Aug 26 13:10:02.497987: FIPS Product: YES Aug 26 13:10:02.498061: FIPS Kernel: NO Aug 26 13:10:02.498064: FIPS Mode: NO Aug 26 13:10:02.498066: NSS DB directory: sql:/etc/ipsec.d Aug 26 13:10:02.498180: Initializing NSS Aug 26 13:10:02.498185: Opening NSS database "sql:/etc/ipsec.d" read-only Aug 26 13:10:02.525165: NSS initialized Aug 26 13:10:02.525179: NSS crypto library initialized Aug 26 13:10:02.525181: FIPS HMAC integrity support [enabled] Aug 26 13:10:02.525182: FIPS mode disabled for pluto daemon Aug 26 13:10:02.560526: FIPS HMAC integrity verification self-test FAILED Aug 26 13:10:02.560822: libcap-ng support [enabled] Aug 26 13:10:02.560830: Linux audit support [enabled] Aug 26 13:10:02.560860: Linux audit activated Aug 26 13:10:02.560863: Starting Pluto (Libreswan Version v3.28-685-gbfd5aef521-master-s2 XFRM(netkey) esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) DNSSEC FIPS_CHECK LABELED_IPSEC SECCOMP LIBCAP_NG LINUX_AUDIT XAUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:15270 Aug 26 13:10:02.560866: core dump dir: /tmp Aug 26 13:10:02.560868: secrets file: /etc/ipsec.secrets Aug 26 13:10:02.560869: leak-detective enabled Aug 26 13:10:02.560871: NSS crypto [enabled] Aug 26 13:10:02.560872: XAUTH PAM support [enabled] Aug 26 13:10:02.560929: | libevent is using pluto's memory allocator Aug 26 13:10:02.560934: Initializing libevent in pthreads mode: headers: 2.1.8-stable (2010800); library: 2.1.8-stable (2010800) Aug 26 13:10:02.560949: | libevent_malloc: new ptr-libevent@0x5635494ca628 size 40 Aug 26 13:10:02.560952: | libevent_malloc: new ptr-libevent@0x563549499cd8 size 40 Aug 26 13:10:02.560954: | libevent_malloc: new ptr-libevent@0x563549499dd8 size 40 Aug 26 13:10:02.560956: | creating event base Aug 26 13:10:02.560958: | libevent_malloc: new ptr-libevent@0x56354951c928 size 56 Aug 26 13:10:02.560961: | libevent_malloc: new ptr-libevent@0x5635494c8e18 size 664 Aug 26 13:10:02.560970: | libevent_malloc: new ptr-libevent@0x56354951c998 size 
24 Aug 26 13:10:02.560972: | libevent_malloc: new ptr-libevent@0x56354951c9e8 size 384 Aug 26 13:10:02.560979: | libevent_malloc: new ptr-libevent@0x56354951c8e8 size 16 Aug 26 13:10:02.560981: | libevent_malloc: new ptr-libevent@0x563549499908 size 40 Aug 26 13:10:02.560982: | libevent_malloc: new ptr-libevent@0x563549499d38 size 48 Aug 26 13:10:02.560986: | libevent_realloc: new ptr-libevent@0x5635494c8aa8 size 256 Aug 26 13:10:02.560988: | libevent_malloc: new ptr-libevent@0x56354951cb98 size 16 Aug 26 13:10:02.560993: | libevent_free: release ptr-libevent@0x56354951c928 Aug 26 13:10:02.560995: | libevent initialized Aug 26 13:10:02.560998: | libevent_realloc: new ptr-libevent@0x56354951c928 size 64 Aug 26 13:10:02.561000: | global periodic timer EVENT_RESET_LOG_RATE_LIMIT enabled with interval of 3600 seconds Aug 26 13:10:02.561039: | init_nat_traversal() initialized with keep_alive=0s Aug 26 13:10:02.561041: NAT-Traversal support [enabled] Aug 26 13:10:02.561042: | global one-shot timer EVENT_NAT_T_KEEPALIVE initialized Aug 26 13:10:02.561047: | global one-shot timer EVENT_FREE_ROOT_CERTS initialized Aug 26 13:10:02.561049: | global periodic timer EVENT_REINIT_SECRET enabled with interval of 3600 seconds Aug 26 13:10:02.561077: | global one-shot timer EVENT_REVIVE_CONNS initialized Aug 26 13:10:02.561080: | global periodic timer EVENT_PENDING_DDNS enabled with interval of 60 seconds Aug 26 13:10:02.561082: | global periodic timer EVENT_PENDING_PHASE2 enabled with interval of 120 seconds Aug 26 13:10:02.561114: Encryption algorithms: Aug 26 13:10:02.561121: AES_CCM_16 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm, aes_ccm_c Aug 26 13:10:02.561124: AES_CCM_12 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_b Aug 26 13:10:02.561126: AES_CCM_8 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_a Aug 26 13:10:02.561128: 3DES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS [*192] 3des Aug 26 13:10:02.561130: CAMELLIA_CTR IKEv1: ESP IKEv2: ESP {256,192,*128} Aug 26 
13:10:02.561137: CAMELLIA_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} camellia Aug 26 13:10:02.561140: AES_GCM_16 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm, aes_gcm_c Aug 26 13:10:02.561142: AES_GCM_12 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_b Aug 26 13:10:02.561144: AES_GCM_8 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_a Aug 26 13:10:02.561147: AES_CTR IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aesctr Aug 26 13:10:02.561149: AES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aes Aug 26 13:10:02.561151: SERPENT_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} serpent Aug 26 13:10:02.561153: TWOFISH_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} twofish Aug 26 13:10:02.561155: TWOFISH_SSH IKEv1: IKE IKEv2: IKE ESP {256,192,*128} twofish_cbc_ssh Aug 26 13:10:02.561158: NULL_AUTH_AES_GMAC IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_gmac Aug 26 13:10:02.561159: NULL IKEv1: ESP IKEv2: ESP [] Aug 26 13:10:02.561162: CHACHA20_POLY1305 IKEv1: IKEv2: IKE ESP [*256] chacha20poly1305 Aug 26 13:10:02.561167: Hash algorithms: Aug 26 13:10:02.561168: MD5 IKEv1: IKE IKEv2: Aug 26 13:10:02.561170: SHA1 IKEv1: IKE IKEv2: FIPS sha Aug 26 13:10:02.561172: SHA2_256 IKEv1: IKE IKEv2: FIPS sha2, sha256 Aug 26 13:10:02.561174: SHA2_384 IKEv1: IKE IKEv2: FIPS sha384 Aug 26 13:10:02.561176: SHA2_512 IKEv1: IKE IKEv2: FIPS sha512 Aug 26 13:10:02.561184: PRF algorithms: Aug 26 13:10:02.561186: HMAC_MD5 IKEv1: IKE IKEv2: IKE md5 Aug 26 13:10:02.561188: HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS sha, sha1 Aug 26 13:10:02.561190: HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS sha2, sha256, sha2_256 Aug 26 13:10:02.561192: HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS sha384, sha2_384 Aug 26 13:10:02.561194: HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS sha512, sha2_512 Aug 26 13:10:02.561196: AES_XCBC IKEv1: IKEv2: IKE aes128_xcbc Aug 26 13:10:02.561212: Integrity algorithms: Aug 26 13:10:02.561214: HMAC_MD5_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH md5, 
hmac_md5 Aug 26 13:10:02.561217: HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha, sha1, sha1_96, hmac_sha1 Aug 26 13:10:02.561219: HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha512, sha2_512, sha2_512_256, hmac_sha2_512 Aug 26 13:10:02.561222: HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha384, sha2_384, sha2_384_192, hmac_sha2_384 Aug 26 13:10:02.561224: HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256 Aug 26 13:10:02.561226: HMAC_SHA2_256_TRUNCBUG IKEv1: ESP AH IKEv2: AH Aug 26 13:10:02.561228: AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP AH aes_xcbc, aes128_xcbc, aes128_xcbc_96 Aug 26 13:10:02.561230: AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS aes_cmac Aug 26 13:10:02.561232: NONE IKEv1: ESP IKEv2: IKE ESP FIPS null Aug 26 13:10:02.561239: DH algorithms: Aug 26 13:10:02.561241: NONE IKEv1: IKEv2: IKE ESP AH FIPS null, dh0 Aug 26 13:10:02.561243: MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH dh5 Aug 26 13:10:02.561245: MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh14 Aug 26 13:10:02.561248: MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh15 Aug 26 13:10:02.561250: MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh16 Aug 26 13:10:02.561252: MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh17 Aug 26 13:10:02.561254: MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh18 Aug 26 13:10:02.561256: DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_256, ecp256 Aug 26 13:10:02.561258: DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_384, ecp384 Aug 26 13:10:02.561260: DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_521, ecp521 Aug 26 13:10:02.561262: DH31 IKEv1: IKE IKEv2: IKE ESP AH curve25519 Aug 26 13:10:02.561263: testing CAMELLIA_CBC: Aug 26 13:10:02.561265: Camellia: 16 bytes with 128-bit key Aug 26 13:10:02.561401: Camellia: 16 bytes with 128-bit key Aug 26 13:10:02.561430: Camellia: 16 bytes with 256-bit key Aug 26 13:10:02.561459: Camellia: 16 bytes with 256-bit key 
Aug 26 13:10:02.561485: testing AES_GCM_16: Aug 26 13:10:02.561489: empty string Aug 26 13:10:02.561515: one block Aug 26 13:10:02.561540: two blocks Aug 26 13:10:02.561564: two blocks with associated data Aug 26 13:10:02.561589: testing AES_CTR: Aug 26 13:10:02.561593: Encrypting 16 octets using AES-CTR with 128-bit key Aug 26 13:10:02.561620: Encrypting 32 octets using AES-CTR with 128-bit key Aug 26 13:10:02.561651: Encrypting 36 octets using AES-CTR with 128-bit key Aug 26 13:10:02.561672: Encrypting 16 octets using AES-CTR with 192-bit key Aug 26 13:10:02.561690: Encrypting 32 octets using AES-CTR with 192-bit key Aug 26 13:10:02.561706: Encrypting 36 octets using AES-CTR with 192-bit key Aug 26 13:10:02.561723: Encrypting 16 octets using AES-CTR with 256-bit key Aug 26 13:10:02.561739: Encrypting 32 octets using AES-CTR with 256-bit key Aug 26 13:10:02.561755: Encrypting 36 octets using AES-CTR with 256-bit key Aug 26 13:10:02.561772: testing AES_CBC: Aug 26 13:10:02.561774: Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key Aug 26 13:10:02.561791: Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key Aug 26 13:10:02.561814: Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key Aug 26 13:10:02.561844: Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key Aug 26 13:10:02.561879: testing AES_XCBC: Aug 26 13:10:02.561884: RFC 3566 Test Case #1: AES-XCBC-MAC-96 with 0-byte input Aug 26 13:10:02.562005: RFC 3566 Test Case #2: AES-XCBC-MAC-96 with 3-byte input Aug 26 13:10:02.562124: RFC 3566 Test Case #3: AES-XCBC-MAC-96 with 16-byte input Aug 26 13:10:02.562202: RFC 3566 Test Case #4: AES-XCBC-MAC-96 with 20-byte input Aug 26 13:10:02.562279: RFC 3566 Test Case #5: AES-XCBC-MAC-96 with 32-byte input Aug 26 13:10:02.562391: RFC 3566 Test Case #6: AES-XCBC-MAC-96 with 34-byte input Aug 26 13:10:02.562470: RFC 3566 Test Case #7: AES-XCBC-MAC-96 with 1000-byte input Aug 26 13:10:02.562637: RFC 4434 Test Case AES-XCBC-PRF-128 with 
20-byte input (key length 16) Aug 26 13:10:02.562713: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10) Aug 26 13:10:02.562795: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18) Aug 26 13:10:02.562969: testing HMAC_MD5: Aug 26 13:10:02.562987: RFC 2104: MD5_HMAC test 1 Aug 26 13:10:02.563105: RFC 2104: MD5_HMAC test 2 Aug 26 13:10:02.563197: RFC 2104: MD5_HMAC test 3 Aug 26 13:10:02.563415: 8 CPU cores online Aug 26 13:10:02.563421: starting up 7 crypto helpers Aug 26 13:10:02.563449: started thread for crypto helper 0 Aug 26 13:10:02.563465: started thread for crypto helper 1 Aug 26 13:10:02.563480: started thread for crypto helper 2 Aug 26 13:10:02.563485: | starting up helper thread 0 Aug 26 13:10:02.563494: started thread for crypto helper 3 Aug 26 13:10:02.563498: | status value returned by setting the priority of this thread (crypto helper 0) 22 Aug 26 13:10:02.563498: | starting up helper thread 3 Aug 26 13:10:02.563504: | crypto helper 0 waiting (nothing to do) Aug 26 13:10:02.563538: | starting up helper thread 2 Aug 26 13:10:02.563566: | starting up helper thread 4 Aug 26 13:10:02.563538: | status value returned by setting the priority of this thread (crypto helper 3) 22 Aug 26 13:10:02.563561: started thread for crypto helper 4 Aug 26 13:10:02.563515: | starting up helper thread 1 Aug 26 13:10:02.563598: | status value returned by setting the priority of this thread (crypto helper 1) 22 Aug 26 13:10:02.563573: | status value returned by setting the priority of this thread (crypto helper 4) 22 Aug 26 13:10:02.563574: | status value returned by setting the priority of this thread (crypto helper 2) 22 Aug 26 13:10:02.563578: | crypto helper 3 waiting (nothing to do) Aug 26 13:10:02.563667: started thread for crypto helper 5 Aug 26 13:10:02.563680: | starting up helper thread 5 Aug 26 13:10:02.563688: | status value returned by setting the priority of this thread (crypto helper 5) 22 Aug 26 13:10:02.563691: | crypto 
helper 5 waiting (nothing to do) Aug 26 13:10:02.563692: started thread for crypto helper 6 Aug 26 13:10:02.563697: | checking IKEv1 state table Aug 26 13:10:02.563700: | starting up helper thread 6 Aug 26 13:10:02.563702: | crypto helper 1 waiting (nothing to do) Aug 26 13:10:02.563706: | MAIN_R0: category: half-open IKE SA flags: 0: Aug 26 13:10:02.563706: | status value returned by setting the priority of this thread (crypto helper 6) 22 Aug 26 13:10:02.563720: | -> MAIN_R1 EVENT_SO_DISCARD Aug 26 13:10:02.563725: | crypto helper 6 waiting (nothing to do) Aug 26 13:10:02.563729: | MAIN_I1: category: half-open IKE SA flags: 0: Aug 26 13:10:02.563736: | -> MAIN_I2 EVENT_RETRANSMIT Aug 26 13:10:02.563738: | MAIN_R1: category: open IKE SA flags: 200: Aug 26 13:10:02.563739: | -> MAIN_R2 EVENT_RETRANSMIT Aug 26 13:10:02.563741: | -> UNDEFINED EVENT_RETRANSMIT Aug 26 13:10:02.563742: | -> UNDEFINED EVENT_RETRANSMIT Aug 26 13:10:02.563744: | MAIN_I2: category: open IKE SA flags: 0: Aug 26 13:10:02.563746: | -> MAIN_I3 EVENT_RETRANSMIT Aug 26 13:10:02.563747: | crypto helper 4 waiting (nothing to do) Aug 26 13:10:02.563747: | -> UNDEFINED EVENT_RETRANSMIT Aug 26 13:10:02.563760: | -> UNDEFINED EVENT_RETRANSMIT Aug 26 13:10:02.563762: | MAIN_R2: category: open IKE SA flags: 0: Aug 26 13:10:02.563764: | -> MAIN_R3 EVENT_SA_REPLACE Aug 26 13:10:02.563765: | -> MAIN_R3 EVENT_SA_REPLACE Aug 26 13:10:02.563767: | -> UNDEFINED EVENT_SA_REPLACE Aug 26 13:10:02.563768: | MAIN_I3: category: open IKE SA flags: 0: Aug 26 13:10:02.563770: | -> MAIN_I4 EVENT_SA_REPLACE Aug 26 13:10:02.563771: | -> MAIN_I4 EVENT_SA_REPLACE Aug 26 13:10:02.563773: | -> UNDEFINED EVENT_SA_REPLACE Aug 26 13:10:02.563775: | MAIN_R3: category: established IKE SA flags: 200: Aug 26 13:10:02.563776: | -> UNDEFINED EVENT_NULL Aug 26 13:10:02.563778: | MAIN_I4: category: established IKE SA flags: 0: Aug 26 13:10:02.563779: | -> UNDEFINED EVENT_NULL Aug 26 13:10:02.563781: | AGGR_R0: category: half-open IKE SA 
flags: 0: Aug 26 13:10:02.563782: | -> AGGR_R1 EVENT_SO_DISCARD Aug 26 13:10:02.563784: | AGGR_I1: category: half-open IKE SA flags: 0: Aug 26 13:10:02.563786: | -> AGGR_I2 EVENT_SA_REPLACE Aug 26 13:10:02.563787: | -> AGGR_I2 EVENT_SA_REPLACE Aug 26 13:10:02.563789: | AGGR_R1: category: open IKE SA flags: 200: Aug 26 13:10:02.563790: | -> AGGR_R2 EVENT_SA_REPLACE Aug 26 13:10:02.563790: | crypto helper 2 waiting (nothing to do) Aug 26 13:10:02.563792: | -> AGGR_R2 EVENT_SA_REPLACE Aug 26 13:10:02.563804: | AGGR_I2: category: established IKE SA flags: 200: Aug 26 13:10:02.563806: | -> UNDEFINED EVENT_NULL Aug 26 13:10:02.563807: | AGGR_R2: category: established IKE SA flags: 0: Aug 26 13:10:02.563809: | -> UNDEFINED EVENT_NULL Aug 26 13:10:02.563810: | QUICK_R0: category: established CHILD SA flags: 0: Aug 26 13:10:02.563812: | -> QUICK_R1 EVENT_RETRANSMIT Aug 26 13:10:02.563817: | QUICK_I1: category: established CHILD SA flags: 0: Aug 26 13:10:02.563818: | -> QUICK_I2 EVENT_SA_REPLACE Aug 26 13:10:02.563820: | QUICK_R1: category: established CHILD SA flags: 0: Aug 26 13:10:02.563822: | -> QUICK_R2 EVENT_SA_REPLACE Aug 26 13:10:02.563823: | QUICK_I2: category: established CHILD SA flags: 200: Aug 26 13:10:02.563825: | -> UNDEFINED EVENT_NULL Aug 26 13:10:02.563826: | QUICK_R2: category: established CHILD SA flags: 0: Aug 26 13:10:02.563828: | -> UNDEFINED EVENT_NULL Aug 26 13:10:02.563830: | INFO: category: informational flags: 0: Aug 26 13:10:02.563831: | -> UNDEFINED EVENT_NULL Aug 26 13:10:02.563833: | INFO_PROTECTED: category: informational flags: 0: Aug 26 13:10:02.563834: | -> UNDEFINED EVENT_NULL Aug 26 13:10:02.563836: | XAUTH_R0: category: established IKE SA flags: 0: Aug 26 13:10:02.563837: | -> XAUTH_R1 EVENT_NULL Aug 26 13:10:02.563839: | XAUTH_R1: category: established IKE SA flags: 0: Aug 26 13:10:02.563841: | -> MAIN_R3 EVENT_SA_REPLACE Aug 26 13:10:02.563842: | MODE_CFG_R0: category: informational flags: 0: Aug 26 13:10:02.563844: | -> MODE_CFG_R1 
EVENT_SA_REPLACE Aug 26 13:10:02.563846: | MODE_CFG_R1: category: established IKE SA flags: 0: Aug 26 13:10:02.563847: | -> MODE_CFG_R2 EVENT_SA_REPLACE Aug 26 13:10:02.563849: | MODE_CFG_R2: category: established IKE SA flags: 0: Aug 26 13:10:02.563850: | -> UNDEFINED EVENT_NULL Aug 26 13:10:02.563852: | MODE_CFG_I1: category: established IKE SA flags: 0: Aug 26 13:10:02.563854: | -> MAIN_I4 EVENT_SA_REPLACE Aug 26 13:10:02.563855: | XAUTH_I0: category: established IKE SA flags: 0: Aug 26 13:10:02.563857: | -> XAUTH_I1 EVENT_RETRANSMIT Aug 26 13:10:02.563858: | XAUTH_I1: category: established IKE SA flags: 0: Aug 26 13:10:02.563860: | -> MAIN_I4 EVENT_RETRANSMIT Aug 26 13:10:02.563865: | checking IKEv2 state table Aug 26 13:10:02.563869: | PARENT_I0: category: ignore flags: 0: Aug 26 13:10:02.563871: | -> PARENT_I1 EVENT_RETRANSMIT send-request (initiate IKE_SA_INIT) Aug 26 13:10:02.563873: | PARENT_I1: category: half-open IKE SA flags: 0: Aug 26 13:10:02.563875: | -> PARENT_I1 EVENT_RETAIN send-request (Initiator: process SA_INIT reply notification) Aug 26 13:10:02.563877: | -> PARENT_I2 EVENT_RETRANSMIT send-request (Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH) Aug 26 13:10:02.563879: | PARENT_I2: category: open IKE SA flags: 0: Aug 26 13:10:02.563880: | -> PARENT_I2 EVENT_NULL (Initiator: process INVALID_SYNTAX AUTH notification) Aug 26 13:10:02.563882: | -> PARENT_I2 EVENT_NULL (Initiator: process AUTHENTICATION_FAILED AUTH notification) Aug 26 13:10:02.563884: | -> PARENT_I2 EVENT_NULL (Initiator: process UNSUPPORTED_CRITICAL_PAYLOAD AUTH notification) Aug 26 13:10:02.563886: | -> V2_IPSEC_I EVENT_SA_REPLACE (Initiator: process IKE_AUTH response) Aug 26 13:10:02.563887: | -> PARENT_I2 EVENT_NULL (IKE SA: process IKE_AUTH response containing unknown notification) Aug 26 13:10:02.563889: | PARENT_I3: category: established IKE SA flags: 0: Aug 26 13:10:02.563891: | -> PARENT_I3 EVENT_RETAIN (I3: Informational Request) Aug 26 13:10:02.563892: | -> 
