Aug 26 13:10:10.552901: FIPS Product: YES Aug 26 13:10:10.552982: FIPS Kernel: NO Aug 26 13:10:10.552985: FIPS Mode: NO Aug 26 13:10:10.552987: NSS DB directory: sql:/etc/ipsec.d Aug 26 13:10:10.553130: Initializing NSS Aug 26 13:10:10.553138: Opening NSS database "sql:/etc/ipsec.d" read-only Aug 26 13:10:10.578087: NSS initialized Aug 26 13:10:10.578102: NSS crypto library initialized Aug 26 13:10:10.578104: FIPS HMAC integrity support [enabled] Aug 26 13:10:10.578106: FIPS mode disabled for pluto daemon Aug 26 13:10:10.608287: FIPS HMAC integrity verification self-test FAILED Aug 26 13:10:10.608461: libcap-ng support [enabled] Aug 26 13:10:10.608469: Linux audit support [enabled] Aug 26 13:10:10.608872: Linux audit activated Aug 26 13:10:10.608882: Starting Pluto (Libreswan Version v3.28-685-gbfd5aef521-master-s2 XFRM(netkey) esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) DNSSEC FIPS_CHECK LABELED_IPSEC SECCOMP LIBCAP_NG LINUX_AUDIT XAUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:21139 Aug 26 13:10:10.608885: core dump dir: /tmp Aug 26 13:10:10.608888: secrets file: /etc/ipsec.secrets Aug 26 13:10:10.608890: leak-detective enabled Aug 26 13:10:10.608893: NSS crypto [enabled] Aug 26 13:10:10.608895: XAUTH PAM support [enabled] Aug 26 13:10:10.608970: | libevent is using pluto's memory allocator Aug 26 13:10:10.608977: Initializing libevent in pthreads mode: headers: 2.1.8-stable (2010800); library: 2.1.8-stable (2010800) Aug 26 13:10:10.608994: | libevent_malloc: new ptr-libevent@0x562c24b1b0c8 size 40 Aug 26 13:10:10.609002: | libevent_malloc: new ptr-libevent@0x562c24b1fcd8 size 40 Aug 26 13:10:10.609006: | libevent_malloc: new ptr-libevent@0x562c24b1fdd8 size 40 Aug 26 13:10:10.609009: | creating event base Aug 26 13:10:10.609013: | libevent_malloc: new ptr-libevent@0x562c24ba4518 size 56 Aug 26 13:10:10.609018: | libevent_malloc: new ptr-libevent@0x562c24b48748 size 664 Aug 26 13:10:10.609030: | libevent_malloc: new ptr-libevent@0x562c24ba4588 size 
24 Aug 26 13:10:10.609033: | libevent_malloc: new ptr-libevent@0x562c24ba45d8 size 384 Aug 26 13:10:10.609044: | libevent_malloc: new ptr-libevent@0x562c24ba44d8 size 16 Aug 26 13:10:10.609048: | libevent_malloc: new ptr-libevent@0x562c24b1f908 size 40 Aug 26 13:10:10.609051: | libevent_malloc: new ptr-libevent@0x562c24b1fd38 size 48 Aug 26 13:10:10.609057: | libevent_realloc: new ptr-libevent@0x562c24b483d8 size 256 Aug 26 13:10:10.609061: | libevent_malloc: new ptr-libevent@0x562c24ba4788 size 16 Aug 26 13:10:10.609068: | libevent_free: release ptr-libevent@0x562c24ba4518 Aug 26 13:10:10.609072: | libevent initialized Aug 26 13:10:10.609077: | libevent_realloc: new ptr-libevent@0x562c24ba4518 size 64 Aug 26 13:10:10.609083: | global periodic timer EVENT_RESET_LOG_RATE_LIMIT enabled with interval of 3600 seconds Aug 26 13:10:10.609098: | init_nat_traversal() initialized with keep_alive=0s Aug 26 13:10:10.609101: NAT-Traversal support [enabled] Aug 26 13:10:10.609104: | global one-shot timer EVENT_NAT_T_KEEPALIVE initialized Aug 26 13:10:10.609111: | global one-shot timer EVENT_FREE_ROOT_CERTS initialized Aug 26 13:10:10.609115: | global periodic timer EVENT_REINIT_SECRET enabled with interval of 3600 seconds Aug 26 13:10:10.609150: | global one-shot timer EVENT_REVIVE_CONNS initialized Aug 26 13:10:10.609154: | global periodic timer EVENT_PENDING_DDNS enabled with interval of 60 seconds Aug 26 13:10:10.609159: | global periodic timer EVENT_PENDING_PHASE2 enabled with interval of 120 seconds Aug 26 13:10:10.609224: Encryption algorithms: Aug 26 13:10:10.609231: AES_CCM_16 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm, aes_ccm_c Aug 26 13:10:10.609236: AES_CCM_12 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_b Aug 26 13:10:10.609241: AES_CCM_8 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_a Aug 26 13:10:10.609245: 3DES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS [*192] 3des Aug 26 13:10:10.609250: CAMELLIA_CTR IKEv1: ESP IKEv2: ESP {256,192,*128} Aug 26 
