABLED Aug 26 13:09:57.661508: | converting proposal to internal trans attrs Aug 26 13:09:57.661513: | updating #4's .st_oakley with preserved PRF, but why update? 
Aug 26 13:09:57.661519: | adding ikev2 Child SA initiator pfs=yes work-order 7 for state #4 Aug 26 13:09:57.661522: | state #4 requesting EVENT_RETRANSMIT to be deleted Aug 26 13:09:57.661525: | #4 STATE_V2_CREATE_I: retransmits: cleared Aug 26 13:09:57.661530: | libevent_free: release ptr-libevent@0x55fb0638e950 Aug 26 13:09:57.661532: | free_event_entry: release EVENT_RETRANSMIT-pe@0x55fb0638d2a0 Aug 26 13:09:57.661535: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55fb0638d2a0 Aug 26 13:09:57.661539: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #4 Aug 26 13:09:57.661542: | libevent_malloc: new ptr-libevent@0x55fb0638e950 size 128 Aug 26 13:09:57.661559: | crypto helper 6 resuming Aug 26 13:09:57.661564: | crypto helper 6 starting work-order 7 for state #4 Aug 26 13:09:57.661568: | crypto helper 6 doing crypto (ikev2 Child SA initiator pfs=yes); request ID 7 Aug 26 13:09:57.661571: | crypto helper is pausing for 1 seconds Aug 26 13:09:57.661578: | #4 spent 0.186 milliseconds in processing: Process CREATE_CHILD_SA IPsec SA Response in ikev2_process_state_packet() Aug 26 13:09:57.661584: | [RE]START processing: state #4 connection "north-eastnets/0x2" from 192.1.2.23 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:09:57.661587: | #4 complete_v2_state_transition() V2_CREATE_I->V2_IPSEC_I with status STF_SUSPEND Aug 26 13:09:57.661590: | suspending state #4 and saving MD Aug 26 13:09:57.661592: | #4 is busy; has a suspended MD Aug 26 13:09:57.661596: | [RE]START processing: state #4 connection "north-eastnets/0x2" from 192.1.2.23 (in log_stf_suspend() at ikev2.c:3269) Aug 26 13:09:57.661599: | "north-eastnets/0x2" #4 complete v2 state STATE_V2_CREATE_I transition with STF_SUSPEND suspended from complete_v2_state_transition:3451 Aug 26 13:09:57.661603: | stop processing: state #4 connection "north-eastnets/0x2" from 192.1.2.23 (in ikev2_process_packet() at ikev2.c:2018) Aug 26 13:09:57.661607: | #1 spent 0.643 milliseconds in 
ikev2_process_packet() Aug 26 13:09:57.661611: | stop processing: from 192.1.2.23:500 (in process_md() at demux.c:380) Aug 26 13:09:57.661614: | processing: STOP state #0 (in process_md() at demux.c:382) Aug 26 13:09:57.661616: | processing: STOP connection NULL (in process_md() at demux.c:383) Aug 26 13:09:57.661620: | spent 0.656 milliseconds in comm_handle_cb() reading and processing packet Aug 26 13:09:57.669130: | spent 0.00303 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Aug 26 13:09:57.669156: | *received 608 bytes from 192.1.2.23:500 on eth1 (192.1.3.33:500)
Aug 26 13:09:57.669228: | start processing: from 192.1.2.23:500 (in process_md() at demux.c:378) Aug 26 13:09:57.669231: | **parse ISAKMP Message: Aug 26 13:09:57.669233: | initiator cookie: Aug 26 13:09:57.669235: | a9 6d 2c db 22 7f 10 cd Aug 26 13:09:57.669237: | responder cookie: Aug 26 13:09:57.669239: | a9 27 21 0d a1 26 af 75 Aug 26 13:09:57.669241: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Aug 26 13:09:57.669243: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:09:57.669245: | exchange type: ISAKMP_v2_CREATE_CHILD_SA (0x24) Aug 26 13:09:57.669247:
| flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Aug 26 13:09:57.669249: | Message ID: 2 (0x2) Aug 26 13:09:57.669251: | length: 608 (0x260) Aug 26 13:09:57.669253: | processing version=2.0 packet with exchange type=ISAKMP_v2_CREATE_CHILD_SA (36) Aug 26 13:09:57.669255: | I am the IKE SA Original Responder receiving an IKEv2 CREATE_CHILD_SA request Aug 26 13:09:57.669258: | State DB: found IKEv2 state #2 in PARENT_R2 (find_v2_ike_sa) Aug 26 13:09:57.669263: | start processing: state #2 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ikev2_process_packet() at ikev2.c:2016) Aug 26 13:09:57.669266: | State DB: found IKEv2 state #6 in V2_CREATE_R (find_v2_sa_by_responder_wip) Aug 26 13:09:57.669270: | suspend processing: state #2 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ike_process_packet() at ikev2.c:2062) Aug 26 13:09:57.669273: | start processing: state #6 connection "north-eastnets/0x1" from 192.1.2.23:500 (in ike_process_packet() at ikev2.c:2062) Aug 26 13:09:57.669275: | #2 st.st_msgid_lastrecv 1 md.hdr.isa_msgid 00000002 Aug 26 13:09:57.669277: "north-eastnets/0x1" #6: discarding packet received during asynchronous work (DNS or crypto) in STATE_V2_CREATE_R Aug 26 13:09:57.669282: | stop processing: state #6 connection "north-eastnets/0x1" from 192.1.2.23:500 (in ikev2_process_packet() at ikev2.c:2018) Aug 26 13:09:57.669286: | #2 spent 0.142 milliseconds in ikev2_process_packet() Aug 26 13:09:57.669293: | stop processing: from 192.1.2.23:500 (in process_md() at demux.c:380) Aug 26 13:09:57.669299: | processing: STOP state #0 (in process_md() at demux.c:382) Aug 26 13:09:57.669302: | processing: STOP connection NULL (in process_md() at demux.c:383) Aug 26 13:09:57.669306: | spent 0.16 milliseconds in comm_handle_cb() reading and processing packet Aug 26 13:09:57.865909: | crypto helper 5 finished build KE and nonce (Child Responder KE and nonce nr); request ID 6 time elapsed 1.002281 seconds Aug 26 13:09:57.865938: | (#6) spent 2.25 milliseconds in 
crypto helper computing work-order 6: Child Responder KE and nonce nr (pcr) Aug 26 13:09:57.865943: | crypto helper 5 sending results from work-order 6 for state #6 to event queue Aug 26 13:09:57.865947: | scheduling resume sending helper answer for #6 Aug 26 13:09:57.865952: | libevent_malloc: new ptr-libevent@0x7fedd4005780 size 128 Aug 26 13:09:57.865963: | crypto helper 5 waiting (nothing to do) Aug 26 13:09:57.865975: | processing resume sending helper answer for #6 Aug 26 13:09:57.865990: | start processing: state #6 connection "north-eastnets/0x1" from 192.1.2.23:500 (in resume_handler() at server.c:797) Aug 26 13:09:57.865996: | crypto helper 5 replies to request ID 6 Aug 26 13:09:57.866000: | calling continuation function 0x55fb048b9b50 Aug 26 13:09:57.866003: | ikev2_child_inIoutR_continue for #6 STATE_V2_CREATE_R Aug 26 13:09:57.866013: | adding DHv2 for child sa work-order 8 for state #6 Aug 26 13:09:57.866017: | state #6 requesting EVENT_CRYPTO_TIMEOUT to be deleted Aug 26 13:09:57.866022: | libevent_free: release ptr-libevent@0x7feddc003060 Aug 26 13:09:57.866025: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55fb06386d40 Aug 26 13:09:57.866029: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55fb06386d40 Aug 26 13:09:57.866033: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #6 Aug 26 13:09:57.866037: | libevent_malloc: new ptr-libevent@0x7feddc003060 size 128 Aug 26 13:09:57.866048: | [RE]START processing: state #6 connection "north-eastnets/0x1" from 192.1.2.23:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:09:57.866052: | crypto helper 0 resuming Aug 26 13:09:57.866053: | #6 complete_v2_state_transition() V2_CREATE_R->V2_IPSEC_R with status STF_SUSPEND Aug 26 13:09:57.866064: | crypto helper 0 starting work-order 8 for state #6 Aug 26 13:09:57.866070: | suspending state #6 and saving MD Aug 26 13:09:57.866078: | crypto helper 0 doing crypto (DHv2 for child sa); request ID 8 Aug 26 13:09:57.866084: | #6 
is busy; has a suspended MD Aug 26 13:09:57.866090: | crypto helper is pausing for 1 seconds Aug 26 13:09:57.866100: | [RE]START processing: state #6 connection "north-eastnets/0x1" from 192.1.2.23:500 (in log_stf_suspend() at ikev2.c:3269) Aug 26 13:09:57.866106: | "north-eastnets/0x1" #6 complete v2 state STATE_V2_CREATE_R transition with STF_SUSPEND suspended from complete_v2_state_transition:3451 Aug 26 13:09:57.866110: | resume sending helper answer for #6 suppresed complete_v2_state_transition() and stole MD Aug 26 13:09:57.866117: | #6 spent 0.111 milliseconds in resume sending helper answer Aug 26 13:09:57.866123: | stop processing: state #6 connection "north-eastnets/0x1" from 192.1.2.23:500 (in resume_handler() at server.c:833) Aug 26 13:09:57.866127: | libevent_free: release ptr-libevent@0x7fedd4005780 Aug 26 13:09:58.469537: | spent 0.00315 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Aug 26 13:09:58.469564: | *received 608 bytes from 192.1.2.23:500 on eth1 (192.1.3.33:500) Aug 26 13:09:58.469679: | start processing: from 192.1.2.23:500 (in process_md() at demux.c:378) Aug 26 13:09:58.469684: | **parse ISAKMP Message: Aug 26
13:09:58.469687: | initiator cookie: Aug 26 13:09:58.469690: | a9 6d 2c db 22 7f 10 cd Aug 26 13:09:58.469693: | responder cookie: Aug 26 13:09:58.469696: | a9 27 21 0d a1 26 af 75 Aug 26 13:09:58.469699: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Aug 26 13:09:58.469703: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:09:58.469706: | exchange type: ISAKMP_v2_CREATE_CHILD_SA (0x24) Aug 26 13:09:58.469709: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Aug 26 13:09:58.469712: | Message ID: 2 (0x2) Aug 26 13:09:58.469715: | length: 608 (0x260) Aug 26 13:09:58.469718: | processing version=2.0 packet with exchange type=ISAKMP_v2_CREATE_CHILD_SA (36) Aug 26 13:09:58.469722: | I am the IKE SA Original Responder receiving an IKEv2 CREATE_CHILD_SA request Aug 26 13:09:58.469727: | State DB: found IKEv2 state #2 in PARENT_R2 (find_v2_ike_sa) Aug 26 13:09:58.469735: | start processing: state #2 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ikev2_process_packet() at ikev2.c:2016) Aug 26 13:09:58.469739: | State DB: found IKEv2 state #6 in V2_CREATE_R (find_v2_sa_by_responder_wip) Aug 26 13:09:58.469745: | suspend processing: state #2 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ike_process_packet() at ikev2.c:2062) Aug 26 13:09:58.469752: | start processing: state #6 connection "north-eastnets/0x1" from 192.1.2.23:500 (in ike_process_packet() at ikev2.c:2062) Aug 26 13:09:58.469756: | #2 st.st_msgid_lastrecv 1 md.hdr.isa_msgid 00000002 Aug 26 13:09:58.469760: "north-eastnets/0x1" #6: discarding packet received during asynchronous work (DNS or crypto) in STATE_V2_CREATE_R Aug 26 13:09:58.469765: | stop processing: state #6 connection "north-eastnets/0x1" from 192.1.2.23:500 (in ikev2_process_packet() at ikev2.c:2018) Aug 26 13:09:58.469771: | #2 spent 0.217 milliseconds in ikev2_process_packet() Aug 26 13:09:58.469776: | stop processing: from 192.1.2.23:500 (in process_md() at demux.c:380) Aug 26 13:09:58.469781: | processing: STOP state #0 
(in process_md() at demux.c:382) Aug 26 13:09:58.469784: | processing: STOP connection NULL (in process_md() at demux.c:383) Aug 26 13:09:58.469789: | spent 0.235 milliseconds in comm_handle_cb() reading and processing packet Aug 26 13:09:58.663872: | crypto helper 6 finished crypto (ikev2 Child SA initiator pfs=yes); request ID 7 time elapsed 1.002301 seconds Aug 26 13:09:58.663900: | (#4) spent 2.27 milliseconds in crypto helper computing work-order 7: ikev2 Child SA initiator pfs=yes (dh) Aug 26 13:09:58.663906: | crypto helper 6 sending results from work-order 7 for state #4 to event queue Aug 26 13:09:58.663910: | scheduling resume sending helper answer for #4 Aug 26 13:09:58.663915: | libevent_malloc: new ptr-libevent@0x7fedd8001100 size 128 Aug 26 13:09:58.663927: | crypto helper 6 waiting (nothing to do) Aug 26 13:09:58.663939: | processing resume sending helper answer for #4 Aug 26 13:09:58.663954: | start processing: state #4 connection "north-eastnets/0x2" from 192.1.2.23 (in resume_handler() at server.c:797) Aug 26 13:09:58.663960: | crypto helper 6 replies to request ID 7 Aug 26 13:09:58.663964: | calling continuation function 0x55fb048ba9d0 Aug 26 13:09:58.663969: | ikev2_child_inR_continue for #4 STATE_V2_CREATE_I Aug 26 13:09:58.663973: | TSi: parsing 1 traffic selectors Aug 26 13:09:58.663977: | ***parse IKEv2 Traffic Selector: Aug 26 13:09:58.663981: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 13:09:58.663984: | IP Protocol ID: 0 (0x0) Aug 26 13:09:58.663987: | length: 16 (0x10) Aug 26 13:09:58.663990: | start port: 0 (0x0) Aug 26 13:09:58.663993: | end port: 65535 (0xffff) Aug 26 13:09:58.663997: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Aug 26 13:09:58.664000: | TS low c0 00 03 00 Aug 26 13:09:58.664003: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Aug 26 13:09:58.664006: | TS high c0 00 03 ff Aug 26 13:09:58.664009: | TSi: parsed 1 traffic selectors Aug 26 13:09:58.664012: | TSr: parsing 1 traffic 
selectors Aug 26 13:09:58.664015: | ***parse IKEv2 Traffic Selector: Aug 26 13:09:58.664018: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 13:09:58.664021: | IP Protocol ID: 0 (0x0) Aug 26 13:09:58.664023: | length: 16 (0x10) Aug 26 13:09:58.664026: | start port: 0 (0x0) Aug 26 13:09:58.664029: | end port: 65535 (0xffff) Aug 26 13:09:58.664032: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Aug 26 13:09:58.664034: | TS low c0 00 16 00 Aug 26 13:09:58.664037: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Aug 26 13:09:58.664040: | TS high c0 00 16 ff Aug 26 13:09:58.664043: | TSr: parsed 1 traffic selectors Aug 26 13:09:58.664050: | evaluating our conn="north-eastnets/0x2" I=192.0.3.0/24:0/0 R=192.0.22.0/24:0/0 to their: Aug 26 13:09:58.664056: | TSi[0] .net=192.0.3.0-192.0.3.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 13:09:58.664064: | match address end->client=192.0.3.0/24 == TSi[0]net=192.0.3.0-192.0.3.255: YES fitness 32 Aug 26 13:09:58.664069: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Aug 26 13:09:58.664072: | TSi[0] port match: YES fitness 65536 Aug 26 13:09:58.664075: | narrow protocol end=*0 == TSi[0]=*0: 0 Aug 26 13:09:58.664084: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Aug 26 13:09:58.664089: | TSr[0] .net=192.0.22.0-192.0.22.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 13:09:58.664096: | match address end->client=192.0.22.0/24 == TSr[0]net=192.0.22.0-192.0.22.255: YES fitness 32 Aug 26 13:09:58.664100: | narrow port end=0..65535 == TSr[0]=0..65535: 0 Aug 26 13:09:58.664103: | TSr[0] port match: YES fitness 65536 Aug 26 13:09:58.664106: | narrow protocol end=*0 == TSr[0]=*0: 0 Aug 26 13:09:58.664109: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Aug 26 13:09:58.664113: | best fit so far: TSi[0] TSr[0] Aug 26 13:09:58.664116: | found an acceptable TSi/TSr Traffic Selector Aug 26 13:09:58.664118: | printing contents struct traffic_selector Aug 26 13:09:58.664121: | 
ts_type: IKEv2_TS_IPV6_ADDR_RANGE Aug 26 13:09:58.664124: | ipprotoid: 0 Aug 26 13:09:58.664127: | port range: 0-65535 Aug 26 13:09:58.664131: | ip range: 192.0.3.0-192.0.3.255 Aug 26 13:09:58.664134: | printing contents struct traffic_selector Aug 26 13:09:58.664137: | ts_type: IKEv2_TS_IPV6_ADDR_RANGE Aug 26 13:09:58.664139: | ipprotoid: 0 Aug 26 13:09:58.664142: | port range: 0-65535 Aug 26 13:09:58.664146: | ip range: 192.0.22.0-192.0.22.255 Aug 26 13:09:58.664152: | integ=sha2_512: .key_size=64 encrypt=aes: .key_size=16 .salt_size=0 keymat_len=80 Aug 26 13:09:58.664530: | install_ipsec_sa() for #4: inbound and outbound Aug 26 13:09:58.664540: | could_route called for north-eastnets/0x2 (kind=CK_PERMANENT) Aug 26 13:09:58.664544: | FOR_EACH_CONNECTION_... in route_owner Aug 26 13:09:58.664548: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 vs Aug 26 13:09:58.664551: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 Aug 26 13:09:58.664554: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 vs Aug 26 13:09:58.664557: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 Aug 26 13:09:58.664563: | route owner of "north-eastnets/0x2" erouted: self; eroute owner: self Aug 26 13:09:58.664568: | looking for alg with encrypt: AES_CBC keylen: 128 integ: HMAC_SHA2_512_256 Aug 26 13:09:58.664572: | encrypt AES_CBC keylen=128 transid=12, key_size=16, encryptalg=12 Aug 26 13:09:58.664576: | st->st_esp.keymat_len=80 is encrypt_keymat_size=16 + integ_keymat_size=64 Aug 26 13:09:58.664581: | setting IPsec SA replay-window to 32 Aug 26 13:09:58.664585: | NIC esp-hw-offload not for connection 'north-eastnets/0x2' not available on interface eth1 Aug 26 13:09:58.664588: | netlink: enabling tunnel mode Aug 26 13:09:58.664592: | netlink: setting IPsec SA replay-window to 32 using old-style req Aug 26 13:09:58.664595: | netlink: esp-hw-offload not set for IPsec SA Aug 26 13:09:58.665065: | netlink response for Add SA esp.dfc4d2d5@192.1.2.23 included non-error error Aug 
26 13:09:58.665073: | set up outgoing SA, ref=0/0 Aug 26 13:09:58.665077: | looking for alg with encrypt: AES_CBC keylen: 128 integ: HMAC_SHA2_512_256 Aug 26 13:09:58.665080: | encrypt AES_CBC keylen=128 transid=12, key_size=16, encryptalg=12 Aug 26 13:09:58.665083: | st->st_esp.keymat_len=80 is encrypt_keymat_size=16 + integ_keymat_size=64 Aug 26 13:09:58.665088: | setting IPsec SA replay-window to 32 Aug 26 13:09:58.665091: | NIC esp-hw-offload not for connection 'north-eastnets/0x2' not available on interface eth1 Aug 26 13:09:58.665094: | netlink: enabling tunnel mode Aug 26 13:09:58.665098: | netlink: setting IPsec SA replay-window to 32 using old-style req Aug 26 13:09:58.665101: | netlink: esp-hw-offload not set for IPsec SA Aug 26 13:09:58.665149: | netlink response for Add SA esp.49dd5118@192.1.3.33 included non-error error Aug 26 13:09:58.665155: | set up incoming SA, ref=0/0 Aug 26 13:09:58.665158: | sr for #4: erouted Aug 26 13:09:58.665161: | route_and_eroute() for proto 0, and source port 0 dest port 0 Aug 26 13:09:58.665164: | FOR_EACH_CONNECTION_... 