PARENT_I3 EVENT_RETAIN (I3: Informational Response) Aug 26 13:10:02.563894: | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Request) Aug 26 13:10:02.563896: | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Response) Aug 26 13:10:02.563897: | PARENT_R0: category: half-open IKE SA flags: 0: Aug 26 13:10:02.563899: | -> PARENT_R1 EVENT_SO_DISCARD send-request (Respond to IKE_SA_INIT) Aug 26 13:10:02.563901: | PARENT_R1: category: half-open IKE SA flags: 0: Aug 26 13:10:02.563903: | -> PARENT_R1 EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request (no SKEYSEED)) Aug 26 13:10:02.563904: | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request) Aug 26 13:10:02.563906: | PARENT_R2: category: established IKE SA flags: 0: Aug 26 13:10:02.563908: | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Request) Aug 26 13:10:02.563911: | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Response) Aug 26 13:10:02.563913: | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Request) Aug 26 13:10:02.563914: | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Response) Aug 26 13:10:02.563916: | V2_CREATE_I0: category: established IKE SA flags: 0: Aug 26 13:10:02.563918: | -> V2_CREATE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec SA) Aug 26 13:10:02.563920: | V2_CREATE_I: category: established IKE SA flags: 0: Aug 26 13:10:02.563921: | -> V2_IPSEC_I EVENT_SA_REPLACE (Process CREATE_CHILD_SA IPsec SA Response) Aug 26 13:10:02.563923: | V2_REKEY_IKE_I0: category: established IKE SA flags: 0: Aug 26 13:10:02.563925: | -> V2_REKEY_IKE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IKE Rekey) Aug 26 13:10:02.563927: | V2_REKEY_IKE_I: category: established IKE SA flags: 0: Aug 26 13:10:02.563929: | -> PARENT_I3 EVENT_SA_REPLACE (Process CREATE_CHILD_SA IKE Rekey Response) Aug 26 13:10:02.563930: | V2_REKEY_CHILD_I0: category: established IKE SA flags: 0: Aug 26 13:10:02.563932: | -> V2_REKEY_CHILD_I 
EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec Rekey SA) Aug 26 13:10:02.563934: | V2_REKEY_CHILD_I: category: established IKE SA flags: 0: Aug 26 13:10:02.563936: | V2_CREATE_R: category: established IKE SA flags: 0: Aug 26 13:10:02.563938: | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IPsec SA Request) Aug 26 13:10:02.563939: | V2_REKEY_IKE_R: category: established IKE SA flags: 0: Aug 26 13:10:02.563941: | -> PARENT_R2 EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IKE Rekey) Aug 26 13:10:02.563943: | V2_REKEY_CHILD_R: category: established IKE SA flags: 0: Aug 26 13:10:02.563945: | V2_IPSEC_I: category: established CHILD SA flags: 0: Aug 26 13:10:02.563947: | V2_IPSEC_R: category: established CHILD SA flags: 0: Aug 26 13:10:02.563948: | IKESA_DEL: category: established IKE SA flags: 0: Aug 26 13:10:02.563950: | -> IKESA_DEL EVENT_RETAIN (IKE_SA_DEL: process INFORMATIONAL) Aug 26 13:10:02.563952: | CHILDSA_DEL: category: informational flags: 0: Aug 26 13:10:02.563992: Using Linux XFRM/NETKEY IPsec interface code on 5.1.18-200.fc29.x86_64 Aug 26 13:10:02.564477: | Hard-wiring algorithms Aug 26 13:10:02.564483: | adding AES_CCM_16 to kernel algorithm db Aug 26 13:10:02.564486: | adding AES_CCM_12 to kernel algorithm db Aug 26 13:10:02.564488: | adding AES_CCM_8 to kernel algorithm db Aug 26 13:10:02.564490: | adding 3DES_CBC to kernel algorithm db Aug 26 13:10:02.564491: | adding CAMELLIA_CBC to kernel algorithm db Aug 26 13:10:02.564493: | adding AES_GCM_16 to kernel algorithm db Aug 26 13:10:02.564495: | adding AES_GCM_12 to kernel algorithm db Aug 26 13:10:02.564496: | adding AES_GCM_8 to kernel algorithm db Aug 26 13:10:02.564498: | adding AES_CTR to kernel algorithm db Aug 26 13:10:02.564500: | adding AES_CBC to kernel algorithm db Aug 26 13:10:02.564501: | adding SERPENT_CBC to kernel algorithm db Aug 26 13:10:02.564503: | adding TWOFISH_CBC to kernel algorithm db Aug 26 13:10:02.564505: | adding 
NULL_AUTH_AES_GMAC to kernel algorithm db Aug 26 13:10:02.564506: | adding NULL to kernel algorithm db Aug 26 13:10:02.564508: | adding CHACHA20_POLY1305 to kernel algorithm db Aug 26 13:10:02.564510: | adding HMAC_MD5_96 to kernel algorithm db Aug 26 13:10:02.564512: | adding HMAC_SHA1_96 to kernel algorithm db Aug 26 13:10:02.564513: | adding HMAC_SHA2_512_256 to kernel algorithm db Aug 26 13:10:02.564515: | adding HMAC_SHA2_384_192 to kernel algorithm db Aug 26 13:10:02.564517: | adding HMAC_SHA2_256_128 to kernel algorithm db Aug 26 13:10:02.564518: | adding HMAC_SHA2_256_TRUNCBUG to kernel algorithm db Aug 26 13:10:02.564520: | adding AES_XCBC_96 to kernel algorithm db Aug 26 13:10:02.564521: | adding AES_CMAC_96 to kernel algorithm db Aug 26 13:10:02.564523: | adding NONE to kernel algorithm db Aug 26 13:10:02.564541: | net.ipv6.conf.all.disable_ipv6=1 ignore ipv6 holes Aug 26 13:10:02.564546: | global periodic timer EVENT_SHUNT_SCAN enabled with interval of 20 seconds Aug 26 13:10:02.564548: | setup kernel fd callback Aug 26 13:10:02.564550: | add_fd_read_event_handler: new KERNEL_XRM_FD-pe@0x5635495221a8 Aug 26 13:10:02.564554: | libevent_malloc: new ptr-libevent@0x563549505ba8 size 128 Aug 26 13:10:02.564556: | libevent_malloc: new ptr-libevent@0x563549521708 size 16 Aug 26 13:10:02.564560: | add_fd_read_event_handler: new KERNEL_ROUTE_FD-pe@0x5635495215f8 Aug 26 13:10:02.564563: | libevent_malloc: new ptr-libevent@0x5635494cc008 size 128 Aug 26 13:10:02.564565: | libevent_malloc: new ptr-libevent@0x5635495220f8 size 16 Aug 26 13:10:02.564705: | global one-shot timer EVENT_CHECK_CRLS initialized Aug 26 13:10:02.564711: selinux support is enabled. 
Aug 26 13:10:02.565108: | unbound context created - setting debug level to 5 Aug 26 13:10:02.565128: | /etc/hosts lookups activated Aug 26 13:10:02.565140: | /etc/resolv.conf usage activated Aug 26 13:10:02.565176: | outgoing-port-avoid set 0-65535 Aug 26 13:10:02.565192: | outgoing-port-permit set 32768-60999 Aug 26 13:10:02.565195: | Loading dnssec root key from:/var/lib/unbound/root.key Aug 26 13:10:02.565197: | No additional dnssec trust anchors defined via dnssec-trusted= option Aug 26 13:10:02.565199: | Setting up events, loop start Aug 26 13:10:02.565201: | add_fd_read_event_handler: new PLUTO_CTL_FD-pe@0x563549522138 Aug 26 13:10:02.565203: | libevent_malloc: new ptr-libevent@0x56354952e3f8 size 128 Aug 26 13:10:02.565205: | libevent_malloc: new ptr-libevent@0x563549539708 size 16 Aug 26 13:10:02.565209: | libevent_realloc: new ptr-libevent@0x563549539748 size 256 Aug 26 13:10:02.565211: | libevent_malloc: new ptr-libevent@0x563549539878 size 8 Aug 26 13:10:02.565214: | libevent_realloc: new ptr-libevent@0x5635494c9358 size 144 Aug 26 13:10:02.565215: | libevent_malloc: new ptr-libevent@0x5635494cd488 size 152 Aug 26 13:10:02.565218: | libevent_malloc: new ptr-libevent@0x5635495398b8 size 16 Aug 26 13:10:02.565221: | signal event handler PLUTO_SIGCHLD installed Aug 26 13:10:02.565223: | libevent_malloc: new ptr-libevent@0x5635495398f8 size 8 Aug 26 13:10:02.565225: | libevent_malloc: new ptr-libevent@0x563549539938 size 152 Aug 26 13:10:02.565227: | signal event handler PLUTO_SIGTERM installed Aug 26 13:10:02.565228: | libevent_malloc: new ptr-libevent@0x563549539a08 size 8 Aug 26 13:10:02.565230: | libevent_malloc: new ptr-libevent@0x563549539a48 size 152 Aug 26 13:10:02.565232: | signal event handler PLUTO_SIGHUP installed Aug 26 13:10:02.565234: | libevent_malloc: new ptr-libevent@0x563549539b18 size 8 Aug 26 13:10:02.565235: | libevent_realloc: release ptr-libevent@0x5635494c9358 Aug 26 13:10:02.565237: | libevent_realloc: new 
ptr-libevent@0x563549539b58 size 256 Aug 26 13:10:02.565239: | libevent_malloc: new ptr-libevent@0x563549539c88 size 152 Aug 26 13:10:02.565241: | signal event handler PLUTO_SIGSYS installed Aug 26 13:10:02.565519: | created addconn helper (pid:15302) using fork+execve Aug 26 13:10:02.565533: | forked child 15302 Aug 26 13:10:02.565566: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 13:10:02.565741: listening for IKE messages Aug 26 13:10:02.565796: | Inspecting interface lo Aug 26 13:10:02.565801: | found lo with address 127.0.0.1 Aug 26 13:10:02.565805: | Inspecting interface eth0 Aug 26 13:10:02.565808: | found eth0 with address 192.0.2.254 Aug 26 13:10:02.565811: | Inspecting interface eth1 Aug 26 13:10:02.565813: | found eth1 with address 192.1.2.23 Aug 26 13:10:02.565898: Kernel supports NIC esp-hw-offload Aug 26 13:10:02.565907: adding interface eth1/eth1 (esp-hw-offload not supported by kernel) 192.1.2.23:500 Aug 26 13:10:02.565939: | NAT-Traversal: Trying sockopt style NAT-T Aug 26 13:10:02.565942: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 Aug 26 13:10:02.565945: adding interface eth1/eth1 192.1.2.23:4500 Aug 26 13:10:02.565966: adding interface eth0/eth0 (esp-hw-offload not supported by kernel) 192.0.2.254:500 Aug 26 13:10:02.565980: | NAT-Traversal: Trying sockopt style NAT-T Aug 26 13:10:02.565983: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 Aug 26 13:10:02.565985: adding interface eth0/eth0 192.0.2.254:4500 Aug 26 13:10:02.566001: adding interface lo/lo (esp-hw-offload not supported by kernel) 127.0.0.1:500 Aug 26 13:10:02.566016: | NAT-Traversal: Trying sockopt style NAT-T Aug 26 13:10:02.566019: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 Aug 26 13:10:02.566021: adding interface lo/lo 127.0.0.1:4500 Aug 26 13:10:02.566076: | no interfaces to sort Aug 26 
13:10:02.566079: | FOR_EACH_UNORIENTED_CONNECTION_... in check_orientations Aug 26 13:10:02.566084: | add_fd_read_event_handler: new ethX-pe@0x56354953a1d8 Aug 26 13:10:02.566086: | libevent_malloc: new ptr-libevent@0x56354952e348 size 128 Aug 26 13:10:02.566089: | libevent_malloc: new ptr-libevent@0x56354953a248 size 16 Aug 26 13:10:02.566093: | setup callback for interface lo 127.0.0.1:4500 fd 22 Aug 26 13:10:02.566095: | add_fd_read_event_handler: new ethX-pe@0x56354953a288 Aug 26 13:10:02.566097: | libevent_malloc: new ptr-libevent@0x5635494ca268 size 128 Aug 26 13:10:02.566099: | libevent_malloc: new ptr-libevent@0x56354953a2f8 size 16 Aug 26 13:10:02.566102: | setup callback for interface lo 127.0.0.1:500 fd 21 Aug 26 13:10:02.566104: | add_fd_read_event_handler: new ethX-pe@0x56354953a338 Aug 26 13:10:02.566106: | libevent_malloc: new ptr-libevent@0x5635494cc108 size 128 Aug 26 13:10:02.566107: | libevent_malloc: new ptr-libevent@0x56354953a3a8 size 16 Aug 26 13:10:02.566111: | setup callback for interface eth0 192.0.2.254:4500 fd 20 Aug 26 13:10:02.566112: | add_fd_read_event_handler: new ethX-pe@0x56354953a3e8 Aug 26 13:10:02.566115: | libevent_malloc: new ptr-libevent@0x5635494c9258 size 128 Aug 26 13:10:02.566117: | libevent_malloc: new ptr-libevent@0x56354953a458 size 16 Aug 26 13:10:02.566119: | setup callback for interface eth0 192.0.2.254:500 fd 19 Aug 26 13:10:02.566121: | add_fd_read_event_handler: new ethX-pe@0x56354953a498 Aug 26 13:10:02.566124: | libevent_malloc: new ptr-libevent@0x56354949a4e8 size 128 Aug 26 13:10:02.566125: | libevent_malloc: new ptr-libevent@0x56354953a508 size 16 Aug 26 13:10:02.566128: | setup callback for interface eth1 192.1.2.23:4500 fd 18 Aug 26 13:10:02.566130: | add_fd_read_event_handler: new ethX-pe@0x56354953a548 Aug 26 13:10:02.566132: | libevent_malloc: new ptr-libevent@0x56354949a1d8 size 128 Aug 26 13:10:02.566133: | libevent_malloc: new ptr-libevent@0x56354953a5b8 size 16 Aug 26 13:10:02.566136: | setup 
callback for interface eth1 192.1.2.23:500 fd 17 Aug 26 13:10:02.566139: | certs and keys locked by 'free_preshared_secrets' Aug 26 13:10:02.566141: | certs and keys unlocked by 'free_preshared_secrets' Aug 26 13:10:02.566155: loading secrets from "/etc/ipsec.secrets" Aug 26 13:10:02.566163: | Processing PSK at line 1: passed Aug 26 13:10:02.566165: | certs and keys locked by 'process_secret' Aug 26 13:10:02.566167: | certs and keys unlocked by 'process_secret' Aug 26 13:10:02.566173: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 13:10:02.566178: | spent 0.618 milliseconds in whack Aug 26 13:10:02.581490: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 13:10:02.581512: listening for IKE messages Aug 26 13:10:02.581538: | Inspecting interface lo Aug 26 13:10:02.581542: | found lo with address 127.0.0.1 Aug 26 13:10:02.581545: | Inspecting interface eth0 Aug 26 13:10:02.581548: | found eth0 with address 192.0.2.254 Aug 26 13:10:02.581549: | Inspecting interface eth1 Aug 26 13:10:02.581552: | found eth1 with address 192.1.2.23 Aug 26 13:10:02.581591: | no interfaces to sort Aug 26 13:10:02.581597: | libevent_free: release ptr-libevent@0x56354952e348 Aug 26 13:10:02.581600: | free_event_entry: release EVENT_NULL-pe@0x56354953a1d8 Aug 26 13:10:02.581605: | add_fd_read_event_handler: new ethX-pe@0x56354953a1d8 Aug 26 13:10:02.581608: | libevent_malloc: new ptr-libevent@0x56354952e348 size 128 Aug 26 13:10:02.581613: | setup callback for interface lo 127.0.0.1:4500 fd 22 Aug 26 13:10:02.581616: | libevent_free: release ptr-libevent@0x5635494ca268 Aug 26 13:10:02.581617: | free_event_entry: release EVENT_NULL-pe@0x56354953a288 Aug 26 13:10:02.581619: | add_fd_read_event_handler: new ethX-pe@0x56354953a288 Aug 26 13:10:02.581621: | libevent_malloc: new ptr-libevent@0x5635494ca268 size 128 Aug 26 13:10:02.581624: | setup callback for interface lo 127.0.0.1:500 fd 21 Aug 26 
13:10:02.581626: | libevent_free: release ptr-libevent@0x5635494cc108 Aug 26 13:10:02.581628: | free_event_entry: release EVENT_NULL-pe@0x56354953a338 Aug 26 13:10:02.581630: | add_fd_read_event_handler: new ethX-pe@0x56354953a338 Aug 26 13:10:02.581631: | libevent_malloc: new ptr-libevent@0x5635494cc108 size 128 Aug 26 13:10:02.581634: | setup callback for interface eth0 192.0.2.254:4500 fd 20 Aug 26 13:10:02.581637: | libevent_free: release ptr-libevent@0x5635494c9258 Aug 26 13:10:02.581639: | free_event_entry: release EVENT_NULL-pe@0x56354953a3e8 Aug 26 13:10:02.581640: | add_fd_read_event_handler: new ethX-pe@0x56354953a3e8 Aug 26 13:10:02.581642: | libevent_malloc: new ptr-libevent@0x5635494c9258 size 128 Aug 26 13:10:02.581645: | setup callback for interface eth0 192.0.2.254:500 fd 19 Aug 26 13:10:02.581648: | libevent_free: release ptr-libevent@0x56354949a4e8 Aug 26 13:10:02.581649: | free_event_entry: release EVENT_NULL-pe@0x56354953a498 Aug 26 13:10:02.581651: | add_fd_read_event_handler: new ethX-pe@0x56354953a498 Aug 26 13:10:02.581653: | libevent_malloc: new ptr-libevent@0x56354949a4e8 size 128 Aug 26 13:10:02.581656: | setup callback for interface eth1 192.1.2.23:4500 fd 18 Aug 26 13:10:02.581658: | libevent_free: release ptr-libevent@0x56354949a1d8 Aug 26 13:10:02.581660: | free_event_entry: release EVENT_NULL-pe@0x56354953a548 Aug 26 13:10:02.581661: | add_fd_read_event_handler: new ethX-pe@0x56354953a548 Aug 26 13:10:02.581663: | libevent_malloc: new ptr-libevent@0x56354949a1d8 size 128 Aug 26 13:10:02.581666: | setup callback for interface eth1 192.1.2.23:500 fd 17 Aug 26 13:10:02.581668: | certs and keys locked by 'free_preshared_secrets' Aug 26 13:10:02.581670: forgetting secrets Aug 26 13:10:02.581675: | certs and keys unlocked by 'free_preshared_secrets' Aug 26 13:10:02.581685: loading secrets from "/etc/ipsec.secrets" Aug 26 13:10:02.581690: | Processing PSK at line 1: passed Aug 26 13:10:02.581692: | certs and keys locked by 'process_secret' 
Aug 26 13:10:02.581694: | certs and keys unlocked by 'process_secret' Aug 26 13:10:02.581699: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 13:10:02.581704: | spent 0.222 milliseconds in whack Aug 26 13:10:02.582062: | processing signal PLUTO_SIGCHLD Aug 26 13:10:02.582073: | waitpid returned pid 15302 (exited with status 0) Aug 26 13:10:02.582076: | reaped addconn helper child (status 0) Aug 26 13:10:02.582080: | waitpid returned ECHILD (no child processes left) Aug 26 13:10:02.582083: | spent 0.0126 milliseconds in signal handler PLUTO_SIGCHLD Aug 26 13:10:02.646949: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 13:10:02.646976: | FOR_EACH_CONNECTION_... in conn_by_name Aug 26 13:10:02.646980: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias Aug 26 13:10:02.646983: | FOR_EACH_CONNECTION_... in conn_by_name Aug 26 13:10:02.646985: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias Aug 26 13:10:02.646989: | FOR_EACH_CONNECTION_... 
in conn_by_name Aug 26 13:10:02.646997: | Added new connection eastnet-any with policy PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO Aug 26 13:10:02.647053: | ike (phase1) algorithm values: AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 Aug 26 13:10:02.647064: | from whack: got --esp= Aug 26 13:10:02.647095: | ESP/AH string values: AES_GCM_16_256-NONE, AES_GCM_16_128-NONE, AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128, AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128 Aug 26 13:10:02.647100: | counting wild cards for (none) is 15 Aug 26 13:10:02.647104: | counting wild cards for @east is 0 Aug 26 13:10:02.647109: | based upon policy, the connection is a template. 