13:10:10.609261: CAMELLIA_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} camellia Aug 26 13:10:10.609266: AES_GCM_16 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm, aes_gcm_c Aug 26 13:10:10.609271: AES_GCM_12 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_b Aug 26 13:10:10.609276: AES_GCM_8 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_a Aug 26 13:10:10.609280: AES_CTR IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aesctr Aug 26 13:10:10.609285: AES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aes Aug 26 13:10:10.609293: SERPENT_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} serpent Aug 26 13:10:10.609302: TWOFISH_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} twofish Aug 26 13:10:10.609307: TWOFISH_SSH IKEv1: IKE IKEv2: IKE ESP {256,192,*128} twofish_cbc_ssh Aug 26 13:10:10.609311: NULL_AUTH_AES_GMAC IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_gmac Aug 26 13:10:10.609315: NULL IKEv1: ESP IKEv2: ESP [] Aug 26 13:10:10.609319: CHACHA20_POLY1305 IKEv1: IKEv2: IKE ESP [*256] chacha20poly1305 Aug 26 13:10:10.609329: Hash algorithms: Aug 26 13:10:10.609332: MD5 IKEv1: IKE IKEv2: Aug 26 13:10:10.609336: SHA1 IKEv1: IKE IKEv2: FIPS sha Aug 26 13:10:10.609340: SHA2_256 IKEv1: IKE IKEv2: FIPS sha2, sha256 Aug 26 13:10:10.609344: SHA2_384 IKEv1: IKE IKEv2: FIPS sha384 Aug 26 13:10:10.609347: SHA2_512 IKEv1: IKE IKEv2: FIPS sha512 Aug 26 13:10:10.609369: PRF algorithms: Aug 26 13:10:10.609373: HMAC_MD5 IKEv1: IKE IKEv2: IKE md5 Aug 26 13:10:10.609377: HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS sha, sha1 Aug 26 13:10:10.609382: HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS sha2, sha256, sha2_256 Aug 26 13:10:10.609386: HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS sha384, sha2_384 Aug 26 13:10:10.609390: HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS sha512, sha2_512 Aug 26 13:10:10.609394: AES_XCBC IKEv1: IKEv2: IKE aes128_xcbc Aug 26 13:10:10.609436: Integrity algorithms: Aug 26 13:10:10.609440: HMAC_MD5_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH md5, 
hmac_md5 Aug 26 13:10:10.609445: HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha, sha1, sha1_96, hmac_sha1 Aug 26 13:10:10.609450: HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha512, sha2_512, sha2_512_256, hmac_sha2_512 Aug 26 13:10:10.609455: HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha384, sha2_384, sha2_384_192, hmac_sha2_384 Aug 26 13:10:10.609460: HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256 Aug 26 13:10:10.609464: HMAC_SHA2_256_TRUNCBUG IKEv1: ESP AH IKEv2: AH Aug 26 13:10:10.609469: AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP AH aes_xcbc, aes128_xcbc, aes128_xcbc_96 Aug 26 13:10:10.609472: AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS aes_cmac Aug 26 13:10:10.609476: NONE IKEv1: ESP IKEv2: IKE ESP FIPS null Aug 26 13:10:10.609494: DH algorithms: Aug 26 13:10:10.609498: NONE IKEv1: IKEv2: IKE ESP AH FIPS null, dh0 Aug 26 13:10:10.609502: MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH dh5 Aug 26 13:10:10.609505: MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh14 Aug 26 13:10:10.609512: MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh15 Aug 26 13:10:10.609516: MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh16 Aug 26 13:10:10.609520: MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh17 Aug 26 13:10:10.609524: MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh18 Aug 26 13:10:10.609528: DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_256, ecp256 Aug 26 13:10:10.609532: DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_384, ecp384 Aug 26 13:10:10.609536: DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_521, ecp521 Aug 26 13:10:10.609539: DH31 IKEv1: IKE IKEv2: IKE ESP AH curve25519 Aug 26 13:10:10.609542: testing CAMELLIA_CBC: Aug 26 13:10:10.609545: Camellia: 16 bytes with 128-bit key Aug 26 13:10:10.609661: Camellia: 16 bytes with 128-bit key Aug 26 13:10:10.609694: Camellia: 16 bytes with 256-bit key Aug 26 13:10:10.609726: Camellia: 16 bytes with 256-bit key 
Aug 26 13:10:10.609757: testing AES_GCM_16: Aug 26 13:10:10.609760: empty string Aug 26 13:10:10.609791: one block Aug 26 13:10:10.609818: two blocks Aug 26 13:10:10.609847: two blocks with associated data Aug 26 13:10:10.609875: testing AES_CTR: Aug 26 13:10:10.609879: Encrypting 16 octets using AES-CTR with 128-bit key Aug 26 13:10:10.609908: Encrypting 32 octets using AES-CTR with 128-bit key Aug 26 13:10:10.609940: Encrypting 36 octets using AES-CTR with 128-bit key Aug 26 13:10:10.609975: Encrypting 16 octets using AES-CTR with 192-bit key Aug 26 13:10:10.610004: Encrypting 32 octets using AES-CTR with 192-bit key Aug 26 13:10:10.610036: Encrypting 36 octets using AES-CTR with 192-bit key Aug 26 13:10:10.610068: Encrypting 16 octets using AES-CTR with 256-bit key Aug 26 13:10:10.610098: Encrypting 32 octets using AES-CTR with 256-bit key Aug 26 13:10:10.610131: Encrypting 36 octets using AES-CTR with 256-bit key Aug 26 13:10:10.610164: testing AES_CBC: Aug 26 13:10:10.610168: Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key Aug 26 13:10:10.610197: Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key Aug 26 13:10:10.610230: Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key Aug 26 13:10:10.610263: Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key Aug 26 13:10:10.610321: testing AES_XCBC: Aug 26 13:10:10.610327: RFC 3566 Test Case #1: AES-XCBC-MAC-96 with 0-byte input Aug 26 13:10:10.610452: RFC 3566 Test Case #2: AES-XCBC-MAC-96 with 3-byte input Aug 26 13:10:10.610586: RFC 3566 Test Case #3: AES-XCBC-MAC-96 with 16-byte input Aug 26 13:10:10.610717: RFC 3566 Test Case #4: AES-XCBC-MAC-96 with 20-byte input Aug 26 13:10:10.610848: RFC 3566 Test Case #5: AES-XCBC-MAC-96 with 32-byte input Aug 26 13:10:10.610980: RFC 3566 Test Case #6: AES-XCBC-MAC-96 with 34-byte input Aug 26 13:10:10.611113: RFC 3566 Test Case #7: AES-XCBC-MAC-96 with 1000-byte input Aug 26 13:10:10.611414: RFC 4434 Test Case AES-XCBC-PRF-128 with 