in route_owner Aug 26 13:09:58.665168: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 vs Aug 26 13:09:58.665171: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 Aug 26 13:09:58.665180: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 vs Aug 26 13:09:58.665183: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 Aug 26 13:09:58.665188: | route owner of "north-eastnets/0x2" erouted: self; eroute owner: self Aug 26 13:09:58.665193: | route_and_eroute with c: north-eastnets/0x2 (next: none) ero:north-eastnets/0x2 esr:{(nil)} ro:north-eastnets/0x2 rosr:{(nil)} and state: #4 Aug 26 13:09:58.665197: | priority calculation of connection "north-eastnets/0x2" is 0xfe7e7 Aug 26 13:09:58.665206: | eroute_connection replace eroute 192.0.3.0/24:0 --0-> 192.0.22.0/24:0 => tun.0@192.1.2.23>tun.0@192.1.2.23 (raw_eroute) Aug 26 13:09:58.665211: | IPsec Sa SPD priority set to 1042407 Aug 26 13:09:58.665239: | raw_eroute result=success Aug 26 13:09:58.665244: | route_and_eroute: firewall_notified: true Aug 26 13:09:58.665249: | route_and_eroute: instance "north-eastnets/0x2", setting eroute_owner {spd=0x55fb0637f470,sr=0x55fb0637f470} to #4 (was #5) (newest_ipsec_sa=#5) Aug 26 13:09:58.665319: | #1 spent 0.78 milliseconds in install_ipsec_sa() Aug 26 13:09:58.665328: | inR2: instance north-eastnets/0x2[0], setting IKEv2 newest_ipsec_sa to #4 (was #5) (spd.eroute=#4) cloned from #1 Aug 26 13:09:58.665332: | state #4 requesting EVENT_CRYPTO_TIMEOUT to be deleted Aug 26 13:09:58.665337: | libevent_free: release ptr-libevent@0x55fb0638e950 Aug 26 13:09:58.665341: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55fb0638d2a0 Aug 26 13:09:58.665348: | [RE]START processing: state #4 connection "north-eastnets/0x2" from 192.1.2.23 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:09:58.665353: | #4 complete_v2_state_transition() V2_CREATE_I->V2_IPSEC_I with status STF_OK Aug 26 13:09:58.665357: | IKEv2: transition from state STATE_V2_CREATE_I to state 
STATE_V2_IPSEC_I Aug 26 13:09:58.665361: | child state #4: V2_CREATE_I(established IKE SA) => V2_IPSEC_I(established CHILD SA) Aug 26 13:09:58.665365: | Message ID: updating counters for #4 to 2 after switching state Aug 26 13:09:58.665371: | Message ID: recv #1.#4 response 2; ike: initiator.sent=2 initiator.recv=1->2 responder.sent=-1 responder.recv=-1; child: wip.initiator=2->-1 wip.responder=-1 Aug 26 13:09:58.665376: | Message ID: #1.#4 skipping update_send as nothing to send; initiator.sent=2 initiator.recv=2 responder.sent=-1 responder.recv=-1 wip.initiator=-1 wip.responder=-1 Aug 26 13:09:58.665380: | pstats #4 ikev2.child established Aug 26 13:09:58.665389: "north-eastnets/0x2" #4: negotiated connection [192.0.3.0-192.0.3.255:0-65535 0] -> [192.0.22.0-192.0.22.255:0-65535 0] Aug 26 13:09:58.665402: | NAT-T: encaps is 'auto' Aug 26 13:09:58.665408: "north-eastnets/0x2" #4: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0xdfc4d2d5 <0x49dd5118 xfrm=AES_CBC_128-HMAC_SHA2_512_256-MODP3072 NATOA=none NATD=none DPD=passive} Aug 26 13:09:58.665414: | releasing whack for #4 (sock=fd@25) Aug 26 13:09:58.665421: | close_any(fd@25) (in release_whack() at state.c:654) Aug 26 13:09:58.665425: | releasing whack and unpending for parent #1 Aug 26 13:09:58.665428: | unpending state #1 connection "north-eastnets/0x2" Aug 26 13:09:58.665434: | #4 will start re-keying in 27838 seconds with margin of 962 seconds (attempting re-key) Aug 26 13:09:58.665437: | event_schedule: new EVENT_SA_REKEY-pe@0x55fb0638d2a0 Aug 26 13:09:58.665442: | inserting event EVENT_SA_REKEY, timeout in 27838 seconds for #4 Aug 26 13:09:58.665445: | libevent_malloc: new ptr-libevent@0x55fb0638e950 size 128 Aug 26 13:09:58.665452: | #4 spent 1.47 milliseconds in resume sending helper answer Aug 26 13:09:58.665458: | stop processing: state #4 connection "north-eastnets/0x2" from 192.1.2.23 (in resume_handler() at server.c:833) Aug 26 13:09:58.665462: | libevent_free: release 
ptr-libevent@0x7fedd8001100 Aug 26 13:09:58.868556: | crypto helper 0 finished crypto (DHv2 for child sa); request ID 8 time elapsed 1.002474 seconds Aug 26 13:09:58.868576: | (#6) spent 2.16 milliseconds in crypto helper computing work-order 8: DHv2 for child sa (dh) Aug 26 13:09:58.868584: | crypto helper 0 sending results from work-order 8 for state #6 to event queue Aug 26 13:09:58.868588: | scheduling resume sending helper answer for #6 Aug 26 13:09:58.868594: | libevent_malloc: new ptr-libevent@0x7fedec006b50 size 128 Aug 26 13:09:58.868606: | crypto helper 0 waiting (nothing to do) Aug 26 13:09:58.868622: | processing resume sending helper answer for #6 Aug 26 13:09:58.868632: | start processing: state #6 connection "north-eastnets/0x1" from 192.1.2.23:500 (in resume_handler() at server.c:797) Aug 26 13:09:58.868637: | crypto helper 0 replies to request ID 8 Aug 26 13:09:58.868641: | calling continuation function 0x55fb048ba9d0 Aug 26 13:09:58.868646: | ikev2_child_inIoutR_continue_continue for #6 STATE_V2_CREATE_R Aug 26 13:09:58.868654: | **emit ISAKMP Message: Aug 26 13:09:58.868658: | initiator cookie: Aug 26 13:09:58.868662: | a9 6d 2c db 22 7f 10 cd Aug 26 13:09:58.868665: | responder cookie: Aug 26 13:09:58.868668: | a9 27 21 0d a1 26 af 75 Aug 26 13:09:58.868672: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 13:09:58.868676: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:09:58.868680: | exchange type: ISAKMP_v2_CREATE_CHILD_SA (0x24) Aug 26 13:09:58.868684: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Aug 26 13:09:58.868688: | Message ID: 2 (0x2) Aug 26 13:09:58.868692: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 13:09:58.868696: | ***emit IKEv2 Encryption Payload: Aug 26 13:09:58.868700: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:09:58.868703: | flags: none (0x0) Aug 26 13:09:58.868709: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to 
current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Aug 26 13:09:58.868713: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'reply packet' Aug 26 13:09:58.868718: | emitting 16 zero bytes of IV into IKEv2 Encryption Payload Aug 26 13:09:58.868743: | netlink_get_spi: allocated 0xd0d5dcfa for esp.0@192.1.3.33 Aug 26 13:09:58.868748: | Emitting ikev2_proposal ... Aug 26 13:09:58.868752: | ****emit IKEv2 Security Association Payload: Aug 26 13:09:58.868755: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:09:58.868759: | flags: none (0x0) Aug 26 13:09:58.868763: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Aug 26 13:09:58.868768: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Aug 26 13:09:58.868772: | *****emit IKEv2 Proposal Substructure Payload: Aug 26 13:09:58.868776: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 13:09:58.868780: | prop #: 1 (0x1) Aug 26 13:09:58.868783: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 13:09:58.868786: | spi size: 4 (0x4) Aug 26 13:09:58.868789: | # transforms: 4 (0x4) Aug 26 13:09:58.868793: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Aug 26 13:09:58.868798: | emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload Aug 26 13:09:58.868801: | our spi d0 d5 dc fa Aug 26 13:09:58.868805: | ******emit IKEv2 Transform Substructure Payload: Aug 26 13:09:58.868808: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:09:58.868811: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:09:58.868815: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 13:09:58.868819: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:09:58.868822: | 
*******emit IKEv2 Attribute Substructure Payload: Aug 26 13:09:58.868826: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:09:58.868830: | length/value: 128 (0x80) Aug 26 13:09:58.868835: | emitting length of IKEv2 Transform Substructure Payload: 12 Aug 26 13:09:58.868841: | ******emit IKEv2 Transform Substructure Payload: Aug 26 13:09:58.868847: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:09:58.868850: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:09:58.868853: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Aug 26 13:09:58.868856: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:09:58.868859: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:09:58.868862: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:09:58.868865: | ******emit IKEv2 Transform Substructure Payload: Aug 26 13:09:58.868868: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:09:58.868871: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:09:58.868874: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Aug 26 13:09:58.868878: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:09:58.868881: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:09:58.868884: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:09:58.868887: | ******emit IKEv2 Transform Substructure Payload: Aug 26 13:09:58.868890: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:09:58.868893: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 13:09:58.868896: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 13:09:58.868899: | last substructure: checking 
'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:09:58.868903: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:09:58.868906: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:09:58.868909: | emitting length of IKEv2 Proposal Substructure Payload: 48 Aug 26 13:09:58.868912: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Aug 26 13:09:58.868915: | emitting length of IKEv2 Security Association Payload: 52 Aug 26 13:09:58.868918: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Aug 26 13:09:58.868921: | ****emit IKEv2 Nonce Payload: Aug 26 13:09:58.868924: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:09:58.868927: | flags: none (0x0) Aug 26 13:09:58.868930: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Nonce Payload (40:ISAKMP_NEXT_v2Ni) Aug 26 13:09:58.868934: | next payload chain: saving location 'IKEv2 Nonce Payload'.'next payload type' in 'reply packet' Aug 26 13:09:58.868937: | emitting 32 raw bytes of IKEv2 nonce into IKEv2 Nonce Payload Aug 26 13:09:58.868940: | IKEv2 nonce 62 2b 22 33 36 53 e6 af 6e 49 e2 4e 2c b9 26 21 Aug 26 13:09:58.868943: | IKEv2 nonce 90 9c 95 2d e2 cb f1 f9 5a 38 65 58 c9 01 4a ec Aug 26 13:09:58.868946: | emitting length of IKEv2 Nonce Payload: 36 Aug 26 13:09:58.868950: | ****emit IKEv2 Key Exchange Payload: Aug 26 13:09:58.868953: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:09:58.868955: | flags: none (0x0) Aug 26 13:09:58.868959: | DH group: OAKLEY_GROUP_MODP3072 (0xf) Aug 26 13:09:58.868962: | next payload chain: setting previous 'IKEv2 Nonce Payload'.'next payload type' to current IKEv2 Key 
Exchange Payload (34:ISAKMP_NEXT_v2KE) Aug 26 13:09:58.868965: | next payload chain: saving location 'IKEv2 Key Exchange Payload'.'next payload type' in 'reply packet' Aug 26 13:09:58.868969: | emitting 384 raw bytes of ikev2 g^x into IKEv2 Key Exchange Payload Aug 26 13:09:58.869036: | emitting length of IKEv2 Key Exchange Payload: 392 Aug 26 13:09:58.869039: | ****emit IKEv2 Traffic Selector - Initiator - Payload: Aug 26 13:09:58.869042: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:09:58.869045: | flags: none (0x0) Aug 26 13:09:58.869048: | number of TS: 1 (0x1) Aug 26 13:09:58.869051: | next payload chain: setting previous 'IKEv2 Key Exchange Payload'.'next payload type' to current IKEv2 Traffic Selector - Initiator - Payload (44:ISAKMP_NEXT_v2TSi) Aug 26 13:09:58.869055: | next payload chain: saving location 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' in 'reply packet' Aug 26 13:09:58.869058: | *****emit IKEv2 Traffic Selector: Aug 26 13:09:58.869061: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 13:09:58.869064: | IP Protocol ID: 0 (0x0) Aug 26 13:09:58.869067: | start port: 0 (0x0) Aug 26 13:09:58.869070: | end port: 65535 (0xffff) Aug 26 13:09:58.869073: | emitting 4 raw bytes of ipv4 start into IKEv2 Traffic Selector Aug 26 13:09:58.869076: | ipv4 start c0 00 02 00 Aug 26 13:09:58.869079: | emitting 4 raw bytes of ipv4 end into IKEv2 Traffic Selector Aug 26 13:09:58.869082: | ipv4 end c0 00 02 ff Aug 26 13:09:58.869085: | emitting length of IKEv2 Traffic Selector: 16 Aug 26 13:09:58.869087: | emitting length of IKEv2 Traffic Selector - Initiator - Payload: 24 Aug 26 13:09:58.869090: | ****emit IKEv2 Traffic Selector - Responder - Payload: Aug 26 13:09:58.869093: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:09:58.869096: | flags: none (0x0) Aug 26 13:09:58.869098: | number of TS: 1 (0x1) Aug 26 13:09:58.869101: | next payload chain: setting previous 'IKEv2 Traffic Selector - Initiator -
Payload'.'next payload type' to current IKEv2 Traffic Selector - Responder - Payload (45:ISAKMP_NEXT_v2TSr) Aug 26 13:09:58.869104: | next payload chain: saving location 'IKEv2 Traffic Selector - Responder - Payload'.'next payload type' in 'reply packet' Aug 26 13:09:58.869107: | *****emit IKEv2 Traffic Selector: Aug 26 13:09:58.869111: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 13:09:58.869114: | IP Protocol ID: 0 (0x0) Aug 26 13:09:58.869116: | start port: 0 (0x0) Aug 26 13:09:58.869119: | end port: 65535 (0xffff) Aug 26 13:09:58.869122: | emitting 4 raw bytes of ipv4 start into IKEv2 Traffic Selector Aug 26 13:09:58.869125: | ipv4 start c0 00 03 00 Aug 26 13:09:58.869128: | emitting 4 raw bytes of ipv4 end into IKEv2 Traffic Selector Aug 26 13:09:58.869130: | ipv4 end c0 00 03 ff Aug 26 13:09:58.869133: | emitting length of IKEv2 Traffic Selector: 16 Aug 26 13:09:58.869135: | emitting length of IKEv2 Traffic Selector - Responder - Payload: 24 Aug 26 13:09:58.869138: | Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED Aug 26 13:09:58.869143: | integ=sha2_512: .key_size=64 encrypt=aes: .key_size=16 .salt_size=0 keymat_len=80 Aug 26 13:09:58.869455: | install_ipsec_sa() for #6: inbound and outbound Aug 26 13:09:58.869465: | could_route called for north-eastnets/0x1 (kind=CK_PERMANENT) Aug 26 13:09:58.869468: | FOR_EACH_CONNECTION_... 
in route_owner Aug 26 13:09:58.869472: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 vs Aug 26 13:09:58.869474: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 Aug 26 13:09:58.869477: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 vs Aug 26 13:09:58.869480: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 Aug 26 13:09:58.869484: | route owner of "north-eastnets/0x1" erouted: self; eroute owner: self Aug 26 13:09:58.869488: | looking for alg with encrypt: AES_CBC keylen: 128 integ: HMAC_SHA2_512_256 Aug 26 13:09:58.869491: | encrypt AES_CBC keylen=128 transid=12, key_size=16, encryptalg=12 Aug 26 13:09:58.869494: | st->st_esp.keymat_len=80 is encrypt_keymat_size=16 + integ_keymat_size=64 Aug 26 13:09:58.869498: | setting IPsec SA replay-window to 32 Aug 26 13:09:58.869501: | NIC esp-hw-offload not for connection 'north-eastnets/0x1' not available on interface eth1 Aug 26 13:09:58.869505: | netlink: enabling tunnel mode Aug 26 13:09:58.869508: | netlink: setting IPsec SA replay-window to 32 using old-style req Aug 26 13:09:58.869511: | netlink: esp-hw-offload not set for IPsec SA Aug 26 13:09:58.869586: | netlink response for Add SA esp.6ab27b1b@192.1.2.23 included non-error error Aug 26 13:09:58.869590: | set up outgoing SA, ref=0/0 Aug 26 13:09:58.869594: | looking for alg with encrypt: AES_CBC keylen: 128 integ: HMAC_SHA2_512_256 Aug 26 13:09:58.869597: | encrypt AES_CBC keylen=128 transid=12, key_size=16, encryptalg=12 Aug 26 13:09:58.869599: | st->st_esp.keymat_len=80 is encrypt_keymat_size=16 + integ_keymat_size=64 Aug 26 13:09:58.869603: | setting IPsec SA replay-window to 32 Aug 26 13:09:58.869606: | NIC esp-hw-offload not for connection 'north-eastnets/0x1' not available on interface eth1 Aug 26 13:09:58.869608: | netlink: enabling tunnel mode Aug 26 13:09:58.869611: | netlink: setting IPsec SA replay-window to 32 using old-style req Aug 26 13:09:58.869613: | netlink: esp-hw-offload not set for IPsec SA Aug 26 13:09:58.869654: | 
netlink response for Add SA esp.d0d5dcfa@192.1.3.33 included non-error error Aug 26 13:09:58.869658: | set up incoming SA, ref=0/0 Aug 26 13:09:58.869661: | sr for #6: erouted Aug 26 13:09:58.869664: | route_and_eroute() for proto 0, and source port 0 dest port 0 Aug 26 13:09:58.869667: | FOR_EACH_CONNECTION_... in route_owner Aug 26 13:09:58.869670: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 vs Aug 26 13:09:58.869673: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 Aug 26 13:09:58.869676: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 vs Aug 26 13:09:58.869679: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 Aug 26 13:09:58.869683: | route owner of "north-eastnets/0x1" erouted: self; eroute owner: self Aug 26 13:09:58.869686: | route_and_eroute with c: north-eastnets/0x1 (next: none) ero:north-eastnets/0x1 esr:{(nil)} ro:north-eastnets/0x1 rosr:{(nil)} and state: #6 Aug 26 13:09:58.869690: | priority calculation of connection "north-eastnets/0x1" is 0xfe7e7 Aug 26 13:09:58.869700: | eroute_connection replace eroute 192.0.3.0/24:0 --0-> 192.0.2.0/24:0 => tun.0@192.1.2.23>tun.0@192.1.2.23 (raw_eroute) Aug 26 13:09:58.869704: | IPsec Sa SPD priority set to 1042407 Aug 26 13:09:58.869730: | raw_eroute result=success Aug 26 13:09:58.869733: | route_and_eroute: firewall_notified: true Aug 26 13:09:58.869737: | route_and_eroute: instance "north-eastnets/0x1", setting eroute_owner {spd=0x55fb0637ea10,sr=0x55fb0637ea10} to #6 (was #3) (newest_ipsec_sa=#3) Aug 26 13:09:58.869793: | #2 spent 0.337 milliseconds in install_ipsec_sa() Aug 26 13:09:58.869800: | ISAKMP_v2_CREATE_CHILD_SA: instance north-eastnets/0x1[0], setting IKEv2 newest_ipsec_sa to #6 (was #3) (spd.eroute=#6) cloned from #2 Aug 26 13:09:58.869803: | adding 16 bytes of padding (including 1 byte padding-length) Aug 26 13:09:58.869807: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:09:58.869810: | emitting 1 0x01 repeated bytes of 
padding and length into IKEv2 Encryption Payload Aug 26 13:09:58.869813: | emitting 1 0x02 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:09:58.869816: | emitting 1 0x03 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:09:58.869820: | emitting 1 0x04 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:09:58.869823: | emitting 1 0x05 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:09:58.869826: | emitting 1 0x06 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:09:58.869829: | emitting 1 0x07 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:09:58.869832: | emitting 1 0x08 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:09:58.869835: | emitting 1 0x09 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:09:58.869837: | emitting 1 0x0a repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:09:58.869840: | emitting 1 0x0b repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:09:58.869843: | emitting 1 0x0c repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:09:58.869847: | emitting 1 0x0d repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:09:58.869849: | emitting 1 0x0e repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:09:58.869852: | emitting 1 0x0f repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:09:58.869855: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Aug 26 13:09:58.869858: | emitting length of IKEv2 Encryption Payload: 580 Aug 26 13:09:58.869861: | emitting length of ISAKMP Message: 608 Aug 26 13:09:58.869985: | out calculated auth: Aug 26 13:09:58.869988: | 79 1f 6a d5 91 49 61 a9 59 d0 82 51 16 55 69 fc Aug 26 13:09:58.869998: "north-eastnets/0x1" #6: negotiated new IPsec SA [192.0.3.0-192.0.3.255:0-65535 0] -> [192.0.2.0-192.0.2.255:0-65535 0] Aug 26 13:09:58.870006: | [RE]START processing: state #6 connection "north-eastnets/0x1" from 192.1.2.23:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:09:58.870011: | #6 complete_v2_state_transition() V2_CREATE_R->V2_IPSEC_R with status STF_OK Aug 26 13:09:58.870014: | IKEv2: transition from state STATE_V2_CREATE_R to state STATE_V2_IPSEC_R Aug 26 13:09:58.870018: | child state #6: V2_CREATE_R(established IKE SA) => V2_IPSEC_R(established CHILD SA) Aug 26 13:09:58.870022: | Message ID: updating counters for #6 to 
2 after switching state Aug 26 13:09:58.870028: | Message ID: recv #2.#6 request 2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1->2; child: wip.initiator=-1 wip.responder=2->-1 Aug 26 13:09:58.870034: | Message ID: sent #2.#6 response 2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=1->2 responder.recv=2; child: wip.initiator=-1 wip.responder=-1 Aug 26 13:09:58.870037: | pstats #6 ikev2.child established Aug 26 13:09:58.870045: "north-eastnets/0x1" #6: negotiated connection [192.0.3.0-192.0.3.255:0-65535 0] -> [192.0.2.0-192.0.2.255:0-65535 0] Aug 26 13:09:58.870050: | NAT-T: encaps is 'auto' Aug 26 13:09:58.870055: "north-eastnets/0x1" #6: STATE_V2_IPSEC_R: IPsec SA established tunnel mode {ESP=>0x6ab27b1b <0xd0d5dcfa xfrm=AES_CBC_128-HMAC_SHA2_512_256-MODP3072 NATOA=none NATD=none DPD=passive} Aug 26 13:09:58.870062: | sending V2 new request packet to 192.1.2.23:500 (from 192.1.3.33:500) Aug 26 13:09:58.870069: | sending 608 bytes for STATE_V2_CREATE_R through eth1 from 192.1.3.33:500 to 192.1.2.23:500 (using #2) Aug 26 13:09:58.871765: | releasing whack for #6 (sock=fd@-1) Aug 26 13:09:58.871777: | releasing whack and 
unpending for parent #2 Aug 26 13:09:58.871781: | unpending state #2 connection "north-eastnets/0x1" Aug 26 13:09:58.871787: | #6 will start re-keying in 28530 seconds with margin of 270 seconds (attempting re-key) Aug 26 13:09:58.871791: | state #6 requesting EVENT_CRYPTO_TIMEOUT to be deleted Aug 26 13:09:58.871797: | libevent_free: release ptr-libevent@0x7feddc003060 Aug 26 13:09:58.871800: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55fb06386d40 Aug 26 13:09:58.871804: | event_schedule: new EVENT_SA_REKEY-pe@0x55fb06386d40 Aug 26 13:09:58.871808: | inserting event EVENT_SA_REKEY, timeout in 28530 seconds for #6 Aug 26 13:09:58.871812: | libevent_malloc: new ptr-libevent@0x7feddc003060 size 128 Aug 26 13:09:58.871820: | #6 spent 2.05 milliseconds in resume sending helper answer Aug 26 13:09:58.871827: | stop processing: state #6 connection "north-eastnets/0x1" from 192.1.2.23:500 (in resume_handler() at server.c:833) Aug 26 13:09:58.871831: | libevent_free: release ptr-libevent@0x7fedec006b50 Aug 26 13:10:14.018314: | processing global timer EVENT_SHUNT_SCAN Aug 26 13:10:14.018336: | expiring aged bare shunts from shunt table Aug 26 13:10:14.018345: | spent 0.00553 milliseconds in global timer EVENT_SHUNT_SCAN Aug 26 13:10:17.007590: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 13:10:17.007616: | FOR_EACH_STATE_... in show_traffic_status (sort_states) Aug 26 13:10:17.007622: | FOR_EACH_STATE_... 