Aug 26 13:10:02.647116: | connect_to_host_pair: 192.1.2.23:500 0.0.0.0:500 -> hp@(nil): none Aug 26 13:10:02.647118: | new hp@0x56354953c798 Aug 26 13:10:02.647123: added connection description "eastnet-any" Aug 26 13:10:02.647133: | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO Aug 26 13:10:02.647142: | 192.0.2.0/24===192.1.2.23<192.1.2.23>[@east]...%any===192.0.1.0/24 Aug 26 13:10:02.647149: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 13:10:02.647156: | spent 0.217 milliseconds in whack Aug 26 13:10:04.067924: | spent 0.00639 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Aug 26 13:10:04.067992: | *received 828 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500)
Aug 26 13:10:04.068277: | start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) Aug 26 13:10:04.068282: | **parse ISAKMP Message: Aug 26 13:10:04.068286: | initiator cookie: Aug 26 13:10:04.068296: | 06 2e 9f aa 15 2a 96 f6 Aug 26 13:10:04.068300: | responder cookie: Aug 26 13:10:04.068303: | 00 00 00 00 00 00 00 00 Aug 26 13:10:04.068306: | next payload type: ISAKMP_NEXT_v2SA (0x21) Aug 26 13:10:04.068310: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:10:04.068313: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) Aug 26 13:10:04.068317: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Aug 26 13:10:04.068321: | Message ID: 0 (0x0) Aug 26 13:10:04.068324: | length: 828 (0x33c) Aug 26 13:10:04.068331: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_SA_INIT (34) Aug 26 13:10:04.068336: | I am the IKE SA Original Responder receiving an IKEv2 IKE_SA_INIT request Aug 26 13:10:04.068340: | State DB: IKEv2 state not found (find_v2_ike_sa_by_initiator_spi) Aug 26 13:10:04.068344: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Aug 26 13:10:04.068349: | ***parse IKEv2 Security Association Payload: Aug 26 13:10:04.068352: | next payload type: ISAKMP_NEXT_v2KE (0x22) Aug 26 13:10:04.068355: | flags: none (0x0) Aug 26 13:10:04.068359: |
length: 436 (0x1b4) Aug 26 13:10:04.068364: | processing payload: ISAKMP_NEXT_v2SA (len=432) Aug 26 13:10:04.068369: | Now let's proceed with payload (ISAKMP_NEXT_v2KE) Aug 26 13:10:04.068375: | ***parse IKEv2 Key Exchange Payload: Aug 26 13:10:04.068381: | next payload type: ISAKMP_NEXT_v2Ni (0x28) Aug 26 13:10:04.068386: | flags: none (0x0) Aug 26 13:10:04.068391: | length: 264 (0x108) Aug 26 13:10:04.068396: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:10:04.068402: | processing payload: ISAKMP_NEXT_v2KE (len=256) Aug 26 13:10:04.068406: | Now let's proceed with payload (ISAKMP_NEXT_v2Ni) Aug 26 13:10:04.068412: | ***parse IKEv2 Nonce Payload: Aug 26 13:10:04.068417: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 13:10:04.068424: | flags: none (0x0) Aug 26 13:10:04.068427: | length: 36 (0x24) Aug 26 13:10:04.068430: | processing payload: ISAKMP_NEXT_v2Ni (len=32) Aug 26 13:10:04.068433: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Aug 26 13:10:04.068437: | ***parse IKEv2 Notify Payload: Aug 26 13:10:04.068440: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 13:10:04.068443: | flags: none (0x0) Aug 26 13:10:04.068446: | length: 8 (0x8) Aug 26 13:10:04.068449: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:10:04.068456: | SPI size: 0 (0x0) Aug 26 13:10:04.068461: | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) Aug 26 13:10:04.068464: | processing payload: ISAKMP_NEXT_v2N (len=0) Aug 26 13:10:04.068467: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Aug 26 13:10:04.068470: | ***parse IKEv2 Notify Payload: Aug 26 13:10:04.068473: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 13:10:04.068476: | flags: none (0x0) Aug 26 13:10:04.068479: | length: 28 (0x1c) Aug 26 13:10:04.068482: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:10:04.068485: | SPI size: 0 (0x0) Aug 26 13:10:04.068489: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Aug 26 13:10:04.068492: | processing payload: ISAKMP_NEXT_v2N (len=20) Aug 26 
13:10:04.068495: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Aug 26 13:10:04.068498: | ***parse IKEv2 Notify Payload: Aug 26 13:10:04.068501: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:04.068504: | flags: none (0x0) Aug 26 13:10:04.068507: | length: 28 (0x1c) Aug 26 13:10:04.068510: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:10:04.068513: | SPI size: 0 (0x0) Aug 26 13:10:04.068517: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Aug 26 13:10:04.068520: | processing payload: ISAKMP_NEXT_v2N (len=20) Aug 26 13:10:04.068523: | DDOS disabled and no cookie sent, continuing Aug 26 13:10:04.068531: | find_host_connection local=192.1.2.23:500 remote=192.1.2.45:500 policy=ECDSA+IKEV2_ALLOW but ignoring ports Aug 26 13:10:04.068535: | find_next_host_connection policy=ECDSA+IKEV2_ALLOW Aug 26 13:10:04.068538: | find_next_host_connection returns empty Aug 26 13:10:04.068543: | find_host_connection local=192.1.2.23:500 remote= policy=ECDSA+IKEV2_ALLOW but ignoring ports Aug 26 13:10:04.068549: | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports Aug 26 13:10:04.068553: | find_next_host_connection policy=ECDSA+IKEV2_ALLOW Aug 26 13:10:04.068558: | found policy = PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (eastnet-any) Aug 26 13:10:04.068561: | find_next_host_connection returns empty Aug 26 13:10:04.068566: | initial parent SA message received on 192.1.2.23:500 but no connection has been authorized with policy ECDSA+IKEV2_ALLOW Aug 26 13:10:04.068572: | find_host_connection local=192.1.2.23:500 remote=192.1.2.45:500 policy=RSASIG+IKEV2_ALLOW but ignoring ports Aug 26 13:10:04.068576: | find_next_host_connection policy=RSASIG+IKEV2_ALLOW Aug 26 13:10:04.068579: | find_next_host_connection returns empty Aug 26 13:10:04.068583: | find_host_connection local=192.1.2.23:500 remote= policy=RSASIG+IKEV2_ALLOW but ignoring ports Aug 26 13:10:04.068589: | find_host_pair: comparing 192.1.2.23:500 
to 0.0.0.0:500 but ignoring ports Aug 26 13:10:04.068592: | find_next_host_connection policy=RSASIG+IKEV2_ALLOW Aug 26 13:10:04.068596: | found policy = PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (eastnet-any) Aug 26 13:10:04.068599: | find_next_host_connection returns empty Aug 26 13:10:04.068604: | initial parent SA message received on 192.1.2.23:500 but no connection has been authorized with policy RSASIG+IKEV2_ALLOW Aug 26 13:10:04.068609: | find_host_connection local=192.1.2.23:500 remote=192.1.2.45:500 policy=PSK+IKEV2_ALLOW but ignoring ports Aug 26 13:10:04.068613: | find_next_host_connection policy=PSK+IKEV2_ALLOW Aug 26 13:10:04.068616: | find_next_host_connection returns empty Aug 26 13:10:04.068621: | find_host_connection local=192.1.2.23:500 remote= policy=PSK+IKEV2_ALLOW but ignoring ports Aug 26 13:10:04.068626: | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports Aug 26 13:10:04.068629: | find_next_host_connection policy=PSK+IKEV2_ALLOW Aug 26 13:10:04.068633: | found policy = PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (eastnet-any) Aug 26 13:10:04.068636: | find_next_host_connection returns eastnet-any Aug 26 13:10:04.068640: | find_next_host_connection policy=PSK+IKEV2_ALLOW Aug 26 13:10:04.068645: | find_next_host_connection returns empty Aug 26 13:10:04.068648: | rw_instantiate Aug 26 13:10:04.068661: | connect_to_host_pair: 192.1.2.23:500 192.1.2.45:500 -> hp@(nil): none Aug 26 13:10:04.068665: | new hp@0x56354953e728 Aug 26 13:10:04.068672: | rw_instantiate() instantiated "eastnet-any"[1] 192.1.2.45 for 192.1.2.45 Aug 26 13:10:04.068677: | found connection: eastnet-any[1] 192.1.2.45 with policy PSK+IKEV2_ALLOW Aug 26 13:10:04.068682: | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports Aug 26 13:10:04.068714: | creating state object #1 at 0x56354953ec78 Aug 26 13:10:04.068719: | State DB: adding IKEv2 state #1 in UNDEFINED Aug 26 
13:10:04.068729: | pstats #1 ikev2.ike started Aug 26 13:10:04.068734: | Message ID: init #1: msgid=0 lastack=4294967295 nextuse=0 lastrecv=4294967295 lastreplied=0 Aug 26 13:10:04.068738: | parent state #1: UNDEFINED(ignore) => PARENT_R0(half-open IKE SA) Aug 26 13:10:04.068745: | Message ID: init_ike #1; ike: initiator.sent=0->-1 initiator.recv=0->-1 responder.sent=0->-1 responder.recv=0->-1 wip.initiator=0->-1 wip.responder=0->-1 Aug 26 13:10:04.068758: | start processing: state #1 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45 (in ikev2_process_packet() at ikev2.c:2016) Aug 26 13:10:04.068762: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Aug 26 13:10:04.068769: | [RE]START processing: state #1 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45 (in ike_process_packet() at ikev2.c:2064) Aug 26 13:10:04.068773: | #1 st.st_msgid_lastrecv -1 md.hdr.isa_msgid 00000000 Aug 26 13:10:04.068778: | Message ID: #1 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1 Aug 26 13:10:04.068784: | Message ID: start-responder #1 request 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1 wip.initiator=-1 wip.responder=-1->0 Aug 26 13:10:04.068788: | #1 in state PARENT_R0: processing SA_INIT request Aug 26 13:10:04.068791: | selected state microcode Respond to IKE_SA_INIT Aug 26 13:10:04.068795: | Now let's proceed with state specific processing Aug 26 13:10:04.068798: | calling processor Respond to IKE_SA_INIT Aug 26 13:10:04.068805: | #1 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2669) Aug 26 13:10:04.068809: | constructing local IKE proposals for eastnet-any (IKE SA responder matching remote proposals) Aug 26 13:10:04.068819: | converting ike_info AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Aug 26 13:10:04.068829: | ... 
ikev2_proposal: 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Aug 26 13:10:04.068834: | converting ike_info AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Aug 26 13:10:04.068840: | ... ikev2_proposal: 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Aug 26 13:10:04.068845: | converting ike_info AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Aug 26 13:10:04.068852: | ... ikev2_proposal: 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Aug 26 13:10:04.068856: | converting ike_info AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Aug 26 13:10:04.068863: | ... 
ikev2_proposal: 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Aug 26 13:10:04.068876: "eastnet-any"[1] 192.1.2.45: constructed local IKE proposals for eastnet-any (IKE SA responder matching remote proposals): 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Aug 26 13:10:04.068885: | Comparing remote proposals against IKE responder 4 local proposals Aug 26 13:10:04.068889: | local proposal 1 type ENCR has 1 transforms Aug 26 13:10:04.068893: | local proposal 1 type PRF has 2 transforms Aug 26 13:10:04.068896: | local proposal 1 type INTEG has 1 transforms Aug 26 13:10:04.068900: | local proposal 1 type DH has 8 transforms Aug 26 13:10:04.068903: | local proposal 1 type ESN has 0 transforms Aug 26 13:10:04.068907: | local proposal 1 transforms: required: ENCR+PRF+DH; optional: INTEG Aug 26 13:10:04.068910: | local proposal 2 type ENCR has 1 transforms Aug 26 13:10:04.068914: | local proposal 2 type PRF has 2 transforms Aug 26 13:10:04.068917: | local proposal 2 type INTEG has 1 transforms Aug 26 13:10:04.068920: | local proposal 2 type DH has 8 transforms Aug 26 13:10:04.068923: | local proposal 2 type ESN has 0 transforms Aug 26 13:10:04.068927: | local proposal 2 transforms: required: ENCR+PRF+DH; optional: INTEG Aug 26 13:10:04.068930: | local proposal 3 type ENCR has 1 
transforms Aug 26 13:10:04.068934: | local proposal 3 type PRF has 2 transforms Aug 26 13:10:04.068937: | local proposal 3 type INTEG has 2 transforms Aug 26 13:10:04.068940: | local proposal 3 type DH has 8 transforms Aug 26 13:10:04.068943: | local proposal 3 type ESN has 0 transforms Aug 26 13:10:04.068947: | local proposal 3 transforms: required: ENCR+PRF+INTEG+DH; optional: none Aug 26 13:10:04.068950: | local proposal 4 type ENCR has 1 transforms Aug 26 13:10:04.068953: | local proposal 4 type PRF has 2 transforms Aug 26 13:10:04.068956: | local proposal 4 type INTEG has 2 transforms Aug 26 13:10:04.068960: | local proposal 4 type DH has 8 transforms Aug 26 13:10:04.068963: | local proposal 4 type ESN has 0 transforms Aug 26 13:10:04.068966: | local proposal 4 transforms: required: ENCR+PRF+INTEG+DH; optional: none Aug 26 13:10:04.068970: | ****parse IKEv2 Proposal Substructure Payload: Aug 26 13:10:04.068974: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 13:10:04.068977: | length: 100 (0x64) Aug 26 13:10:04.068981: | prop #: 1 (0x1) Aug 26 13:10:04.068984: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 13:10:04.068987: | spi size: 0 (0x0) Aug 26 13:10:04.068990: | # transforms: 11 (0xb) Aug 26 13:10:04.068995: | Comparing remote proposal 1 containing 11 transforms against local proposal [1..4] of 4 local proposals Aug 26 13:10:04.068999: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:04.069002: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:04.069005: | length: 12 (0xc) Aug 26 13:10:04.069008: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:10:04.069012: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 13:10:04.069015: | ******parse IKEv2 Attribute Substructure Payload: Aug 26 13:10:04.069019: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:10:04.069022: | length/value: 256 (0x100) Aug 26 13:10:04.069028: | remote proposal 1 transform 0 (ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) transform 0 Aug 26 
13:10:04.069031: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:04.069034: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:04.069037: | length: 8 (0x8) Aug 26 13:10:04.069041: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:10:04.069044: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Aug 26 13:10:04.069048: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 1 type 2 (PRF) transform 0 Aug 26 13:10:04.069055: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 2 type 2 (PRF) transform 0 Aug 26 13:10:04.069059: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 3 type 2 (PRF) transform 0 Aug 26 13:10:04.069063: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 4 type 2 (PRF) transform 0 Aug 26 13:10:04.069066: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:04.069069: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:04.069072: | length: 8 (0x8) Aug 26 13:10:04.069075: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:10:04.069079: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Aug 26 13:10:04.069082: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:04.069085: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:04.069088: | length: 8 (0x8) Aug 26 13:10:04.069091: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:04.069095: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:10:04.069099: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 1 type 4 (DH) transform 0 Aug 26 13:10:04.069103: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 2 type 4 (DH) transform 0 Aug 26 13:10:04.069107: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 3 type 4 (DH) transform 0 Aug 26 13:10:04.069111: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 4 type 4 (DH) transform 0 Aug 26 13:10:04.069114: | *****parse IKEv2 
Transform Substructure Payload: Aug 26 13:10:04.069117: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:04.069120: | length: 8 (0x8) Aug 26 13:10:04.069123: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:04.069126: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Aug 26 13:10:04.069130: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:04.069133: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:04.069136: | length: 8 (0x8) Aug 26 13:10:04.069139: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:04.069142: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Aug 26 13:10:04.069146: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:04.069149: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:04.069152: | length: 8 (0x8) Aug 26 13:10:04.069155: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:04.069158: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Aug 26 13:10:04.069162: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:04.069165: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:04.069168: | length: 8 (0x8) Aug 26 13:10:04.069171: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:04.069174: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Aug 26 13:10:04.069178: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:04.069181: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:04.069184: | length: 8 (0x8) Aug 26 13:10:04.069187: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:04.069190: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Aug 26 13:10:04.069194: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:04.069197: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:04.069200: | length: 8 (0x8) Aug 26 13:10:04.069203: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:04.069206: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Aug 26 13:10:04.069209: | *****parse IKEv2 Transform Substructure 
Payload: Aug 26 13:10:04.069213: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:10:04.069216: | length: 8 (0x8) Aug 26 13:10:04.069219: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:04.069222: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Aug 26 13:10:04.069227: | remote proposal 1 proposed transforms: ENCR+PRF+DH; matched: ENCR+PRF+DH; unmatched: none Aug 26 13:10:04.069234: | comparing remote proposal 1 containing ENCR+PRF+DH transforms to local proposal 1; required: ENCR+PRF+DH; optional: INTEG; matched: ENCR+PRF+DH Aug 26 13:10:04.069238: | remote proposal 1 matches local proposal 1 Aug 26 13:10:04.069241: | ****parse IKEv2 Proposal Substructure Payload: Aug 26 13:10:04.069245: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 13:10:04.069248: | length: 100 (0x64) Aug 26 13:10:04.069251: | prop #: 2 (0x2) Aug 26 13:10:04.069254: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 13:10:04.069257: | spi size: 0 (0x0) Aug 26 13:10:04.069260: | # transforms: 11 (0xb) Aug 26 13:10:04.069264: | Comparing remote proposal 2 containing 11 transforms against local proposal [1..0] of 4 local proposals Aug 26 13:10:04.069268: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:04.069271: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:04.069274: | length: 12 (0xc) Aug 26 13:10:04.069277: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:10:04.069280: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 13:10:04.069283: | ******parse IKEv2 Attribute Substructure Payload: Aug 26 13:10:04.069287: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:10:04.069299: | length/value: 128 (0x80) Aug 26 13:10:04.069303: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:04.069306: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:04.069309: | length: 8 (0x8) Aug 26 13:10:04.069312: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:10:04.069315: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Aug 26 13:10:04.069319: | 
*****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:04.069322: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:04.069325: | length: 8 (0x8) Aug 26 13:10:04.069331: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:10:04.069334: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Aug 26 13:10:04.069338: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:04.069341: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:04.069344: | length: 8 (0x8) Aug 26 13:10:04.069347: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:04.069350: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:10:04.069354: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:04.069357: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:04.069360: | length: 8 (0x8) Aug 26 13:10:04.069363: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:04.069366: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Aug 26 13:10:04.069370: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:04.069373: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:04.069376: | length: 8 (0x8) Aug 26 13:10:04.069379: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:04.069382: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Aug 26 13:10:04.069385: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:04.069388: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:04.069391: | length: 8 (0x8) Aug 26 13:10:04.069394: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:04.069398: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Aug 26 13:10:04.069401: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:04.069404: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:04.069407: | length: 8 (0x8) Aug 26 13:10:04.069410: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:04.069413: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Aug 26 13:10:04.069417: | *****parse IKEv2 Transform 
Substructure Payload: Aug 26 13:10:04.069420: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:04.069423: | length: 8 (0x8) Aug 26 13:10:04.069426: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:04.069429: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Aug 26 13:10:04.069433: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:04.069440: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:04.069444: | length: 8 (0x8) Aug 26 13:10:04.069447: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:04.069450: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Aug 26 13:10:04.069453: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:04.069457: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:10:04.069460: | length: 8 (0x8) Aug 26 13:10:04.069463: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:04.069466: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Aug 26 13:10:04.069471: | remote proposal 2 proposed transforms: ENCR+PRF+DH; matched: none; unmatched: ENCR+PRF+DH Aug 26 13:10:04.069474: | remote proposal 2 does not match; unmatched remote transforms: ENCR+PRF+DH Aug 26 13:10:04.069478: | ****parse IKEv2 Proposal Substructure Payload: Aug 26 13:10:04.069481: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 13:10:04.069484: | length: 116 (0x74) Aug 26 13:10:04.069487: | prop #: 3 (0x3) Aug 26 13:10:04.069490: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 13:10:04.069493: | spi size: 0 (0x0) Aug 26 13:10:04.069496: | # transforms: 13 (0xd) Aug 26 13:10:04.069500: | Comparing remote proposal 3 containing 13 transforms against local proposal [1..0] of 4 local proposals Aug 26 13:10:04.069504: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:04.069507: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:04.069510: | length: 12 (0xc) Aug 26 13:10:04.069513: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:10:04.069516: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 