20-byte input (key length 16) Aug 26 13:10:10.611549: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10) Aug 26 13:10:10.611690: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18) Aug 26 13:10:10.611931: testing HMAC_MD5: Aug 26 13:10:10.611935: RFC 2104: MD5_HMAC test 1 Aug 26 13:10:10.612109: RFC 2104: MD5_HMAC test 2 Aug 26 13:10:10.612265: RFC 2104: MD5_HMAC test 3 Aug 26 13:10:10.612509: 8 CPU cores online Aug 26 13:10:10.612516: starting up 7 crypto helpers Aug 26 13:10:10.612559: started thread for crypto helper 0 Aug 26 13:10:10.612564: | starting up helper thread 0 Aug 26 13:10:10.612583: | status value returned by setting the priority of this thread (crypto helper 0) 22 Aug 26 13:10:10.612585: started thread for crypto helper 1 Aug 26 13:10:10.612588: | crypto helper 0 waiting (nothing to do) Aug 26 13:10:10.612614: started thread for crypto helper 2 Aug 26 13:10:10.612590: | starting up helper thread 1 Aug 26 13:10:10.612630: | starting up helper thread 2 Aug 26 13:10:10.612636: | status value returned by setting the priority of this thread (crypto helper 1) 22 Aug 26 13:10:10.612660: | crypto helper 1 waiting (nothing to do) Aug 26 13:10:10.612655: | status value returned by setting the priority of this thread (crypto helper 2) 22 Aug 26 13:10:10.612655: | starting up helper thread 3 Aug 26 13:10:10.612649: started thread for crypto helper 3 Aug 26 13:10:10.612669: | crypto helper 2 waiting (nothing to do) Aug 26 13:10:10.612671: | status value returned by setting the priority of this thread (crypto helper 3) 22 Aug 26 13:10:10.612688: | crypto helper 3 waiting (nothing to do) Aug 26 13:10:10.612697: started thread for crypto helper 4 Aug 26 13:10:10.612699: | starting up helper thread 4 Aug 26 13:10:10.612706: | status value returned by setting the priority of this thread (crypto helper 4) 22 Aug 26 13:10:10.612710: | crypto helper 4 waiting (nothing to do) Aug 26 13:10:10.612719: started thread for crypto helper 
5 Aug 26 13:10:10.612721: | starting up helper thread 5 Aug 26 13:10:10.612728: | status value returned by setting the priority of this thread (crypto helper 5) 22 Aug 26 13:10:10.612731: | crypto helper 5 waiting (nothing to do) Aug 26 13:10:10.612739: started thread for crypto helper 6 Aug 26 13:10:10.612740: | starting up helper thread 6 Aug 26 13:10:10.612744: | checking IKEv1 state table Aug 26 13:10:10.612747: | status value returned by setting the priority of this thread (crypto helper 6) 22 Aug 26 13:10:10.612751: | crypto helper 6 waiting (nothing to do) Aug 26 13:10:10.612754: | MAIN_R0: category: half-open IKE SA flags: 0: Aug 26 13:10:10.612758: | -> MAIN_R1 EVENT_SO_DISCARD Aug 26 13:10:10.612761: | MAIN_I1: category: half-open IKE SA flags: 0: Aug 26 13:10:10.612763: | -> MAIN_I2 EVENT_RETRANSMIT Aug 26 13:10:10.612767: | MAIN_R1: category: open IKE SA flags: 200: Aug 26 13:10:10.612769: | -> MAIN_R2 EVENT_RETRANSMIT Aug 26 13:10:10.612772: | -> UNDEFINED EVENT_RETRANSMIT Aug 26 13:10:10.612775: | -> UNDEFINED EVENT_RETRANSMIT Aug 26 13:10:10.612778: | MAIN_I2: category: open IKE SA flags: 0: Aug 26 13:10:10.612780: | -> MAIN_I3 EVENT_RETRANSMIT Aug 26 13:10:10.612783: | -> UNDEFINED EVENT_RETRANSMIT Aug 26 13:10:10.612786: | -> UNDEFINED EVENT_RETRANSMIT Aug 26 13:10:10.612789: | MAIN_R2: category: open IKE SA flags: 0: Aug 26 13:10:10.612792: | -> MAIN_R3 EVENT_SA_REPLACE Aug 26 13:10:10.612794: | -> MAIN_R3 EVENT_SA_REPLACE Aug 26 13:10:10.612797: | -> UNDEFINED EVENT_SA_REPLACE Aug 26 13:10:10.612800: | MAIN_I3: category: open IKE SA flags: 0: Aug 26 13:10:10.612802: | -> MAIN_I4 EVENT_SA_REPLACE Aug 26 13:10:10.612805: | -> MAIN_I4 EVENT_SA_REPLACE Aug 26 13:10:10.612808: | -> UNDEFINED EVENT_SA_REPLACE Aug 26 13:10:10.612811: | MAIN_R3: category: established IKE SA flags: 200: Aug 26 13:10:10.612814: | -> UNDEFINED EVENT_NULL Aug 26 13:10:10.612817: | MAIN_I4: category: established IKE SA flags: 0: Aug 26 13:10:10.612820: | -> UNDEFINED 