in sort_states Aug 26 13:10:17.007631: | get_sa_info esp.ea232af2@192.1.3.33 Aug 26 13:10:17.008031: | get_sa_info esp.2e93a512@192.1.2.23 Aug 26 13:10:17.008056: | get_sa_info esp.d0d5dcfa@192.1.3.33 Aug 26 13:10:17.008067: | get_sa_info esp.6ab27b1b@192.1.2.23 Aug 26 13:10:17.008081: | get_sa_info esp.49dd5118@192.1.3.33 Aug 26 13:10:17.008090: | get_sa_info esp.dfc4d2d5@192.1.2.23 Aug 26 13:10:17.008104: | get_sa_info esp.39ab502d@192.1.3.33 Aug 26 13:10:17.008113: | get_sa_info esp.7d9f9faa@192.1.2.23 Aug 26 13:10:17.008129: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 13:10:17.008137: | spent 0.557 milliseconds in whack Aug 26 13:10:17.302883: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 13:10:17.303378: | FOR_EACH_CONNECTION_... in show_connections_status Aug 26 13:10:17.303393: | FOR_EACH_CONNECTION_... in show_connections_status Aug 26 13:10:17.303552: | FOR_EACH_STATE_... in show_states_status (sort_states) Aug 26 13:10:17.303559: | FOR_EACH_STATE_... 
in sort_states Aug 26 13:10:17.303572: | get_sa_info esp.ea232af2@192.1.3.33 Aug 26 13:10:17.303593: | get_sa_info esp.2e93a512@192.1.2.23 Aug 26 13:10:17.303616: | get_sa_info esp.d0d5dcfa@192.1.3.33 Aug 26 13:10:17.303630: | get_sa_info esp.6ab27b1b@192.1.2.23 Aug 26 13:10:17.303651: | get_sa_info esp.49dd5118@192.1.3.33 Aug 26 13:10:17.303659: | get_sa_info esp.dfc4d2d5@192.1.2.23 Aug 26 13:10:17.303672: | get_sa_info esp.39ab502d@192.1.3.33 Aug 26 13:10:17.303679: | get_sa_info esp.7d9f9faa@192.1.2.23 Aug 26 13:10:17.303699: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 13:10:17.303707: | spent 0.83 milliseconds in whack Aug 26 13:10:17.651029: | spent 0.00288 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Aug 26 13:10:17.651476: | *received 80 bytes from 192.1.2.23:500 on eth1 (192.1.3.33:500) Aug 26 13:10:17.651486: | f4 b6 d6 b1 3a 28 54 37 ed ec 45 23 73 d7 1a d3 Aug 26 13:10:17.651490: | 2e 20 25 00 00 00 00 00 00 00 00 50 2a 00 00 34 Aug 26 13:10:17.651492: | 85 c6 85 5d 01 ee 25 14 7a 25 4f e4 f0 52 8d 6f Aug 26 13:10:17.651494: | dd 83 7e 73 71 11 13 15 bb a3 1a d4 c6 3c 47 ad Aug 26 13:10:17.651496: | 50 cd 3a 5c 4f e5 f6 90 c3 b8 0b 22 bc 19 69 b8 Aug 26 13:10:17.651502: | start processing: from 192.1.2.23:500 (in process_md() at demux.c:378) Aug 26 13:10:17.651506: | **parse ISAKMP Message: Aug 26 13:10:17.651508: | initiator cookie: Aug 26 13:10:17.651511: | f4 b6 d6 b1 3a 28 54 37 Aug 26 13:10:17.651514: | responder cookie: Aug 26 13:10:17.651516: | ed ec 45 23 73 d7 1a d3 Aug 26 13:10:17.651519: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Aug 26 13:10:17.651522: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:10:17.651524: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Aug 26 13:10:17.651527: | flags: none (0x0) Aug 26 13:10:17.651530: | Message ID: 0 (0x0) Aug 26 13:10:17.651532: | length: 80 (0x50) Aug 26 13:10:17.651535: | processing version=2.0 packet with exchange 
type=ISAKMP_v2_INFORMATIONAL (37) Aug 26 13:10:17.651539: | I am the IKE SA Original Initiator receiving an IKEv2 INFORMATIONAL request Aug 26 13:10:17.651544: | State DB: found IKEv2 state #1 in PARENT_I3 (find_v2_ike_sa) Aug 26 13:10:17.651552: | start processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ikev2_process_packet() at ikev2.c:2016) Aug 26 13:10:17.651556: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Aug 26 13:10:17.651564: | [RE]START processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ike_process_packet() at ikev2.c:2064) Aug 26 13:10:17.651567: | #1 st.st_msgid_lastrecv -1 md.hdr.isa_msgid 00000000 Aug 26 13:10:17.651573: | Message ID: #1 not a duplicate - message is new; initiator.sent=2 initiator.recv=2 responder.sent=-1 responder.recv=-1 Aug 26 13:10:17.651575: | unpacking clear payload Aug 26 13:10:17.651578: | Now let's proceed with payload (ISAKMP_NEXT_v2SK) Aug 26 13:10:17.651581: | ***parse IKEv2 Encryption Payload: Aug 26 13:10:17.651583: | next payload type: ISAKMP_NEXT_v2D (0x2a) Aug 26 13:10:17.651585: | flags: none (0x0) Aug 26 13:10:17.651588: | length: 52 (0x34) Aug 26 13:10:17.651590: | processing payload: ISAKMP_NEXT_v2SK (len=48) Aug 26 13:10:17.651594: | Message ID: start-responder #1 request 0; ike: initiator.sent=2 initiator.recv=2 responder.sent=-1 responder.recv=-1 wip.initiator=-1 wip.responder=-1->0 Aug 26 13:10:17.651597: | #1 in state PARENT_I3: PARENT SA established Aug 26 13:10:17.651622: | data for hmac: f4 b6 d6 b1 3a 28 54 37 ed ec 45 23 73 d7 1a d3 Aug 26 13:10:17.651625: | data for hmac: 2e 20 25 00 00 00 00 00 00 00 00 50 2a 00 00 34 Aug 26 13:10:17.651628: | data for hmac: 85 c6 85 5d 01 ee 25 14 7a 25 4f e4 f0 52 8d 6f Aug 26 13:10:17.651630: | data for hmac: dd 83 7e 73 71 11 13 15 bb a3 1a d4 c6 3c 47 ad Aug 26 13:10:17.651632: | calculated auth: 50 cd 3a 5c 4f e5 f6 90 c3 b8 0b 22 bc 19 69 b8 Aug 26 13:10:17.651635: | provided auth: 50 cd 3a 
5c 4f e5 f6 90 c3 b8 0b 22 bc 19 69 b8 Aug 26 13:10:17.651637: | authenticator matched Aug 26 13:10:17.651645: | #1 ikev2 ISAKMP_v2_INFORMATIONAL decrypt success Aug 26 13:10:17.651648: | Now let's proceed with payload (ISAKMP_NEXT_v2D) Aug 26 13:10:17.651651: | **parse IKEv2 Delete Payload: Aug 26 13:10:17.651653: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:17.651655: | flags: none (0x0) Aug 26 13:10:17.651658: | length: 12 (0xc) Aug 26 13:10:17.651660: | protocol ID: PROTO_v2_ESP (0x3) Aug 26 13:10:17.651663: | SPI size: 4 (0x4) Aug 26 13:10:17.651665: | number of SPIs: 1 (0x1) Aug 26 13:10:17.651667: | processing payload: ISAKMP_NEXT_v2D (len=4) Aug 26 13:10:17.651670: | selected state microcode I3: INFORMATIONAL Request Aug 26 13:10:17.651672: | Now let's proceed with state specific processing Aug 26 13:10:17.651674: | calling processor I3: INFORMATIONAL Request Aug 26 13:10:17.651678: | an informational request should send a response Aug 26 13:10:17.651683: | Received an INFORMATIONAL response, updating st_last_liveness, no pending_liveness Aug 26 13:10:17.651686: | **emit ISAKMP Message: Aug 26 13:10:17.651689: | initiator cookie: Aug 26 13:10:17.651691: | f4 b6 d6 b1 3a 28 54 37 Aug 26 13:10:17.651693: | responder cookie: Aug 26 13:10:17.651695: | ed ec 45 23 73 d7 1a d3 Aug 26 13:10:17.651697: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 13:10:17.651700: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:10:17.651702: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Aug 26 13:10:17.651705: | flags: ISAKMP_FLAG_v2_IKE_INIT+ISAKMP_FLAG_v2_MSG_RESPONSE (0x28) Aug 26 13:10:17.651707: | Message ID: 0 (0x0) Aug 26 13:10:17.651709: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 13:10:17.651712: | ***emit IKEv2 Encryption Payload: Aug 26 13:10:17.651714: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:17.651717: | flags: none (0x0) Aug 26 13:10:17.651719: | next payload 
chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Aug 26 13:10:17.651722: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'information exchange reply packet' Aug 26 13:10:17.651725: | emitting 16 zero bytes of IV into IKEv2 Encryption Payload Aug 26 13:10:17.651732: | parsing 4 raw bytes of IKEv2 Delete Payload into SPI Aug 26 13:10:17.651736: | SPI df c4 d2 d5 Aug 26 13:10:17.651739: | delete PROTO_v2_ESP SA(0xdfc4d2d5) Aug 26 13:10:17.651742: | v2 CHILD SA #4 found using their inbound (our outbound) SPI, in STATE_V2_IPSEC_I Aug 26 13:10:17.651745: | State DB: found IKEv2 state #4 in V2_IPSEC_I (find_v2_child_sa_by_outbound_spi) Aug 26 13:10:17.651747: | our side SPI that needs to be deleted: PROTO_v2_ESP SA(0xdfc4d2d5) Aug 26 13:10:17.651750: "north-eastnets/0x2" #1: received Delete SA payload: replace IPsec State #4 now Aug 26 13:10:17.651753: | state #4 requesting EVENT_SA_REKEY to be deleted Aug 26 13:10:17.651757: | libevent_free: release ptr-libevent@0x55fb0638e950 Aug 26 13:10:17.651760: | free_event_entry: release EVENT_SA_REKEY-pe@0x55fb0638d2a0 Aug 26 13:10:17.651763: | event_schedule: new EVENT_SA_REPLACE-pe@0x55fb0638d2a0 Aug 26 13:10:17.651766: | inserting event EVENT_SA_REPLACE, timeout in 0 seconds for #4 Aug 26 13:10:17.651769: | libevent_malloc: new ptr-libevent@0x55fb0638e950 size 128 Aug 26 13:10:17.651772: | ****emit IKEv2 Delete Payload: Aug 26 13:10:17.651775: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:17.651777: | flags: none (0x0) Aug 26 13:10:17.651779: | protocol ID: PROTO_v2_ESP (0x3) Aug 26 13:10:17.651781: | SPI size: 4 (0x4) Aug 26 13:10:17.651784: | number of SPIs: 1 (0x1) Aug 26 13:10:17.651787: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) Aug 26 13:10:17.651789: | next payload chain: saving location 'IKEv2 Delete 
Payload'.'next payload type' in 'information exchange reply packet' Aug 26 13:10:17.651792: | emitting 4 raw bytes of local SPIs into IKEv2 Delete Payload Aug 26 13:10:17.651794: | local SPIs 49 dd 51 18 Aug 26 13:10:17.651797: | emitting length of IKEv2 Delete Payload: 12 Aug 26 13:10:17.651799: | adding 4 bytes of padding (including 1 byte padding-length) Aug 26 13:10:17.651802: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:10:17.651805: | emitting 1 0x01 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:10:17.651807: | emitting 1 0x02 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:10:17.651810: | emitting 1 0x03 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:10:17.651813: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Aug 26 13:10:17.651815: | emitting length of IKEv2 Encryption Payload: 52 Aug 26 13:10:17.651817: | emitting length of ISAKMP Message: 80 Aug 26 13:10:17.651837: | data being hmac: f4 b6 d6 b1 3a 28 54 37 ed ec 45 23 73 d7 1a d3 Aug 26 13:10:17.651841: | data being hmac: 2e 20 25 28 00 00 00 00 00 00 00 50 2a 00 00 34 Aug 26 13:10:17.651843: | data being hmac: 27 f3 20 64 1f 44 ae 60 68 12 a7 df e4 f6 8b e5 Aug 26 13:10:17.651845: | data being hmac: 30 41 42 29 b0 39 17 bc 2f 3e 99 2b 71 b8 9c 34 Aug 26 13:10:17.651847: | out calculated auth: Aug 26 13:10:17.651850: | 45 db 3d cf f7 d8 1d b4 e5 79 3a ed 06 db ba a7 Aug 26 13:10:17.651856: | sending 80 bytes for reply packet for process_encrypted_informational_ikev2 through eth1 from 192.1.3.33:500 to 192.1.2.23:500 (using #1) Aug 26 13:10:17.651859: | f4 b6 d6 b1 3a 28 54 37 ed ec 45 23 73 d7 1a d3 Aug 26 13:10:17.651861: | 2e 20 25 28 00 00 00 00 00 00 00 50 2a 00 00 34 Aug 26 13:10:17.651863: | 27 f3 20 64 1f 44 ae 60 68 12 a7 df e4 f6 8b e5 Aug 26 13:10:17.651865: | 30 41 42 29 b0 39 17 bc 2f 3e 99 2b 71 b8 9c 34 Aug 26 
13:10:17.651868: | 45 db 3d cf f7 d8 1d b4 e5 79 3a ed 06 db ba a7 Aug 26 13:10:17.651906: | Message ID: #1 XXX: in process_encrypted_informational_ikev2() hacking around record'n'send bypassing send queue hacking around delete_my_family(); initiator.sent=2 initiator.recv=2 responder.sent=-1 responder.recv=-1 wip.initiator=-1 wip.responder=0 Aug 26 13:10:17.651911: | Message ID: sent #1 response 0; ike: initiator.sent=2 initiator.recv=2 responder.sent=-1->0 responder.recv=-1 wip.initiator=-1 wip.responder=0 Aug 26 13:10:17.651919: | #1 spent 0.219 milliseconds in processing: I3: INFORMATIONAL Request in ikev2_process_state_packet() Aug 26 13:10:17.651925: | [RE]START processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:10:17.651929: | #1 complete_v2_state_transition() PARENT_I3->PARENT_I3 with status STF_OK Aug 26 13:10:17.651933: | Message ID: updating counters for #1 to 0 after switching state Aug 26 13:10:17.651938: | Message ID: recv #1 request 0; ike: initiator.sent=2 initiator.recv=2 responder.sent=0 responder.recv=-1->0 wip.initiator=-1 wip.responder=0->-1 Aug 26 13:10:17.651944: | Message ID: #1 skipping update_send as nothing to send; initiator.sent=2 initiator.recv=2 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=-1 Aug 26 13:10:17.651947: "north-eastnets/0x2" #1: STATE_PARENT_I3: PARENT SA established Aug 26 13:10:17.651953: | stop processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ikev2_process_packet() at ikev2.c:2018) Aug 26 13:10:17.651958: | #1 spent 0.866 milliseconds in ikev2_process_packet() Aug 26 13:10:17.651963: | stop processing: from 192.1.2.23:500 (in process_md() at demux.c:380) Aug 26 13:10:17.651967: | processing: STOP state #0 (in process_md() at demux.c:382) Aug 26 13:10:17.651971: | processing: STOP connection NULL (in process_md() at demux.c:383) Aug 26 13:10:17.651976: | spent 0.884 milliseconds in 
comm_handle_cb() reading and processing packet Aug 26 13:10:17.651984: | timer_event_cb: processing event@0x55fb0638d2a0 Aug 26 13:10:17.651988: | handling event EVENT_SA_REPLACE for child state #4 Aug 26 13:10:17.651992: | start processing: state #4 connection "north-eastnets/0x2" from 192.1.2.23 (in timer_event_cb() at timer.c:250) Aug 26 13:10:17.651997: | picked newest_ipsec_sa #4 for #4 Aug 26 13:10:17.652000: | replacing stale CHILD SA Aug 26 13:10:17.652005: | dup_any(fd@-1) -> fd@-1 (in ipsecdoi_replace() at ipsec_doi.c:351) Aug 26 13:10:17.652008: | FOR_EACH_STATE_... in find_phase1_state Aug 26 13:10:17.652013: | FOR_EACH_STATE_... in find_pending_phase2 Aug 26 13:10:17.652017: | creating state object #7 at 0x55fb0639bf80 Aug 26 13:10:17.652020: | State DB: adding IKEv2 state #7 in UNDEFINED Aug 26 13:10:17.652024: | pstats #7 ikev2.child started Aug 26 13:10:17.652028: | duplicating state object #2 "north-eastnets/0x2" as #7 for IPSEC SA Aug 26 13:10:17.652033: | #7 setting local endpoint to 192.1.3.33:500 from #2.st_localport (in duplicate_state() at state.c:1484) Aug 26 13:10:17.652040: | Message ID: init_child #2.#7; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=2 responder.recv=2; child: wip.initiator=0->-1 wip.responder=0->-1 Aug 26 13:10:17.652045: | suspend processing: state #4 connection "north-eastnets/0x2" from 192.1.2.23 (in ikev2_initiate_child_sa() at ikev2_parent.c:5637) Aug 26 13:10:17.652050: | start processing: state #7 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ikev2_initiate_child_sa() at ikev2_parent.c:5637) Aug 26 13:10:17.652054: | child state #7: UNDEFINED(ignore) => V2_REKEY_CHILD_I0(established IKE SA) Aug 26 13:10:17.652062: | using existing local ESP/AH proposals for north-eastnets/0x2 (ESP/AH initiator emitting proposals): 1:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;DH=MODP3072;ESN=DISABLED Aug 26 13:10:17.652068: | #7 schedule rekey initiate IPsec SA 
RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO to replace #4 using IKE# 2 pfs=MODP3072 Aug 26 13:10:17.652072: | event_schedule: new EVENT_v2_INITIATE_CHILD-pe@0x55fb06384420 Aug 26 13:10:17.652075: | inserting event EVENT_v2_INITIATE_CHILD, timeout in 0 seconds for #7 Aug 26 13:10:17.652079: | libevent_malloc: new ptr-libevent@0x7fedec006b50 size 128 Aug 26 13:10:17.652084: | RESET processing: state #7 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ikev2_initiate_child_sa() at ikev2_parent.c:5737) Aug 26 13:10:17.652088: | event_schedule: new EVENT_SA_EXPIRE-pe@0x55fb0638d530 Aug 26 13:10:17.652091: | inserting event EVENT_SA_EXPIRE, timeout in 0 seconds for #4 Aug 26 13:10:17.652095: | libevent_malloc: new ptr-libevent@0x55fb0639a3a0 size 128 Aug 26 13:10:17.652098: | libevent_free: release ptr-libevent@0x55fb0638e950 Aug 26 13:10:17.652101: | free_event_entry: release EVENT_SA_REPLACE-pe@0x55fb0638d2a0 Aug 26 13:10:17.652105: | #4 spent 0.12 milliseconds in timer_event_cb() EVENT_SA_REPLACE Aug 26 13:10:17.652108: | processing: STOP state #0 (in timer_event_cb() at timer.c:557) Aug 26 13:10:17.652113: | timer_event_cb: processing event@0x55fb06384420 Aug 26 13:10:17.652116: | handling event EVENT_v2_INITIATE_CHILD for child state #7 Aug 26 13:10:17.652121: | start processing: state #7 connection "north-eastnets/0x2" from 192.1.2.23:500 (in timer_event_cb() at timer.c:250) Aug 26 13:10:17.652128: | adding Child Rekey Initiator KE and nonce ni work-order 9 for state #7 Aug 26 13:10:17.652132: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55fb0638d2a0 Aug 26 13:10:17.652135: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #7 Aug 26 13:10:17.652138: | libevent_malloc: new ptr-libevent@0x55fb0638e950 size 128 Aug 26 13:10:17.652157: | libevent_free: release ptr-libevent@0x7fedec006b50 Aug 26 13:10:17.652161: | free_event_entry: release EVENT_v2_INITIATE_CHILD-pe@0x55fb06384420 Aug 26 13:10:17.652162: | crypto 
helper 2 resuming Aug 26 13:10:17.652165: | #7 spent 0.0429 milliseconds in timer_event_cb() EVENT_v2_INITIATE_CHILD Aug 26 13:10:17.652180: | crypto helper 2 starting work-order 9 for state #7 Aug 26 13:10:17.652184: | stop processing: state #7 connection "north-eastnets/0x2" from 192.1.2.23:500 (in timer_event_cb() at timer.c:557) Aug 26 13:10:17.652186: | crypto helper 2 doing build KE and nonce (Child Rekey Initiator KE and nonce ni); request ID 9 Aug 26 13:10:17.652188: | timer_event_cb: processing event@0x55fb0638d530 Aug 26 13:10:17.652190: | crypto helper is pausing for 1 seconds Aug 26 13:10:17.652192: | handling event EVENT_SA_EXPIRE for child state #4 Aug 26 13:10:17.652200: | start processing: state #4 connection "north-eastnets/0x2" from 192.1.2.23 (in timer_event_cb() at timer.c:250) Aug 26 13:10:17.652204: | picked newest_ipsec_sa #4 for #4 Aug 26 13:10:17.652207: | un-established partial CHILD SA timeout (SA expired) Aug 26 13:10:17.652209: | pstats #4 ikev2.child re-failed exchange-timeout Aug 26 13:10:17.652212: | pstats #4 ikev2.child deleted completed Aug 26 13:10:17.652215: | #4 spent 6.44 milliseconds in total Aug 26 13:10:17.652219: | [RE]START processing: state #4 connection "north-eastnets/0x2" from 192.1.2.23 (in delete_state() at state.c:879) Aug 26 13:10:17.652223: "north-eastnets/0x2" #4: deleting state (STATE_V2_IPSEC_I) aged 21.004s and NOT sending notification Aug 26 13:10:17.652226: | child state #4: V2_IPSEC_I(established CHILD SA) => delete Aug 26 13:10:17.652231: | get_sa_info esp.dfc4d2d5@192.1.2.23 Aug 26 13:10:17.652246: | get_sa_info esp.49dd5118@192.1.3.33 Aug 26 13:10:17.652254: "north-eastnets/0x2" #4: ESP traffic information: in=26MB out=26MB Aug 26 13:10:17.652258: | child state #4: V2_IPSEC_I(established CHILD SA) => CHILDSA_DEL(informational) Aug 26 13:10:17.652560: | running updown command "ipsec _updown" for verb down Aug 26 13:10:17.652571: | command executing down-client Aug 26 13:10:17.652604: | executing 
down-client: PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets/0x2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.23' PLUTO_ME='192.1.3.33' PLUTO_MY_ID='@north' PLUTO_MY_CLIENT='192.0.3.0/24' PLUTO_MY_CLIENT_NET='192.0.3.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID='@east' PLUTO_PEER_CLIENT='192.0.22.0/24' PLUTO_PEER_CLIENT_NET='192.0.22.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1566824998' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED= Aug 26 13:10:17.652612: | popen cmd is 1054 chars long Aug 26 13:10:17.652616: | cmd( 0):PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets/0x: Aug 26 13:10:17.652619: | cmd( 80):2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.23' PLUTO_ME='192.1.3.33' PLUT: Aug 26 13:10:17.652622: | cmd( 160):O_MY_ID='@north' PLUTO_MY_CLIENT='192.0.3.0/24' PLUTO_MY_CLIENT_NET='192.0.3.0' : Aug 26 13:10:17.652625: | cmd( 240):PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLU: Aug 26 13:10:17.652628: | cmd( 320):TO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID='@: Aug 26 13:10:17.652631: | cmd( 400):east' PLUTO_PEER_CLIENT='192.0.22.0/24' PLUTO_PEER_CLIENT_NET='192.0.22.0' PLUTO: Aug 26 13:10:17.652634: | cmd( 480):_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PL: Aug 26 13:10:17.652637: | cmd( 560):UTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1566824998' 