13:10:04.069519: | ******parse IKEv2 Attribute Substructure Payload: Aug 26 13:10:04.069523: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:10:04.069526: | length/value: 256 (0x100) Aug 26 13:10:04.069529: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:04.069533: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:04.069535: | length: 8 (0x8) Aug 26 13:10:04.069539: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:10:04.069542: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Aug 26 13:10:04.069545: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:04.069548: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:04.069551: | length: 8 (0x8) Aug 26 13:10:04.069554: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:10:04.069558: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Aug 26 13:10:04.069561: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:04.069564: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:04.069567: | length: 8 (0x8) Aug 26 13:10:04.069570: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:10:04.069574: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Aug 26 13:10:04.069577: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:04.069580: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:04.069583: | length: 8 (0x8) Aug 26 13:10:04.069586: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:10:04.069589: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Aug 26 13:10:04.069593: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:04.069596: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:04.069599: | length: 8 (0x8) Aug 26 13:10:04.069602: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:04.069605: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:10:04.069609: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:04.069612: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 
13:10:04.069615: | length: 8 (0x8) Aug 26 13:10:04.069618: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:04.069621: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Aug 26 13:10:04.069624: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:04.069628: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:04.069632: | length: 8 (0x8) Aug 26 13:10:04.069635: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:04.069638: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Aug 26 13:10:04.069642: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:04.069645: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:04.069648: | length: 8 (0x8) Aug 26 13:10:04.069651: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:04.069654: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Aug 26 13:10:04.069658: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:04.069661: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:04.069664: | length: 8 (0x8) Aug 26 13:10:04.069667: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:04.069670: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Aug 26 13:10:04.069673: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:04.069677: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:04.069679: | length: 8 (0x8) Aug 26 13:10:04.069683: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:04.069686: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Aug 26 13:10:04.069689: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:04.069692: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:04.069695: | length: 8 (0x8) Aug 26 13:10:04.069698: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:04.069702: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Aug 26 13:10:04.069705: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:04.069708: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:10:04.069711: | length: 
8 (0x8) Aug 26 13:10:04.069714: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:04.069717: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Aug 26 13:10:04.069722: | remote proposal 3 proposed transforms: ENCR+PRF+INTEG+DH; matched: none; unmatched: ENCR+PRF+INTEG+DH Aug 26 13:10:04.069726: | remote proposal 3 does not match; unmatched remote transforms: ENCR+PRF+INTEG+DH Aug 26 13:10:04.069729: | ****parse IKEv2 Proposal Substructure Payload: Aug 26 13:10:04.069732: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 13:10:04.069735: | length: 116 (0x74) Aug 26 13:10:04.069738: | prop #: 4 (0x4) Aug 26 13:10:04.069741: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 13:10:04.069744: | spi size: 0 (0x0) Aug 26 13:10:04.069747: | # transforms: 13 (0xd) Aug 26 13:10:04.069751: | Comparing remote proposal 4 containing 13 transforms against local proposal [1..0] of 4 local proposals Aug 26 13:10:04.069755: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:04.069758: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:04.069761: | length: 12 (0xc) Aug 26 13:10:04.069764: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:10:04.069767: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 13:10:04.069770: | ******parse IKEv2 Attribute Substructure Payload: Aug 26 13:10:04.069774: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:10:04.069777: | length/value: 128 (0x80) Aug 26 13:10:04.069780: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:04.069783: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:04.069786: | length: 8 (0x8) Aug 26 13:10:04.069790: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:10:04.069793: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Aug 26 13:10:04.069796: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:04.069799: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:04.069802: | length: 8 (0x8) Aug 26 13:10:04.069805: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 
13:10:04.069809: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Aug 26 13:10:04.069812: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:04.069815: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:04.069818: | length: 8 (0x8) Aug 26 13:10:04.069821: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:10:04.069828: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Aug 26 13:10:04.069832: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:04.069835: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:04.069838: | length: 8 (0x8) Aug 26 13:10:04.069841: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:10:04.069844: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Aug 26 13:10:04.069848: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:04.069851: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:04.069854: | length: 8 (0x8) Aug 26 13:10:04.069857: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:04.069860: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:10:04.069863: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:04.069867: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:04.069870: | length: 8 (0x8) Aug 26 13:10:04.069873: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:04.069876: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Aug 26 13:10:04.069879: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:04.069882: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:04.069885: | length: 8 (0x8) Aug 26 13:10:04.069888: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:04.069892: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Aug 26 13:10:04.069895: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:04.069898: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:04.069901: | length: 8 (0x8) Aug 26 13:10:04.069904: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:04.069907: | 
IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Aug 26 13:10:04.069911: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:04.069914: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:04.069917: | length: 8 (0x8) Aug 26 13:10:04.069920: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:04.069923: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Aug 26 13:10:04.069927: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:04.069930: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:04.069933: | length: 8 (0x8) Aug 26 13:10:04.069936: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:04.069939: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Aug 26 13:10:04.069942: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:04.069946: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:04.069948: | length: 8 (0x8) Aug 26 13:10:04.069952: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:04.069955: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Aug 26 13:10:04.069958: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:04.069961: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:10:04.069964: | length: 8 (0x8) Aug 26 13:10:04.069967: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:04.069971: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Aug 26 13:10:04.069975: | remote proposal 4 proposed transforms: ENCR+PRF+INTEG+DH; matched: none; unmatched: ENCR+PRF+INTEG+DH Aug 26 13:10:04.069979: | remote proposal 4 does not match; unmatched remote transforms: ENCR+PRF+INTEG+DH Aug 26 13:10:04.069986: "eastnet-any"[1] 192.1.2.45 #1: proposal 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519[first-match] 
2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 Aug 26 13:10:04.069993: | accepted IKE proposal ikev2_proposal: 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048 Aug 26 13:10:04.069997: | converting proposal to internal trans attrs Aug 26 13:10:04.070001: | natd_hash: rcookie is zero Aug 26 13:10:04.070019: | natd_hash: hasher=0x563549172800(20) Aug 26 13:10:04.070023: | natd_hash: icookie= 06 2e 9f aa 15 2a 96 f6 Aug 26 13:10:04.070026: | natd_hash: rcookie= 00 00 00 00 00 00 00 00 Aug 26 13:10:04.070029: | natd_hash: ip= c0 01 02 17 Aug 26 13:10:04.070032: | natd_hash: port=500 Aug 26 13:10:04.070036: | natd_hash: hash= dd 30 b1 35 7f 3f 98 7d 85 c1 49 99 1c d7 2e 21 Aug 26 13:10:04.070039: | natd_hash: hash= 9d 91 77 e4 Aug 26 13:10:04.070042: | natd_hash: rcookie is zero Aug 26 13:10:04.070051: | natd_hash: hasher=0x563549172800(20) Aug 26 13:10:04.070055: | natd_hash: icookie= 06 2e 9f aa 15 2a 96 f6 Aug 26 13:10:04.070058: | natd_hash: rcookie= 00 00 00 00 00 00 00 00 Aug 26 13:10:04.070061: | natd_hash: ip= c0 01 02 2d Aug 26 13:10:04.070064: | natd_hash: port=500 Aug 26 13:10:04.070067: | natd_hash: hash= ec 80 7d 2f 86 e2 0f 7c 90 68 62 98 c0 60 4b 57 Aug 26 13:10:04.070070: | natd_hash: hash= 07 6e a2 bb Aug 26 13:10:04.070074: | NAT_TRAVERSAL encaps using auto-detect Aug 26 13:10:04.070077: | NAT_TRAVERSAL this end is NOT behind NAT Aug 26 13:10:04.070080: | NAT_TRAVERSAL that end is NOT behind NAT Aug 26 13:10:04.070084: | NAT_TRAVERSAL 
nat-keepalive enabled 192.1.2.45 Aug 26 13:10:04.070088: | adding ikev2_inI1outR1 KE work-order 1 for state #1 Aug 26 13:10:04.070092: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x56354953e858 Aug 26 13:10:04.070097: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 Aug 26 13:10:04.070102: | libevent_malloc: new ptr-libevent@0x563549540fd8 size 128 Aug 26 13:10:04.070117: | #1 spent 1.31 milliseconds in processing: Respond to IKE_SA_INIT in ikev2_process_state_packet() Aug 26 13:10:04.070127: | [RE]START processing: state #1 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:10:04.070131: | #1 complete_v2_state_transition() PARENT_R0->PARENT_R1 with status STF_SUSPEND Aug 26 13:10:04.070135: | suspending state #1 and saving MD Aug 26 13:10:04.070138: | #1 is busy; has a suspended MD Aug 26 13:10:04.070144: | [RE]START processing: state #1 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in log_stf_suspend() at ikev2.c:3269) Aug 26 13:10:04.070150: | "eastnet-any"[1] 192.1.2.45 #1 complete v2 state STATE_PARENT_R0 transition with STF_SUSPEND suspended from complete_v2_state_transition:3451 Aug 26 13:10:04.070156: | stop processing: state #1 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:2018) Aug 26 13:10:04.070152: | crypto helper 0 resuming Aug 26 13:10:04.070170: | #1 spent 2.21 milliseconds in ikev2_process_packet() Aug 26 13:10:04.070188: | crypto helper 0 starting work-order 1 for state #1 Aug 26 13:10:04.070191: | stop processing: from 192.1.2.45:500 (in process_md() at demux.c:380) Aug 26 13:10:04.070200: | crypto helper 0 doing build KE and nonce (ikev2_inI1outR1 KE); request ID 1 Aug 26 13:10:04.070203: | processing: STOP state #0 (in process_md() at demux.c:382) Aug 26 13:10:04.070207: | processing: STOP connection NULL (in process_md() at demux.c:383) Aug 26 13:10:04.070213: | spent 2.24 milliseconds in 
comm_handle_cb() reading and processing packet Aug 26 13:10:04.071321: | crypto helper 0 finished build KE and nonce (ikev2_inI1outR1 KE); request ID 1 time elapsed 0.001121 seconds Aug 26 13:10:04.071339: | (#1) spent 1.13 milliseconds in crypto helper computing work-order 1: ikev2_inI1outR1 KE (pcr) Aug 26 13:10:04.071344: | crypto helper 0 sending results from work-order 1 for state #1 to event queue Aug 26 13:10:04.071348: | scheduling resume sending helper answer for #1 Aug 26 13:10:04.071356: | libevent_malloc: new ptr-libevent@0x7f7574002888 size 128 Aug 26 13:10:04.071367: | crypto helper 0 waiting (nothing to do) Aug 26 13:10:04.071409: | processing resume sending helper answer for #1 Aug 26 13:10:04.071429: | start processing: state #1 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in resume_handler() at server.c:797) Aug 26 13:10:04.071436: | crypto helper 0 replies to request ID 1 Aug 26 13:10:04.071440: | calling continuation function 0x56354909db50 Aug 26 13:10:04.071444: | ikev2_parent_inI1outR1_continue for #1: calculated ke+nonce, sending R1 Aug 26 13:10:04.071491: | **emit ISAKMP Message: Aug 26 13:10:04.071495: | initiator cookie: Aug 26 13:10:04.071499: | 06 2e 9f aa 15 2a 96 f6 Aug 26 13:10:04.071502: | responder cookie: Aug 26 13:10:04.071505: | 6b 66 e1 cd 5b 36 a0 51 Aug 26 13:10:04.071509: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 13:10:04.071512: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:10:04.071516: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) Aug 26 13:10:04.071519: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Aug 26 13:10:04.071523: | Message ID: 0 (0x0) Aug 26 13:10:04.071526: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 13:10:04.071530: | Emitting ikev2_proposal ... 
Aug 26 13:10:04.071534: | ***emit IKEv2 Security Association Payload: Aug 26 13:10:04.071537: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:04.071540: | flags: none (0x0) Aug 26 13:10:04.071544: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Aug 26 13:10:04.071548: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Aug 26 13:10:04.071552: | ****emit IKEv2 Proposal Substructure Payload: Aug 26 13:10:04.071556: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 13:10:04.071559: | prop #: 1 (0x1) Aug 26 13:10:04.071562: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 13:10:04.071566: | spi size: 0 (0x0) Aug 26 13:10:04.071569: | # transforms: 3 (0x3) Aug 26 13:10:04.071573: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Aug 26 13:10:04.071576: | *****emit IKEv2 Transform Substructure Payload: Aug 26 13:10:04.071580: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:04.071583: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:10:04.071586: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 13:10:04.071590: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:10:04.071594: | ******emit IKEv2 Attribute Substructure Payload: Aug 26 13:10:04.071598: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:10:04.071601: | length/value: 256 (0x100) Aug 26 13:10:04.071605: | emitting length of IKEv2 Transform Substructure Payload: 12 Aug 26 13:10:04.071608: | *****emit IKEv2 Transform Substructure Payload: Aug 26 13:10:04.071611: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:04.071614: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:10:04.071618: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Aug 26 13:10:04.071622: | last 
substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:04.071626: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:10:04.071629: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:10:04.071632: | *****emit IKEv2 Transform Substructure Payload: Aug 26 13:10:04.071636: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:10:04.071639: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:04.071642: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:10:04.071649: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:04.071653: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:10:04.071657: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:10:04.071660: | emitting length of IKEv2 Proposal Substructure Payload: 36 Aug 26 13:10:04.071664: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Aug 26 13:10:04.071667: | emitting length of IKEv2 Security Association Payload: 40 Aug 26 13:10:04.071671: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Aug 26 13:10:04.071675: | ***emit IKEv2 Key Exchange Payload: Aug 26 13:10:04.071679: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:04.071682: | flags: none (0x0) Aug 26 13:10:04.071685: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:10:04.071689: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Key Exchange Payload (34:ISAKMP_NEXT_v2KE) Aug 26 
13:10:04.071693: | next payload chain: saving location 'IKEv2 Key Exchange Payload'.'next payload type' in 'reply packet' Aug 26 13:10:04.071697: | emitting 256 raw bytes of ikev2 g^x into IKEv2 Key Exchange Payload Aug 26 13:10:04.071751: | emitting length of IKEv2 Key Exchange Payload: 264 Aug 26 13:10:04.071754: | ***emit IKEv2 Nonce Payload: Aug 26 13:10:04.071758: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 13:10:04.071761: | flags: none (0x0) Aug 26 13:10:04.071765: | next payload chain: ignoring supplied 'IKEv2 Nonce Payload'.'next payload type' value 41:ISAKMP_NEXT_v2N Aug 26 13:10:04.071769: | next payload chain: setting previous
'IKEv2 Key Exchange Payload'.'next payload type' to current IKEv2 Nonce Payload (40:ISAKMP_NEXT_v2Ni) Aug 26 13:10:04.071772: | next payload chain: saving location 'IKEv2 Nonce Payload'.'next payload type' in 'reply packet' Aug 26 13:10:04.071776: | emitting 32 raw bytes of IKEv2 nonce into IKEv2 Nonce Payload Aug 26 13:10:04.071780: | IKEv2 nonce ba a4 e4 89 4a 87 fa 67 41 db d1 9b bc 8f c2 7d Aug 26 13:10:04.071783: | IKEv2 nonce 2c b5 22 91 73 b6 0f 01 8a bb d5 ef 56 0f 09 7c Aug 26 13:10:04.071786: | emitting length of IKEv2 Nonce Payload: 36 Aug 26 13:10:04.071789: | Adding a v2N Payload Aug 26 13:10:04.071792: | ***emit IKEv2 Notify Payload: Aug 26 13:10:04.071797: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:04.071801: | flags: none (0x0) Aug 26 13:10:04.071804: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:10:04.071807: | SPI size: 0 (0x0) Aug 26 13:10:04.071811: | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) Aug 26 13:10:04.071815: | next payload chain: setting previous 'IKEv2 Nonce Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Aug 26 13:10:04.071818: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Aug 26 13:10:04.071822: | emitting length of IKEv2 Notify Payload: 8 Aug 26 13:10:04.071825: | NAT-Traversal support [enabled] add v2N payloads. 