EVENT_NULL Aug 26 13:10:10.612823: | AGGR_R0: category: half-open IKE SA flags: 0: Aug 26 13:10:10.612826: | -> AGGR_R1 EVENT_SO_DISCARD Aug 26 13:10:10.612830: | AGGR_I1: category: half-open IKE SA flags: 0: Aug 26 13:10:10.612832: | -> AGGR_I2 EVENT_SA_REPLACE Aug 26 13:10:10.612835: | -> AGGR_I2 EVENT_SA_REPLACE Aug 26 13:10:10.612838: | AGGR_R1: category: open IKE SA flags: 200: Aug 26 13:10:10.612840: | -> AGGR_R2 EVENT_SA_REPLACE Aug 26 13:10:10.612843: | -> AGGR_R2 EVENT_SA_REPLACE Aug 26 13:10:10.612846: | AGGR_I2: category: established IKE SA flags: 200: Aug 26 13:10:10.612849: | -> UNDEFINED EVENT_NULL Aug 26 13:10:10.612852: | AGGR_R2: category: established IKE SA flags: 0: Aug 26 13:10:10.612855: | -> UNDEFINED EVENT_NULL Aug 26 13:10:10.612858: | QUICK_R0: category: established CHILD SA flags: 0: Aug 26 13:10:10.612861: | -> QUICK_R1 EVENT_RETRANSMIT Aug 26 13:10:10.612867: | QUICK_I1: category: established CHILD SA flags: 0: Aug 26 13:10:10.612871: | -> QUICK_I2 EVENT_SA_REPLACE Aug 26 13:10:10.612874: | QUICK_R1: category: established CHILD SA flags: 0: Aug 26 13:10:10.612877: | -> QUICK_R2 EVENT_SA_REPLACE Aug 26 13:10:10.612880: | QUICK_I2: category: established CHILD SA flags: 200: Aug 26 13:10:10.612883: | -> UNDEFINED EVENT_NULL Aug 26 13:10:10.612885: | QUICK_R2: category: established CHILD SA flags: 0: Aug 26 13:10:10.612888: | -> UNDEFINED EVENT_NULL Aug 26 13:10:10.612891: | INFO: category: informational flags: 0: Aug 26 13:10:10.612893: | -> UNDEFINED EVENT_NULL Aug 26 13:10:10.612897: | INFO_PROTECTED: category: informational flags: 0: Aug 26 13:10:10.612899: | -> UNDEFINED EVENT_NULL Aug 26 13:10:10.612902: | XAUTH_R0: category: established IKE SA flags: 0: Aug 26 13:10:10.612905: | -> XAUTH_R1 EVENT_NULL Aug 26 13:10:10.612908: | XAUTH_R1: category: established IKE SA flags: 0: Aug 26 13:10:10.612910: | -> MAIN_R3 EVENT_SA_REPLACE Aug 26 13:10:10.612913: | MODE_CFG_R0: category: informational flags: 0: Aug 26 13:10:10.612916: | -> 
MODE_CFG_R1 EVENT_SA_REPLACE Aug 26 13:10:10.612919: | MODE_CFG_R1: category: established IKE SA flags: 0: Aug 26 13:10:10.612922: | -> MODE_CFG_R2 EVENT_SA_REPLACE Aug 26 13:10:10.612924: | MODE_CFG_R2: category: established IKE SA flags: 0: Aug 26 13:10:10.612927: | -> UNDEFINED EVENT_NULL Aug 26 13:10:10.612930: | MODE_CFG_I1: category: established IKE SA flags: 0: Aug 26 13:10:10.612933: | -> MAIN_I4 EVENT_SA_REPLACE Aug 26 13:10:10.612935: | XAUTH_I0: category: established IKE SA flags: 0: Aug 26 13:10:10.612938: | -> XAUTH_I1 EVENT_RETRANSMIT Aug 26 13:10:10.612942: | XAUTH_I1: category: established IKE SA flags: 0: Aug 26 13:10:10.612944: | -> MAIN_I4 EVENT_RETRANSMIT Aug 26 13:10:10.612951: | checking IKEv2 state table Aug 26 13:10:10.612957: | PARENT_I0: category: ignore flags: 0: Aug 26 13:10:10.612961: | -> PARENT_I1 EVENT_RETRANSMIT send-request (initiate IKE_SA_INIT) Aug 26 13:10:10.612964: | PARENT_I1: category: half-open IKE SA flags: 0: Aug 26 13:10:10.612967: | -> PARENT_I1 EVENT_RETAIN send-request (Initiator: process SA_INIT reply notification) Aug 26 13:10:10.612970: | -> PARENT_I2 EVENT_RETRANSMIT send-request (Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH) Aug 26 13:10:10.612973: | PARENT_I2: category: open IKE SA flags: 0: Aug 26 13:10:10.612976: | -> PARENT_I2 EVENT_NULL (Initiator: process INVALID_SYNTAX AUTH notification) Aug 26 13:10:10.612979: | -> PARENT_I2 EVENT_NULL (Initiator: process AUTHENTICATION_FAILED AUTH notification) Aug 26 13:10:10.612981: | -> PARENT_I2 EVENT_NULL (Initiator: process UNSUPPORTED_CRITICAL_PAYLOAD AUTH notification) Aug 26 13:10:10.612984: | -> V2_IPSEC_I EVENT_SA_REPLACE (Initiator: process IKE_AUTH response) Aug 26 13:10:10.612987: | -> PARENT_I2 EVENT_NULL (IKE SA: process IKE_AUTH response containing unknown notification) Aug 26 13:10:10.612991: | PARENT_I3: category: established IKE SA flags: 0: Aug 26 13:10:10.612994: | -> PARENT_I3 EVENT_RETAIN (I3: Informational Request) Aug 26 
13:10:10.612996: | -> PARENT_I3 EVENT_RETAIN (I3: Informational Response) Aug 26 13:10:10.612999: | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Request) Aug 26 13:10:10.613002: | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Response) Aug 26 13:10:10.613004: | PARENT_R0: category: half-open IKE SA flags: 0: Aug 26 13:10:10.613007: | -> PARENT_R1 EVENT_SO_DISCARD send-request (Respond to IKE_SA_INIT) Aug 26 13:10:10.613010: | PARENT_R1: category: half-open IKE SA flags: 0: Aug 26 13:10:10.613013: | -> PARENT_R1 EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request (no SKEYSEED)) Aug 26 13:10:10.613016: | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request) Aug 26 13:10:10.613019: | PARENT_R2: category: established IKE SA flags: 0: Aug 26 13:10:10.613022: | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Request) Aug 26 13:10:10.613027: | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Response) Aug 26 13:10:10.613030: | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Request) Aug 26 13:10:10.613033: | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Response) Aug 26 13:10:10.613035: | V2_CREATE_I0: category: established IKE SA flags: 0: Aug 26 13:10:10.613039: | -> V2_CREATE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec SA) Aug 26 13:10:10.613041: | V2_CREATE_I: category: established IKE SA flags: 0: Aug 26 13:10:10.613044: | -> V2_IPSEC_I EVENT_SA_REPLACE (Process CREATE_CHILD_SA IPsec SA Response) Aug 26 13:10:10.613047: | V2_REKEY_IKE_I0: category: established IKE SA flags: 0: Aug 26 13:10:10.613049: | -> V2_REKEY_IKE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IKE Rekey) Aug 26 13:10:10.613052: | V2_REKEY_IKE_I: category: established IKE SA flags: 0: Aug 26 13:10:10.613055: | -> PARENT_I3 EVENT_SA_REPLACE (Process CREATE_CHILD_SA IKE Rekey Response) Aug 26 13:10:10.613058: | V2_REKEY_CHILD_I0: category: established IKE SA flags: 0: Aug 26 13:10:10.613061: | -> 
V2_REKEY_CHILD_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec Rekey SA) Aug 26 13:10:10.613064: | V2_REKEY_CHILD_I: category: established IKE SA flags: 0: Aug 26 13:10:10.613066: | V2_CREATE_R: category: established IKE SA flags: 0: Aug 26 13:10:10.613069: | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IPsec SA Request) Aug 26 13:10:10.613071: | V2_REKEY_IKE_R: category: established IKE SA flags: 0: Aug 26 13:10:10.613073: | -> PARENT_R2 EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IKE Rekey) Aug 26 13:10:10.613076: | V2_REKEY_CHILD_R: category: established IKE SA flags: 0: Aug 26 13:10:10.613078: | V2_IPSEC_I: category: established CHILD SA flags: 0: Aug 26 13:10:10.613081: | V2_IPSEC_R: category: established CHILD SA flags: 0: Aug 26 13:10:10.613083: | IKESA_DEL: category: established IKE SA flags: 0: Aug 26 13:10:10.613086: | -> IKESA_DEL EVENT_RETAIN (IKE_SA_DEL: process INFORMATIONAL) Aug 26 13:10:10.613088: | CHILDSA_DEL: category: informational flags: 0: Aug 26 13:10:10.613123: Using Linux XFRM/NETKEY IPsec interface code on 5.1.18-200.fc29.x86_64 Aug 26 13:10:10.613510: | Hard-wiring algorithms Aug 26 13:10:10.613517: | adding AES_CCM_16 to kernel algorithm db Aug 26 13:10:10.613520: | adding AES_CCM_12 to kernel algorithm db Aug 26 13:10:10.613522: | adding AES_CCM_8 to kernel algorithm db Aug 26 13:10:10.613524: | adding 3DES_CBC to kernel algorithm db Aug 26 13:10:10.613526: | adding CAMELLIA_CBC to kernel algorithm db Aug 26 13:10:10.613527: | adding AES_GCM_16 to kernel algorithm db Aug 26 13:10:10.613529: | adding AES_GCM_12 to kernel algorithm db Aug 26 13:10:10.613531: | adding AES_GCM_8 to kernel algorithm db Aug 26 13:10:10.613532: | adding AES_CTR to kernel algorithm db Aug 26 13:10:10.613534: | adding AES_CBC to kernel algorithm db Aug 26 13:10:10.613536: | adding SERPENT_CBC to kernel algorithm db Aug 26 13:10:10.613537: | adding TWOFISH_CBC to kernel algorithm db Aug 26 13:10:10.613539: 
| adding NULL_AUTH_AES_GMAC to kernel algorithm db Aug 26 13:10:10.613541: | adding NULL to kernel algorithm db Aug 26 13:10:10.613542: | adding CHACHA20_POLY1305 to kernel algorithm db Aug 26 13:10:10.613544: | adding HMAC_MD5_96 to kernel algorithm db Aug 26 13:10:10.613546: | adding HMAC_SHA1_96 to kernel algorithm db Aug 26 13:10:10.613548: | adding HMAC_SHA2_512_256 to kernel algorithm db Aug 26 13:10:10.613549: | adding HMAC_SHA2_384_192 to kernel algorithm db Aug 26 13:10:10.613551: | adding HMAC_SHA2_256_128 to kernel algorithm db Aug 26 13:10:10.613552: | adding HMAC_SHA2_256_TRUNCBUG to kernel algorithm db Aug 26 13:10:10.613554: | adding AES_XCBC_96 to kernel algorithm db Aug 26 13:10:10.613556: | adding AES_CMAC_96 to kernel algorithm db Aug 26 13:10:10.613557: | adding NONE to kernel algorithm db Aug 26 13:10:10.613590: | net.ipv6.conf.all.disable_ipv6=1 ignore ipv6 holes Aug 26 13:10:10.613595: | global periodic timer EVENT_SHUNT_SCAN enabled with interval of 20 seconds Aug 26 13:10:10.613597: | setup kernel fd callback Aug 26 13:10:10.613599: | add_fd_read_event_handler: new KERNEL_XRM_FD-pe@0x562c24ba9158 Aug 26 13:10:10.613603: | libevent_malloc: new ptr-libevent@0x562c24b8d618 size 128 Aug 26 13:10:10.613605: | libevent_malloc: new ptr-libevent@0x562c24ba9268 size 16 Aug 26 13:10:10.613610: | add_fd_read_event_handler: new KERNEL_ROUTE_FD-pe@0x562c24ba9c98 Aug 26 13:10:10.613613: | libevent_malloc: new ptr-libevent@0x562c24b4afd8 size 128 Aug 26 13:10:10.613615: | libevent_malloc: new ptr-libevent@0x562c24ba9c58 size 16 Aug 26 13:10:10.613761: | global one-shot timer EVENT_CHECK_CRLS initialized Aug 26 13:10:10.613768: selinux support is enabled. 