PLUTO_CONN_POLICY: Aug 26 13:10:17.652640: | cmd( 640):='RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PL: Aug 26 13:10:17.652643: | cmd( 720):UTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_I: Aug 26 13:10:17.652646: | cmd( 800):S_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BAN: Aug 26 13:10:17.652649: | cmd( 880):NER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFA: Aug 26 13:10:17.652652: | cmd( 960):CE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0xdfc4d2d5 SPI_OUT=0x49dd5118 ipse: Aug 26 13:10:17.652655: | cmd(1040):c _updown 2>&1: Aug 26 13:10:17.662178: | shunt_eroute() called for connection 'north-eastnets/0x2' to 'replace with shunt' for rt_kind 'prospective erouted' using protoports 0--0->-0 Aug 26 13:10:17.662203: | netlink_shunt_eroute for proto 0, and source port 0 dest port 0 Aug 26 13:10:17.662208: | priority calculation of connection "north-eastnets/0x2" is 0xfe7e7 Aug 26 13:10:17.662212: | IPsec Sa SPD priority set to 1042407 Aug 26 13:10:17.667739: | delete esp.dfc4d2d5@192.1.2.23 Aug 26 13:10:17.667896: | netlink response for Del SA esp.dfc4d2d5@192.1.2.23 included non-error error Aug 26 13:10:17.667905: | priority calculation of connection "north-eastnets/0x2" is 0xfe7e7 Aug 26 13:10:17.667915: | delete inbound eroute 192.0.22.0/24:0 --0-> 192.0.3.0/24:0 => unk255.10000@192.1.3.33 (raw_eroute) Aug 26 13:10:17.668090: | raw_eroute result=success Aug 26 13:10:17.668098: | delete esp.49dd5118@192.1.3.33 Aug 26 13:10:17.668189: | netlink response for Del SA esp.49dd5118@192.1.3.33 included non-error error Aug 26 13:10:17.668206: | in connection_discard for connection north-eastnets/0x2 Aug 26 13:10:17.668210: | State DB: deleting IKEv2 state #4 in CHILDSA_DEL Aug 26 13:10:17.668219: | child state #4: CHILDSA_DEL(informational) => UNDEFINED(ignore) Aug 26 13:10:17.668261: | stop processing: state #4 from 192.1.2.23 (in delete_state() 
at state.c:1143) Aug 26 13:10:17.668284: | State DB: found IKEv2 state #3 in V2_IPSEC_I (v2_expire_unused_ike_sa) Aug 26 13:10:17.668287: | can't expire unused IKE SA #1; it has the child #3 Aug 26 13:10:17.668303: | libevent_free: release ptr-libevent@0x55fb0639a3a0 Aug 26 13:10:17.668308: | free_event_entry: release EVENT_SA_EXPIRE-pe@0x55fb0638d530 Aug 26 13:10:17.668311: | in statetime_stop() and could not find #4 Aug 26 13:10:17.668315: | processing: STOP state #0 (in timer_event_cb() at timer.c:557) Aug 26 13:10:17.668337: | spent 0.00256 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Aug 26 13:10:17.668357: | *received 80 bytes from 192.1.2.23:500 on eth1 (192.1.3.33:500) Aug 26 13:10:17.668361: | f4 b6 d6 b1 3a 28 54 37 ed ec 45 23 73 d7 1a d3 Aug 26 13:10:17.668363: | 2e 20 25 00 00 00 00 01 00 00 00 50 2a 00 00 34 Aug 26 13:10:17.668370: | 38 e7 9d fb 26 ea c9 76 00 9f bb d2 90 2a f4 9e Aug 26 13:10:17.668373: | 7c 39 3d 60 32 37 32 19 ac 1c 29 a6 a3 10 2c 6d Aug 26 13:10:17.668375: | 6e 80 a4 cc ee 86 a7 40 c6 ca 91 a6 70 f5 59 fa Aug 26 13:10:17.668382: | start processing: from 192.1.2.23:500 (in process_md() at demux.c:378) Aug 26 13:10:17.668386: | **parse ISAKMP Message: Aug 26 13:10:17.668389: | initiator cookie: Aug 26 13:10:17.668392: | f4 b6 d6 b1 3a 28 54 37 Aug 26 13:10:17.668394: | responder cookie: Aug 26 13:10:17.668397: | ed ec 45 23 73 d7 1a d3 Aug 26 13:10:17.668400: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Aug 26 13:10:17.668403: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:10:17.668406: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Aug 26 13:10:17.668410: | flags: none (0x0) Aug 26 13:10:17.668413: | Message ID: 1 (0x1) Aug 26 13:10:17.668416: | length: 80 (0x50) Aug 26 13:10:17.668420: | processing version=2.0 packet with exchange type=ISAKMP_v2_INFORMATIONAL (37) Aug 26 13:10:17.668423: | I am the IKE SA Original Initiator receiving an IKEv2 INFORMATIONAL request Aug 26 
13:10:17.668427: | State DB: found IKEv2 state #1 in PARENT_I3 (find_v2_ike_sa) Aug 26 13:10:17.668434: | start processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ikev2_process_packet() at ikev2.c:2016) Aug 26 13:10:17.668437: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Aug 26 13:10:17.668442: | [RE]START processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ike_process_packet() at ikev2.c:2064) Aug 26 13:10:17.668445: | #1 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001 Aug 26 13:10:17.668450: | Message ID: #1 not a duplicate - message is new; initiator.sent=2 initiator.recv=2 responder.sent=0 responder.recv=0 Aug 26 13:10:17.668453: | unpacking clear payload Aug 26 13:10:17.668456: | Now let's proceed with payload (ISAKMP_NEXT_v2SK) Aug 26 13:10:17.668459: | ***parse IKEv2 Encryption Payload: Aug 26 13:10:17.668462: | next payload type: ISAKMP_NEXT_v2D (0x2a) Aug 26 13:10:17.668465: | flags: none (0x0) Aug 26 13:10:17.668467: | length: 52 (0x34) Aug 26 13:10:17.668470: | processing payload: ISAKMP_NEXT_v2SK (len=48) Aug 26 13:10:17.668476: | Message ID: start-responder #1 request 1; ike: initiator.sent=2 initiator.recv=2 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=-1->1 Aug 26 13:10:17.668480: | #1 in state PARENT_I3: PARENT SA established Aug 26 13:10:17.668521: | data for hmac: f4 b6 d6 b1 3a 28 54 37 ed ec 45 23 73 d7 1a d3 Aug 26 13:10:17.668524: | data for hmac: 2e 20 25 00 00 00 00 01 00 00 00 50 2a 00 00 34 Aug 26 13:10:17.668528: | data for hmac: 38 e7 9d fb 26 ea c9 76 00 9f bb d2 90 2a f4 9e Aug 26 13:10:17.668530: | data for hmac: 7c 39 3d 60 32 37 32 19 ac 1c 29 a6 a3 10 2c 6d Aug 26 13:10:17.668533: | calculated auth: 6e 80 a4 cc ee 86 a7 40 c6 ca 91 a6 70 f5 59 fa Aug 26 13:10:17.668536: | provided auth: 6e 80 a4 cc ee 86 a7 40 c6 ca 91 a6 70 f5 59 fa Aug 26 13:10:17.668539: | authenticator matched Aug 26 13:10:17.668554: | #1 ikev2 ISAKMP_v2_INFORMATIONAL 
decrypt success Aug 26 13:10:17.668557: | Now let's proceed with payload (ISAKMP_NEXT_v2D) Aug 26 13:10:17.668560: | **parse IKEv2 Delete Payload: Aug 26 13:10:17.668563: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:17.668566: | flags: none (0x0) Aug 26 13:10:17.668568: | length: 12 (0xc) Aug 26 13:10:17.668571: | protocol ID: PROTO_v2_ESP (0x3) Aug 26 13:10:17.668574: | SPI size: 4 (0x4) Aug 26 13:10:17.668577: | number of SPIs: 1 (0x1) Aug 26 13:10:17.668580: | processing payload: ISAKMP_NEXT_v2D (len=4) Aug 26 13:10:17.668583: | selected state microcode I3: INFORMATIONAL Request Aug 26 13:10:17.668585: | Now let's proceed with state specific processing Aug 26 13:10:17.668588: | calling processor I3: INFORMATIONAL Request Aug 26 13:10:17.668592: | an informational request should send a response Aug 26 13:10:17.668616: | Received an INFORMATIONAL response, updating st_last_liveness, no pending_liveness Aug 26 13:10:17.668624: | **emit ISAKMP Message: Aug 26 13:10:17.668627: | initiator cookie: Aug 26 13:10:17.668630: | f4 b6 d6 b1 3a 28 54 37 Aug 26 13:10:17.668633: | responder cookie: Aug 26 13:10:17.668635: | ed ec 45 23 73 d7 1a d3 Aug 26 13:10:17.668638: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 13:10:17.668641: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:10:17.668644: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Aug 26 13:10:17.668647: | flags: ISAKMP_FLAG_v2_IKE_INIT+ISAKMP_FLAG_v2_MSG_RESPONSE (0x28) Aug 26 13:10:17.668650: | Message ID: 1 (0x1) Aug 26 13:10:17.668653: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 13:10:17.668657: | ***emit IKEv2 Encryption Payload: Aug 26 13:10:17.668659: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:17.668662: | flags: none (0x0) Aug 26 13:10:17.668665: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Aug 26 13:10:17.668669: | 
next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'information exchange reply packet' Aug 26 13:10:17.668672: | emitting 16 zero bytes of IV into IKEv2 Encryption Payload Aug 26 13:10:17.668685: | parsing 4 raw bytes of IKEv2 Delete Payload into SPI Aug 26 13:10:17.668688: | SPI 2e 93 a5 12 Aug 26 13:10:17.668691: | delete PROTO_v2_ESP SA(0x2e93a512) Aug 26 13:10:17.668695: | v2 CHILD SA #3 found using their inbound (our outbound) SPI, in STATE_V2_IPSEC_I Aug 26 13:10:17.668698: | State DB: found IKEv2 state #3 in V2_IPSEC_I (find_v2_child_sa_by_outbound_spi) Aug 26 13:10:17.668701: | our side SPI that needs to be deleted: PROTO_v2_ESP SA(0x2e93a512) Aug 26 13:10:17.668706: "north-eastnets/0x2" #1: received Delete SA payload: delete IPsec State #3 now Aug 26 13:10:17.668710: | pstats #3 ikev2.child deleted completed Aug 26 13:10:17.668714: | #3 spent 8.58 milliseconds in total Aug 26 13:10:17.668719: | suspend processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in delete_state() at state.c:879) Aug 26 13:10:17.668724: | start processing: state #3 connection "north-eastnets/0x1" from 192.1.2.23 (in delete_state() at state.c:879) Aug 26 13:10:17.668728: "north-eastnets/0x1" #3: deleting other state #3 connection (STATE_V2_IPSEC_I) "north-eastnets/0x1" aged 21.241s and NOT sending notification Aug 26 13:10:17.668731: | child state #3: V2_IPSEC_I(established CHILD SA) => delete Aug 26 13:10:17.668736: | get_sa_info esp.2e93a512@192.1.2.23 Aug 26 13:10:17.668747: | get_sa_info esp.ea232af2@192.1.3.33 Aug 26 13:10:17.668756: "north-eastnets/0x1" #3: ESP traffic information: in=19MB out=19MB Aug 26 13:10:17.668760: | child state #3: V2_IPSEC_I(established CHILD SA) => CHILDSA_DEL(informational) Aug 26 13:10:17.668764: | state #3 requesting EVENT_SA_REKEY to be deleted Aug 26 13:10:17.668770: | libevent_free: release ptr-libevent@0x55fb0638e6c0 Aug 26 13:10:17.668773: | free_event_entry: release 
EVENT_SA_REKEY-pe@0x55fb063849e0 Aug 26 13:10:17.668935: | delete esp.2e93a512@192.1.2.23 Aug 26 13:10:17.668968: | netlink response for Del SA esp.2e93a512@192.1.2.23 included non-error error Aug 26 13:10:17.668975: | delete esp.ea232af2@192.1.3.33 Aug 26 13:10:17.669001: | netlink response for Del SA esp.ea232af2@192.1.3.33 included non-error error Aug 26 13:10:17.669008: | in connection_discard for connection north-eastnets/0x1 Aug 26 13:10:17.669012: | State DB: deleting IKEv2 state #3 in CHILDSA_DEL Aug 26 13:10:17.669016: | child state #3: CHILDSA_DEL(informational) => UNDEFINED(ignore) Aug 26 13:10:17.669022: | stop processing: state #3 from 192.1.2.23 (in delete_state() at state.c:1143) Aug 26 13:10:17.669027: | resume processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in delete_state() at state.c:1143) Aug 26 13:10:17.669032: | ****emit IKEv2 Delete Payload: Aug 26 13:10:17.669036: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:17.669042: | flags: none (0x0) Aug 26 13:10:17.669045: | protocol ID: PROTO_v2_ESP (0x3) Aug 26 13:10:17.669048: | SPI size: 4 (0x4) Aug 26 13:10:17.669051: | number of SPIs: 1 (0x1) Aug 26 13:10:17.669055: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) Aug 26 13:10:17.669058: | next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'information exchange reply packet' Aug 26 13:10:17.669062: | emitting 4 raw bytes of local SPIs into IKEv2 Delete Payload Aug 26 13:10:17.669065: | local SPIs ea 23 2a f2 Aug 26 13:10:17.669068: | emitting length of IKEv2 Delete Payload: 12 Aug 26 13:10:17.669072: | adding 4 bytes of padding (including 1 byte padding-length) Aug 26 13:10:17.669076: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:10:17.669079: | emitting 1 0x01 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 
13:10:17.669083: | emitting 1 0x02 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:10:17.669086: | emitting 1 0x03 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:10:17.669090: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Aug 26 13:10:17.669093: | emitting length of IKEv2 Encryption Payload: 52 Aug 26 13:10:17.669096: | emitting length of ISAKMP Message: 80 Aug 26 13:10:17.669130: | data being hmac: f4 b6 d6 b1 3a 28 54 37 ed ec 45 23 73 d7 1a d3 Aug 26 13:10:17.669135: | data being hmac: 2e 20 25 28 00 00 00 01 00 00 00 50 2a 00 00 34 Aug 26 13:10:17.669138: | data being hmac: 0f 7b f4 65 71 1e 2b 74 4b d5 c4 d3 1f 28 0e bd Aug 26 13:10:17.669141: | data being hmac: 43 1f 54 fc 18 1b 68 ef 52 a5 f0 91 de 13 19 9d Aug 26 13:10:17.669144: | out calculated auth: Aug 26 13:10:17.669147: | 07 98 cc 19 f5 4d f8 c4 6c f0 75 3a 8d 52 da 9a Aug 26 13:10:17.669159: | sending 80 bytes for reply packet for process_encrypted_informational_ikev2 through eth1 from 192.1.3.33:500 to 192.1.2.23:500 (using #1) Aug 26 13:10:17.669163: | f4 b6 d6 b1 3a 28 54 37 ed ec 45 23 73 d7 1a d3 Aug 26 13:10:17.669166: | 2e 20 25 28 00 00 00 01 00 00 00 50 2a 00 00 34 Aug 26 13:10:17.669169: | 0f 7b f4 65 71 1e 2b 74 4b d5 c4 d3 1f 28 0e bd Aug 26 13:10:17.669172: | 43 1f 54 fc 18 1b 68 ef 52 a5 f0 91 de 13 19 9d Aug 26 13:10:17.669174: | 07 98 cc 19 f5 4d f8 c4 6c f0 75 3a 8d 52 da 9a Aug 26 13:10:17.669225: | Message ID: #1 XXX: in process_encrypted_informational_ikev2() hacking around record'n'send bypassing send queue hacking around delete_my_family(); initiator.sent=2 initiator.recv=2 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=1 Aug 26 13:10:17.669233: | Message ID: sent #1 response 1; ike: initiator.sent=2 initiator.recv=2 responder.sent=0->1 responder.recv=0 wip.initiator=-1 wip.responder=1 Aug 26 13:10:17.669240: | #1 spent 0.526 milliseconds in processing: I3: 
INFORMATIONAL Request in ikev2_process_state_packet() Aug 26 13:10:17.669248: | [RE]START processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:10:17.669252: | #1 complete_v2_state_transition() PARENT_I3->PARENT_I3 with status STF_OK Aug 26 13:10:17.669256: | Message ID: updating counters for #1 to 1 after switching state Aug 26 13:10:17.669261: | Message ID: recv #1 request 1; ike: initiator.sent=2 initiator.recv=2 responder.sent=1 responder.recv=0->1 wip.initiator=-1 wip.responder=1->-1 Aug 26 13:10:17.669266: | Message ID: #1 skipping update_send as nothing to send; initiator.sent=2 initiator.recv=2 responder.sent=1 responder.recv=1 wip.initiator=-1 wip.responder=-1 Aug 26 13:10:17.669270: "north-eastnets/0x2" #1: STATE_PARENT_I3: PARENT SA established Aug 26 13:10:17.669275: | stop processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ikev2_process_packet() at ikev2.c:2018) Aug 26 13:10:17.669283: | #1 spent 0.821 milliseconds in ikev2_process_packet() Aug 26 13:10:17.669294: | stop processing: from 192.1.2.23:500 (in process_md() at demux.c:380) Aug 26 13:10:17.669301: | processing: STOP state #0 (in process_md() at demux.c:382) Aug 26 13:10:17.669305: | processing: STOP connection NULL (in process_md() at demux.c:383) Aug 26 13:10:17.669310: | spent 0.844 milliseconds in comm_handle_cb() reading and processing packet Aug 26 13:10:17.669314: | processing signal PLUTO_SIGCHLD Aug 26 13:10:17.669320: | waitpid returned ECHILD (no child processes left) Aug 26 13:10:17.669324: | spent 0.00598 milliseconds in signal handler PLUTO_SIGCHLD Aug 26 13:10:17.669335: | spent 0.00166 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Aug 26 13:10:17.669347: | *received 80 bytes from 192.1.2.23:500 on eth1 (192.1.3.33:500) Aug 26 13:10:17.669350: | a9 6d 2c db 22 7f 10 cd a9 27 21 0d a1 26 af 75 Aug 26 13:10:17.669353: | 2e 20 25 08 00 00 00 03 00 00 
00 50 2a 00 00 34 Aug 26 13:10:17.669355: | e8 5e e8 45 96 10 b5 e4 1f ff a0 5c eb 2a a5 98 Aug 26 13:10:17.669358: | 2d ec 8e f5 86 7d fc 11 83 88 39 3f 03 95 09 60 Aug 26 13:10:17.669360: | 22 18 a4 5a 65 36 fe dd 50 43 91 a2 61 aa 3d 74 Aug 26 13:10:17.669365: | start processing: from 192.1.2.23:500 (in process_md() at demux.c:378) Aug 26 13:10:17.669369: | **parse ISAKMP Message: Aug 26 13:10:17.669372: | initiator cookie: Aug 26 13:10:17.669374: | a9 6d 2c db 22 7f 10 cd Aug 26 13:10:17.669377: | responder cookie: Aug 26 13:10:17.669380: | a9 27 21 0d a1 26 af 75 Aug 26 13:10:17.669382: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Aug 26 13:10:17.669386: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:10:17.669389: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Aug 26 13:10:17.669391: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Aug 26 13:10:17.669394: | Message ID: 3 (0x3) Aug 26 13:10:17.669397: | length: 80 (0x50) Aug 26 13:10:17.669400: | processing version=2.0 packet with exchange type=ISAKMP_v2_INFORMATIONAL (37) Aug 26 13:10:17.669404: | I am the IKE SA Original Responder receiving an IKEv2 INFORMATIONAL request Aug 26 13:10:17.669408: | State DB: found IKEv2 state #2 in PARENT_R2 (find_v2_ike_sa) Aug 26 13:10:17.669414: | start processing: state #2 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ikev2_process_packet() at ikev2.c:2016) Aug 26 13:10:17.669418: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Aug 26 13:10:17.669423: | [RE]START processing: state #2 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ike_process_packet() at ikev2.c:2064) Aug 26 13:10:17.669426: | #2 st.st_msgid_lastrecv 2 md.hdr.isa_msgid 00000003 Aug 26 13:10:17.669430: | Message ID: #2 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=2 responder.recv=2 Aug 26 13:10:17.669433: | unpacking clear payload Aug 26 13:10:17.669436: | Now let's proceed with payload (ISAKMP_NEXT_v2SK) Aug 26 
13:10:17.669440: | ***parse IKEv2 Encryption Payload: Aug 26 13:10:17.669443: | next payload type: ISAKMP_NEXT_v2D (0x2a) Aug 26 13:10:17.669446: | flags: none (0x0) Aug 26 13:10:17.669449: | length: 52 (0x34) Aug 26 13:10:17.669452: | processing payload: ISAKMP_NEXT_v2SK (len=48) Aug 26 13:10:17.669457: | Message ID: start-responder #2 request 3; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=2 responder.recv=2 wip.initiator=-1 wip.responder=-1->3 Aug 26 13:10:17.669461: | #2 in state PARENT_R2: received v2I2, PARENT SA established Aug 26 13:10:17.669484: | data for hmac: a9 6d 2c db 22 7f 10 cd a9 27 21 0d a1 26 af 75 Aug 26 13:10:17.669489: | data for hmac: 2e 20 25 08 00 00 00 03 00 00 00 50 2a 00 00 34 Aug 26 13:10:17.669492: | data for hmac: e8 5e e8 45 96 10 b5 e4 1f ff a0 5c eb 2a a5 98 Aug 26 13:10:17.669495: | data for hmac: 2d ec 8e f5 86 7d fc 11 83 88 39 3f 03 95 09 60 Aug 26 13:10:17.669498: | calculated auth: 22 18 a4 5a 65 36 fe dd 50 43 91 a2 61 aa 3d 74 Aug 26 13:10:17.669503: | provided auth: 22 18 a4 5a 65 36 fe dd 50 43 91 a2 61 aa 3d 74 Aug 26 13:10:17.669506: | authenticator matched Aug 26 13:10:17.669517: | #2 ikev2 ISAKMP_v2_INFORMATIONAL decrypt success Aug 26 13:10:17.669521: | Now let's proceed with payload (ISAKMP_NEXT_v2D) Aug 26 13:10:17.669524: | **parse IKEv2 Delete Payload: Aug 26 13:10:17.669528: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:17.669531: | flags: none (0x0) Aug 26 13:10:17.669534: | length: 12 (0xc) Aug 26 13:10:17.669537: | protocol ID: PROTO_v2_ESP (0x3) Aug 26 13:10:17.669540: | SPI size: 4 (0x4) Aug 26 13:10:17.669543: | number of SPIs: 1 (0x1) Aug 26 13:10:17.669546: | processing payload: ISAKMP_NEXT_v2D (len=4) Aug 26 13:10:17.669549: | selected state microcode R2: process INFORMATIONAL Request Aug 26 13:10:17.669552: | Now let's proceed with state specific processing Aug 26 13:10:17.669555: | calling processor R2: process INFORMATIONAL Request Aug 26 13:10:17.669559: | an informational 