Aug 26 13:10:04.071844: | natd_hash: hasher=0x563549172800(20) Aug 26 13:10:04.071848: | natd_hash: icookie= 06 2e 9f aa 15 2a 96 f6 Aug 26 13:10:04.071851: | natd_hash: rcookie= 6b 66 e1 cd 5b 36 a0 51 Aug 26 13:10:04.071855: | natd_hash: ip= c0 01 02 17 Aug 26 13:10:04.071858: | natd_hash: port=500 Aug 26 13:10:04.071861: | natd_hash: hash= 17 29 34 68 cc a1 b2 7c e4 5a 91 ed d3 24 4b 80 Aug 26 13:10:04.071864: | natd_hash: hash= f3 73 82 b0 Aug 26 13:10:04.071867: | Adding a v2N Payload Aug 26 13:10:04.071870: | ***emit IKEv2 Notify Payload: Aug 26 13:10:04.071874: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:04.071877: | flags: none (0x0) Aug 26 13:10:04.071880: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:10:04.071883: | SPI size: 0 (0x0) Aug 26 13:10:04.071886: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Aug 26 13:10:04.071890: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Aug 26 13:10:04.071894: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Aug 26 13:10:04.071898: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Aug 26 13:10:04.071901: | Notify data 17 29 34 68 cc a1 b2 7c e4 5a 91 ed d3 24 4b 80 Aug 26 13:10:04.071904: | Notify data f3 73 82 b0 Aug 26 13:10:04.071907: | emitting length of IKEv2 Notify Payload: 28 Aug 26 13:10:04.071915: | natd_hash: hasher=0x563549172800(20) Aug 26 13:10:04.071919: | natd_hash: icookie= 06 2e 9f aa 15 2a 96 f6 Aug 26 13:10:04.071922: | natd_hash: rcookie= 6b 66 e1 cd 5b 36 a0 51 Aug 26 13:10:04.071925: | natd_hash: ip= c0 01 02 2d Aug 26 13:10:04.071928: | natd_hash: port=500 Aug 26 13:10:04.071931: | natd_hash: hash= 58 64 f7 c8 4b d7 3c 7a 77 68 0f c3 4e bd 50 63 Aug 26 13:10:04.071934: | natd_hash: hash= 58 42 40 c7 Aug 26 13:10:04.071937: | Adding a v2N Payload Aug 26 13:10:04.071940: | ***emit IKEv2 Notify Payload: Aug 26 
13:10:04.071943: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:04.071946: | flags: none (0x0) Aug 26 13:10:04.071949: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:10:04.071952: | SPI size: 0 (0x0) Aug 26 13:10:04.071956: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Aug 26 13:10:04.071959: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Aug 26 13:10:04.071963: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Aug 26 13:10:04.071967: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Aug 26 13:10:04.071970: | Notify data 58 64 f7 c8 4b d7 3c 7a 77 68 0f c3 4e bd 50 63 Aug 26 13:10:04.071973: | Notify data 58 42 40 c7 Aug 26 13:10:04.071976: | emitting length of IKEv2 Notify Payload: 28 Aug 26 13:10:04.071979: | emitting length of ISAKMP Message: 432 Aug 26 13:10:04.071989: | [RE]START processing: state #1 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:10:04.071994: | #1 complete_v2_state_transition() PARENT_R0->PARENT_R1 with status STF_OK Aug 26 13:10:04.071998: | IKEv2: transition from state STATE_PARENT_R0 to state STATE_PARENT_R1 Aug 26 13:10:04.072004: | parent state #1: PARENT_R0(half-open IKE SA) => PARENT_R1(half-open IKE SA) Aug 26 13:10:04.072008: | Message ID: updating counters for #1 to 0 after switching state Aug 26 13:10:04.072015: | Message ID: recv #1 request 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1->0 wip.initiator=-1 wip.responder=0->-1 Aug 26 13:10:04.072020: | Message ID: sent #1 response 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1->0 responder.recv=0 wip.initiator=-1 wip.responder=-1 Aug 26 13:10:04.072027: "eastnet-any"[1] 192.1.2.45 #1: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a 
prf=HMAC_SHA2_512 group=MODP2048} Aug 26 13:10:04.072033: | sending V2 new request packet to 192.1.2.45:500 (from 192.1.2.23:500) Aug 26 13:10:04.072040: | sending 432 bytes for STATE_PARENT_R0 through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #1) Aug 26 13:10:04.072169: | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted Aug 26 13:10:04.072176: | libevent_free: release ptr-libevent@0x563549540fd8 Aug 26 13:10:04.072180: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x56354953e858 Aug 26 13:10:04.072184: | event_schedule: new EVENT_SO_DISCARD-pe@0x56354953e858 Aug 26 13:10:04.072189: | inserting event EVENT_SO_DISCARD, timeout in 200 seconds for #1 Aug 26 13:10:04.072193: | libevent_malloc: new ptr-libevent@0x563549542128 size 128 Aug 26 13:10:04.072199: | resume sending helper answer for #1 suppresed complete_v2_state_transition() Aug 26 13:10:04.072207: | #1 spent 0.75 milliseconds in resume sending helper answer Aug 26 13:10:04.072215: | stop processing: state #1 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in resume_handler() at server.c:833) Aug 26 13:10:04.072219: | libevent_free: release ptr-libevent@0x7f7574002888 Aug 26 13:10:04.076721: | spent 0.00425 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Aug 26 13:10:04.076756: | *received 365 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500) Aug 26 13:10:04.076828: | start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) Aug 26 13:10:04.076831: | **parse ISAKMP Message: Aug 26 13:10:04.076834: | initiator cookie: Aug 26 13:10:04.076837: | 06 2e 9f aa 15 2a 96 f6 Aug 26 13:10:04.076840: | responder cookie: Aug 26 13:10:04.076842: | 6b 66 e1 cd 5b 36 a0 51 Aug 26 13:10:04.076845: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Aug 26 13:10:04.076848: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:10:04.076851: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Aug 26 13:10:04.076854: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Aug 26 13:10:04.076857: | Message ID: 1 (0x1) Aug 26 13:10:04.076859: | length: 365 (0x16d) Aug 26 13:10:04.076863: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) Aug 26 13:10:04.076866: | I am the IKE SA Original Responder receiving an IKEv2 IKE_AUTH request Aug 26 13:10:04.076870:
| State DB: found IKEv2 state #1 in PARENT_R1 (find_v2_ike_sa) Aug 26 13:10:04.076877: | start processing: state #1 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:2016) Aug 26 13:10:04.076881: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Aug 26 13:10:04.076886: | [RE]START processing: state #1 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in ike_process_packet() at ikev2.c:2064) Aug 26 13:10:04.076890: | #1 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001 Aug 26 13:10:04.076894: | Message ID: #1 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 Aug 26 13:10:04.076897: | unpacking clear payload Aug 26 13:10:04.076900: | Now let's proceed with payload (ISAKMP_NEXT_v2SK) Aug 26 13:10:04.076903: | ***parse IKEv2 Encryption Payload: Aug 26 13:10:04.076905: | next payload type: ISAKMP_NEXT_v2IDi (0x23) Aug 26 13:10:04.076908: | flags: none (0x0) Aug 26 13:10:04.076911: | length: 337 (0x151) Aug 26 13:10:04.076916: | processing payload: ISAKMP_NEXT_v2SK (len=333) Aug 26 13:10:04.076924: | Message ID: start-responder #1 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=-1->1 Aug 26 13:10:04.076931: | #1 in state PARENT_R1: received v2I1, sent v2R1 Aug 26 13:10:04.076937: | selected state microcode Responder: process IKE_AUTH request (no SKEYSEED) Aug 26 13:10:04.076941: | Now let's proceed with state specific processing Aug 26 13:10:04.076945: | calling processor Responder: process IKE_AUTH request (no SKEYSEED) Aug 26 13:10:04.076952: | ikev2 parent inI2outR2: calculating g^{xy} in order to decrypt I2 Aug 26 13:10:04.076958: | offloading IKEv2 SKEYSEED using prf=HMAC_SHA2_512 integ=NONE cipherkey=AES_GCM_16 Aug 26 13:10:04.076964: | adding ikev2_inI2outR2 KE work-order 2 for state #1 Aug 26 13:10:04.076969: | state #1 requesting EVENT_SO_DISCARD to be deleted Aug 26 
13:10:04.076975: | libevent_free: release ptr-libevent@0x563549542128 Aug 26 13:10:04.076981: | free_event_entry: release EVENT_SO_DISCARD-pe@0x56354953e858 Aug 26 13:10:04.076986: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x56354953e858 Aug 26 13:10:04.076993: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 Aug 26 13:10:04.076999: | libevent_malloc: new ptr-libevent@0x7f7574002888 size 128 Aug 26 13:10:04.077015: | #1 spent 0.0603 milliseconds in processing: Responder: process IKE_AUTH request (no SKEYSEED) in ikev2_process_state_packet() Aug 26 13:10:04.077027: | [RE]START processing: state #1 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:10:04.077034: | #1 complete_v2_state_transition() PARENT_R1->PARENT_R1 with status STF_SUSPEND Aug 26 13:10:04.077039: | suspending state #1 and saving MD Aug 26 13:10:04.077043: | #1 is busy; has a suspended MD Aug 26 13:10:04.077052: | [RE]START processing: state #1 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in log_stf_suspend() at ikev2.c:3269) Aug 26 13:10:04.077053: | crypto helper 3 resuming Aug 26 13:10:04.077062: | "eastnet-any"[1] 192.1.2.45 #1 complete v2 state STATE_PARENT_R1 transition with STF_SUSPEND suspended from complete_v2_state_transition:3451 Aug 26 13:10:04.077073: | crypto helper 3 starting work-order 2 for state #1 Aug 26 13:10:04.077083: | stop processing: state #1 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:2018) Aug 26 13:10:04.077091: | crypto helper 3 doing compute dh (V2) (ikev2_inI2outR2 KE); request ID 2 Aug 26 13:10:04.077096: | #1 spent 0.347 milliseconds in ikev2_process_packet() Aug 26 13:10:04.077101: | stop processing: from 192.1.2.45:500 (in process_md() at demux.c:380) Aug 26 13:10:04.077104: | processing: STOP state #0 (in process_md() at demux.c:382) Aug 26 13:10:04.077107: | processing: STOP connection NULL (in 
process_md() at demux.c:383) Aug 26 13:10:04.077112: | spent 0.363 milliseconds in comm_handle_cb() reading and processing packet Aug 26 13:10:04.077949: | calculating skeyseed using prf=sha2_512 integ=none cipherkey-size=32 salt-size=4 Aug 26 13:10:04.078364: | crypto helper 3 finished compute dh (V2) (ikev2_inI2outR2 KE); request ID 2 time elapsed 0.001274 seconds Aug 26 13:10:04.078375: | (#1) spent 1.28 milliseconds in crypto helper computing work-order 2: ikev2_inI2outR2 KE (pcr) Aug 26 13:10:04.078379: | crypto helper 3 sending results from work-order 2 for state #1 to event queue Aug 26 13:10:04.078381: | scheduling resume sending helper answer for #1 Aug 26 13:10:04.078385: | libevent_malloc: new ptr-libevent@0x7f756c000f48 size 128 Aug 26 13:10:04.078392: | crypto helper 3 waiting (nothing to do) Aug 26 13:10:04.078433: | processing resume sending helper answer for #1 Aug 26 13:10:04.078447: | start processing: state #1 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in resume_handler() at server.c:797) Aug 26 13:10:04.078452: | crypto helper 3 replies to request ID 2 Aug 26 13:10:04.078454: | calling continuation function 0x56354909db50 Aug 26 13:10:04.078457: | ikev2_parent_inI2outR2_continue for #1: calculating g^{xy}, sending R2 Aug 26 13:10:04.078460: | #1 in state PARENT_R1: received v2I1, sent v2R1 Aug 26 13:10:04.078474: | #1 ikev2 ISAKMP_v2_IKE_AUTH decrypt success Aug 26 13:10:04.078477: | Now let's proceed with payload (ISAKMP_NEXT_v2IDi) Aug 26 13:10:04.078480: | **parse IKEv2 Identification - Initiator - Payload: Aug 26 13:10:04.078483: | next payload type: ISAKMP_NEXT_v2IDr (0x24) Aug 26 13:10:04.078485: | flags: none (0x0) Aug 26 13:10:04.078488: | length: 12 (0xc) Aug 26 13:10:04.078490: | ID type: ID_IPV4_ADDR (0x1) Aug 26 13:10:04.078493: | processing payload: ISAKMP_NEXT_v2IDi (len=4) Aug 26 13:10:04.078495: | Now let's proceed with payload (ISAKMP_NEXT_v2IDr) Aug 26 13:10:04.078498: | **parse IKEv2 Identification - Responder 
- Payload: Aug 26 13:10:04.078500: | next payload type: ISAKMP_NEXT_v2AUTH (0x27) Aug 26 13:10:04.078502: | flags: none (0x0) Aug 26 13:10:04.078504: | length: 12 (0xc) Aug 26 13:10:04.078507: | ID type: ID_FQDN (0x2) Aug 26 13:10:04.078509: | processing payload: ISAKMP_NEXT_v2IDr (len=4) Aug 26 13:10:04.078511: | Now let's proceed with payload (ISAKMP_NEXT_v2AUTH) Aug 26 13:10:04.078514: | **parse IKEv2 Authentication Payload: Aug 26 13:10:04.078516: | next payload type: ISAKMP_NEXT_v2SA (0x21) Aug 26 13:10:04.078518: | flags: none (0x0) Aug 26 13:10:04.078520: | length: 72 (0x48) Aug 26 13:10:04.078522: | auth method: IKEv2_AUTH_SHARED (0x2) Aug 26 13:10:04.078525: | processing payload: ISAKMP_NEXT_v2AUTH (len=64) Aug 26 13:10:04.078527: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Aug 26 13:10:04.078530: | **parse IKEv2 Security Association Payload: Aug 26 13:10:04.078532: | next payload type: ISAKMP_NEXT_v2TSi (0x2c) Aug 26 13:10:04.078534: | flags: none (0x0) Aug 26 13:10:04.078536: | length: 164 (0xa4) Aug 26 13:10:04.078538: | processing payload: ISAKMP_NEXT_v2SA (len=160) Aug 26 13:10:04.078541: | Now let's proceed with payload (ISAKMP_NEXT_v2TSi) Aug 26 13:10:04.078543: | **parse IKEv2 Traffic Selector - Initiator - Payload: Aug 26 13:10:04.078545: | next payload type: ISAKMP_NEXT_v2TSr (0x2d) Aug 26 13:10:04.078548: | flags: none (0x0) Aug 26 13:10:04.078550: | length: 24 (0x18) Aug 26 13:10:04.078552: | number of TS: 1 (0x1) Aug 26 13:10:04.078554: | processing payload: ISAKMP_NEXT_v2TSi (len=16) Aug 26 13:10:04.078557: | Now let's proceed with payload (ISAKMP_NEXT_v2TSr) Aug 26 13:10:04.078559: | **parse IKEv2 Traffic Selector - Responder - Payload: Aug 26 13:10:04.078561: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:04.078563: | flags: none (0x0) Aug 26 13:10:04.078565: | length: 24 (0x18) Aug 26 13:10:04.078568: | number of TS: 1 (0x1) Aug 26 13:10:04.078570: | processing payload: ISAKMP_NEXT_v2TSr (len=16) Aug 26 13:10:04.078572: 
| selected state microcode Responder: process IKE_AUTH request Aug 26 13:10:04.078575: | Now let's proceed with state specific processing Aug 26 13:10:04.078577: | calling processor Responder: process IKE_AUTH request Aug 26 13:10:04.078583: "eastnet-any"[1] 192.1.2.45 #1: processing decrypted IKE_AUTH request: SK{IDi,IDr,AUTH,SA,TSi,TSr} Aug 26 13:10:04.078589: | #1 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2669) Aug 26 13:10:04.078592: | parsing 4 raw bytes of IKEv2 Identification - Initiator - Payload into peer ID Aug 26 13:10:04.078595: | peer ID c0 01 02 2d Aug 26 13:10:04.078597: | received IDr payload - extracting our alleged ID Aug 26 13:10:04.078601: | refine_host_connection for IKEv2: starting with "eastnet-any"[1] 192.1.2.45 Aug 26 13:10:04.078606: | match_id a=192.1.2.45 Aug 26 13:10:04.078608: | b=192.1.2.45 Aug 26 13:10:04.078610: | results matched Aug 26 13:10:04.078616: | refine_host_connection: checking "eastnet-any"[1] 192.1.2.45 against "eastnet-any"[1] 192.1.2.45, best=(none) with match=1(id=1(0)/ca=1(0)/reqca=1(0)) Aug 26 13:10:04.078618: | Warning: not switching back to template of current instance Aug 26 13:10:04.078621: | Peer expects us to be @east (ID_FQDN) according to its IDr payload Aug 26 13:10:04.078624: | This connection's local id is @east (ID_FQDN) Aug 26 13:10:04.078630: | refine_host_connection: checked eastnet-any[1] 192.1.2.45 against eastnet-any[1] 192.1.2.45, now for see if best Aug 26 13:10:04.078634: | started looking for secret for @east->192.1.2.45 of kind PKK_PSK Aug 26 13:10:04.078637: | actually looking for secret for @east->192.1.2.45 of kind PKK_PSK Aug 26 13:10:04.078641: | line 1: key type PKK_PSK(@east) to type PKK_PSK Aug 26 13:10:04.078644: | 1: compared key (none) to @east / 192.1.2.45 -> 002 Aug 26 13:10:04.078647: | 2: compared key (none) to @east / 192.1.2.45 -> 002 Aug 26 13:10:04.078649: | line 1: match=002 Aug 26 13:10:04.078652: | 
match 002 beats previous best_match 000 match=0x563549495c48 (line=1) Aug 26 13:10:04.078654: | concluding with best_match=002 best=0x563549495c48 (lineno=1) Aug 26 13:10:04.078657: | returning because exact peer id match Aug 26 13:10:04.078659: | offered CA: '%none' Aug 26 13:10:04.078663: "eastnet-any"[1] 192.1.2.45 #1: IKEv2 mode peer ID is ID_IPV4_ADDR: '192.1.2.45' Aug 26 13:10:04.078682: | verifying AUTH payload Aug 26 13:10:04.078686: | ikev2_calculate_psk_sighash() called from STATE_PARENT_R1 to verify PSK with authby=secret Aug 26 13:10:04.078689: | started looking for secret for @east->192.1.2.45 of kind PKK_PSK Aug 26 13:10:04.078693: | actually looking for secret for @east->192.1.2.45 of kind PKK_PSK Aug 26 13:10:04.078696: | line 1: key type PKK_PSK(@east) to type PKK_PSK Aug 26 13:10:04.078699: | 1: compared key (none) to @east / 192.1.2.45 -> 002 Aug 26 13:10:04.078701: | 2: compared key (none) to @east / 192.1.2.45 -> 002 Aug 26 13:10:04.078703: | line 1: match=002 Aug 26 13:10:04.078706: | match 002 beats previous best_match 000 match=0x563549495c48 (line=1) Aug 26 13:10:04.078708: | concluding with best_match=002 best=0x563549495c48 (lineno=1) Aug 26 13:10:04.078760: "eastnet-any"[1] 192.1.2.45 #1: Authenticated using authby=secret Aug 26 13:10:04.078765: | parent state #1: PARENT_R1(half-open IKE SA) => PARENT_R2(established IKE SA) Aug 26 13:10:04.078770: | #1 will start re-keying in 3330 seconds with margin of 270 seconds (attempting re-key) Aug 26 13:10:04.078772: | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted Aug 26 13:10:04.078776: | libevent_free: release ptr-libevent@0x7f7574002888 Aug 26 13:10:04.078778: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x56354953e858 Aug 26 13:10:04.078781: | event_schedule: new EVENT_SA_REKEY-pe@0x56354953e858 Aug 26 13:10:04.078785: | inserting event EVENT_SA_REKEY, timeout in 3330 seconds for #1 Aug 26 13:10:04.078787: | libevent_malloc: new ptr-libevent@0x563549542128 size 128 Aug 26 
13:10:04.078885: | pstats #1 ikev2.ike established Aug 26 13:10:04.078893: | **emit ISAKMP Message: Aug 26 13:10:04.078896: | initiator cookie: Aug 26 13:10:04.078898: | 06 2e 9f aa 15 2a 96 f6 Aug 26 13:10:04.078900: | responder cookie: Aug 26 13:10:04.078903: | 6b 66 e1 cd 5b 36 a0 51 Aug 26 13:10:04.078905: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 13:10:04.078908: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:10:04.078910: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Aug 26 13:10:04.078913: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Aug 26 13:10:04.078915: | Message ID: 1 (0x1) Aug 26 13:10:04.078918: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 13:10:04.078920: | IKEv2 CERT: send a certificate? Aug 26 13:10:04.078923: | IKEv2 CERT: policy does not have RSASIG or ECDSA: PSK Aug 26 13:10:04.078926: | ***emit IKEv2 Encryption Payload: Aug 26 13:10:04.078929: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:04.078933: | flags: none (0x0) Aug 26 13:10:04.078937: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Aug 26 13:10:04.078942: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'reply packet' Aug 26 13:10:04.078947: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Aug 26 13:10:04.078956: | Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED Aug 26 13:10:04.078968: | ****emit IKEv2 Identification - Responder - Payload: Aug 26 13:10:04.078971: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:04.078973: | flags: none (0x0) Aug 26 13:10:04.078976: | ID type: ID_FQDN (0x2) Aug 26 13:10:04.078979: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Identification - Responder - Payload (36:ISAKMP_NEXT_v2IDr) Aug 26 13:10:04.078982: | next payload chain: saving location 
'IKEv2 Identification - Responder - Payload'.'next payload type' in 'reply packet' Aug 26 13:10:04.078985: | emitting 4 raw bytes of my identity into IKEv2 Identification - Responder - Payload Aug 26 13:10:04.078987: | my identity 65 61 73 74 Aug 26 13:10:04.078990: | emitting length of IKEv2 Identification - Responder - Payload: 12 Aug 26 13:10:04.078996: | assembled IDr payload Aug 26 13:10:04.078999: | CHILD SA proposals received Aug 26 13:10:04.079001: | going to assemble AUTH payload Aug 26 13:10:04.079004: | ****emit IKEv2 Authentication Payload: Aug 26 13:10:04.079062: | next payload type: ISAKMP_NEXT_v2SA (0x21) Aug 26 13:10:04.079066: | flags: none (0x0) Aug 26 13:10:04.079069: | auth method: IKEv2_AUTH_SHARED (0x2) Aug 26 13:10:04.079072: | next payload chain: ignoring supplied 'IKEv2 Authentication Payload'.'next payload type' value 33:ISAKMP_NEXT_v2SA Aug 26 13:10:04.079075: | next payload chain: setting previous 'IKEv2 Identification - Responder - Payload'.'next payload type' to current IKEv2 Authentication Payload (39:ISAKMP_NEXT_v2AUTH) Aug 26 13:10:04.079077: | next payload chain: saving location 'IKEv2 Authentication Payload'.'next payload type' in 'reply packet' Aug 26 13:10:04.079080: | ikev2_calculate_psk_sighash() called from STATE_PARENT_R2 to create PSK with authby=secret Aug 26 13:10:04.079084: | started looking for secret for @east->192.1.2.45 of kind PKK_PSK Aug 26 13:10:04.079088: | actually looking for secret for @east->192.1.2.45 of kind PKK_PSK Aug 26 13:10:04.079092: | line 1: key type PKK_PSK(@east) to type PKK_PSK Aug 26 13:10:04.079097: | 1: compared key (none) to @east / 192.1.2.45 -> 002 Aug 26 13:10:04.079099: | 2: compared key (none) to @east / 192.1.2.45 -> 002 Aug 26 13:10:04.079102: | line 1: match=002 Aug 26 13:10:04.079104: | match 002 beats previous best_match 000 match=0x563549495c48 (line=1) Aug 26 13:10:04.079107: | concluding with best_match=002 best=0x563549495c48 (lineno=1) Aug 26 13:10:04.079156: | emitting 64 raw 
bytes of PSK auth into IKEv2 Authentication Payload Aug 26 13:10:04.079160: | PSK auth b7 d4 49 15 2c 11 f6 01 3a 38 0c 7c 5b 7a a8 ff Aug 26 13:10:04.079162: | PSK auth ee c9 81 a7 95 9a ad a4 b6 24 c0 75 c5 d9 7b 39 Aug 26 13:10:04.079164: | PSK auth 7d 30 2a 00 ce f8 68 ec 6d 6c c3 7c 29 f5 4e 08 Aug 26 13:10:04.079167: | PSK auth 1f d4 01 dc 22 32 e2 7d 37 45 2a 93 db db 14 ad Aug 26 13:10:04.079169: | emitting length of IKEv2 Authentication Payload: 72 Aug 26 13:10:04.079177: | creating state object #2 at 0x563549542c88 Aug 26 13:10:04.079179: | State DB: adding IKEv2 state #2 in UNDEFINED Aug 26 13:10:04.079183: | pstats #2 ikev2.child started Aug 26 13:10:04.079187: | duplicating state object #1 "eastnet-any"[1] 192.1.2.45 as #2 for IPSEC SA Aug 26 13:10:04.079191: | #2 setting local endpoint to 192.1.2.23:500 from #1.st_localport (in duplicate_state() at state.c:1484) Aug 26 13:10:04.079196: | Message ID: init_child #1.#2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0; child: wip.initiator=0->-1 wip.responder=0->-1 Aug 26 13:10:04.079201: | Message ID: switch-from #1 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=1->-1 Aug 26 13:10:04.079205: | Message ID: switch-to #1.#2 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0; child: wip.initiator=-1 wip.responder=-1->1 Aug 26 13:10:04.079208: | Child SA TS Request has ike->sa == md->st; so using parent connection Aug 26 13:10:04.079212: | TSi: parsing 1 traffic selectors Aug 26 13:10:04.079215: | ***parse IKEv2 Traffic Selector: Aug 26 13:10:04.079218: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 13:10:04.079221: | IP Protocol ID: 0 (0x0) Aug 26 13:10:04.079223: | length: 16 (0x10) Aug 26 13:10:04.079225: | start port: 0 (0x0) Aug 26 13:10:04.079228: | end port: 65535 (0xffff) Aug 26 13:10:04.079230: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Aug 26 
13:10:04.079232: | TS low c0 00 01 00 Aug 26 13:10:04.079235: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Aug 26 13:10:04.079237: | TS high c0 00 01 ff Aug 26 13:10:04.079239: | TSi: parsed 1 traffic selectors Aug 26 13:10:04.079242: | TSr: parsing 1 traffic selectors Aug 26 13:10:04.079244: | ***parse IKEv2 Traffic Selector: Aug 26 13:10:04.079247: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 13:10:04.079249: | IP Protocol ID: 0 (0x0) Aug 26 13:10:04.079251: | length: 16 (0x10) Aug 26 13:10:04.079253: | start port: 0 (0x0) Aug 26 13:10:04.079255: | end port: 65535 (0xffff) Aug 26 13:10:04.079258: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Aug 26 13:10:04.079260: | TS low c0 00 02 00 Aug 26 13:10:04.079262: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Aug 26 13:10:04.079264: | TS high c0 00 02 ff Aug 26 13:10:04.079266: | TSr: parsed 1 traffic selectors Aug 26 13:10:04.079269: | looking for best SPD in current connection Aug 26 13:10:04.079274: | evaluating our conn="eastnet-any"[1] 192.1.2.45 I=192.0.1.0/24:0/0 R=192.0.2.0/24:0/0 to their: Aug 26 13:10:04.079279: | TSi[0] .net=192.0.1.0-192.0.1.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 13:10:04.079285: | match address end->client=192.0.1.0/24 == TSi[0]net=192.0.1.0-192.0.1.255: YES fitness 32 Aug 26 13:10:04.079298: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Aug 26 13:10:04.079304: | TSi[0] port match: YES fitness 65536 Aug 26 13:10:04.079307: | narrow protocol end=*0 == TSi[0]=*0: 0 Aug 26 13:10:04.079310: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Aug 26 13:10:04.079314: | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 13:10:04.079318: | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 Aug 26 13:10:04.079321: | narrow port end=0..65535 == TSr[0]=0..65535: 0 Aug 26 13:10:04.079323: | TSr[0] port match: YES fitness 65536 Aug 26 13:10:04.079326: | narrow 
protocol end=*0 == TSr[0]=*0: 0 Aug 26 13:10:04.079328: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Aug 26 13:10:04.079331: | best fit so far: TSi[0] TSr[0] Aug 26 13:10:04.079333: | found better spd route for TSi[0],TSr[0] Aug 26 13:10:04.079336: | looking for better host pair Aug 26 13:10:04.079340: | find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500 but ignoring ports Aug 26 13:10:04.079344: | checking hostpair 192.0.2.0/24 -> 192.0.1.0/24 is found Aug 26 13:10:04.079347: | investigating connection "eastnet-any" as a better match Aug 26 13:10:04.079350: | match_id a=192.1.2.45 Aug 26 13:10:04.079353: | b=192.1.2.45 Aug 26 13:10:04.079355: | results matched Aug 26 13:10:04.079360: | evaluating our conn="eastnet-any"[1] 192.1.2.45 I=192.0.1.0/24:0/0 R=192.0.2.0/24:0/0 to their: Aug 26 13:10:04.079363: | TSi[0] .net=192.0.1.0-192.0.1.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 13:10:04.079368: | match address end->client=192.0.1.0/24 == TSi[0]net=192.0.1.0-192.0.1.255: YES fitness 32 Aug 26 13:10:04.079371: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Aug 26 13:10:04.079373: | TSi[0] port match: YES fitness 65536 Aug 26 13:10:04.079376: | narrow protocol end=*0 == TSi[0]=*0: 0 Aug 26 13:10:04.079378: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Aug 26 13:10:04.079382: | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 13:10:04.079388: | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 Aug 26 13:10:04.079390: | narrow port end=0..65535 == TSr[0]=0..65535: 0 Aug 26 13:10:04.079393: | TSr[0] port match: YES fitness 65536 Aug 26 13:10:04.079395: | narrow protocol end=*0 == TSr[0]=*0: 0 Aug 26 13:10:04.079398: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Aug 26 13:10:04.079400: | best fit so far: TSi[0] TSr[0] Aug 26 13:10:04.079402: | did not find a better connection using host pair Aug 26 13:10:04.079405: | printing 
contents struct traffic_selector Aug 26 13:10:04.079407: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Aug 26 13:10:04.079409: | ipprotoid: 0 Aug 26 13:10:04.079411: | port range: 0-65535 Aug 26 13:10:04.079415: | ip range: 192.0.2.0-192.0.2.255 Aug 26 13:10:04.079417: | printing contents struct traffic_selector Aug 26 13:10:04.079419: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Aug 26 13:10:04.079421: | ipprotoid: 0 Aug 26 13:10:04.079423: | port range: 0-65535 Aug 26 13:10:04.079426: | ip range: 192.0.1.0-192.0.1.255 Aug 26 13:10:04.079430: | constructing ESP/AH proposals with all DH removed for eastnet-any (IKE_AUTH responder matching remote ESP/AH proposals) Aug 26 13:10:04.079439: | converting proposal AES_GCM_16_256-NONE to ikev2 ... Aug 26 13:10:04.079444: | ... ikev2_proposal: 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;DH=NONE;ESN=DISABLED Aug 26 13:10:04.079447: | converting proposal AES_GCM_16_128-NONE to ikev2 ... Aug 26 13:10:04.079450: | ... ikev2_proposal: 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;DH=NONE;ESN=DISABLED Aug 26 13:10:04.079453: | converting proposal AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128 to ikev2 ... Aug 26 13:10:04.079457: | ... ikev2_proposal: 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED Aug 26 13:10:04.079460: | converting proposal AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128 to ikev2 ... Aug 26 13:10:04.079463: | ... 