Aug 26 13:10:10.614215: | unbound context created - setting debug level to 5 Aug 26 13:10:10.614240: | /etc/hosts lookups activated Aug 26 13:10:10.614256: | /etc/resolv.conf usage activated Aug 26 13:10:10.614324: | outgoing-port-avoid set 0-65535 Aug 26 13:10:10.614358: | outgoing-port-permit set 32768-60999 Aug 26 13:10:10.614361: | Loading dnssec root key from:/var/lib/unbound/root.key Aug 26 13:10:10.614364: | No additional dnssec trust anchors defined via dnssec-trusted= option Aug 26 13:10:10.614368: | Setting up events, loop start Aug 26 13:10:10.614371: | add_fd_read_event_handler: new PLUTO_CTL_FD-pe@0x562c24ba9d08 Aug 26 13:10:10.614374: | libevent_malloc: new ptr-libevent@0x562c24bb5f18 size 128 Aug 26 13:10:10.614377: | libevent_malloc: new ptr-libevent@0x562c24bc11e8 size 16 Aug 26 13:10:10.614383: | libevent_realloc: new ptr-libevent@0x562c24bc1228 size 256 Aug 26 13:10:10.614386: | libevent_malloc: new ptr-libevent@0x562c24bc1358 size 8 Aug 26 13:10:10.614389: | libevent_realloc: new ptr-libevent@0x562c24b4baa8 size 144 Aug 26 13:10:10.614392: | libevent_malloc: new ptr-libevent@0x562c24b4b578 size 152 Aug 26 13:10:10.614395: | libevent_malloc: new ptr-libevent@0x562c24bc1398 size 16 Aug 26 13:10:10.614399: | signal event handler PLUTO_SIGCHLD installed Aug 26 13:10:10.614402: | libevent_malloc: new ptr-libevent@0x562c24bc13d8 size 8 Aug 26 13:10:10.614406: | libevent_malloc: new ptr-libevent@0x562c24b4cd18 size 152 Aug 26 13:10:10.614409: | signal event handler PLUTO_SIGTERM installed Aug 26 13:10:10.614412: | libevent_malloc: new ptr-libevent@0x562c24bc1418 size 8 Aug 26 13:10:10.614414: | libevent_malloc: new ptr-libevent@0x562c24bc1458 size 152 Aug 26 13:10:10.614417: | signal event handler PLUTO_SIGHUP installed Aug 26 13:10:10.614420: | libevent_malloc: new ptr-libevent@0x562c24bc1528 size 8 Aug 26 13:10:10.614422: | libevent_realloc: release ptr-libevent@0x562c24b4baa8 Aug 26 13:10:10.614425: | libevent_realloc: new 
ptr-libevent@0x562c24bc1568 size 256 Aug 26 13:10:10.614427: | libevent_malloc: new ptr-libevent@0x562c24bc1698 size 152 Aug 26 13:10:10.614430: | signal event handler PLUTO_SIGSYS installed Aug 26 13:10:10.614704: | created addconn helper (pid:21241) using fork+execve Aug 26 13:10:10.614716: | forked child 21241 Aug 26 13:10:10.614754: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 13:10:10.614766: listening for IKE messages Aug 26 13:10:10.615010: | Inspecting interface lo Aug 26 13:10:10.615016: | found lo with address 127.0.0.1 Aug 26 13:10:10.615018: | Inspecting interface eth0 Aug 26 13:10:10.615021: | found eth0 with address 192.0.3.254 Aug 26 13:10:10.615024: | Inspecting interface eth1 Aug 26 13:10:10.615026: | found eth1 with address 192.1.3.33 Aug 26 13:10:10.615114: Kernel supports NIC esp-hw-offload Aug 26 13:10:10.615124: adding interface eth1/eth1 (esp-hw-offload not supported by kernel) 192.1.3.33:500 Aug 26 13:10:10.615170: | NAT-Traversal: Trying sockopt style NAT-T Aug 26 13:10:10.615174: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 Aug 26 13:10:10.615177: adding interface eth1/eth1 192.1.3.33:4500 Aug 26 13:10:10.615203: adding interface eth0/eth0 (esp-hw-offload not supported by kernel) 192.0.3.254:500 Aug 26 13:10:10.615221: | NAT-Traversal: Trying sockopt style NAT-T Aug 26 13:10:10.615225: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 Aug 26 13:10:10.615227: adding interface eth0/eth0 192.0.3.254:4500 Aug 26 13:10:10.615247: adding interface lo/lo (esp-hw-offload not supported by kernel) 127.0.0.1:500 Aug 26 13:10:10.615265: | NAT-Traversal: Trying sockopt style NAT-T Aug 26 13:10:10.615268: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 Aug 26 13:10:10.615270: adding interface lo/lo 127.0.0.1:4500 Aug 26 13:10:10.615341: | no interfaces to sort Aug 26 
13:10:10.615348: | FOR_EACH_UNORIENTED_CONNECTION_... in check_orientations Aug 26 13:10:10.615353: | add_fd_read_event_handler: new ethX-pe@0x562c24bc1b68 Aug 26 13:10:10.615355: | libevent_malloc: new ptr-libevent@0x562c24bb5e68 size 128 Aug 26 13:10:10.615358: | libevent_malloc: new ptr-libevent@0x562c24bc1bd8 size 16 Aug 26 13:10:10.615362: | setup callback for interface lo 127.0.0.1:4500 fd 22 Aug 26 13:10:10.615364: | add_fd_read_event_handler: new ethX-pe@0x562c24bc1c18 Aug 26 13:10:10.615366: | libevent_malloc: new ptr-libevent@0x562c24b4b088 size 128 Aug 26 13:10:10.615368: | libevent_malloc: new ptr-libevent@0x562c24bc1c88 size 16 Aug 26 13:10:10.615371: | setup callback for interface lo 127.0.0.1:500 fd 21 Aug 26 13:10:10.615372: | add_fd_read_event_handler: new ethX-pe@0x562c24bc1cc8 Aug 26 13:10:10.615375: | libevent_malloc: new ptr-libevent@0x562c24b4af28 size 128 Aug 26 13:10:10.615377: | libevent_malloc: new ptr-libevent@0x562c24bc1d38 size 16 Aug 26 13:10:10.615380: | setup callback for interface eth0 192.0.3.254:4500 fd 20 Aug 26 13:10:10.615382: | add_fd_read_event_handler: new ethX-pe@0x562c24bc1d78 Aug 26 13:10:10.615384: | libevent_malloc: new ptr-libevent@0x562c24b4c888 size 128 Aug 26 13:10:10.615386: | libevent_malloc: new ptr-libevent@0x562c24bc1de8 size 16 Aug 26 13:10:10.615389: | setup callback for interface eth0 192.0.3.254:500 fd 19 Aug 26 13:10:10.615391: | add_fd_read_event_handler: new ethX-pe@0x562c24bc1e28 Aug 26 13:10:10.615393: | libevent_malloc: new ptr-libevent@0x562c24b204e8 size 128 Aug 26 13:10:10.615395: | libevent_malloc: new ptr-libevent@0x562c24bc1e98 size 16 Aug 26 13:10:10.615398: | setup callback for interface eth1 192.1.3.33:4500 fd 18 Aug 26 13:10:10.615400: | add_fd_read_event_handler: new ethX-pe@0x562c24bc1ed8 Aug 26 13:10:10.615402: | libevent_malloc: new ptr-libevent@0x562c24b201d8 size 128 Aug 26 13:10:10.615404: | libevent_malloc: new ptr-libevent@0x562c24bc1f48 size 16 Aug 26 13:10:10.615407: | setup 
callback for interface eth1 192.1.3.33:500 fd 17 Aug 26 13:10:10.615410: | certs and keys locked by 'free_preshared_secrets' Aug 26 13:10:10.615411: | certs and keys unlocked by 'free_preshared_secrets' Aug 26 13:10:10.615425: loading secrets from "/etc/ipsec.secrets" Aug 26 13:10:10.615440: | saving Modulus Aug 26 13:10:10.615444: | saving PublicExponent Aug 26 13:10:10.615447: | ignoring PrivateExponent Aug 26 13:10:10.615449: | ignoring Prime1 Aug 26 13:10:10.615451: | ignoring Prime2 Aug 26 13:10:10.615453: | ignoring Exponent1 Aug 26 13:10:10.615455: | ignoring Exponent2 Aug 26 13:10:10.615457: | ignoring Coefficient Aug 26 13:10:10.615459: | ignoring CKAIDNSS Aug 26 13:10:10.615485: | computed rsa CKAID 90 5d fc a1 08 68 74 7c 6f 20 d3 1b 2d 20 4b 8f Aug 26 13:10:10.615488: | computed rsa CKAID 88 aa 7c 5d Aug 26 13:10:10.615492: loaded private key for keyid: PKK_RSA:AQPl33O2P Aug 26 13:10:10.615500: | certs and keys locked by 'process_secret' Aug 26 13:10:10.615504: | certs and keys unlocked by 'process_secret' Aug 26 13:10:10.615513: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 13:10:10.615518: | spent 0.768 milliseconds in whack Aug 26 13:10:10.636240: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 13:10:10.636264: | FOR_EACH_CONNECTION_... in conn_by_name Aug 26 13:10:10.636271: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias Aug 26 13:10:10.636273: | FOR_EACH_CONNECTION_... in conn_by_name Aug 26 13:10:10.636275: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias Aug 26 13:10:10.636278: | FOR_EACH_CONNECTION_... 
in conn_by_name Aug 26 13:10:10.636283: | Added new connection north-east with policy ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO Aug 26 13:10:10.636285: | No AUTH policy was set - defaulting to RSASIG Aug 26 13:10:10.636351: | ike (phase1) algorithm values: AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 Aug 26 13:10:10.636356: | from whack: got --esp= Aug 26 13:10:10.636380: | ESP/AH string values: AES_GCM_16_256-NONE, AES_GCM_16_128-NONE, AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128, AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128 Aug 26 13:10:10.636384: | counting wild cards for @north is 0 Aug 26 13:10:10.636386: | counting wild cards for @east is 0 Aug 26 13:10:10.636393: | connect_to_host_pair: 192.1.3.33:500 192.1.2.23:500 -> hp@(nil): none Aug 26 13:10:10.636395: | new hp@0x562c24bc4498 Aug 26 13:10:10.636399: added connection description "north-east" Aug 26 13:10:10.636407: | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO Aug 26 13:10:10.636414: | 192.0.3.254/32===192.1.3.33<192.1.3.33>[@north]...192.1.2.23<192.1.2.23>[@east]===192.0.2.0/24 Aug 26 13:10:10.636420: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 13:10:10.636425: | spent 0.167 milliseconds in whack Aug 26 13:10:10.636508: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 13:10:10.636520: add keyid @north
Aug 26 13:10:10.636571: | computed rsa CKAID 90 5d fc a1 08 68 74 7c 6f 20 d3 1b 2d 20 4b 8f Aug 26 13:10:10.636573: | computed rsa CKAID 88 aa 7c 5d Aug 26 13:10:10.636581: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 13:10:10.636586: | spent 0.0832 milliseconds in whack Aug 26 13:10:10.636648: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 13:10:10.636660: add keyid @east Aug 26 13:10:10.636698: | computed rsa CKAID 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1 Aug 26 13:10:10.636700: | computed rsa CKAID 8a 82 25 f1 Aug 26 13:10:10.636707: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 13:10:10.636711: | spent 0.0691 milliseconds in whack Aug 26 13:10:10.636771: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 13:10:10.636784: listening for IKE messages Aug 26 13:10:10.636813: | Inspecting interface lo Aug 26 13:10:10.636818: | found lo with address 127.0.0.1 Aug 26 13:10:10.636820: | Inspecting