request should send a response Aug 26 13:10:17.669565: | Received an INFORMATIONAL response, updating st_last_liveness, no pending_liveness Aug 26 13:10:17.669569: | **emit ISAKMP Message: Aug 26 13:10:17.669572: | initiator cookie: Aug 26 13:10:17.669574: | a9 6d 2c db 22 7f 10 cd Aug 26 13:10:17.669578: | responder cookie: Aug 26 13:10:17.669580: | a9 27 21 0d a1 26 af 75 Aug 26 13:10:17.669584: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 13:10:17.669587: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:10:17.669590: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Aug 26 13:10:17.669594: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Aug 26 13:10:17.669597: | Message ID: 3 (0x3) Aug 26 13:10:17.669600: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 13:10:17.669604: | ***emit IKEv2 Encryption Payload: Aug 26 13:10:17.669607: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:17.669610: | flags: none (0x0) Aug 26 13:10:17.669614: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Aug 26 13:10:17.669617: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'information exchange reply packet' Aug 26 13:10:17.669621: | emitting 16 zero bytes of IV into IKEv2 Encryption Payload Aug 26 13:10:17.669631: | parsing 4 raw bytes of IKEv2 Delete Payload into SPI Aug 26 13:10:17.669635: | SPI 7d 9f 9f aa Aug 26 13:10:17.669638: | delete PROTO_v2_ESP SA(0x7d9f9faa) Aug 26 13:10:17.669642: | v2 CHILD SA #5 found using their inbound (our outbound) SPI, in STATE_V2_IPSEC_R Aug 26 13:10:17.669645: | State DB: found IKEv2 state #5 in V2_IPSEC_R (find_v2_child_sa_by_outbound_spi) Aug 26 13:10:17.669649: | our side SPI that needs to be deleted: PROTO_v2_ESP SA(0x7d9f9faa) Aug 26 13:10:17.669653: "north-eastnets/0x2" #2: received Delete SA payload: delete IPsec State #5 now Aug 26 
13:10:17.669656: | pstats #5 ikev2.child deleted completed Aug 26 13:10:17.669662: | suspend processing: state #2 connection "north-eastnets/0x2" from 192.1.2.23:500 (in delete_state() at state.c:879) Aug 26 13:10:17.669667: | start processing: state #5 connection "north-eastnets/0x2" from 192.1.2.23:500 (in delete_state() at state.c:879) Aug 26 13:10:17.669672: "north-eastnets/0x2" #5: deleting other state #5 (STATE_V2_IPSEC_R) aged 20.877s and NOT sending notification Aug 26 13:10:17.669675: | child state #5: V2_IPSEC_R(established CHILD SA) => delete Aug 26 13:10:17.669680: | get_sa_info esp.7d9f9faa@192.1.2.23 Aug 26 13:10:17.669692: | get_sa_info esp.39ab502d@192.1.3.33 Aug 26 13:10:17.669701: "north-eastnets/0x2" #5: ESP traffic information: in=5MB out=5MB Aug 26 13:10:17.669706: | child state #5: V2_IPSEC_R(established CHILD SA) => CHILDSA_DEL(informational) Aug 26 13:10:17.669710: | state #5 requesting EVENT_SA_REKEY to be deleted Aug 26 13:10:17.669714: | libevent_free: release ptr-libevent@0x55fb0639a310 Aug 26 13:10:17.669718: | free_event_entry: release EVENT_SA_REKEY-pe@0x55fb0638ae20 Aug 26 13:10:17.670304: | delete esp.7d9f9faa@192.1.2.23 Aug 26 13:10:17.670349: | netlink response for Del SA esp.7d9f9faa@192.1.2.23 included non-error error Aug 26 13:10:17.670355: | priority calculation of connection "north-eastnets/0x2" is 0xfe7e7 Aug 26 13:10:17.670363: | delete inbound eroute 192.0.22.0/24:0 --0-> 192.0.3.0/24:0 => unk255.10000@192.1.3.33 (raw_eroute) Aug 26 13:10:17.670377: | raw_eroute result=success Aug 26 13:10:17.670382: | delete esp.39ab502d@192.1.3.33 Aug 26 13:10:17.670406: | netlink response for Del SA esp.39ab502d@192.1.3.33 included non-error error Aug 26 13:10:17.670413: | in connection_discard for connection north-eastnets/0x2 Aug 26 13:10:17.670417: | State DB: deleting IKEv2 state #5 in CHILDSA_DEL Aug 26 13:10:17.670421: | child state #5: CHILDSA_DEL(informational) => UNDEFINED(ignore) Aug 26 13:10:17.670427: | stop processing: 
state #5 from 192.1.2.23:500 (in delete_state() at state.c:1143) Aug 26 13:10:17.670433: | resume processing: state #2 connection "north-eastnets/0x2" from 192.1.2.23:500 (in delete_state() at state.c:1143) Aug 26 13:10:17.670444: | ****emit IKEv2 Delete Payload: Aug 26 13:10:17.670448: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:17.670451: | flags: none (0x0) Aug 26 13:10:17.670454: | protocol ID: PROTO_v2_ESP (0x3) Aug 26 13:10:17.670456: | SPI size: 4 (0x4) Aug 26 13:10:17.670459: | number of SPIs: 1 (0x1) Aug 26 13:10:17.670463: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) Aug 26 13:10:17.670466: | next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'information exchange reply packet' Aug 26 13:10:17.670470: | emitting 4 raw bytes of local SPIs into IKEv2 Delete Payload Aug 26 13:10:17.670473: | local SPIs 39 ab 50 2d Aug 26 13:10:17.670475: | emitting length of IKEv2 Delete Payload: 12 Aug 26 13:10:17.670479: | adding 4 bytes of padding (including 1 byte padding-length) Aug 26 13:10:17.670483: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:10:17.670486: | emitting 1 0x01 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:10:17.670490: | emitting 1 0x02 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:10:17.670493: | emitting 1 0x03 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:10:17.670496: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Aug 26 13:10:17.670499: | emitting length of IKEv2 Encryption Payload: 52 Aug 26 13:10:17.670502: | emitting length of ISAKMP Message: 80 Aug 26 13:10:17.670536: | data being hmac: a9 6d 2c db 22 7f 10 cd a9 27 21 0d a1 26 af 75 Aug 26 13:10:17.670541: | data being hmac: 2e 20 25 20 00 00 00 03 00 00 00 50 2a 00 00 34 Aug 
26 13:10:17.670543: | data being hmac: aa fc dc 83 8a 81 f8 d6 ae ba 39 4f 84 1a 45 8b Aug 26 13:10:17.670546: | data being hmac: 04 b8 d3 7e f0 7a 73 a0 c3 29 47 9e a3 78 aa a3 Aug 26 13:10:17.670549: | out calculated auth: Aug 26 13:10:17.670552: | 92 b2 4d b1 90 b3 8c ff 86 b8 28 89 0c 5c 88 62 Aug 26 13:10:17.670561: | sending 80 bytes for reply packet for process_encrypted_informational_ikev2 through eth1 from 192.1.3.33:500 to 192.1.2.23:500 (using #2) Aug 26 13:10:17.670565: | a9 6d 2c db 22 7f 10 cd a9 27 21 0d a1 26 af 75 Aug 26 13:10:17.670567: | 2e 20 25 20 00 00 00 03 00 00 00 50 2a 00 00 34 Aug 26 13:10:17.670570: | aa fc dc 83 8a 81 f8 d6 ae ba 39 4f 84 1a 45 8b Aug 26 13:10:17.670573: | 04 b8 d3 7e f0 7a 73 a0 c3 29 47 9e a3 78 aa a3 Aug 26 13:10:17.670575: | 92 b2 4d b1 90 b3 8c ff 86 b8 28 89 0c 5c 88 62 Aug 26 13:10:17.670624: | Message ID: #2 XXX: in process_encrypted_informational_ikev2() hacking around record'n'send bypassing send queue hacking around delete_my_family(); initiator.sent=-1 initiator.recv=-1 responder.sent=2 responder.recv=2 wip.initiator=-1 wip.responder=3 Aug 26 13:10:17.670633: | Message ID: sent #2 response 3; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=2->3 responder.recv=2 wip.initiator=-1 wip.responder=3 Aug 26 13:10:17.670642: | #2 spent 0.531 milliseconds in processing: R2: process INFORMATIONAL Request in ikev2_process_state_packet() Aug 26 13:10:17.670648: | [RE]START processing: state #2 connection "north-eastnets/0x2" from 192.1.2.23:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:10:17.670652: | #2 complete_v2_state_transition() PARENT_R2->PARENT_R2 with status STF_OK Aug 26 13:10:17.670656: | Message ID: updating counters for #2 to 3 after switching state Aug 26 13:10:17.670661: | Message ID: recv #2 request 3; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=3 responder.recv=2->3 wip.initiator=-1 wip.responder=3->-1 Aug 26 13:10:17.670665: | Message ID: #2 skipping update_send 
as nothing to send; initiator.sent=-1 initiator.recv=-1 responder.sent=3 responder.recv=3 wip.initiator=-1 wip.responder=-1 Aug 26 13:10:17.670669: "north-eastnets/0x2" #2: STATE_PARENT_R2: received v2I2, PARENT SA established Aug 26 13:10:17.670675: | stop processing: state #2 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ikev2_process_packet() at ikev2.c:2018) Aug 26 13:10:17.670680: | #2 spent 0.792 milliseconds in ikev2_process_packet() Aug 26 13:10:17.670685: | stop processing: from 192.1.2.23:500 (in process_md() at demux.c:380) Aug 26 13:10:17.670688: | processing: STOP state #0 (in process_md() at demux.c:382) Aug 26 13:10:17.670692: | processing: STOP connection NULL (in process_md() at demux.c:383) Aug 26 13:10:17.670696: | spent 0.809 milliseconds in comm_handle_cb() reading and processing packet Aug 26 13:10:17.670708: | spent 0.00156 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Aug 26 13:10:17.670719: | *received 80 bytes from 192.1.2.23:500 on eth1 (192.1.3.33:500) Aug 26 13:10:17.670723: | f4 b6 d6 b1 3a 28 54 37 ed ec 45 23 73 d7 1a d3 Aug 26 13:10:17.670725: | 2e 20 25 00 00 00 00 02 00 00 00 50 2a 00 00 34 Aug 26 13:10:17.670728: | f4 ec b3 f4 0e 66 ff 8d 89 3b f7 1f 55 fd b5 c6 Aug 26 13:10:17.670730: | 7a ab e5 e7 6f 52 57 a8 2c a0 5b 19 01 3b 83 82 Aug 26 13:10:17.670733: | df 30 66 28 4d 29 f2 ce d5 18 6e 16 13 64 1f 06 Aug 26 13:10:17.670738: | start processing: from 192.1.2.23:500 (in process_md() at demux.c:378) Aug 26 13:10:17.670742: | **parse ISAKMP Message: Aug 26 13:10:17.670745: | initiator cookie: Aug 26 13:10:17.670747: | f4 b6 d6 b1 3a 28 54 37 Aug 26 13:10:17.670750: | responder cookie: Aug 26 13:10:17.670752: | ed ec 45 23 73 d7 1a d3 Aug 26 13:10:17.670756: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Aug 26 13:10:17.670759: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:10:17.670762: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Aug 26 13:10:17.670764: | flags: none 
(0x0) Aug 26 13:10:17.670767: | Message ID: 2 (0x2) Aug 26 13:10:17.670770: | length: 80 (0x50) Aug 26 13:10:17.670773: | processing version=2.0 packet with exchange type=ISAKMP_v2_INFORMATIONAL (37) Aug 26 13:10:17.670776: | I am the IKE SA Original Initiator receiving an IKEv2 INFORMATIONAL request Aug 26 13:10:17.670780: | State DB: found IKEv2 state #1 in PARENT_I3 (find_v2_ike_sa) Aug 26 13:10:17.670786: | start processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ikev2_process_packet() at ikev2.c:2016) Aug 26 13:10:17.670790: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Aug 26 13:10:17.670795: | [RE]START processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ike_process_packet() at ikev2.c:2064) Aug 26 13:10:17.670798: | #1 st.st_msgid_lastrecv 1 md.hdr.isa_msgid 00000002 Aug 26 13:10:17.670802: | Message ID: #1 not a duplicate - message is new; initiator.sent=2 initiator.recv=2 responder.sent=1 responder.recv=1 Aug 26 13:10:17.670805: | unpacking clear payload Aug 26 13:10:17.670808: | Now let's proceed with payload (ISAKMP_NEXT_v2SK) Aug 26 13:10:17.670812: | ***parse IKEv2 Encryption Payload: Aug 26 13:10:17.670815: | next payload type: ISAKMP_NEXT_v2D (0x2a) Aug 26 13:10:17.670818: | flags: none (0x0) Aug 26 13:10:17.670821: | length: 52 (0x34) Aug 26 13:10:17.670824: | processing payload: ISAKMP_NEXT_v2SK (len=48) Aug 26 13:10:17.670828: | Message ID: start-responder #1 request 2; ike: initiator.sent=2 initiator.recv=2 responder.sent=1 responder.recv=1 wip.initiator=-1 wip.responder=-1->2 Aug 26 13:10:17.670831: | #1 in state PARENT_I3: PARENT SA established Aug 26 13:10:17.670851: | data for hmac: f4 b6 d6 b1 3a 28 54 37 ed ec 45 23 73 d7 1a d3 Aug 26 13:10:17.670855: | data for hmac: 2e 20 25 00 00 00 00 02 00 00 00 50 2a 00 00 34 Aug 26 13:10:17.670858: | data for hmac: f4 ec b3 f4 0e 66 ff 8d 89 3b f7 1f 55 fd b5 c6 Aug 26 13:10:17.670861: | data for hmac: 7a ab e5 e7 6f 52 57 a8 2c a0 
5b 19 01 3b 83 82 Aug 26 13:10:17.670864: | calculated auth: df 30 66 28 4d 29 f2 ce d5 18 6e 16 13 64 1f 06 Aug 26 13:10:17.670867: | provided auth: df 30 66 28 4d 29 f2 ce d5 18 6e 16 13 64 1f 06 Aug 26 13:10:17.670869: | authenticator matched Aug 26 13:10:17.670877: | #1 ikev2 ISAKMP_v2_INFORMATIONAL decrypt success Aug 26 13:10:17.670880: | Now let's proceed with payload (ISAKMP_NEXT_v2D) Aug 26 13:10:17.670884: | **parse IKEv2 Delete Payload: Aug 26 13:10:17.670887: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:17.670889: | flags: none (0x0) Aug 26 13:10:17.670892: | length: 8 (0x8) Aug 26 13:10:17.670895: | protocol ID: PROTO_v2_IKE (0x1) Aug 26 13:10:17.670898: | SPI size: 0 (0x0) Aug 26 13:10:17.670900: | number of SPIs: 0 (0x0) Aug 26 13:10:17.670903: | processing payload: ISAKMP_NEXT_v2D (len=0) Aug 26 13:10:17.670906: | selected state microcode I3: INFORMATIONAL Request Aug 26 13:10:17.670909: | Now let's proceed with state specific processing Aug 26 13:10:17.670911: | calling processor I3: INFORMATIONAL Request Aug 26 13:10:17.670915: | an informational request should send a response Aug 26 13:10:17.670920: | Received an INFORMATIONAL response, updating st_last_liveness, no pending_liveness Aug 26 13:10:17.670924: | **emit ISAKMP Message: Aug 26 13:10:17.670927: | initiator cookie: Aug 26 13:10:17.670930: | f4 b6 d6 b1 3a 28 54 37 Aug 26 13:10:17.670933: | responder cookie: Aug 26 13:10:17.670935: | ed ec 45 23 73 d7 1a d3 Aug 26 13:10:17.670938: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 13:10:17.670941: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:10:17.670944: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Aug 26 13:10:17.670947: | flags: ISAKMP_FLAG_v2_IKE_INIT+ISAKMP_FLAG_v2_MSG_RESPONSE (0x28) Aug 26 13:10:17.670950: | Message ID: 2 (0x2) Aug 26 13:10:17.670953: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 13:10:17.670956: | ***emit IKEv2 Encryption 
Payload: Aug 26 13:10:17.670959: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:17.670962: | flags: none (0x0) Aug 26 13:10:17.670966: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Aug 26 13:10:17.670969: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'information exchange reply packet' Aug 26 13:10:17.670973: | emitting 16 zero bytes of IV into IKEv2 Encryption Payload Aug 26 13:10:17.670979: | adding 16 bytes of padding (including 1 byte padding-length) Aug 26 13:10:17.670983: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:10:17.670986: | emitting 1 0x01 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:10:17.670989: | emitting 1 0x02 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:10:17.670992: | emitting 1 0x03 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:10:17.670995: | emitting 1 0x04 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:10:17.671001: | emitting 1 0x05 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:10:17.671005: | emitting 1 0x06 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:10:17.671008: | emitting 1 0x07 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:10:17.671011: | emitting 1 0x08 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:10:17.671014: | emitting 1 0x09 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:10:17.671017: | emitting 1 0x0a repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:10:17.671020: | emitting 1 0x0b repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:10:17.671024: | emitting 1 0x0c repeated bytes of padding and length into IKEv2 
Encryption Payload Aug 26 13:10:17.671027: | emitting 1 0x0d repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:10:17.671030: | emitting 1 0x0e repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:10:17.671033: | emitting 1 0x0f repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:10:17.671036: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Aug 26 13:10:17.671039: | emitting length of IKEv2 Encryption Payload: 52 Aug 26 13:10:17.671042: | emitting length of ISAKMP Message: 80 Aug 26 13:10:17.671063: | data being hmac: f4 b6 d6 b1 3a 28 54 37 ed ec 45 23 73 d7 1a d3 Aug 26 13:10:17.671066: | data being hmac: 2e 20 25 28 00 00 00 02 00 00 00 50 00 00 00 34 Aug 26 13:10:17.671069: | data being hmac: 78 fc 5c 3d c8 28 b2 2f 4e 8a 40 e2 3a dc 92 2d Aug 26 13:10:17.671072: | data being hmac: b2 6b 3d e9 62 f9 7b 08 13 3c f4 05 4e 2f a8 3a Aug 26 13:10:17.671074: | out calculated auth: Aug 26 13:10:17.671077: | c0 51 0c e2 29 09 f7 58 dc 82 eb 48 13 73 c5 cf Aug 26 13:10:17.671085: | sending 80 bytes for reply packet for process_encrypted_informational_ikev2 through eth1 from 192.1.3.33:500 to 192.1.2.23:500 (using #1) Aug 26 13:10:17.671088: | f4 b6 d6 b1 3a 28 54 37 ed ec 45 23 73 d7 1a d3 Aug 26 13:10:17.671090: | 2e 20 25 28 00 00 00 02 00 00 00 50 00 00 00 34 Aug 26 13:10:17.671093: | 78 fc 5c 3d c8 28 b2 2f 4e 8a 40 e2 3a dc 92 2d Aug 26 13:10:17.671096: | b2 6b 3d e9 62 f9 7b 08 13 3c f4 05 4e 2f a8 3a Aug 26 13:10:17.671099: | c0 51 0c e2 29 09 f7 58 dc 82 eb 48 13 73 c5 cf Aug 26 13:10:17.671122: | Message ID: #1 XXX: in process_encrypted_informational_ikev2() hacking around record'n'send bypassing send queue hacking around delete_my_family(); initiator.sent=2 initiator.recv=2 responder.sent=1 responder.recv=1 wip.initiator=-1 wip.responder=2 Aug 26 13:10:17.671128: | Message ID: sent #1 response 2; ike: initiator.sent=2 initiator.recv=2 
responder.sent=1->2 responder.recv=1 wip.initiator=-1 wip.responder=2 Aug 26 13:10:17.671131: | State DB: IKEv2 state not found (delete_my_family) Aug 26 13:10:17.671135: | parent state #1: PARENT_I3(established IKE SA) => IKESA_DEL(established IKE SA) Aug 26 13:10:17.671139: | pstats #1 ikev2.ike deleted completed Aug 26 13:10:17.671143: | #1 spent 40.5 milliseconds in total Aug 26 13:10:17.671149: | [RE]START processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in delete_state() at state.c:879) Aug 26 13:10:17.671153: "north-eastnets/0x2" #1: deleting state (STATE_IKESA_DEL) aged 23.251s and NOT sending notification Aug 26 13:10:17.671156: | parent state #1: IKESA_DEL(established IKE SA) => delete Aug 26 13:10:17.671225: | state #1 requesting EVENT_SA_REKEY to be deleted Aug 26 13:10:17.671233: | libevent_free: release ptr-libevent@0x55fb063818a0 Aug 26 13:10:17.671236: | free_event_entry: release EVENT_SA_REKEY-pe@0x55fb06381860 Aug 26 13:10:17.671240: | State DB: IKEv2 state not found (flush_incomplete_children) Aug 26 13:10:17.671243: | picked newest_isakmp_sa #2 for #1 Aug 26 13:10:17.671246: | IKE delete_state() for #1 and connection 'north-eastnets/0x2' that is supposed to remain up; not a problem - have newer #2 Aug 26 13:10:17.671252: | in connection_discard for connection north-eastnets/0x2 Aug 26 13:10:17.671255: | State DB: deleting IKEv2 state #1 in IKESA_DEL Aug 26 13:10:17.671260: | parent state #1: IKESA_DEL(established IKE SA) => UNDEFINED(ignore) Aug 26 13:10:17.671265: | unreference key: 0x55fb06309390 @east cnt 3-- Aug 26 13:10:17.671314: | stop processing: state #1 from 192.1.2.23:500 (in delete_state() at state.c:1143) Aug 26 13:10:17.671352: | in statetime_stop() and could not find #1 Aug 26 13:10:17.671356: | skip start processing: state #0 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:10:17.671361: | #0 complete_v2_state_transition() md.from_state=PARENT_I3 md.svm.state[from]=PARENT_I3 