ikev2_proposal: 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED Aug 26 13:10:04.079471: "eastnet-any"[1] 192.1.2.45: constructed local ESP/AH proposals for eastnet-any (IKE_AUTH responder matching remote ESP/AH proposals): 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;DH=NONE;ESN=DISABLED 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;DH=NONE;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED Aug 26 13:10:04.079474: | Comparing remote proposals against IKE_AUTH responder matching remote ESP/AH proposals 4 local proposals Aug 26 13:10:04.079477: | local proposal 1 type ENCR has 1 transforms Aug 26 13:10:04.079480: | local proposal 1 type PRF has 0 transforms Aug 26 13:10:04.079482: | local proposal 1 type INTEG has 1 transforms Aug 26 13:10:04.079485: | local proposal 1 type DH has 1 transforms Aug 26 13:10:04.079487: | local proposal 1 type ESN has 1 transforms Aug 26 13:10:04.079490: | local proposal 1 transforms: required: ENCR+ESN; optional: INTEG+DH Aug 26 13:10:04.079492: | local proposal 2 type ENCR has 1 transforms Aug 26 13:10:04.079495: | local proposal 2 type PRF has 0 transforms Aug 26 13:10:04.079497: | local proposal 2 type INTEG has 1 transforms Aug 26 13:10:04.079499: | local proposal 2 type DH has 1 transforms Aug 26 13:10:04.079501: | local proposal 2 type ESN has 1 transforms Aug 26 13:10:04.079504: | local proposal 2 transforms: required: ENCR+ESN; optional: INTEG+DH Aug 26 13:10:04.079506: | local proposal 3 type ENCR has 1 transforms Aug 26 13:10:04.079509: | local proposal 3 type PRF has 0 transforms Aug 26 13:10:04.079511: | local proposal 3 type INTEG has 2 transforms Aug 26 13:10:04.079513: | local proposal 3 type DH has 1 transforms Aug 26 13:10:04.079515: | local proposal 3 type ESN has 1 transforms Aug 26 13:10:04.079518: | local proposal 3 transforms: required: ENCR+INTEG+ESN; optional: 
DH Aug 26 13:10:04.079521: | local proposal 4 type ENCR has 1 transforms Aug 26 13:10:04.079524: | local proposal 4 type PRF has 0 transforms Aug 26 13:10:04.079526: | local proposal 4 type INTEG has 2 transforms Aug 26 13:10:04.079528: | local proposal 4 type DH has 1 transforms Aug 26 13:10:04.079531: | local proposal 4 type ESN has 1 transforms Aug 26 13:10:04.079533: | local proposal 4 transforms: required: ENCR+INTEG+ESN; optional: DH Aug 26 13:10:04.079536: | ***parse IKEv2 Proposal Substructure Payload: Aug 26 13:10:04.079539: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 13:10:04.079541: | length: 32 (0x20) Aug 26 13:10:04.079543: | prop #: 1 (0x1) Aug 26 13:10:04.079546: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 13:10:04.079548: | spi size: 4 (0x4) Aug 26 13:10:04.079550: | # transforms: 2 (0x2) Aug 26 13:10:04.079553: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Aug 26 13:10:04.079555: | remote SPI 93 5f 0d db Aug 26 13:10:04.079558: | Comparing remote proposal 1 containing 2 transforms against local proposal [1..4] of 4 local proposals Aug 26 13:10:04.079561: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:04.079563: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:04.079566: | length: 12 (0xc) Aug 26 13:10:04.079568: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:10:04.079570: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 13:10:04.079573: | *****parse IKEv2 Attribute Substructure Payload: Aug 26 13:10:04.079575: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:10:04.079578: | length/value: 256 (0x100) Aug 26 13:10:04.079582: | remote proposal 1 transform 0 (ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) transform 0 Aug 26 13:10:04.079584: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:04.079586: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:10:04.079589: | length: 8 (0x8) Aug 26 13:10:04.079591: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 
13:10:04.079593: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 13:10:04.079596: | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 1 type 5 (ESN) transform 0 Aug 26 13:10:04.079599: | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 2 type 5 (ESN) transform 0 Aug 26 13:10:04.079602: | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 3 type 5 (ESN) transform 0 Aug 26 13:10:04.079605: | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 4 type 5 (ESN) transform 0 Aug 26 13:10:04.079608: | remote proposal 1 proposed transforms: ENCR+ESN; matched: ENCR+ESN; unmatched: none Aug 26 13:10:04.079612: | comparing remote proposal 1 containing ENCR+ESN transforms to local proposal 1; required: ENCR+ESN; optional: INTEG+DH; matched: ENCR+ESN Aug 26 13:10:04.079614: | remote proposal 1 matches local proposal 1 Aug 26 13:10:04.079617: | ***parse IKEv2 Proposal Substructure Payload: Aug 26 13:10:04.079619: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 13:10:04.079621: | length: 32 (0x20) Aug 26 13:10:04.079624: | prop #: 2 (0x2) Aug 26 13:10:04.079626: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 13:10:04.079628: | spi size: 4 (0x4) Aug 26 13:10:04.079630: | # transforms: 2 (0x2) Aug 26 13:10:04.079633: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Aug 26 13:10:04.079635: | remote SPI 93 5f 0d db Aug 26 13:10:04.079638: | Comparing remote proposal 2 containing 2 transforms against local proposal [1..0] of 4 local proposals Aug 26 13:10:04.079640: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:04.079642: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:04.079645: | length: 12 (0xc) Aug 26 13:10:04.079647: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:10:04.079649: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 13:10:04.079651: | *****parse IKEv2 Attribute Substructure Payload: Aug 26 13:10:04.079654: | af+type: AF+IKEv2_KEY_LENGTH 
(0x800e) Aug 26 13:10:04.079657: | length/value: 128 (0x80) Aug 26 13:10:04.079660: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:04.079662: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:10:04.079664: | length: 8 (0x8) Aug 26 13:10:04.079666: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 13:10:04.079669: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 13:10:04.079672: | remote proposal 2 proposed transforms: ENCR+ESN; matched: none; unmatched: ENCR+ESN Aug 26 13:10:04.079674: | remote proposal 2 does not match; unmatched remote transforms: ENCR+ESN Aug 26 13:10:04.079677: | ***parse IKEv2 Proposal Substructure Payload: Aug 26 13:10:04.079679: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 13:10:04.079681: | length: 48 (0x30) Aug 26 13:10:04.079683: | prop #: 3 (0x3) Aug 26 13:10:04.079686: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 13:10:04.079688: | spi size: 4 (0x4) Aug 26 13:10:04.079690: | # transforms: 4 (0x4) Aug 26 13:10:04.079692: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Aug 26 13:10:04.079695: | remote SPI 93 5f 0d db Aug 26 13:10:04.079697: | Comparing remote proposal 3 containing 4 transforms against local proposal [1..0] of 4 local proposals Aug 26 13:10:04.079700: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:04.079702: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:04.079704: | length: 12 (0xc) Aug 26 13:10:04.079706: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:10:04.079708: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 13:10:04.079711: | *****parse IKEv2 Attribute Substructure Payload: Aug 26 13:10:04.079713: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:10:04.079715: | length/value: 256 (0x100) Aug 26 13:10:04.079718: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:04.079720: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:04.079722: | length: 8 (0x8) Aug 26 13:10:04.079725: | IKEv2 transform type: 
TRANS_TYPE_INTEG (0x3) Aug 26 13:10:04.079727: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Aug 26 13:10:04.079729: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:04.079732: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:04.079734: | length: 8 (0x8) Aug 26 13:10:04.079736: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:10:04.079738: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Aug 26 13:10:04.079741: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:04.079743: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:10:04.079745: | length: 8 (0x8) Aug 26 13:10:04.079747: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 13:10:04.079750: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 13:10:04.079753: | remote proposal 3 proposed transforms: ENCR+INTEG+ESN; matched: none; unmatched: ENCR+INTEG+ESN Aug 26 13:10:04.079755: | remote proposal 3 does not match; unmatched remote transforms: ENCR+INTEG+ESN Aug 26 13:10:04.079758: | ***parse IKEv2 Proposal Substructure Payload: Aug 26 13:10:04.079760: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 13:10:04.079762: | length: 48 (0x30) Aug 26 13:10:04.079764: | prop #: 4 (0x4) Aug 26 13:10:04.079766: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 13:10:04.079769: | spi size: 4 (0x4) Aug 26 13:10:04.079771: | # transforms: 4 (0x4) Aug 26 13:10:04.079773: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Aug 26 13:10:04.079775: | remote SPI 93 5f 0d db Aug 26 13:10:04.079778: | Comparing remote proposal 4 containing 4 transforms against local proposal [1..0] of 4 local proposals Aug 26 13:10:04.079780: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:04.079783: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:04.079785: | length: 12 (0xc) Aug 26 13:10:04.079787: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:10:04.079789: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 13:10:04.079792: | *****parse IKEv2 Attribute 
Substructure Payload: Aug 26 13:10:04.079795: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:10:04.079798: | length/value: 128 (0x80) Aug 26 13:10:04.079800: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:04.079803: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:04.079805: | length: 8 (0x8) Aug 26 13:10:04.079807: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:10:04.079809: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Aug 26 13:10:04.079812: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:04.079814: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:04.079816: | length: 8 (0x8) Aug 26 13:10:04.079818: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:10:04.079821: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Aug 26 13:10:04.079823: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:04.079825: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:10:04.079828: | length: 8 (0x8) Aug 26 13:10:04.079830: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 13:10:04.079832: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 13:10:04.079835: | remote proposal 4 proposed transforms: ENCR+INTEG+ESN; matched: none; unmatched: ENCR+INTEG+ESN Aug 26 13:10:04.079838: | remote proposal 4 does not match; unmatched remote transforms: ENCR+INTEG+ESN Aug 26 13:10:04.079843: "eastnet-any"[1] 192.1.2.45 #1: proposal 1:ESP:SPI=935f0ddb;ENCR=AES_GCM_C_256;ESN=DISABLED chosen from remote proposals 1:ESP:ENCR=AES_GCM_C_256;ESN=DISABLED[first-match] 2:ESP:ENCR=AES_GCM_C_128;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED Aug 26 13:10:04.079848: | IKE_AUTH responder matching remote ESP/AH proposals ikev2_proposal: 1:ESP:SPI=935f0ddb;ENCR=AES_GCM_C_256;ESN=DISABLED Aug 26 13:10:04.079850: | converting proposal to internal trans attrs Aug 26 13:10:04.079867: | 
netlink_get_spi: allocated 0x909f43c1 for esp.0@192.1.2.23 Aug 26 13:10:04.079870: | Emitting ikev2_proposal ... Aug 26 13:10:04.079873: | ****emit IKEv2 Security Association Payload: Aug 26 13:10:04.079875: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:04.079878: | flags: none (0x0) Aug 26 13:10:04.079881: | next payload chain: setting previous 'IKEv2 Authentication Payload'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Aug 26 13:10:04.079884: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Aug 26 13:10:04.079887: | *****emit IKEv2 Proposal Substructure Payload: Aug 26 13:10:04.079889: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 13:10:04.079891: | prop #: 1 (0x1) Aug 26 13:10:04.079893: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 13:10:04.079896: | spi size: 4 (0x4) Aug 26 13:10:04.079898: | # transforms: 2 (0x2) Aug 26 13:10:04.079900: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Aug 26 13:10:04.079904: | emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload Aug 26 13:10:04.079906: | our spi 90 9f 43 c1 Aug 26 13:10:04.079908: | ******emit IKEv2 Transform Substructure Payload: Aug 26 13:10:04.079911: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:04.079913: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:10:04.079915: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 13:10:04.079918: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:10:04.079920: | *******emit IKEv2 Attribute Substructure Payload: Aug 26 13:10:04.079923: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:10:04.079925: | length/value: 256 (0x100) Aug 26 13:10:04.079928: | emitting length of IKEv2 Transform Substructure Payload: 12 Aug 26 13:10:04.079930: | ******emit 
IKEv2 Transform Substructure Payload: Aug 26 13:10:04.079934: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:10:04.079937: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 13:10:04.079939: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 13:10:04.079942: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:04.079945: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:10:04.079947: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:10:04.079950: | emitting length of IKEv2 Proposal Substructure Payload: 32 Aug 26 13:10:04.079952: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Aug 26 13:10:04.079955: | emitting length of IKEv2 Security Association Payload: 36 Aug 26 13:10:04.079958: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Aug 26 13:10:04.079960: | ****emit IKEv2 Traffic Selector - Initiator - Payload: Aug 26 13:10:04.079963: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:04.079965: | flags: none (0x0) Aug 26 13:10:04.079967: | number of TS: 1 (0x1) Aug 26 13:10:04.079970: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Traffic Selector - Initiator - Payload (44:ISAKMP_NEXT_v2TSi) Aug 26 13:10:04.079973: | next payload chain: saving location 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' in 'reply packet' Aug 26 13:10:04.079975: | *****emit IKEv2 Traffic Selector: Aug 26 13:10:04.079978: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 13:10:04.079980: | IP Protocol ID: 0 (0x0) Aug 26 13:10:04.079982: | start port: 0 (0x0) Aug 26 13:10:04.079984: | end port: 65535 (0xffff) Aug 26 
13:10:04.079987: | emitting 4 raw bytes of ipv4 start into IKEv2 Traffic Selector Aug 26 13:10:04.079990: | ipv4 start c0 00 01 00 Aug 26 13:10:04.079992: | emitting 4 raw bytes of ipv4 end into IKEv2 Traffic Selector Aug 26 13:10:04.079994: | ipv4 end c0 00 01 ff Aug 26 13:10:04.079996: | emitting length of IKEv2 Traffic Selector: 16 Aug 26 13:10:04.079999: | emitting length of IKEv2 Traffic Selector - Initiator - Payload: 24 Aug 26 13:10:04.080001: | ****emit IKEv2 Traffic Selector - Responder - Payload: Aug 26 13:10:04.080004: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:04.080006: | flags: none (0x0) Aug 26 13:10:04.080008: | number of TS: 1 (0x1) Aug 26 13:10:04.080011: | next payload chain: setting previous 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' to current IKEv2 Traffic Selector - Responder - Payload (45:ISAKMP_NEXT_v2TSr) Aug 26 13:10:04.080014: | next payload chain: saving location 'IKEv2 Traffic Selector - Responder - Payload'.'next payload type' in 'reply packet' Aug 26 13:10:04.080016: | *****emit IKEv2 Traffic Selector: Aug 26 13:10:04.080018: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 13:10:04.080020: | IP Protocol ID: 0 (0x0) Aug 26 13:10:04.080023: | start port: 0 (0x0) Aug 26 13:10:04.080025: | end port: 65535 (0xffff) Aug 26 13:10:04.080027: | emitting 4 raw bytes of ipv4 start into IKEv2 Traffic Selector Aug 26 13:10:04.080029: | ipv4 start c0 00 02 00 Aug 26 13:10:04.080032: | emitting 4 raw bytes of ipv4 end into IKEv2 Traffic Selector Aug 26 13:10:04.080034: | ipv4 end c0 00 02 ff Aug 26 13:10:04.080036: | emitting length of IKEv2 Traffic Selector: 16 Aug 26 13:10:04.080039: | emitting length of IKEv2 Traffic Selector - Responder - Payload: 24 Aug 26 13:10:04.080041: | Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED Aug 26 13:10:04.080044: | integ=none: .key_size=0 encrypt=aes_gcm_16: .key_size=32 .salt_size=4 keymat_len=36 Aug 26 13:10:04.080180: | FOR_EACH_CONNECTION_... 
in ISAKMP_SA_established Aug 26 13:10:04.080189: | #1 spent 1.54 milliseconds Aug 26 13:10:04.080194: | install_ipsec_sa() for #2: inbound and outbound Aug 26 13:10:04.080197: | could_route called for eastnet-any (kind=CK_INSTANCE) Aug 26 13:10:04.080199: | FOR_EACH_CONNECTION_... in route_owner Aug 26 13:10:04.080202: | conn eastnet-any mark 0/00000000, 0/00000000 vs Aug 26 13:10:04.080205: | conn eastnet-any mark 0/00000000, 0/00000000 Aug 26 13:10:04.080207: | conn eastnet-any mark 0/00000000, 0/00000000 vs Aug 26 13:10:04.080210: | conn eastnet-any mark 0/00000000, 0/00000000 Aug 26 13:10:04.080215: | route owner of "eastnet-any"[1] 192.1.2.45 unrouted: NULL; eroute owner: NULL Aug 26 13:10:04.080218: | looking for alg with encrypt: AES_GCM_16 keylen: 256 integ: NONE Aug 26 13:10:04.080221: | encrypt AES_GCM_16 keylen=256 transid=20, key_size=32, encryptalg=20 Aug 26 13:10:04.080224: | AES_GCM_16 requires 4 salt bytes Aug 26 13:10:04.080227: | st->st_esp.keymat_len=36 is encrypt_keymat_size=36 + integ_keymat_size=0 Aug 26 13:10:04.080230: | setting IPsec SA replay-window to 32 Aug 26 13:10:04.080233: | NIC esp-hw-offload not for connection 'eastnet-any' not available on interface eth1 Aug 26 13:10:04.080236: | netlink: enabling tunnel mode Aug 26 13:10:04.080239: | netlink: setting IPsec SA replay-window to 32 using old-style req Aug 26 13:10:04.080242: | netlink: esp-hw-offload not set for IPsec SA Aug 26 13:10:04.080319: | netlink response for Add SA esp.935f0ddb@192.1.2.45 included non-error error Aug 26 13:10:04.080327: | set up outgoing SA, ref=0/0 Aug 26 13:10:04.080330: | looking for alg with encrypt: AES_GCM_16 keylen: 256 integ: NONE Aug 26 13:10:04.080333: | encrypt AES_GCM_16 keylen=256 transid=20, key_size=32, encryptalg=20 Aug 26 13:10:04.080335: | AES_GCM_16 requires 4 salt bytes Aug 26 13:10:04.080338: | st->st_esp.keymat_len=36 is encrypt_keymat_size=36 + integ_keymat_size=0 Aug 26 13:10:04.080341: | setting IPsec SA replay-window to 32 Aug 26 
13:10:04.080344: | NIC esp-hw-offload not for connection 'eastnet-any' not available on interface eth1 Aug 26 13:10:04.080346: | netlink: enabling tunnel mode Aug 26 13:10:04.080348: | netlink: setting IPsec SA replay-window to 32 using old-style req Aug 26 13:10:04.080351: | netlink: esp-hw-offload not set for IPsec SA Aug 26 13:10:04.080393: | netlink response for Add SA esp.909f43c1@192.1.2.23 included non-error error Aug 26 13:10:04.080398: | priority calculation of connection "eastnet-any" is 0xfe7e7 Aug 26 13:10:04.080404: | add inbound eroute 192.0.1.0/24:0 --0-> 192.0.2.0/24:0 => tun.10000@192.1.2.23 (raw_eroute) Aug 26 13:10:04.080407: | IPsec Sa SPD priority set to 1042407 Aug 26 13:10:04.080430: | raw_eroute result=success Aug 26 13:10:04.080433: | set up incoming SA, ref=0/0 Aug 26 13:10:04.080435: | sr for #2: unrouted Aug 26 13:10:04.080438: | route_and_eroute() for proto 0, and source port 0 dest port 0 Aug 26 13:10:04.080441: | FOR_EACH_CONNECTION_... in route_owner Aug 26 13:10:04.080443: | conn eastnet-any mark 0/00000000, 0/00000000 vs Aug 26 13:10:04.080446: | conn eastnet-any mark 0/00000000, 0/00000000 Aug 26 13:10:04.080448: | conn eastnet-any mark 0/00000000, 0/00000000 vs Aug 26 13:10:04.080451: | conn eastnet-any mark 0/00000000, 0/00000000 Aug 26 13:10:04.080455: | route owner of "eastnet-any"[1] 192.1.2.45 unrouted: NULL; eroute owner: NULL Aug 26 13:10:04.080459: | route_and_eroute with c: eastnet-any (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: #2 Aug 26 13:10:04.080462: | priority calculation of connection "eastnet-any" is 0xfe7e7 Aug 26 13:10:04.080468: | eroute_connection add eroute 192.0.2.0/24:0 --0-> 192.0.1.0/24:0 => tun.0@192.1.2.45 (raw_eroute) Aug 26 13:10:04.080470: | IPsec Sa SPD priority set to 1042407 Aug 26 13:10:04.080482: | raw_eroute result=success Aug 26 13:10:04.080486: | running updown command "ipsec _updown" for verb up Aug 26 13:10:04.080488: | command executing up-client Aug 26 
13:10:04.080511: | executing up-client: PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-any' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='192.1.2.45' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x935f0ddb SP Aug 26 13:10:04.080517: | popen cmd is 1031 chars long Aug 26 13:10:04.080520: | cmd( 0):PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-any' PLUTO_: Aug 26 13:10:04.080523: | cmd( 80):INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID=': Aug 26 13:10:04.080525: | cmd( 160):@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_C: Aug 26 13:10:04.080528: | cmd( 240):LIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQI: Aug 26 13:10:04.080530: | cmd( 320):D='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='192.1.2.45': Aug 26 13:10:04.080532: | cmd( 400): PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_C: Aug 26 13:10:04.080535: | cmd( 480):LIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEE: Aug 26 13:10:04.080537: | cmd( 560):R_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' 
PLUTO_CONN_POLICY='PSK+ENCRYPT+TU: Aug 26 13:10:04.080539: | cmd( 640):NNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_INST: Aug 26 13:10:04.080542: | cmd( 720):ANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_: Aug 26 13:10:04.080544: | cmd( 800):PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER: Aug 26 13:10:04.080547: | cmd( 880):='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' : Aug 26 13:10:04.080549: | cmd( 960):VTI_SHARED='no' SPI_IN=0x935f0ddb SPI_OUT=0x909f43c1 ipsec _updown 2>&1: Aug 26 13:10:04.091934: | route_and_eroute: firewall_notified: true Aug 26 13:10:04.091953: | running updown command "ipsec _updown" for verb prepare Aug 26 13:10:04.091956: | command executing prepare-client Aug 26 13:10:04.091981: | executing prepare-client: PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-any' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='192.1.2.45' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x9 Aug 26 13:10:04.091985: | popen cmd is 1036 chars long Aug 26 13:10:04.091987: | cmd( 0):PLUTO_VERB='prepare-client' 
PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-any' P: Aug 26 13:10:04.091989: | cmd( 80):LUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY: Aug 26 13:10:04.091991: | cmd( 160):_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO: Aug 26 13:10:04.091996: | cmd( 240):_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA: Aug 26 13:10:04.091998: | cmd( 320):_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='192.1.: Aug 26 13:10:04.092000: | cmd( 400):2.45' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_P: Aug 26 13:10:04.092002: | cmd( 480):EER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUT: Aug 26 13:10:04.092004: | cmd( 560):O_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRY: Aug 26 13:10:04.092006: | cmd( 640):PT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK: Aug 26 13:10:04.092008: | cmd( 720):_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' P: Aug 26 13:10:04.092009: | cmd( 800):LUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_S: Aug 26 13:10:04.092011: | cmd( 880):ERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING=: Aug 26 13:10:04.092013: | cmd( 960):'no' VTI_SHARED='no' SPI_IN=0x935f0ddb SPI_OUT=0x909f43c1 ipsec _updown 2>&1: Aug 26 13:10:04.099487: | running updown command "ipsec _updown" for verb route Aug 26 13:10:04.099503: | command executing route-client Aug 26 13:10:04.099525: | executing route-client: PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-any' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' 
PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='192.1.2.45' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x935f0 Aug 26 13:10:04.099529: | popen cmd is 1034 chars long Aug 26 13:10:04.099531: | cmd( 0):PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-any' PLU: Aug 26 13:10:04.099533: | cmd( 80):TO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_I: Aug 26 13:10:04.099535: | cmd( 160):D='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_M: Aug 26 13:10:04.099537: | cmd( 240):Y_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_R: Aug 26 13:10:04.099538: | cmd( 320):EQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='192.1.2.: Aug 26 13:10:04.099540: | cmd( 400):45' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEE: Aug 26 13:10:04.099542: | cmd( 480):R_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_: Aug 26 13:10:04.099543: | cmd( 560):PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT: Aug 26 13:10:04.099545: | cmd( 640):+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_I: Aug 26 13:10:04.099547: | cmd( 720):NSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLU: Aug 26 13:10:04.099548: | cmd( 800):TO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' 
PLUTO_CFG_SER: Aug 26 13:10:04.099550: | cmd( 880):VER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='n: Aug 26 13:10:04.099552: | cmd( 960):o' VTI_SHARED='no' SPI_IN=0x935f0ddb SPI_OUT=0x909f43c1 ipsec _updown 2>&1: Aug 26 13:10:04.110163: | route_and_eroute: instance "eastnet-any"[1] 192.1.2.45, setting eroute_owner {spd=0x56354953e148,sr=0x56354953e148} to #2 (was #0) (newest_ipsec_sa=#0) Aug 26 13:10:04.110268: | #1 spent 1.9 milliseconds in install_ipsec_sa() Aug 26 13:10:04.110276: | ISAKMP_v2_IKE_AUTH: instance eastnet-any[1], setting IKEv2 newest_ipsec_sa to #2 (was #0) (spd.eroute=#2) cloned from #1 Aug 26 13:10:04.110280: | adding 1 bytes of padding (including 1 byte padding-length) Aug 26 13:10:04.110285: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:10:04.110302: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Aug 26 13:10:04.110310: | emitting length of IKEv2 Encryption Payload: 197 Aug 26 13:10:04.110313: | emitting length of ISAKMP Message: 225 Aug 26 13:10:04.110348: | ikev2_parent_inI2outR2_continue_tail returned STF_OK Aug 26 13:10:04.110356: | #1 spent 3.53 milliseconds in processing: Responder: process IKE_AUTH request in ikev2_process_state_packet() Aug 26 13:10:04.110367: | suspend processing: state #1 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:10:04.110374: | start processing: state #2 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:10:04.110379: | #2 complete_v2_state_transition() md.from_state=PARENT_R1 md.svm.state[from]=PARENT_R1 UNDEFINED->V2_IPSEC_R with status STF_OK Aug 26 13:10:04.110383: | IKEv2: transition from state STATE_PARENT_R1 to state STATE_V2_IPSEC_R Aug 26 13:10:04.110387: | child state #2: UNDEFINED(ignore) => V2_IPSEC_R(established CHILD SA) Aug 26 
13:10:04.110392: | Message ID: updating counters for #2 to 1 after switching state Aug 26 13:10:04.110399: | Message ID: recv #1.#2 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0->1; child: wip.initiator=-1 wip.responder=1->-1 Aug 26 13:10:04.110404: | Message ID: sent #1.#2 response 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0->1 responder.recv=1; child: wip.initiator=-1 wip.responder=-1 Aug 26 13:10:04.110408: | pstats #2 ikev2.child established Aug 26 13:10:04.110418: "eastnet-any"[1] 192.1.2.45 #2: negotiated connection [192.0.2.0-192.0.2.255:0-65535 0] -> [192.0.1.0-192.0.1.255:0-65535 0] Aug 26 13:10:04.110424: | NAT-T: encaps is 'auto' Aug 26 13:10:04.110430: "eastnet-any"[1] 192.1.2.45 #2: STATE_V2_IPSEC_R: IPsec SA established tunnel mode {ESP=>0x935f0ddb <0x909f43c1 xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive} Aug 26 13:10:04.110436: | sending V2 new request packet to 192.1.2.45:500 (from 192.1.2.23:500) Aug 26 13:10:04.110445: | sending 225 bytes for STATE_PARENT_R1 through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #1)
Aug 26 13:10:04.110529: | releasing whack for #2 (sock=fd@-1) Aug 26 13:10:04.110534: | releasing whack and unpending for parent #1 Aug 26 13:10:04.110539: | unpending state #1 connection "eastnet-any"[1] 192.1.2.45 Aug 26 13:10:04.110544: | #2 will start re-keying in 28530 seconds with margin of 270 seconds (attempting re-key) Aug 26 13:10:04.110551: | event_schedule: new EVENT_SA_REKEY-pe@0x7f7574002b78 Aug 26 13:10:04.110555: | inserting event EVENT_SA_REKEY, timeout in 28530 seconds for #2 Aug 26 13:10:04.110559: | libevent_malloc: new ptr-libevent@0x563549542bd8 size 128 Aug 26 13:10:04.110575: | resume sending helper answer for #1 suppresed complete_v2_state_transition() Aug 26 13:10:04.110585: | #1 spent 3.86 milliseconds in resume sending helper answer Aug 26 13:10:04.110592: | stop processing: state #2 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in resume_handler() at server.c:833) Aug 26 13:10:04.110598: | libevent_free: release ptr-libevent@0x7f756c000f48 Aug 26 13:10:04.110613: | processing signal PLUTO_SIGCHLD Aug 26 13:10:04.110620: | waitpid returned ECHILD (no child processes left) Aug 26 13:10:04.110625: | spent 0.00574 milliseconds in signal handler PLUTO_SIGCHLD Aug 26 13:10:04.110628: | processing signal PLUTO_SIGCHLD Aug 26 13:10:04.110632: | waitpid returned ECHILD (no child processes left) Aug 26 13:10:04.110636: | spent 0.00397 milliseconds in signal handler PLUTO_SIGCHLD Aug 26 13:10:04.110639: | processing signal PLUTO_SIGCHLD Aug 26 13:10:04.110643: | waitpid returned ECHILD (no child processes left) Aug 26 13:10:04.110647: | spent 0.00413 milliseconds in signal handler PLUTO_SIGCHLD Aug 26 13:10:05.426742: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26
13:10:05.426772: | FOR_EACH_STATE_... in show_traffic_status (sort_states) Aug 26 13:10:05.426779: | FOR_EACH_STATE_... in sort_states Aug 26 13:10:05.426788: | get_sa_info esp.909f43c1@192.1.2.23 Aug 26 13:10:05.426804: | get_sa_info esp.935f0ddb@192.1.2.45 Aug 26 13:10:05.426826: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 13:10:05.426833: | spent 0.101 milliseconds in whack Aug 26 13:10:05.555102: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 13:10:05.555655: | FOR_EACH_CONNECTION_... in show_connections_status Aug 26 13:10:05.555668: | FOR_EACH_CONNECTION_... in show_connections_status Aug 26 13:10:05.555821: | FOR_EACH_STATE_... in show_states_status (sort_states) Aug 26 13:10:05.555827: | FOR_EACH_STATE_... in sort_states Aug 26 13:10:05.555846: | get_sa_info esp.909f43c1@192.1.2.23 Aug 26 13:10:05.555866: | get_sa_info esp.935f0ddb@192.1.2.45 Aug 26 13:10:05.555896: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 13:10:05.555906: | spent 0.813 milliseconds in whack Aug 26 13:10:06.263789: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 13:10:06.263809: shutting down Aug 26 13:10:06.263816: | processing: RESET whack log_fd (was fd@16) (in exit_pluto() at plutomain.c:1825) Aug 26 13:10:06.263821: | certs and keys locked by 'free_preshared_secrets' Aug 26 13:10:06.263823: forgetting secrets Aug 26 13:10:06.263829: | certs and keys unlocked by 'free_preshared_secrets' Aug 26 13:10:06.263834: | start processing: connection "eastnet-any"[1] 192.1.2.45 (in delete_connection() at connections.c:189) Aug 26 13:10:06.263838: "eastnet-any"[1] 192.1.2.45: deleting connection "eastnet-any"[1] 192.1.2.45 instance with peer 192.1.2.45 {isakmp=#1/ipsec=#2} Aug 26 13:10:06.263841: | Deleting states for connection - including all other IPsec SA's of this IKE SA Aug 26 13:10:06.263842: | 
pass 0 Aug 26 13:10:06.263844: | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete Aug 26 13:10:06.263847: | state #2 Aug 26 13:10:06.263851: | suspend processing: connection "eastnet-any"[1] 192.1.2.45 (in foreach_state_by_connection_func_delete() at state.c:1310) Aug 26 13:10:06.263856: | start processing: state #2 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in foreach_state_by_connection_func_delete() at state.c:1310) Aug 26 13:10:06.263859: | pstats #2 ikev2.child deleted completed Aug 26 13:10:06.263863: | [RE]START processing: state #2 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in delete_state() at state.c:879) Aug 26 13:10:06.263874: "eastnet-any"[1] 192.1.2.45 #2: deleting state (STATE_V2_IPSEC_R) aged 2.184s and sending notification Aug 26 13:10:06.263877: | child state #2: V2_IPSEC_R(established CHILD SA) => delete Aug 26 13:10:06.263881: | get_sa_info esp.935f0ddb@192.1.2.45 Aug 26 13:10:06.263896: | get_sa_info esp.909f43c1@192.1.2.23 Aug 26 13:10:06.263904: "eastnet-any"[1] 192.1.2.45 #2: ESP traffic information: in=168B out=168B Aug 26 13:10:06.263907: | #2 send IKEv2 delete notification for STATE_V2_IPSEC_R Aug 26 13:10:06.263910: | Opening output PBS informational exchange delete request Aug 26 13:10:06.263912: | **emit ISAKMP Message: Aug 26 13:10:06.263914: | initiator cookie: Aug 26 13:10:06.263916: | 06 2e 9f aa 15 2a 96 f6 Aug 26 13:10:06.263918: | responder cookie: Aug 26 13:10:06.263919: | 6b 66 e1 cd 5b 36 a0 51 Aug 26 13:10:06.263921: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 13:10:06.263923: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:10:06.263925: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Aug 26 13:10:06.263926: | flags: none (0x0) Aug 26 13:10:06.263928: | Message ID: 0 (0x0) Aug 26 13:10:06.263930: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 13:10:06.263932: | ***emit IKEv2 Encryption Payload: Aug 26 
13:10:06.263934: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:06.263935: | flags: none (0x0) Aug 26 13:10:06.263938: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Aug 26 13:10:06.263940: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'informational exchange delete request' Aug 26 13:10:06.263942: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Aug 26 13:10:06.263954: | ****emit IKEv2 Delete Payload: Aug 26 13:10:06.263956: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:06.263958: | flags: none (0x0) Aug 26 13:10:06.263960: | protocol ID: PROTO_v2_ESP (0x3) Aug 26 13:10:06.263961: | SPI size: 4 (0x4) Aug 26 13:10:06.263963: | number of SPIs: 1 (0x1) Aug 26 13:10:06.263965: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) Aug 26 13:10:06.263967: | next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'informational exchange delete request' Aug 26 13:10:06.263969: | emitting 4 raw bytes of local spis into IKEv2 Delete Payload Aug 26 13:10:06.263970: | local spis 90 9f 43 c1 Aug 26 13:10:06.263972: | emitting length of IKEv2 Delete Payload: 12 Aug 26 13:10:06.263974: | adding 1 bytes of padding (including 1 byte padding-length) Aug 26 13:10:06.263976: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:10:06.263978: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Aug 26 13:10:06.263980: | emitting length of IKEv2 Encryption Payload: 41 Aug 26 13:10:06.263981: | emitting length of ISAKMP Message: 69 Aug 26 13:10:06.264002: | sending 69 bytes for delete notification through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #2) Aug 26 13:10:06.264006: | 06 2e 9f aa 15 2a 96 f6 6b 66 e1 cd 5b 36 a0 51 Aug 26 
13:10:06.264008: | 2e 20 25 00 00 00 00 00 00 00 00 45 2a 00 00 29 Aug 26 13:10:06.264009: | 01 39 8d 6a d0 60 7a 3c 63 14 98 10 80 f3 65 03 Aug 26 13:10:06.264011: | 02 fe cf 01 71 df cd 27 5c 38 72 aa ad 9d 47 e7 Aug 26 13:10:06.264012: | b7 78 38 ab 28 Aug 26 13:10:06.264045: | Message ID: IKE #1 sender #2 in send_delete record 'n' sending delete request so forcing IKE nextuse=0->1 and sender msgid=0->0 Aug 26 13:10:06.264048: | Message ID: IKE #1 sender #2 in send_delete hacking around record ' send Aug 26 13:10:06.264052: | Message ID: sent #1 request 0; ike: initiator.sent=-1->0 initiator.recv=-1 responder.sent=1 responder.recv=1 wip.initiator=-1->0 wip.responder=-1 Aug 26 13:10:06.264055: | state #2 requesting EVENT_SA_REKEY to be deleted Aug 26 13:10:06.264059: | libevent_free: release ptr-libevent@0x563549542bd8 Aug 26 13:10:06.264061: | free_event_entry: release EVENT_SA_REKEY-pe@0x7f7574002b78 Aug 26 13:10:06.264114: | running updown command "ipsec _updown" for verb down Aug 26 13:10:06.264118: | command executing down-client Aug 26 13:10:06.264147: | executing down-client: PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-any' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='192.1.2.45' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1566825004' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' 
PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_I Aug 26 13:10:06.264155: | popen cmd is 1044 chars long Aug 26 13:10:06.264159: | cmd( 0):PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-any' PLUT: Aug 26 13:10:06.264163: | cmd( 80):O_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID: Aug 26 13:10:06.264166: | cmd( 160):='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY: Aug 26 13:10:06.264170: | cmd( 240):_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_RE: Aug 26 13:10:06.264173: | cmd( 320):QID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='192.1.2.4: Aug 26 13:10:06.264177: | cmd( 400):5' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER: Aug 26 13:10:06.264180: | cmd( 480):_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_P: Aug 26 13:10:06.264184: | cmd( 560):EER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1566825004' PLUTO_CONN_POLICY='PSK: Aug 26 13:10:06.264187: | cmd( 640):+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KI: Aug 26 13:10:06.264191: | cmd( 720):ND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CIS: Aug 26 13:10:06.264194: | cmd( 800):CO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLU: Aug 26 13:10:06.264196: | cmd( 880):TO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_: Aug 26 13:10:06.264198: | cmd( 960):ROUTING='no' VTI_SHARED='no' SPI_IN=0x935f0ddb SPI_OUT=0x909f43c1 ipsec _updown : Aug 26 13:10:06.264200: | cmd(1040):2>&1: Aug 26 13:10:06.274817: | shunt_eroute() called for connection 'eastnet-any' to 'replace with shunt' for rt_kind 'prospective erouted' using protoports 0--0->-0 Aug 26 13:10:06.274831: | netlink_shunt_eroute for proto 0, and source port 0 dest port 0 Aug 26 13:10:06.274834: 
| priority calculation of connection "eastnet-any" is 0xfe7e7 Aug 26 13:10:06.274837: | IPsec Sa SPD priority set to 1042407 Aug 26 13:10:06.274871: | delete esp.935f0ddb@192.1.2.45 Aug 26 13:10:06.274900: | netlink response for Del SA esp.935f0ddb@192.1.2.45 included non-error error Aug 26 13:10:06.274904: | priority calculation of connection "eastnet-any" is 0xfe7e7 Aug 26 13:10:06.274909: | delete inbound eroute 192.0.1.0/24:0 --0-> 192.0.2.0/24:0 => unk255.10000@192.1.2.23 (raw_eroute) Aug 26 13:10:06.274926: | raw_eroute result=success Aug 26 13:10:06.274929: | delete esp.909f43c1@192.1.2.23 Aug 26 13:10:06.274937: | netlink response for Del SA esp.909f43c1@192.1.2.23 included non-error error Aug 26 13:10:06.274952: | stop processing: connection "eastnet-any"[1] 192.1.2.45 (BACKGROUND) (in update_state_connection() at connections.c:4076) Aug 26 13:10:06.274955: | start processing: connection NULL (in update_state_connection() at connections.c:4077) Aug 26 13:10:06.274957: | in connection_discard for connection eastnet-any Aug 26 13:10:06.274959: | State DB: deleting IKEv2 state #2 in V2_IPSEC_R Aug 26 13:10:06.274964: | child state #2: V2_IPSEC_R(established CHILD SA) => UNDEFINED(ignore) Aug 26 13:10:06.274971: | stop processing: state #2 from 192.1.2.45:500 (in delete_state() at state.c:1143) Aug 26 13:10:06.274982: | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312) Aug 26 13:10:06.274984: | state #1 Aug 26 13:10:06.274986: | pass 1 Aug 26 13:10:06.274988: | FOR_EACH_STATE_... 