UNDEFINED->PARENT_I3 with status STF_OK Aug 26 13:10:17.671363: | STF_OK but no state object remains Aug 26 13:10:17.671367: | processing: STOP state #0 (in ikev2_process_packet() at ikev2.c:2018) Aug 26 13:10:17.671370: | in statetime_stop() and could not find #1 Aug 26 13:10:17.671375: | stop processing: from 192.1.2.23:500 (in process_md() at demux.c:380) Aug 26 13:10:17.671378: | processing: STOP state #0 (in process_md() at demux.c:382) Aug 26 13:10:17.671381: | processing: STOP connection NULL (in process_md() at demux.c:383) Aug 26 13:10:17.671387: | spent 0.633 milliseconds in comm_handle_cb() reading and processing packet Aug 26 13:10:17.671396: | spent 0.0015 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Aug 26 13:10:17.671407: | *received 80 bytes from 192.1.2.23:500 on eth1 (192.1.3.33:500) Aug 26 13:10:17.671410: | a9 6d 2c db 22 7f 10 cd a9 27 21 0d a1 26 af 75 Aug 26 13:10:17.671413: | 2e 20 25 08 00 00 00 04 00 00 00 50 2a 00 00 34 Aug 26 13:10:17.671415: | 68 c4 db 3c f9 a6 1f 60 23 79 5d 66 87 7c 23 de Aug 26 13:10:17.671418: | 1a 92 e6 4f d6 10 81 a5 49 f0 8a a7 61 26 a4 c3 Aug 26 13:10:17.671421: | 4b af 09 87 6f 75 d4 20 65 22 b3 92 8b 7e c0 94 Aug 26 13:10:17.671425: | start processing: from 192.1.2.23:500 (in process_md() at demux.c:378) Aug 26 13:10:17.671428: | **parse ISAKMP Message: Aug 26 13:10:17.671431: | initiator cookie: Aug 26 13:10:17.671434: | a9 6d 2c db 22 7f 10 cd Aug 26 13:10:17.671437: | responder cookie: Aug 26 13:10:17.671440: | a9 27 21 0d a1 26 af 75 Aug 26 13:10:17.671442: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Aug 26 13:10:17.671445: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:10:17.671448: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Aug 26 13:10:17.671451: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Aug 26 13:10:17.671454: | Message ID: 4 (0x4) Aug 26 13:10:17.671457: | length: 80 (0x50) Aug 26 13:10:17.671460: | processing version=2.0 packet with exchange 
type=ISAKMP_v2_INFORMATIONAL (37) Aug 26 13:10:17.671463: | I am the IKE SA Original Responder receiving an IKEv2 INFORMATIONAL request Aug 26 13:10:17.671467: | State DB: found IKEv2 state #2 in PARENT_R2 (find_v2_ike_sa) Aug 26 13:10:17.671473: | start processing: state #2 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ikev2_process_packet() at ikev2.c:2016) Aug 26 13:10:17.671476: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Aug 26 13:10:17.671481: | [RE]START processing: state #2 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ike_process_packet() at ikev2.c:2064) Aug 26 13:10:17.671484: | #2 st.st_msgid_lastrecv 3 md.hdr.isa_msgid 00000004 Aug 26 13:10:17.671488: | Message ID: #2 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=3 responder.recv=3 Aug 26 13:10:17.671491: | unpacking clear payload Aug 26 13:10:17.671494: | Now let's proceed with payload (ISAKMP_NEXT_v2SK) Aug 26 13:10:17.671497: | ***parse IKEv2 Encryption Payload: Aug 26 13:10:17.671500: | next payload type: ISAKMP_NEXT_v2D (0x2a) Aug 26 13:10:17.671503: | flags: none (0x0) Aug 26 13:10:17.671506: | length: 52 (0x34) Aug 26 13:10:17.671508: | processing payload: ISAKMP_NEXT_v2SK (len=48) Aug 26 13:10:17.671513: | Message ID: start-responder #2 request 4; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=3 responder.recv=3 wip.initiator=-1 wip.responder=-1->4 Aug 26 13:10:17.671519: | #2 in state PARENT_R2: received v2I2, PARENT SA established Aug 26 13:10:17.671539: | data for hmac: a9 6d 2c db 22 7f 10 cd a9 27 21 0d a1 26 af 75 Aug 26 13:10:17.671543: | data for hmac: 2e 20 25 08 00 00 00 04 00 00 00 50 2a 00 00 34 Aug 26 13:10:17.671546: | data for hmac: 68 c4 db 3c f9 a6 1f 60 23 79 5d 66 87 7c 23 de Aug 26 13:10:17.671549: | data for hmac: 1a 92 e6 4f d6 10 81 a5 49 f0 8a a7 61 26 a4 c3 Aug 26 13:10:17.671552: | calculated auth: 4b af 09 87 6f 75 d4 20 65 22 b3 92 8b 7e c0 94 Aug 26 13:10:17.671554: | provided 
auth: 4b af 09 87 6f 75 d4 20 65 22 b3 92 8b 7e c0 94 Aug 26 13:10:17.671557: | authenticator matched Aug 26 13:10:17.671565: | #2 ikev2 ISAKMP_v2_INFORMATIONAL decrypt success Aug 26 13:10:17.671569: | Now let's proceed with payload (ISAKMP_NEXT_v2D) Aug 26 13:10:17.671572: | **parse IKEv2 Delete Payload: Aug 26 13:10:17.671575: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:17.671578: | flags: none (0x0) Aug 26 13:10:17.671580: | length: 12 (0xc) Aug 26 13:10:17.671583: | protocol ID: PROTO_v2_ESP (0x3) Aug 26 13:10:17.671586: | SPI size: 4 (0x4) Aug 26 13:10:17.671589: | number of SPIs: 1 (0x1) Aug 26 13:10:17.671592: | processing payload: ISAKMP_NEXT_v2D (len=4) Aug 26 13:10:17.671595: | selected state microcode R2: process INFORMATIONAL Request Aug 26 13:10:17.671597: | Now let's proceed with state specific processing Aug 26 13:10:17.671600: | calling processor R2: process INFORMATIONAL Request Aug 26 13:10:17.671604: | an informational request should send a response Aug 26 13:10:17.671608: | Received an INFORMATIONAL response, updating st_last_liveness, no pending_liveness Aug 26 13:10:17.671612: | **emit ISAKMP Message: Aug 26 13:10:17.671615: | initiator cookie: Aug 26 13:10:17.671617: | a9 6d 2c db 22 7f 10 cd Aug 26 13:10:17.671620: | responder cookie: Aug 26 13:10:17.671622: | a9 27 21 0d a1 26 af 75 Aug 26 13:10:17.671626: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 13:10:17.671629: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:10:17.671632: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Aug 26 13:10:17.671634: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Aug 26 13:10:17.671637: | Message ID: 4 (0x4) Aug 26 13:10:17.671640: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 13:10:17.671644: | ***emit IKEv2 Encryption Payload: Aug 26 13:10:17.671647: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:17.671649: | flags: none (0x0) Aug 26 13:10:17.671653: | next 
payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Aug 26 13:10:17.671656: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'information exchange reply packet' Aug 26 13:10:17.671659: | emitting 16 zero bytes of IV into IKEv2 Encryption Payload Aug 26 13:10:17.671667: | parsing 4 raw bytes of IKEv2 Delete Payload into SPI Aug 26 13:10:17.671670: | SPI 6a b2 7b 1b Aug 26 13:10:17.671673: | delete PROTO_v2_ESP SA(0x6ab27b1b) Aug 26 13:10:17.671677: | v2 CHILD SA #6 found using their inbound (our outbound) SPI, in STATE_V2_IPSEC_R Aug 26 13:10:17.671681: | State DB: found IKEv2 state #6 in V2_IPSEC_R (find_v2_child_sa_by_outbound_spi) Aug 26 13:10:17.671684: | our side SPI that needs to be deleted: PROTO_v2_ESP SA(0x6ab27b1b) Aug 26 13:10:17.671687: "north-eastnets/0x2" #2: received Delete SA payload: replace IPsec State #6 now Aug 26 13:10:17.671690: | state #6 requesting EVENT_SA_REKEY to be deleted Aug 26 13:10:17.671694: | libevent_free: release ptr-libevent@0x7feddc003060 Aug 26 13:10:17.671697: | free_event_entry: release EVENT_SA_REKEY-pe@0x55fb06386d40 Aug 26 13:10:17.671701: | event_schedule: new EVENT_SA_REPLACE-pe@0x55fb0638ae20 Aug 26 13:10:17.671705: | inserting event EVENT_SA_REPLACE, timeout in 0 seconds for #6 Aug 26 13:10:17.671710: | libevent_malloc: new ptr-libevent@0x7feddc003060 size 128 Aug 26 13:10:17.671714: | ****emit IKEv2 Delete Payload: Aug 26 13:10:17.671717: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:17.671720: | flags: none (0x0) Aug 26 13:10:17.671723: | protocol ID: PROTO_v2_ESP (0x3) Aug 26 13:10:17.671726: | SPI size: 4 (0x4) Aug 26 13:10:17.671729: | number of SPIs: 1 (0x1) Aug 26 13:10:17.671732: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) Aug 26 13:10:17.671735: | next payload chain: saving location 'IKEv2 
Delete Payload'.'next payload type' in 'information exchange reply packet' Aug 26 13:10:17.671739: | emitting 4 raw bytes of local SPIs into IKEv2 Delete Payload Aug 26 13:10:17.671742: | local SPIs d0 d5 dc fa Aug 26 13:10:17.671745: | emitting length of IKEv2 Delete Payload: 12 Aug 26 13:10:17.671748: | adding 4 bytes of padding (including 1 byte padding-length) Aug 26 13:10:17.671751: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:10:17.671755: | emitting 1 0x01 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:10:17.671758: | emitting 1 0x02 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:10:17.671761: | emitting 1 0x03 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:10:17.671765: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Aug 26 13:10:17.671767: | emitting length of IKEv2 Encryption Payload: 52 Aug 26 13:10:17.671770: | emitting length of ISAKMP Message: 80 Aug 26 13:10:17.671792: | data being hmac: a9 6d 2c db 22 7f 10 cd a9 27 21 0d a1 26 af 75 Aug 26 13:10:17.671796: | data being hmac: 2e 20 25 20 00 00 00 04 00 00 00 50 2a 00 00 34 Aug 26 13:10:17.671799: | data being hmac: c0 b4 ee de 6d 30 37 68 ab 82 82 cb 1a cd 32 96 Aug 26 13:10:17.671802: | data being hmac: 1b 31 35 04 4e da 11 20 e3 c1 2b 1e 19 c4 bb 8f Aug 26 13:10:17.671804: | out calculated auth: Aug 26 13:10:17.671807: | 7e fa 52 66 55 c9 9e 97 06 c4 e0 34 05 9c e6 46 Aug 26 13:10:17.671815: | sending 80 bytes for reply packet for process_encrypted_informational_ikev2 through eth1 from 192.1.3.33:500 to 192.1.2.23:500 (using #2) Aug 26 13:10:17.671818: | a9 6d 2c db 22 7f 10 cd a9 27 21 0d a1 26 af 75 Aug 26 13:10:17.671821: | 2e 20 25 20 00 00 00 04 00 00 00 50 2a 00 00 34 Aug 26 13:10:17.671823: | c0 b4 ee de 6d 30 37 68 ab 82 82 cb 1a cd 32 96 Aug 26 13:10:17.671826: | 1b 31 35 04 4e da 11 20 e3 c1 2b 1e 19 c4 bb 8f 
Aug 26 13:10:17.671829: | 7e fa 52 66 55 c9 9e 97 06 c4 e0 34 05 9c e6 46 Aug 26 13:10:17.671855: | Message ID: #2 XXX: in process_encrypted_informational_ikev2() hacking around record'n'send bypassing send queue hacking around delete_my_family(); initiator.sent=-1 initiator.recv=-1 responder.sent=3 responder.recv=3 wip.initiator=-1 wip.responder=4 Aug 26 13:10:17.671861: | Message ID: sent #2 response 4; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=3->4 responder.recv=3 wip.initiator=-1 wip.responder=4 Aug 26 13:10:17.671867: | #2 spent 0.25 milliseconds in processing: R2: process INFORMATIONAL Request in ikev2_process_state_packet() Aug 26 13:10:17.671873: | [RE]START processing: state #2 connection "north-eastnets/0x2" from 192.1.2.23:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:10:17.671877: | #2 complete_v2_state_transition() PARENT_R2->PARENT_R2 with status STF_OK Aug 26 13:10:17.671880: | Message ID: updating counters for #2 to 4 after switching state Aug 26 13:10:17.671885: | Message ID: recv #2 request 4; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=4 responder.recv=3->4 wip.initiator=-1 wip.responder=4->-1 Aug 26 13:10:17.671889: | Message ID: #2 skipping update_send as nothing to send; initiator.sent=-1 initiator.recv=-1 responder.sent=4 responder.recv=4 wip.initiator=-1 wip.responder=-1 Aug 26 13:10:17.671896: "north-eastnets/0x2" #2: STATE_PARENT_R2: received v2I2, PARENT SA established Aug 26 13:10:17.671901: | stop processing: state #2 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ikev2_process_packet() at ikev2.c:2018) Aug 26 13:10:17.671907: | #2 spent 0.494 milliseconds in ikev2_process_packet() Aug 26 13:10:17.671912: | stop processing: from 192.1.2.23:500 (in process_md() at demux.c:380) Aug 26 13:10:17.671915: | processing: STOP state #0 (in process_md() at demux.c:382) Aug 26 13:10:17.671918: | processing: STOP connection NULL (in process_md() at demux.c:383) Aug 26 13:10:17.671923: | spent 
0.51 milliseconds in comm_handle_cb() reading and processing packet Aug 26 13:10:17.671929: | timer_event_cb: processing event@0x55fb0638ae20 Aug 26 13:10:17.671932: | handling event EVENT_SA_REPLACE for child state #6 Aug 26 13:10:17.671938: | start processing: state #6 connection "north-eastnets/0x1" from 192.1.2.23:500 (in timer_event_cb() at timer.c:250) Aug 26 13:10:17.671942: | picked newest_ipsec_sa #6 for #6 Aug 26 13:10:17.671944: | replacing stale CHILD SA Aug 26 13:10:17.671949: | dup_any(fd@-1) -> fd@-1 (in ipsecdoi_replace() at ipsec_doi.c:351) Aug 26 13:10:17.671952: | FOR_EACH_STATE_... in find_phase1_state Aug 26 13:10:17.671956: | FOR_EACH_STATE_... in find_pending_phase2 Aug 26 13:10:17.671962: | creating state object #8 at 0x55fb0637fb40 Aug 26 13:10:17.671964: | State DB: adding IKEv2 state #8 in UNDEFINED Aug 26 13:10:17.671970: | pstats #8 ikev2.child started Aug 26 13:10:17.671974: | duplicating state object #2 "north-eastnets/0x2" as #8 for IPSEC SA Aug 26 13:10:17.671979: | #8 setting local endpoint to 192.1.3.33:500 from #2.st_localport (in duplicate_state() at state.c:1484) Aug 26 13:10:17.671985: | Message ID: init_child #2.#8; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=4 responder.recv=4; child: wip.initiator=0->-1 wip.responder=0->-1 Aug 26 13:10:17.671989: | in connection_discard for connection north-eastnets/0x2 Aug 26 13:10:17.671994: | suspend processing: state #6 connection "north-eastnets/0x1" from 192.1.2.23:500 (in ikev2_initiate_child_sa() at ikev2_parent.c:5637) Aug 26 13:10:17.671999: | start processing: state #8 connection "north-eastnets/0x1" from 192.1.2.23:500 (in ikev2_initiate_child_sa() at ikev2_parent.c:5637) Aug 26 13:10:17.672003: | child state #8: UNDEFINED(ignore) => V2_REKEY_CHILD_I0(established IKE SA) Aug 26 13:10:17.672007: | create child proposal's DH changed from no-PFS to MODP2048, flushing Aug 26 13:10:17.672011: | constructing ESP/AH proposals with default DH MODP2048 for north-eastnets/0x1 
(ESP/AH initiator emitting proposals) Aug 26 13:10:17.672017: | converting proposal AES_CBC_128-HMAC_SHA2_512_256-MODP3072 to ikev2 ... Aug 26 13:10:17.672024: | ... ikev2_proposal: 1:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;DH=MODP3072;ESN=DISABLED Aug 26 13:10:17.672029: "north-eastnets/0x1": constructed local ESP/AH proposals for north-eastnets/0x1 (ESP/AH initiator emitting proposals): 1:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;DH=MODP3072;ESN=DISABLED Aug 26 13:10:17.672035: | #8 schedule rekey initiate IPsec SA RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO to replace #6 using IKE# 2 pfs=MODP3072 Aug 26 13:10:17.672039: | event_schedule: new EVENT_v2_INITIATE_CHILD-pe@0x55fb063849e0 Aug 26 13:10:17.672043: | inserting event EVENT_v2_INITIATE_CHILD, timeout in 0 seconds for #8 Aug 26 13:10:17.672046: | libevent_malloc: new ptr-libevent@0x55fb063818a0 size 128 Aug 26 13:10:17.672052: | RESET processing: state #8 connection "north-eastnets/0x1" from 192.1.2.23:500 (in ikev2_initiate_child_sa() at ikev2_parent.c:5737) Aug 26 13:10:17.672055: | event_schedule: new EVENT_SA_EXPIRE-pe@0x55fb0638d530 Aug 26 13:10:17.672059: | inserting event EVENT_SA_EXPIRE, timeout in 0 seconds for #6 Aug 26 13:10:17.672062: | libevent_malloc: new ptr-libevent@0x55fb0639a310 size 128 Aug 26 13:10:17.672066: | libevent_free: release ptr-libevent@0x7feddc003060 Aug 26 13:10:17.672069: | free_event_entry: release EVENT_SA_REPLACE-pe@0x55fb0638ae20 Aug 26 13:10:17.672076: | #6 spent 0.146 milliseconds in timer_event_cb() EVENT_SA_REPLACE Aug 26 13:10:17.672079: | processing: STOP state #0 (in timer_event_cb() at timer.c:557) Aug 26 13:10:17.672084: | timer_event_cb: processing event@0x55fb063849e0 Aug 26 13:10:17.672087: | handling event EVENT_v2_INITIATE_CHILD for child state #8 Aug 26 13:10:17.672092: | start processing: state #8 connection "north-eastnets/0x1" from 192.1.2.23:500 (in timer_event_cb() at timer.c:250) Aug 26 13:10:17.672097: | adding 
Child Rekey Initiator KE and nonce ni work-order 10 for state #8 Aug 26 13:10:17.672100: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55fb0638ae20 Aug 26 13:10:17.672104: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #8 Aug 26 13:10:17.672107: | libevent_malloc: new ptr-libevent@0x7feddc003060 size 128 Aug 26 13:10:17.672117: | libevent_free: release ptr-libevent@0x55fb063818a0 Aug 26 13:10:17.672120: | free_event_entry: release EVENT_v2_INITIATE_CHILD-pe@0x55fb063849e0 Aug 26 13:10:17.672125: | #8 spent 0.04 milliseconds in timer_event_cb() EVENT_v2_INITIATE_CHILD Aug 26 13:10:17.672130: | stop processing: state #8 connection "north-eastnets/0x1" from 192.1.2.23:500 (in timer_event_cb() at timer.c:557) Aug 26 13:10:17.672127: | crypto helper 1 resuming Aug 26 13:10:17.672139: | timer_event_cb: processing event@0x55fb0638d530 Aug 26 13:10:17.672151: | crypto helper 1 starting work-order 10 for state #8 Aug 26 13:10:17.672154: | handling event EVENT_SA_EXPIRE for child state #6 Aug 26 13:10:17.672158: | crypto helper 1 doing build KE and nonce (Child Rekey Initiator KE and nonce ni); request ID 10 Aug 26 13:10:17.672166: | crypto helper is pausing for 1 seconds Aug 26 13:10:17.672159: | start processing: state #6 connection "north-eastnets/0x1" from 192.1.2.23:500 (in timer_event_cb() at timer.c:250) Aug 26 13:10:17.672186: | picked newest_ipsec_sa #6 for #6 Aug 26 13:10:17.672192: | un-established partial CHILD SA timeout (SA expired) Aug 26 13:10:17.672195: | pstats #6 ikev2.child re-failed exchange-timeout Aug 26 13:10:17.672199: | pstats #6 ikev2.child deleted completed Aug 26 13:10:17.672203: | #6 spent 7.18 milliseconds in total Aug 26 13:10:17.672210: | [RE]START processing: state #6 connection "north-eastnets/0x1" from 192.1.2.23:500 (in delete_state() at state.c:879) Aug 26 13:10:17.672214: "north-eastnets/0x1" #6: deleting state (STATE_V2_IPSEC_R) aged 20.809s and NOT sending notification Aug 26 13:10:17.672218: | child state #6: 
V2_IPSEC_R(established CHILD SA) => delete Aug 26 13:10:17.672223: | get_sa_info esp.6ab27b1b@192.1.2.23 Aug 26 13:10:17.672240: | get_sa_info esp.d0d5dcfa@192.1.3.33 Aug 26 13:10:17.672250: "north-eastnets/0x1" #6: ESP traffic information: in=12MB out=12MB Aug 26 13:10:17.672254: | child state #6: V2_IPSEC_R(established CHILD SA) => CHILDSA_DEL(informational) Aug 26 13:10:17.672327: | running updown command "ipsec _updown" for verb down Aug 26 13:10:17.672337: | command executing down-client Aug 26 13:10:17.672376: | executing down-client: PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets/0x1' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.23' PLUTO_ME='192.1.3.33' PLUTO_MY_ID='@north' PLUTO_MY_CLIENT='192.0.3.0/24' PLUTO_MY_CLIENT_NET='192.0.3.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID='@east' PLUTO_PEER_CLIENT='192.0.2.0/24' PLUTO_PEER_CLIENT_NET='192.0.2.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1566824998' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='n Aug 26 13:10:17.672386: | popen cmd is 1052 chars long Aug 26 13:10:17.672390: | cmd( 0):PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets/0x: Aug 26 13:10:17.672395: | cmd( 80):1' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.23' PLUTO_ME='192.1.3.33' PLUT: Aug 26 13:10:17.672399: | cmd( 160):O_MY_ID='@north' PLUTO_MY_CLIENT='192.0.3.0/24' PLUTO_MY_CLIENT_NET='192.0.3.0' : Aug 26 13:10:17.672402: | cmd( 