in foreach_state_by_connection_func_delete Aug 26 13:10:06.274989: | state #1 Aug 26 13:10:06.274993: | start processing: state #1 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in foreach_state_by_connection_func_delete() at state.c:1310) Aug 26 13:10:06.274995: | pstats #1 ikev2.ike deleted completed Aug 26 13:10:06.275001: | #1 spent 9.57 milliseconds in total Aug 26 13:10:06.275004: | [RE]START processing: state #1 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in delete_state() at state.c:879) Aug 26 13:10:06.275007: "eastnet-any"[1] 192.1.2.45 #1: deleting state (STATE_PARENT_R2) aged 2.206s and sending notification Aug 26 13:10:06.275010: | parent state #1: PARENT_R2(established IKE SA) => delete Aug 26 13:10:06.275060: | #1 send IKEv2 delete notification for STATE_PARENT_R2 Aug 26 13:10:06.275076: | Opening output PBS informational exchange delete request Aug 26 13:10:06.275079: | **emit ISAKMP Message: Aug 26 13:10:06.275081: | initiator cookie: Aug 26 13:10:06.275082: | 06 2e 9f aa 15 2a 96 f6 Aug 26 13:10:06.275084: | responder cookie: Aug 26 13:10:06.275086: | 6b 66 e1 cd 5b 36 a0 51 Aug 26 13:10:06.275088: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 13:10:06.275089: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:10:06.275092: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Aug 26 13:10:06.275095: | flags: none (0x0) Aug 26 13:10:06.275096: | Message ID: 1 (0x1) Aug 26 13:10:06.275098: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 13:10:06.275101: | ***emit IKEv2 Encryption Payload: Aug 26 13:10:06.275103: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:06.275104: | flags: none (0x0) Aug 26 13:10:06.275107: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Aug 26 13:10:06.275109: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload 
type' in 'informational exchange delete request' Aug 26 13:10:06.275111: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Aug 26 13:10:06.275125: | ****emit IKEv2 Delete Payload: Aug 26 13:10:06.275127: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:06.275128: | flags: none (0x0) Aug 26 13:10:06.275131: | protocol ID: PROTO_v2_IKE (0x1) Aug 26 13:10:06.275132: | SPI size: 0 (0x0) Aug 26 13:10:06.275134: | number of SPIs: 0 (0x0) Aug 26 13:10:06.275136: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) Aug 26 13:10:06.275138: | next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'informational exchange delete request' Aug 26 13:10:06.275140: | emitting length of IKEv2 Delete Payload: 8 Aug 26 13:10:06.275142: | adding 1 bytes of padding (including 1 byte padding-length) Aug 26 13:10:06.275144: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:10:06.275146: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Aug 26 13:10:06.275148: | emitting length of IKEv2 Encryption Payload: 37 Aug 26 13:10:06.275151: | emitting length of ISAKMP Message: 65 Aug 26 13:10:06.275173: | sending 65 bytes for delete notification through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #1) Aug 26 13:10:06.275176: | 06 2e 9f aa 15 2a 96 f6 6b 66 e1 cd 5b 36 a0 51 Aug 26 13:10:06.275178: | 2e 20 25 00 00 00 00 01 00 00 00 41 2a 00 00 25 Aug 26 13:10:06.275179: | a5 00 c8 b8 39 95 a5 07 e5 f0 c9 b9 de 6b cc 64 Aug 26 13:10:06.275181: | b8 3b 29 f6 72 0b 39 bd 64 aa c2 56 8c d9 83 b9 Aug 26 13:10:06.275182: | c1 Aug 26 13:10:06.275217: | Message ID: IKE #1 sender #1 in send_delete record 'n' sending delete request so forcing IKE nextuse=1->2 and sender msgid=0->1 Aug 26 13:10:06.275219: | Message ID: IKE #1 sender #1 in send_delete hacking around record ' send Aug 26 
13:10:06.275223: | Message ID: #1 XXX: expecting sender.wip.initiator 0 == -1 - suspect record'n'send out-of-order?); initiator.sent=1 initiator.recv=-1 responder.sent=1 responder.recv=1 wip.initiator=1 wip.responder=-1 Aug 26 13:10:06.275227: | Message ID: sent #1 request 1; ike: initiator.sent=0->1 initiator.recv=-1 responder.sent=1 responder.recv=1 wip.initiator=0->1 wip.responder=-1 Aug 26 13:10:06.275229: | state #1 requesting EVENT_SA_REKEY to be deleted Aug 26 13:10:06.275238: | libevent_free: release ptr-libevent@0x563549542128 Aug 26 13:10:06.275240: | free_event_entry: release EVENT_SA_REKEY-pe@0x56354953e858 Aug 26 13:10:06.275244: | State DB: IKEv2 state not found (flush_incomplete_children) Aug 26 13:10:06.275246: | in connection_discard for connection eastnet-any Aug 26 13:10:06.275248: | State DB: deleting IKEv2 state #1 in PARENT_R2 Aug 26 13:10:06.275250: | parent state #1: PARENT_R2(established IKE SA) => UNDEFINED(ignore) Aug 26 13:10:06.275278: | stop processing: state #1 from 192.1.2.45:500 (in delete_state() at state.c:1143) Aug 26 13:10:06.275309: | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312) Aug 26 13:10:06.275314: | shunt_eroute() called for connection 'eastnet-any' to 'delete' for rt_kind 'unrouted' using protoports 0--0->-0 Aug 26 13:10:06.275317: | netlink_shunt_eroute for proto 0, and source port 0 dest port 0 Aug 26 13:10:06.275319: | priority calculation of connection "eastnet-any" is 0xfe7e7 Aug 26 13:10:06.275331: | priority calculation of connection "eastnet-any" is 0xfe7e7 Aug 26 13:10:06.275351: | FOR_EACH_CONNECTION_... 
in route_owner Aug 26 13:10:06.275368: | conn eastnet-any mark 0/00000000, 0/00000000 vs Aug 26 13:10:06.275370: | conn eastnet-any mark 0/00000000, 0/00000000 Aug 26 13:10:06.275372: | conn eastnet-any mark 0/00000000, 0/00000000 vs Aug 26 13:10:06.275374: | conn eastnet-any mark 0/00000000, 0/00000000 Aug 26 13:10:06.275377: | route owner of "eastnet-any" unrouted: NULL Aug 26 13:10:06.275379: | running updown command "ipsec _updown" for verb unroute Aug 26 13:10:06.275381: | command executing unroute-client Aug 26 13:10:06.275399: | executing unroute-client: PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-any' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='192.1.2.45' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN= Aug 26 13:10:06.275402: | popen cmd is 1025 chars long Aug 26 13:10:06.275405: | cmd( 0):PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-any' P: Aug 26 13:10:06.275407: | cmd( 80):LUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY: Aug 26 13:10:06.275409: | cmd( 160):_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO: Aug 26 13:10:06.275411: | cmd( 
240):_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA: Aug 26 13:10:06.275413: | cmd( 320):_REQID='16392' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='192.1: Aug 26 13:10:06.275414: | cmd( 400):.2.45' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_: Aug 26 13:10:06.275416: | cmd( 480):PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLU: Aug 26 13:10:06.275418: | cmd( 560):TO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCR: Aug 26 13:10:06.275419: | cmd( 640):YPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='C: Aug 26 13:10:06.275421: | cmd( 720):K_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0: Aug 26 13:10:06.275423: | cmd( 800):' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CF: Aug 26 13:10:06.275424: | cmd( 880):G_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTI: Aug 26 13:10:06.275426: | cmd( 960):NG='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec _updown 2>&1: Aug 26 13:10:06.291916: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:06.291933: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:06.291936: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:06.291937: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:06.291939: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:06.291961: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:06.291972: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:06.291978: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:06.292254: unroute-client output: Error: Peer netns reference is invalid. 
Aug 26 13:10:06.292273: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:06.292294: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:06.292365: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:06.292372: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:06.292375: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:06.292387: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:06.292449: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:06.292457: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:06.292461: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:06.292472: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:06.292596: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:06.292600: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:06.292602: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:06.292603: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:06.292605: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:06.292606: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:06.292608: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:06.292609: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:06.292612: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:06.292613: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:06.292625: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:06.292639: unroute-client output: Error: Peer netns reference is invalid. 
Aug 26 13:10:06.292655: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:06.297086: | free hp@0x56354953e728 Aug 26 13:10:06.297101: | flush revival: connection 'eastnet-any' wasn't on the list Aug 26 13:10:06.297104: | processing: STOP connection NULL (in discard_connection() at connections.c:249) Aug 26 13:10:06.297114: | start processing: connection "eastnet-any" (in delete_connection() at connections.c:189) Aug 26 13:10:06.297116: | Deleting states for connection - including all other IPsec SA's of this IKE SA Aug 26 13:10:06.297118: | pass 0 Aug 26 13:10:06.297120: | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete Aug 26 13:10:06.297122: | pass 1 Aug 26 13:10:06.297123: | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete Aug 26 13:10:06.297126: | free hp@0x56354953c798 Aug 26 13:10:06.297128: | flush revival: connection 'eastnet-any' wasn't on the list Aug 26 13:10:06.297130: | stop processing: connection "eastnet-any" (in discard_connection() at connections.c:249) Aug 26 13:10:06.297139: | crl fetch request list locked by 'free_crl_fetch' Aug 26 13:10:06.297141: | crl fetch request list unlocked by 'free_crl_fetch' Aug 26 13:10:06.297149: shutting down interface lo/lo 127.0.0.1:4500 Aug 26 13:10:06.297151: shutting down interface lo/lo 127.0.0.1:500 Aug 26 13:10:06.297153: shutting down interface eth0/eth0 192.0.2.254:4500 Aug 26 13:10:06.297155: shutting down interface eth0/eth0 192.0.2.254:500 Aug 26 13:10:06.297157: shutting down interface eth1/eth1 192.1.2.23:4500 Aug 26 13:10:06.297159: shutting down interface eth1/eth1 192.1.2.23:500 Aug 26 13:10:06.297162: | FOR_EACH_STATE_... 
in delete_states_dead_interfaces Aug 26 13:10:06.297171: | libevent_free: release ptr-libevent@0x56354952e348 Aug 26 13:10:06.297174: | free_event_entry: release EVENT_NULL-pe@0x56354953a1d8 Aug 26 13:10:06.297182: | libevent_free: release ptr-libevent@0x5635494ca268 Aug 26 13:10:06.297184: | free_event_entry: release EVENT_NULL-pe@0x56354953a288 Aug 26 13:10:06.297190: | libevent_free: release ptr-libevent@0x5635494cc108 Aug 26 13:10:06.297192: | free_event_entry: release EVENT_NULL-pe@0x56354953a338 Aug 26 13:10:06.297197: | libevent_free: release ptr-libevent@0x5635494c9258 Aug 26 13:10:06.297199: | free_event_entry: release EVENT_NULL-pe@0x56354953a3e8 Aug 26 13:10:06.297204: | libevent_free: release ptr-libevent@0x56354949a4e8 Aug 26 13:10:06.297206: | free_event_entry: release EVENT_NULL-pe@0x56354953a498 Aug 26 13:10:06.297210: | libevent_free: release ptr-libevent@0x56354949a1d8 Aug 26 13:10:06.297212: | free_event_entry: release EVENT_NULL-pe@0x56354953a548 Aug 26 13:10:06.297216: | FOR_EACH_UNORIENTED_CONNECTION_... 
in check_orientations Aug 26 13:10:06.297638: | libevent_free: release ptr-libevent@0x56354952e3f8 Aug 26 13:10:06.297646: | free_event_entry: release EVENT_NULL-pe@0x563549522138 Aug 26 13:10:06.297651: | libevent_free: release ptr-libevent@0x5635494cc008 Aug 26 13:10:06.297653: | free_event_entry: release EVENT_NULL-pe@0x5635495215f8 Aug 26 13:10:06.297657: | libevent_free: release ptr-libevent@0x563549505ba8 Aug 26 13:10:06.297659: | free_event_entry: release EVENT_NULL-pe@0x5635495221a8 Aug 26 13:10:06.297662: | global timer EVENT_REINIT_SECRET uninitialized Aug 26 13:10:06.297663: | global timer EVENT_SHUNT_SCAN uninitialized Aug 26 13:10:06.297665: | global timer EVENT_PENDING_DDNS uninitialized Aug 26 13:10:06.297667: | global timer EVENT_PENDING_PHASE2 uninitialized Aug 26 13:10:06.297668: | global timer EVENT_CHECK_CRLS uninitialized Aug 26 13:10:06.297670: | global timer EVENT_REVIVE_CONNS uninitialized Aug 26 13:10:06.297672: | global timer EVENT_FREE_ROOT_CERTS uninitialized Aug 26 13:10:06.297673: | global timer EVENT_RESET_LOG_RATE_LIMIT uninitialized Aug 26 13:10:06.297675: | global timer EVENT_NAT_T_KEEPALIVE uninitialized Aug 26 13:10:06.297679: | libevent_free: release ptr-libevent@0x5635494cd488 Aug 26 13:10:06.297681: | signal event handler PLUTO_SIGCHLD uninstalled Aug 26 13:10:06.297685: | libevent_free: release ptr-libevent@0x563549539938 Aug 26 13:10:06.297687: | signal event handler PLUTO_SIGTERM uninstalled Aug 26 13:10:06.297689: | libevent_free: release ptr-libevent@0x563549539a48 Aug 26 13:10:06.297691: | signal event handler PLUTO_SIGHUP uninstalled Aug 26 13:10:06.297693: | libevent_free: release ptr-libevent@0x563549539c88 Aug 26 13:10:06.297694: | signal event handler PLUTO_SIGSYS uninstalled Aug 26 13:10:06.297696: | releasing event base Aug 26 13:10:06.297705: | libevent_free: release ptr-libevent@0x563549539b58 Aug 26 13:10:06.297707: | libevent_free: release ptr-libevent@0x56354951c9e8 Aug 26 13:10:06.297709: | libevent_free: 
release ptr-libevent@0x56354951c998 Aug 26 13:10:06.297711: | libevent_free: release ptr-libevent@0x56354951c928 Aug 26 13:10:06.297713: | libevent_free: release ptr-libevent@0x56354951c8e8 Aug 26 13:10:06.297715: | libevent_free: release ptr-libevent@0x563549539708 Aug 26 13:10:06.297716: | libevent_free: release ptr-libevent@0x5635495398b8 Aug 26 13:10:06.297718: | libevent_free: release ptr-libevent@0x56354951cb98 Aug 26 13:10:06.297719: | libevent_free: release ptr-libevent@0x563549521708 Aug 26 13:10:06.297721: | libevent_free: release ptr-libevent@0x5635495220f8 Aug 26 13:10:06.297723: | libevent_free: release ptr-libevent@0x56354953a5b8 Aug 26 13:10:06.297724: | libevent_free: release ptr-libevent@0x56354953a508 Aug 26 13:10:06.297726: | libevent_free: release ptr-libevent@0x56354953a458 Aug 26 13:10:06.297727: | libevent_free: release ptr-libevent@0x56354953a3a8 Aug 26 13:10:06.297729: | libevent_free: release ptr-libevent@0x56354953a2f8 Aug 26 13:10:06.297731: | libevent_free: release ptr-libevent@0x56354953a248 Aug 26 13:10:06.297732: | libevent_free: release ptr-libevent@0x5635494c8aa8 Aug 26 13:10:06.297734: | libevent_free: release ptr-libevent@0x563549539a08 Aug 26 13:10:06.297735: | libevent_free: release ptr-libevent@0x5635495398f8 Aug 26 13:10:06.297737: | libevent_free: release ptr-libevent@0x563549539878 Aug 26 13:10:06.297739: | libevent_free: release ptr-libevent@0x563549539b18 Aug 26 13:10:06.297740: | libevent_free: release ptr-libevent@0x563549539748 Aug 26 13:10:06.297742: | libevent_free: release ptr-libevent@0x563549499908 Aug 26 13:10:06.297744: | libevent_free: release ptr-libevent@0x563549499d38 Aug 26 13:10:06.297745: | libevent_free: release ptr-libevent@0x5635494c8e18 Aug 26 13:10:06.297747: | releasing global libevent data Aug 26 13:10:06.297749: | libevent_free: release ptr-libevent@0x5635494ca628 Aug 26 13:10:06.297751: | libevent_free: release ptr-libevent@0x563549499cd8 Aug 26 13:10:06.297753: | libevent_free: release 
ptr-libevent@0x563549499dd8 Aug 26 13:10:06.297780: leak detective found no leaks