240):PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLU: Aug 26 13:10:17.672406: | cmd( 320):TO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID='@: Aug 26 13:10:17.672409: | cmd( 400):east' PLUTO_PEER_CLIENT='192.0.2.0/24' PLUTO_PEER_CLIENT_NET='192.0.2.0' PLUTO_P: Aug 26 13:10:17.672413: | cmd( 480):EER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUT: Aug 26 13:10:17.672417: | cmd( 560):O_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1566824998' PLUTO_CONN_POLICY=': Aug 26 13:10:17.672420: | cmd( 640):RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUT: Aug 26 13:10:17.672424: | cmd( 720):O_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_: Aug 26 13:10:17.672427: | cmd( 800):PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNE: Aug 26 13:10:17.672431: | cmd( 880):R='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE: Aug 26 13:10:17.672434: | cmd( 960):='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x6ab27b1b SPI_OUT=0xd0d5dcfa ipsec : Aug 26 13:10:17.672437: | cmd(1040):_updown 2>&1: Aug 26 13:10:17.687840: | shunt_eroute() called for connection 'north-eastnets/0x1' to 'replace with shunt' for rt_kind 'prospective erouted' using protoports 0--0->-0 Aug 26 13:10:17.687863: | netlink_shunt_eroute for proto 0, and source port 0 dest port 0 Aug 26 13:10:17.687868: | priority calculation of connection "north-eastnets/0x1" is 0xfe7e7 Aug 26 13:10:17.687873: | IPsec Sa SPD priority set to 1042407 Aug 26 13:10:17.687925: | delete esp.6ab27b1b@192.1.2.23 Aug 26 13:10:17.687952: | netlink response for Del SA esp.6ab27b1b@192.1.2.23 included non-error error Aug 26 13:10:17.687956: | priority calculation of connection "north-eastnets/0x1" is 0xfe7e7 Aug 26 13:10:17.687964: | delete inbound eroute 192.0.2.0/24:0 --0-> 192.0.3.0/24:0 => unk255.10000@192.1.3.33 (raw_eroute) Aug 26 
13:10:17.688005: | raw_eroute result=success Aug 26 13:10:17.688010: | delete esp.d0d5dcfa@192.1.3.33 Aug 26 13:10:17.688031: | netlink response for Del SA esp.d0d5dcfa@192.1.3.33 included non-error error Aug 26 13:10:17.688043: | in connection_discard for connection north-eastnets/0x1 Aug 26 13:10:17.688047: | State DB: deleting IKEv2 state #6 in CHILDSA_DEL Aug 26 13:10:17.688054: | child state #6: CHILDSA_DEL(informational) => UNDEFINED(ignore) Aug 26 13:10:17.688096: | stop processing: state #6 from 192.1.2.23:500 (in delete_state() at state.c:1143) Aug 26 13:10:17.688120: | State DB: found IKEv2 state #8 in V2_REKEY_CHILD_I0 (v2_expire_unused_ike_sa) Aug 26 13:10:17.688124: | can't expire unused IKE SA #2; it has the child #8 Aug 26 13:10:17.688132: | libevent_free: release ptr-libevent@0x55fb0639a310 Aug 26 13:10:17.688136: | free_event_entry: release EVENT_SA_EXPIRE-pe@0x55fb0638d530 Aug 26 13:10:17.688139: | in statetime_stop() and could not find #6 Aug 26 13:10:17.688142: | processing: STOP state #0 (in timer_event_cb() at timer.c:557) Aug 26 13:10:17.688160: | spent 0.00306 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Aug 26 13:10:17.688180: | *received 80 bytes from 192.1.2.23:500 on eth1 (192.1.3.33:500) Aug 26 13:10:17.688183: | a9 6d 2c db 22 7f 10 cd a9 27 21 0d a1 26 af 75 Aug 26 13:10:17.688186: | 2e 20 25 08 00 00 00 05 00 00 00 50 2a 00 00 34 Aug 26 13:10:17.688189: | 5f f0 35 0e 94 85 f9 33 49 21 29 b6 73 5b 06 42 Aug 26 13:10:17.688191: | bc f5 2a 32 b5 c6 e9 e5 05 c8 33 bf d1 df 37 a5 Aug 26 13:10:17.688194: | 5a 93 a9 6f f2 68 49 87 6f e5 60 ad 94 80 a8 ad Aug 26 13:10:17.688203: | start processing: from 192.1.2.23:500 (in process_md() at demux.c:378) Aug 26 13:10:17.688207: | **parse ISAKMP Message: Aug 26 13:10:17.688211: | initiator cookie: Aug 26 13:10:17.688213: | a9 6d 2c db 22 7f 10 cd Aug 26 13:10:17.688216: | responder cookie: Aug 26 13:10:17.688218: | a9 27 21 0d a1 26 af 75 Aug 26 13:10:17.688221: | next 
payload type: ISAKMP_NEXT_v2SK (0x2e) Aug 26 13:10:17.688224: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:10:17.688226: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Aug 26 13:10:17.688230: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Aug 26 13:10:17.688234: | Message ID: 5 (0x5) Aug 26 13:10:17.688236: | length: 80 (0x50) Aug 26 13:10:17.688239: | processing version=2.0 packet with exchange type=ISAKMP_v2_INFORMATIONAL (37) Aug 26 13:10:17.688242: | I am the IKE SA Original Responder receiving an IKEv2 INFORMATIONAL request Aug 26 13:10:17.688246: | State DB: found IKEv2 state #2 in PARENT_R2 (find_v2_ike_sa) Aug 26 13:10:17.688253: | start processing: state #2 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ikev2_process_packet() at ikev2.c:2016) Aug 26 13:10:17.688256: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Aug 26 13:10:17.688261: | [RE]START processing: state #2 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ike_process_packet() at ikev2.c:2064) Aug 26 13:10:17.688265: | #2 st.st_msgid_lastrecv 4 md.hdr.isa_msgid 00000005 Aug 26 13:10:17.688270: | Message ID: #2 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=4 responder.recv=4 Aug 26 13:10:17.688273: | unpacking clear payload Aug 26 13:10:17.688275: | Now let's proceed with payload (ISAKMP_NEXT_v2SK) Aug 26 13:10:17.688278: | ***parse IKEv2 Encryption Payload: Aug 26 13:10:17.688281: | next payload type: ISAKMP_NEXT_v2D (0x2a) Aug 26 13:10:17.688283: | flags: none (0x0) Aug 26 13:10:17.688286: | length: 52 (0x34) Aug 26 13:10:17.688293: | processing payload: ISAKMP_NEXT_v2SK (len=48) Aug 26 13:10:17.688300: | Message ID: start-responder #2 request 5; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=4 responder.recv=4 wip.initiator=-1 wip.responder=-1->5 Aug 26 13:10:17.688303: | #2 in state PARENT_R2: received v2I2, PARENT SA established Aug 26 13:10:17.688344: | data for hmac: a9 6d 2c db 22 7f 10 cd 
a9 27 21 0d a1 26 af 75 Aug 26 13:10:17.688348: | data for hmac: 2e 20 25 08 00 00 00 05 00 00 00 50 2a 00 00 34 Aug 26 13:10:17.688351: | data for hmac: 5f f0 35 0e 94 85 f9 33 49 21 29 b6 73 5b 06 42 Aug 26 13:10:17.688353: | data for hmac: bc f5 2a 32 b5 c6 e9 e5 05 c8 33 bf d1 df 37 a5 Aug 26 13:10:17.688355: | calculated auth: 5a 93 a9 6f f2 68 49 87 6f e5 60 ad 94 80 a8 ad Aug 26 13:10:17.688358: | provided auth: 5a 93 a9 6f f2 68 49 87 6f e5 60 ad 94 80 a8 ad Aug 26 13:10:17.688359: | authenticator matched Aug 26 13:10:17.688373: | #2 ikev2 ISAKMP_v2_INFORMATIONAL decrypt success Aug 26 13:10:17.688376: | Now let's proceed with payload (ISAKMP_NEXT_v2D) Aug 26 13:10:17.688378: | **parse IKEv2 Delete Payload: Aug 26 13:10:17.688381: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:17.688384: | flags: none (0x0) Aug 26 13:10:17.688386: | length: 8 (0x8) Aug 26 13:10:17.688389: | protocol ID: PROTO_v2_IKE (0x1) Aug 26 13:10:17.688391: | SPI size: 0 (0x0) Aug 26 13:10:17.688394: | number of SPIs: 0 (0x0) Aug 26 13:10:17.688396: | processing payload: ISAKMP_NEXT_v2D (len=0) Aug 26 13:10:17.688399: | selected state microcode R2: process INFORMATIONAL Request Aug 26 13:10:17.688401: | Now let's proceed with state specific processing Aug 26 13:10:17.688403: | calling processor R2: process INFORMATIONAL Request Aug 26 13:10:17.688407: | an informational request should send a response Aug 26 13:10:17.688430: | Received an INFORMATIONAL response, updating st_last_liveness, no pending_liveness Aug 26 13:10:17.688435: | **emit ISAKMP Message: Aug 26 13:10:17.688438: | initiator cookie: Aug 26 13:10:17.688442: | a9 6d 2c db 22 7f 10 cd Aug 26 13:10:17.688445: | responder cookie: Aug 26 13:10:17.688447: | a9 27 21 0d a1 26 af 75 Aug 26 13:10:17.688450: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 13:10:17.688453: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:10:17.688455: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Aug 26 
13:10:17.688458: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Aug 26 13:10:17.688461: | Message ID: 5 (0x5) Aug 26 13:10:17.688465: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 13:10:17.688468: | ***emit IKEv2 Encryption Payload: Aug 26 13:10:17.688471: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:17.688474: | flags: none (0x0) Aug 26 13:10:17.688478: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Aug 26 13:10:17.688481: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'information exchange reply packet' Aug 26 13:10:17.688485: | emitting 16 zero bytes of IV into IKEv2 Encryption Payload Aug 26 13:10:17.688498: | adding 16 bytes of padding (including 1 byte padding-length) Aug 26 13:10:17.688502: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:10:17.688505: | emitting 1 0x01 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:10:17.688508: | emitting 1 0x02 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:10:17.688511: | emitting 1 0x03 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:10:17.688514: | emitting 1 0x04 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:10:17.688517: | emitting 1 0x05 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:10:17.688520: | emitting 1 0x06 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:10:17.688523: | emitting 1 0x07 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:10:17.688526: | emitting 1 0x08 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:10:17.688530: | emitting 1 0x09 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:10:17.688533: | emitting 1 0x0a 
repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:10:17.688536: | emitting 1 0x0b repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:10:17.688539: | emitting 1 0x0c repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:10:17.688542: | emitting 1 0x0d repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:10:17.688545: | emitting 1 0x0e repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:10:17.688548: | emitting 1 0x0f repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:10:17.688551: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Aug 26 13:10:17.688554: | emitting length of IKEv2 Encryption Payload: 52 Aug 26 13:10:17.688556: | emitting length of ISAKMP Message: 80 Aug 26 13:10:17.688583: | data being hmac: a9 6d 2c db 22 7f 10 cd a9 27 21 0d a1 26 af 75 Aug 26 13:10:17.688586: | data being hmac: 2e 20 25 20 00 00 00 05 00 00 00 50 00 00 00 34 Aug 26 13:10:17.688589: | data being hmac: a3 ab 49 e1 ed 6d 78 dc 79 6f 37 45 49 f8 4e 36 Aug 26 13:10:17.688592: | data being hmac: 71 f1 e9 b1 a1 8c f4 83 ab 86 5e 2a 3f 7a d9 a3 Aug 26 13:10:17.688594: | out calculated auth: Aug 26 13:10:17.688597: | b4 ef 06 30 40 99 4f d0 53 7b 98 da f1 80 e6 ea Aug 26 13:10:17.688607: | sending 80 bytes for reply packet for process_encrypted_informational_ikev2 through eth1 from 192.1.3.33:500 to 192.1.2.23:500 (using #2) Aug 26 13:10:17.688610: | a9 6d 2c db 22 7f 10 cd a9 27 21 0d a1 26 af 75 Aug 26 13:10:17.688613: | 2e 20 25 20 00 00 00 05 00 00 00 50 00 00 00 34 Aug 26 13:10:17.688615: | a3 ab 49 e1 ed 6d 78 dc 79 6f 37 45 49 f8 4e 36 Aug 26 13:10:17.688621: | 71 f1 e9 b1 a1 8c f4 83 ab 86 5e 2a 3f 7a d9 a3 Aug 26 13:10:17.688624: | b4 ef 06 30 40 99 4f d0 53 7b 98 da f1 80 e6 ea Aug 26 13:10:17.688675: | Message ID: #2 XXX: in process_encrypted_informational_ikev2() hacking around record'n'send 
bypassing send queue hacking around delete_my_family(); initiator.sent=-1 initiator.recv=-1 responder.sent=4 responder.recv=4 wip.initiator=-1 wip.responder=5 Aug 26 13:10:17.688681: | Message ID: sent #2 response 5; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=4->5 responder.recv=4 wip.initiator=-1 wip.responder=5 Aug 26 13:10:17.688685: | child state #8: V2_REKEY_CHILD_I0(established IKE SA) => CHILDSA_DEL(informational) Aug 26 13:10:17.688688: | pstats #8 ikev2.child deleted other Aug 26 13:10:17.688693: | #8 spent 0.04 milliseconds in total Aug 26 13:10:17.688698: | suspend processing: state #2 connection "north-eastnets/0x2" from 192.1.2.23:500 (in delete_state() at state.c:879) Aug 26 13:10:17.688703: | start processing: state #8 connection "north-eastnets/0x1" from 192.1.2.23:500 (in delete_state() at state.c:879) Aug 26 13:10:17.688708: "north-eastnets/0x1" #8: deleting other state #8 connection (STATE_CHILDSA_DEL) "north-eastnets/0x1" aged 0.016s and NOT sending notification Aug 26 13:10:17.688711: | child state #8: CHILDSA_DEL(informational) => delete Aug 26 13:10:17.688715: | state #8 requesting EVENT_CRYPTO_TIMEOUT to be deleted Aug 26 13:10:17.688721: | libevent_free: release ptr-libevent@0x7feddc003060 Aug 26 13:10:17.688725: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55fb0638ae20 Aug 26 13:10:17.688730: | priority calculation of connection "north-eastnets/0x1" is 0xfe7e7 Aug 26 13:10:17.688737: | delete inbound eroute 192.0.2.0/24:0 --0-> 192.0.3.0/24:0 => unk255.10000@192.1.3.33 (raw_eroute) Aug 26 13:10:17.688751: | raw_eroute result=success Aug 26 13:10:17.688756: | in connection_discard for connection north-eastnets/0x1 Aug 26 13:10:17.688759: | State DB: deleting IKEv2 state #8 in CHILDSA_DEL Aug 26 13:10:17.688764: | child state #8: CHILDSA_DEL(informational) => UNDEFINED(ignore) Aug 26 13:10:17.688770: | stop processing: state #8 from 192.1.2.23:500 (in delete_state() at state.c:1143) Aug 26 13:10:17.688775: | resume 
processing: state #2 connection "north-eastnets/0x2" from 192.1.2.23:500 (in delete_state() at state.c:1143) Aug 26 13:10:17.688779: | child state #7: V2_REKEY_CHILD_I0(established IKE SA) => CHILDSA_DEL(informational) Aug 26 13:10:17.688782: | pstats #7 ikev2.child deleted other Aug 26 13:10:17.688785: | #7 spent 0.0429 milliseconds in total Aug 26 13:10:17.688790: | suspend processing: state #2 connection "north-eastnets/0x2" from 192.1.2.23:500 (in delete_state() at state.c:879) Aug 26 13:10:17.688795: | start processing: state #7 connection "north-eastnets/0x2" from 192.1.2.23:500 (in delete_state() at state.c:879) Aug 26 13:10:17.688798: "north-eastnets/0x2" #7: deleting other state #7 (STATE_CHILDSA_DEL) aged 0.036s and NOT sending notification Aug 26 13:10:17.688801: | child state #7: CHILDSA_DEL(informational) => delete Aug 26 13:10:17.688805: | state #7 requesting EVENT_CRYPTO_TIMEOUT to be deleted Aug 26 13:10:17.688808: | libevent_free: release ptr-libevent@0x55fb0638e950 Aug 26 13:10:17.688811: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55fb0638d2a0 Aug 26 13:10:17.688815: | priority calculation of connection "north-eastnets/0x2" is 0xfe7e7 Aug 26 13:10:17.688822: | delete inbound eroute 192.0.22.0/24:0 --0-> 192.0.3.0/24:0 => unk255.10000@192.1.3.33 (raw_eroute) Aug 26 13:10:17.688831: | raw_eroute result=success Aug 26 13:10:17.688835: | in connection_discard for connection north-eastnets/0x2 Aug 26 13:10:17.688837: | State DB: deleting IKEv2 state #7 in CHILDSA_DEL Aug 26 13:10:17.688840: | child state #7: CHILDSA_DEL(informational) => UNDEFINED(ignore) Aug 26 13:10:17.688845: | stop processing: state #7 from 192.1.2.23:500 (in delete_state() at state.c:1143) Aug 26 13:10:17.688849: | resume processing: state #2 connection "north-eastnets/0x2" from 192.1.2.23:500 (in delete_state() at state.c:1143) Aug 26 13:10:17.688855: | State DB: IKEv2 state not found (delete_my_family) Aug 26 13:10:17.688859: | parent state #2: PARENT_R2(established 
IKE SA) => IKESA_DEL(established IKE SA) Aug 26 13:10:17.688862: | pstats #2 ikev2.ike deleted completed Aug 26 13:10:17.688868: | #2 spent 18.9 milliseconds in total Aug 26 13:10:17.688873: | [RE]START processing: state #2 connection "north-eastnets/0x2" from 192.1.2.23:500 (in delete_state() at state.c:879) Aug 26 13:10:17.688877: "north-eastnets/0x2" #2: deleting state (STATE_IKESA_DEL) aged 22.914s and NOT sending notification Aug 26 13:10:17.688880: | parent state #2: IKESA_DEL(established IKE SA) => delete Aug 26 13:10:17.688944: | state #2 requesting EVENT_SA_REKEY to be deleted Aug 26 13:10:17.688950: | libevent_free: release ptr-libevent@0x55fb06384860 Aug 26 13:10:17.688955: | free_event_entry: release EVENT_SA_REKEY-pe@0x7fedec002b20 Aug 26 13:10:17.688958: | State DB: IKEv2 state not found (flush_incomplete_children) Aug 26 13:10:17.688961: | picked newest_isakmp_sa #0 for #2 Aug 26 13:10:17.688965: "north-eastnets/0x2" #2: deleting IKE SA for connection 'north-eastnets/0x2' but connection is supposed to remain up; schedule EVENT_REVIVE_CONNS Aug 26 13:10:17.688968: | add revival: connection 'north-eastnets/0x2' added to the list and scheduled for 0 seconds Aug 26 13:10:17.688972: | global one-shot timer EVENT_REVIVE_CONNS scheduled in 0 seconds Aug 26 13:10:17.688976: | in connection_discard for connection north-eastnets/0x2 Aug 26 13:10:17.688979: | State DB: deleting IKEv2 state #2 in IKESA_DEL Aug 26 13:10:17.688983: | parent state #2: IKESA_DEL(established IKE SA) => UNDEFINED(ignore) Aug 26 13:10:17.688987: | unreference key: 0x55fb06309390 @east cnt 2-- Aug 26 13:10:17.689012: | stop processing: state #2 from 192.1.2.23:500 (in delete_state() at state.c:1143) Aug 26 13:10:17.689048: | in statetime_stop() and could not find #2 Aug 26 13:10:17.689053: | skip start processing: state #0 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:10:17.689057: | #0 complete_v2_state_transition() md.from_state=PARENT_R2 md.svm.state[from]=PARENT_R2 
UNDEFINED->PARENT_R2 with status STF_OK Aug 26 13:10:17.689060: | STF_OK but no state object remains Aug 26 13:10:17.689064: | processing: STOP state #0 (in ikev2_process_packet() at ikev2.c:2018) Aug 26 13:10:17.689067: | in statetime_stop() and could not find #2 Aug 26 13:10:17.689072: | stop processing: from 192.1.2.23:500 (in process_md() at demux.c:380) Aug 26 13:10:17.689076: | processing: STOP state #0 (in process_md() at demux.c:382) Aug 26 13:10:17.689079: | processing: STOP connection NULL (in process_md() at demux.c:383) Aug 26 13:10:17.689085: | spent 0.889 milliseconds in comm_handle_cb() reading and processing packet Aug 26 13:10:17.689093: | processing signal PLUTO_SIGCHLD Aug 26 13:10:17.689099: | waitpid returned ECHILD (no child processes left) Aug 26 13:10:17.689104: | spent 0.00628 milliseconds in signal handler PLUTO_SIGCHLD Aug 26 13:10:17.689110: | processing global timer EVENT_REVIVE_CONNS Aug 26 13:10:17.689115: Initiating connection north-eastnets/0x2 which received a Delete/Notify but must remain up per local policy Aug 26 13:10:17.689118: | FOR_EACH_CONNECTION_... in conn_by_name Aug 26 13:10:17.689123: | start processing: connection "north-eastnets/0x2" (in initiate_a_connection() at initiate.c:186) Aug 26 13:10:17.689126: | connection 'north-eastnets/0x2' +POLICY_UP Aug 26 13:10:17.689130: | dup_any(fd@-1) -> fd@-1 (in initiate_a_connection() at initiate.c:342) Aug 26 13:10:17.689134: | FOR_EACH_STATE_... 
in find_phase1_state Aug 26 13:10:17.689146: | creating state object #9 at 0x55fb0637fb40 Aug 26 13:10:17.689149: | State DB: adding IKEv2 state #9 in UNDEFINED Aug 26 13:10:17.689155: | pstats #9 ikev2.ike started Aug 26 13:10:17.689159: | Message ID: init #9: msgid=0 lastack=4294967295 nextuse=0 lastrecv=4294967295 lastreplied=0 Aug 26 13:10:17.689162: | parent state #9: UNDEFINED(ignore) => PARENT_I0(ignore) Aug 26 13:10:17.689171: | Message ID: init_ike #9; ike: initiator.sent=0->-1 initiator.recv=0->-1 responder.sent=0->-1 responder.recv=0->-1 wip.initiator=0->-1 wip.responder=0->-1 Aug 26 13:10:17.689177: | suspend processing: connection "north-eastnets/0x2" (in ikev2_parent_outI1() at ikev2_parent.c:535) Aug 26 13:10:17.689183: | start processing: state #9 connection "north-eastnets/0x2" from 192.1.2.23 (in ikev2_parent_outI1() at ikev2_parent.c:535) Aug 26 13:10:17.689187: | dup_any(fd@-1) -> fd@-1 (in ikev2_parent_outI1() at ikev2_parent.c:551) Aug 26 13:10:17.689192: | Queuing pending IPsec SA negotiating with 192.1.2.23 "north-eastnets/0x2" IKE SA #9 "north-eastnets/0x2" Aug 26 13:10:17.689197: "north-eastnets/0x2" #9: initiating v2 parent SA Aug 26 13:10:17.689205: | using existing local IKE proposals for connection north-eastnets/0x2 (IKE SA initiator selecting KE): 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048 Aug 26 13:10:17.689212: | adding ikev2_outI1 KE work-order 11 for state #9 Aug 26 13:10:17.689216: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55fb0638ae20 Aug 26 13:10:17.689219: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #9 Aug 26 13:10:17.689223: | libevent_malloc: new ptr-libevent@0x7feddc003060 size 128 Aug 26 13:10:17.689243: | crypto helper 3 resuming Aug 26 13:10:17.689250: | crypto helper 3 starting work-order 11 for state #9 Aug 26 13:10:17.689254: | crypto helper 3 doing build KE and nonce (ikev2_outI1 KE); request ID 11 Aug 26 13:10:17.689257: | crypto helper is pausing for 1 
seconds Aug 26 13:10:17.689266: | #9 spent 0.114 milliseconds in ikev2_parent_outI1() Aug 26 13:10:17.689272: | RESET processing: state #9 connection "north-eastnets/0x2" from 192.1.2.23 (in ikev2_parent_outI1() at ikev2_parent.c:610) Aug 26 13:10:17.689276: | RESET processing: connection "north-eastnets/0x2" (in ikev2_parent_outI1() at ikev2_parent.c:610) Aug 26 13:10:17.689279: | processing: STOP connection NULL (in initiate_a_connection() at initiate.c:349) Aug 26 13:10:17.689284: | spent 0.14 milliseconds in global timer EVENT_REVIVE_CONNS Aug 26 13:10:18.245967: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 13:10:18.246138: shutting down Aug 26 13:10:18.246149: | processing: RESET whack log_fd (was fd@16) (in exit_pluto() at plutomain.c:1825) Aug 26 13:10:18.246152: | certs and keys locked by 'free_preshared_secrets' Aug 26 13:10:18.246154: forgetting secrets Aug 26 13:10:18.246163: | certs and keys unlocked by 'free_preshared_secrets' Aug 26 13:10:18.246166: | unreference key: 0x55fb06309390 @east cnt 1-- Aug 26 13:10:18.246169: | unreference key: 0x55fb063065d0 @north cnt 1-- Aug 26 13:10:18.246174: | start processing: connection "north-eastnets/0x2" (in delete_connection() at connections.c:189) Aug 26 13:10:18.246176: | removing pending policy for no connection {0x55fb062dd8f0} Aug 26 13:10:18.246178: | Deleting states for connection - including all other IPsec SA's of this IKE SA Aug 26 13:10:18.246180: | pass 0 Aug 26 13:10:18.246182: | FOR_EACH_STATE_... 
in foreach_state_by_connection_func_delete Aug 26 13:10:18.246184: | state #9 Aug 26 13:10:18.246187: | suspend processing: connection "north-eastnets/0x2" (in foreach_state_by_connection_func_delete() at state.c:1310) Aug 26 13:10:18.246191: | start processing: state #9 connection "north-eastnets/0x2" from 192.1.2.23 (in foreach_state_by_connection_func_delete() at state.c:1310) Aug 26 13:10:18.246193: | pstats #9 ikev2.ike deleted other Aug 26 13:10:18.246198: | #9 spent 0.114 milliseconds in total Aug 26 13:10:18.246201: | [RE]START processing: state #9 connection "north-eastnets/0x2" from 192.1.2.23 (in delete_state() at state.c:879) Aug 26 13:10:18.246204: "north-eastnets/0x2" #9: deleting state (STATE_PARENT_I0) aged 0.557s and NOT sending notification Aug 26 13:10:18.246207: | parent state #9: PARENT_I0(ignore) => delete Aug 26 13:10:18.246209: | state #9 requesting EVENT_CRYPTO_TIMEOUT to be deleted Aug 26 13:10:18.246216: | libevent_free: release ptr-libevent@0x7feddc003060 Aug 26 13:10:18.246218: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55fb0638ae20 Aug 26 13:10:18.246221: | State DB: IKEv2 state not found (flush_incomplete_children) Aug 26 13:10:18.246223: | picked newest_isakmp_sa #0 for #9 Aug 26 13:10:18.246225: "north-eastnets/0x2" #9: deleting IKE SA for connection 'north-eastnets/0x2' but connection is supposed to remain up; schedule EVENT_REVIVE_CONNS Aug 26 13:10:18.246228: | add revival: connection 'north-eastnets/0x2' added to the list and scheduled for 5 seconds Aug 26 13:10:18.246231: | global one-shot timer EVENT_REVIVE_CONNS scheduled in 5 seconds Aug 26 13:10:18.246235: | stop processing: connection "north-eastnets/0x2" (BACKGROUND) (in update_state_connection() at connections.c:4076) Aug 26 13:10:18.246237: | start processing: connection NULL (in update_state_connection() at connections.c:4077) Aug 26 13:10:18.246239: | in connection_discard for connection north-eastnets/0x2 Aug 26 13:10:18.246241: | State DB: deleting IKEv2 
state #9 in PARENT_I0 Aug 26 13:10:18.246244: | parent state #9: PARENT_I0(ignore) => UNDEFINED(ignore) Aug 26 13:10:18.246247: | stop processing: state #9 from 192.1.2.23 (in delete_state() at state.c:1143) Aug 26 13:10:18.246250: | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312) Aug 26 13:10:18.246252: | pass 1 Aug 26 13:10:18.246253: | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete Aug 26 13:10:18.246256: | shunt_eroute() called for connection 'north-eastnets/0x2' to 'delete' for rt_kind 'unrouted' using protoports 0--0->-0 Aug 26 13:10:18.246259: | netlink_shunt_eroute for proto 0, and source port 0 dest port 0 Aug 26 13:10:18.246261: | priority calculation of connection "north-eastnets/0x2" is 0xfe7e7 Aug 26 13:10:18.246574: | priority calculation of connection "north-eastnets/0x2" is 0xfe7e7 Aug 26 13:10:18.246596: | FOR_EACH_CONNECTION_... in route_owner Aug 26 13:10:18.246603: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 vs Aug 26 13:10:18.246607: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 Aug 26 13:10:18.246611: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 vs Aug 26 13:10:18.246614: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 Aug 26 13:10:18.246620: | route owner of "north-eastnets/0x2" unrouted: NULL Aug 26 13:10:18.246624: | running updown command "ipsec _updown" for verb unroute Aug 26 13:10:18.246627: | command executing unroute-client Aug 26 13:10:18.246662: | executing unroute-client: PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets/0x2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.23' PLUTO_ME='192.1.3.33' PLUTO_MY_ID='@north' PLUTO_MY_CLIENT='192.0.3.0/24' PLUTO_MY_CLIENT_NET='192.0.3.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID='@east' PLUTO_PEER_CLIENT='192.0.22.0/24' PLUTO_PEER_CLIENT_NET='192.0.22.0' 
PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='n Aug 26 13:10:18.246667: | popen cmd is 1035 chars long Aug 26 13:10:18.246671: | cmd( 0):PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets: Aug 26 13:10:18.246675: | cmd( 80):/0x2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.23' PLUTO_ME='192.1.3.33' P: Aug 26 13:10:18.246679: | cmd( 160):LUTO_MY_ID='@north' PLUTO_MY_CLIENT='192.0.3.0/24' PLUTO_MY_CLIENT_NET='192.0.3.: Aug 26 13:10:18.246683: | cmd( 240):0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' : Aug 26 13:10:18.246692: | cmd( 320):PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.2.23' PLUTO_PEER_I: Aug 26 13:10:18.246696: | cmd( 400):D='@east' PLUTO_PEER_CLIENT='192.0.22.0/24' PLUTO_PEER_CLIENT_NET='192.0.22.0' P: Aug 26 13:10:18.246699: | cmd( 480):LUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0: Aug 26 13:10:18.246703: | cmd( 560):' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSA: Aug 26 13:10:18.246706: | cmd( 640):SIG+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_C: Aug 26 13:10:18.246709: | cmd( 720):ONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEE: Aug 26 13:10:18.246712: | cmd( 800):R_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER=': Aug 26 13:10:18.246715: | cmd( 880):' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='': Aug 26 
13:10:18.246718: | cmd( 960): VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec _updown 2>&1: Aug 26 13:10:18.259137: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:18.259160: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:18.259163: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:18.259164: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:18.259167: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:18.259176: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:18.259187: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:18.259197: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:18.259207: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:18.259217: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:18.259226: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:18.259238: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:18.259247: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:18.259257: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:18.259266: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:18.259276: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:18.259286: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:18.259346: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:18.259499: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:18.259508: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:18.259518: unroute-client output: Error: Peer netns reference is invalid. 
Aug 26 13:10:18.259528: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:18.259538: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:18.259547: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:18.259556: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:18.259566: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:18.259577: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:18.259586: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:18.259595: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:18.259607: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:18.259621: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:18.259637: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:18.259650: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:18.259663: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:18.259745: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:18.259761: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:18.259777: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:18.259791: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:18.259804: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:18.259817: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:18.259831: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:18.259855: unroute-client output: Error: Peer netns reference is invalid. 
Aug 26 13:10:18.264944: | flush revival: connection 'north-eastnets/0x2' revival flushed Aug 26 13:10:18.264967: | processing: STOP connection NULL (in discard_connection() at connections.c:249) Aug 26 13:10:18.264983: | start processing: connection "north-eastnets/0x1" (in delete_connection() at connections.c:189) Aug 26 13:10:18.264987: | Deleting states for connection - including all other IPsec SA's of this IKE SA Aug 26 13:10:18.264990: | pass 0 Aug 26 13:10:18.264993: | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete Aug 26 13:10:18.264996: | pass 1 Aug 26 13:10:18.264998: | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete Aug 26 13:10:18.265003: | shunt_eroute() called for connection 'north-eastnets/0x1' to 'delete' for rt_kind 'unrouted' using protoports 0--0->-0 Aug 26 13:10:18.265007: | netlink_shunt_eroute for proto 0, and source port 0 dest port 0 Aug 26 13:10:18.265010: | priority calculation of connection "north-eastnets/0x1" is 0xfe7e7 Aug 26 13:10:18.265070: | priority calculation of connection "north-eastnets/0x1" is 0xfe7e7 Aug 26 13:10:18.265082: | FOR_EACH_CONNECTION_... 
in route_owner Aug 26 13:10:18.265085: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 vs Aug 26 13:10:18.265087: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 Aug 26 13:10:18.265091: | route owner of "north-eastnets/0x1" unrouted: NULL Aug 26 13:10:18.265093: | running updown command "ipsec _updown" for verb unroute Aug 26 13:10:18.265095: | command executing unroute-client Aug 26 13:10:18.265117: | executing unroute-client: PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets/0x1' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.23' PLUTO_ME='192.1.3.33' PLUTO_MY_ID='@north' PLUTO_MY_CLIENT='192.0.3.0/24' PLUTO_MY_CLIENT_NET='192.0.3.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID='@east' PLUTO_PEER_CLIENT='192.0.2.0/24' PLUTO_PEER_CLIENT_NET='192.0.2.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' Aug 26 13:10:18.265120: | popen cmd is 1033 chars long Aug 26 13:10:18.265122: | cmd( 0):PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets: Aug 26 13:10:18.265124: | cmd( 80):/0x1' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.23' PLUTO_ME='192.1.3.33' P: Aug 26 13:10:18.265126: | cmd( 160):LUTO_MY_ID='@north' PLUTO_MY_CLIENT='192.0.3.0/24' PLUTO_MY_CLIENT_NET='192.0.3.: Aug 26 13:10:18.265128: | cmd( 240):0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' : Aug 26 13:10:18.265130: | cmd( 
320):PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.2.23' PLUTO_PEER_I: Aug 26 13:10:18.265131: | cmd( 400):D='@east' PLUTO_PEER_CLIENT='192.0.2.0/24' PLUTO_PEER_CLIENT_NET='192.0.2.0' PLU: Aug 26 13:10:18.265133: | cmd( 480):TO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' : Aug 26 13:10:18.265135: | cmd( 560):PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASI: Aug 26 13:10:18.265140: | cmd( 640):G+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CON: Aug 26 13:10:18.265142: | cmd( 720):N_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_: Aug 26 13:10:18.265144: | cmd( 800):CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' : Aug 26 13:10:18.265146: | cmd( 880):PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' V: Aug 26 13:10:18.265147: | cmd( 960):TI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec _updown 2>&1: Aug 26 13:10:18.276222: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:18.276244: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:18.276247: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:18.276250: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:18.276263: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:18.276275: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:18.276302: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:18.276307: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. 
Aug 26 13:10:18.276320: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:18.276329: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:18.276340: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:18.276356: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:18.276368: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:18.276380: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:18.276392: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:18.276404: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:18.276418: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:18.276431: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:18.276626: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:18.276638: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:18.276650: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:18.276664: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:18.276677: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:18.276691: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:18.276702: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:18.276714: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. 
Aug 26 13:10:18.276730: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:18.276742: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:18.276755: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:18.276766: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:18.276779: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:18.276793: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:18.276806: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:18.276817: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:18.276830: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:18.276841: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:18.276857: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:18.276870: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:18.276882: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:18.276894: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:18.276906: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:18.276923: "north-eastnets/0x1": unroute-client output: Error: Peer netns reference is invalid. 
Aug 26 13:10:18.282544: | free hp@0x55fb0634a510 Aug 26 13:10:18.282568: | flush revival: connection 'north-eastnets/0x1' wasn't on the list Aug 26 13:10:18.282574: | stop processing: connection "north-eastnets/0x1" (in discard_connection() at connections.c:249) Aug 26 13:10:18.282588: | crl fetch request list locked by 'free_crl_fetch' Aug 26 13:10:18.282592: | crl fetch request list unlocked by 'free_crl_fetch' Aug 26 13:10:18.282607: shutting down interface lo/lo 127.0.0.1:4500 Aug 26 13:10:18.282612: shutting down interface lo/lo 127.0.0.1:500 Aug 26 13:10:18.282616: shutting down interface eth0/eth0 192.0.3.254:4500 Aug 26 13:10:18.282620: shutting down interface eth0/eth0 192.0.3.254:500 Aug 26 13:10:18.282623: shutting down interface eth1/eth1 192.1.3.33:4500 Aug 26 13:10:18.282627: shutting down interface eth1/eth1 192.1.3.33:500 Aug 26 13:10:18.282632: | FOR_EACH_STATE_... in delete_states_dead_interfaces Aug 26 13:10:18.282643: | libevent_free: release ptr-libevent@0x55fb0637db80 Aug 26 13:10:18.282647: | free_event_entry: release EVENT_NULL-pe@0x55fb0637db40 Aug 26 13:10:18.282659: | libevent_free: release ptr-libevent@0x55fb0637dc70 Aug 26 13:10:18.282662: | free_event_entry: release EVENT_NULL-pe@0x55fb0637dc30 Aug 26 13:10:18.282669: | libevent_free: release ptr-libevent@0x55fb0637dd60 Aug 26 13:10:18.282673: | free_event_entry: release EVENT_NULL-pe@0x55fb0637dd20 Aug 26 13:10:18.282679: | libevent_free: release ptr-libevent@0x55fb0637de50 Aug 26 13:10:18.282682: | free_event_entry: release EVENT_NULL-pe@0x55fb0637de10 Aug 26 13:10:18.282689: | libevent_free: release ptr-libevent@0x55fb0637df40 Aug 26 13:10:18.282692: | free_event_entry: release EVENT_NULL-pe@0x55fb0637df00 Aug 26 13:10:18.282699: | libevent_free: release ptr-libevent@0x55fb0637e030 Aug 26 13:10:18.282702: | free_event_entry: release EVENT_NULL-pe@0x55fb0637dff0 Aug 26 13:10:18.282707: | FOR_EACH_UNORIENTED_CONNECTION_... 
in check_orientations Aug 26 13:10:18.283324: | libevent_free: release ptr-libevent@0x55fb0637d4a0 Aug 26 13:10:18.283336: | free_event_entry: release EVENT_NULL-pe@0x55fb06361420 Aug 26 13:10:18.283344: | libevent_free: release ptr-libevent@0x55fb06372f80 Aug 26 13:10:18.283349: | free_event_entry: release EVENT_NULL-pe@0x55fb06366e00 Aug 26 13:10:18.283354: | libevent_free: release ptr-libevent@0x55fb06372ef0 Aug 26 13:10:18.283358: | free_event_entry: release EVENT_NULL-pe@0x55fb06366e40 Aug 26 13:10:18.283363: | global timer EVENT_REINIT_SECRET uninitialized Aug 26 13:10:18.283367: | global timer EVENT_SHUNT_SCAN uninitialized Aug 26 13:10:18.283370: | global timer EVENT_PENDING_DDNS uninitialized Aug 26 13:10:18.283374: | global timer EVENT_PENDING_PHASE2 uninitialized Aug 26 13:10:18.283377: | global timer EVENT_CHECK_CRLS uninitialized Aug 26 13:10:18.283380: | global timer EVENT_REVIVE_CONNS uninitialized Aug 26 13:10:18.283383: | global timer EVENT_FREE_ROOT_CERTS uninitialized Aug 26 13:10:18.283391: | global timer EVENT_RESET_LOG_RATE_LIMIT uninitialized Aug 26 13:10:18.283394: | global timer EVENT_NAT_T_KEEPALIVE uninitialized Aug 26 13:10:18.283400: | libevent_free: release ptr-libevent@0x55fb0637d570 Aug 26 13:10:18.283404: | signal event handler PLUTO_SIGCHLD uninstalled Aug 26 13:10:18.283407: | libevent_free: release ptr-libevent@0x55fb0637d650 Aug 26 13:10:18.283411: | signal event handler PLUTO_SIGTERM uninstalled Aug 26 13:10:18.283415: | libevent_free: release ptr-libevent@0x55fb0637d710 Aug 26 13:10:18.283418: | signal event handler PLUTO_SIGHUP uninstalled Aug 26 13:10:18.283422: | libevent_free: release ptr-libevent@0x55fb06372360 Aug 26 13:10:18.283424: | signal event handler PLUTO_SIGSYS uninstalled Aug 26 13:10:18.283427: | releasing event base Aug 26 13:10:18.283440: | libevent_free: release ptr-libevent@0x55fb0637d7d0 Aug 26 13:10:18.283445: | libevent_free: release ptr-libevent@0x55fb06352eb0 Aug 26 13:10:18.283449: | libevent_free: 
release ptr-libevent@0x55fb06361760 Aug 26 13:10:18.283452: | libevent_free: release ptr-libevent@0x55fb0638e9e0 Aug 26 13:10:18.283455: | libevent_free: release ptr-libevent@0x55fb06361780 Aug 26 13:10:18.283458: | libevent_free: release ptr-libevent@0x55fb0637d530 Aug 26 13:10:18.283460: | libevent_free: release ptr-libevent@0x55fb0637d610 Aug 26 13:10:18.283463: | libevent_free: release ptr-libevent@0x55fb06361810 Aug 26 13:10:18.283466: | libevent_free: release ptr-libevent@0x55fb06366120 Aug 26 13:10:18.283468: | libevent_free: release ptr-libevent@0x55fb06366140 Aug 26 13:10:18.283471: | libevent_free: release ptr-libevent@0x55fb0637e0c0 Aug 26 13:10:18.283474: | libevent_free: release ptr-libevent@0x55fb0637dfd0 Aug 26 13:10:18.283476: | libevent_free: release ptr-libevent@0x55fb0637dee0 Aug 26 13:10:18.283479: | libevent_free: release ptr-libevent@0x55fb0637ddf0 Aug 26 13:10:18.283482: | libevent_free: release ptr-libevent@0x55fb0637dd00 Aug 26 13:10:18.283485: | libevent_free: release ptr-libevent@0x55fb0637dc10 Aug 26 13:10:18.283488: | libevent_free: release ptr-libevent@0x55fb062e3370 Aug 26 13:10:18.283492: | libevent_free: release ptr-libevent@0x55fb0637d6f0 Aug 26 13:10:18.283495: | libevent_free: release ptr-libevent@0x55fb0637d630 Aug 26 13:10:18.283498: | libevent_free: release ptr-libevent@0x55fb0637d550 Aug 26 13:10:18.283501: | libevent_free: release ptr-libevent@0x55fb0637d7b0 Aug 26 13:10:18.283503: | libevent_free: release ptr-libevent@0x55fb062e15b0 Aug 26 13:10:18.283507: | libevent_free: release ptr-libevent@0x55fb063617a0 Aug 26 13:10:18.283510: | libevent_free: release ptr-libevent@0x55fb063617d0 Aug 26 13:10:18.283512: | libevent_free: release ptr-libevent@0x55fb063614c0 Aug 26 13:10:18.283515: | releasing global libevent data Aug 26 13:10:18.283518: | libevent_free: release ptr-libevent@0x55fb063601b0 Aug 26 13:10:18.283521: | libevent_free: release ptr-libevent@0x55fb06361460 Aug 26 13:10:18.283524: | libevent_free: release 
ptr-libevent@0x55fb06361490