interface eth0 Aug 26 13:10:10.636823: | found eth0 with address 192.0.3.254 Aug 26 13:10:10.636824: | Inspecting interface eth1 Aug 26 13:10:10.636827: | found eth1 with address 192.1.3.33 Aug 26 13:10:10.636870: | no interfaces to sort Aug 26 13:10:10.636876: | libevent_free: release ptr-libevent@0x562c24bb5e68 Aug 26 13:10:10.636879: | free_event_entry: release EVENT_NULL-pe@0x562c24bc1b68 Aug 26 13:10:10.636881: | add_fd_read_event_handler: new ethX-pe@0x562c24bc1b68 Aug 26 13:10:10.636883: | libevent_malloc: new ptr-libevent@0x562c24bb5e68 size 128 Aug 26 13:10:10.636889: | setup callback for interface lo 127.0.0.1:4500 fd 22 Aug 26 13:10:10.636891: | libevent_free: release ptr-libevent@0x562c24b4b088 Aug 26 13:10:10.636893: | free_event_entry: release EVENT_NULL-pe@0x562c24bc1c18 Aug 26 13:10:10.636895: | add_fd_read_event_handler: new ethX-pe@0x562c24bc1c18 Aug 26 13:10:10.636897: | libevent_malloc: new ptr-libevent@0x562c24b4b088 size 128 Aug 26 13:10:10.636900: | setup callback for interface lo 127.0.0.1:500 fd 21 Aug 26 13:10:10.636903: | libevent_free: release ptr-libevent@0x562c24b4af28 Aug 26 13:10:10.636904: | free_event_entry: release EVENT_NULL-pe@0x562c24bc1cc8 Aug 26 13:10:10.636906: | add_fd_read_event_handler: new ethX-pe@0x562c24bc1cc8 Aug 26 13:10:10.636908: | libevent_malloc: new ptr-libevent@0x562c24b4af28 size 128 Aug 26 13:10:10.636911: | setup callback for interface eth0 192.0.3.254:4500 fd 20 Aug 26 13:10:10.636914: | libevent_free: release ptr-libevent@0x562c24b4c888 Aug 26 13:10:10.636915: | free_event_entry: release EVENT_NULL-pe@0x562c24bc1d78 Aug 26 13:10:10.636917: | add_fd_read_event_handler: new ethX-pe@0x562c24bc1d78 Aug 26 13:10:10.636919: | libevent_malloc: new ptr-libevent@0x562c24b4c888 size 128 Aug 26 13:10:10.636925: | setup callback for interface eth0 192.0.3.254:500 fd 19 Aug 26 13:10:10.636928: | libevent_free: release ptr-libevent@0x562c24b204e8 Aug 26 13:10:10.636929: | free_event_entry: release 
EVENT_NULL-pe@0x562c24bc1e28 Aug 26 13:10:10.636931: | add_fd_read_event_handler: new ethX-pe@0x562c24bc1e28 Aug 26 13:10:10.636933: | libevent_malloc: new ptr-libevent@0x562c24b204e8 size 128 Aug 26 13:10:10.636936: | setup callback for interface eth1 192.1.3.33:4500 fd 18 Aug 26 13:10:10.636939: | libevent_free: release ptr-libevent@0x562c24b201d8 Aug 26 13:10:10.636940: | free_event_entry: release EVENT_NULL-pe@0x562c24bc1ed8 Aug 26 13:10:10.636942: | add_fd_read_event_handler: new ethX-pe@0x562c24bc1ed8 Aug 26 13:10:10.636944: | libevent_malloc: new ptr-libevent@0x562c24b201d8 size 128 Aug 26 13:10:10.636947: | setup callback for interface eth1 192.1.3.33:500 fd 17 Aug 26 13:10:10.636949: | certs and keys locked by 'free_preshared_secrets' Aug 26 13:10:10.636950: forgetting secrets Aug 26 13:10:10.636956: | certs and keys unlocked by 'free_preshared_secrets' Aug 26 13:10:10.636967: loading secrets from "/etc/ipsec.secrets" Aug 26 13:10:10.636977: | saving Modulus Aug 26 13:10:10.636980: | saving PublicExponent Aug 26 13:10:10.636982: | ignoring PrivateExponent Aug 26 13:10:10.636984: | ignoring Prime1 Aug 26 13:10:10.636986: | ignoring Prime2 Aug 26 13:10:10.636988: | ignoring Exponent1 Aug 26 13:10:10.636990: | ignoring Exponent2 Aug 26 13:10:10.636993: | ignoring Coefficient Aug 26 13:10:10.636995: | ignoring CKAIDNSS Aug 26 13:10:10.637005: | computed rsa CKAID 90 5d fc a1 08 68 74 7c 6f 20 d3 1b 2d 20 4b 8f Aug 26 13:10:10.637007: | computed rsa CKAID 88 aa 7c 5d Aug 26 13:10:10.637009: loaded private key for keyid: PKK_RSA:AQPl33O2P Aug 26 13:10:10.637014: | certs and keys locked by 'process_secret' Aug 26 13:10:10.637015: | certs and keys unlocked by 'process_secret' Aug 26 13:10:10.637022: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 13:10:10.637026: | spent 0.26 milliseconds in whack Aug 26 13:10:10.637046: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 
13:10:10.637052: | FOR_EACH_CONNECTION_... in conn_by_name Aug 26 13:10:10.637055: | start processing: connection "north-east" (in whack_route_connection() at rcv_whack.c:106) Aug 26 13:10:10.637058: | could_route called for north-east (kind=CK_PERMANENT) Aug 26 13:10:10.637059: | FOR_EACH_CONNECTION_... in route_owner Aug 26 13:10:10.637061: | conn north-east mark 0/00000000, 0/00000000 vs Aug 26 13:10:10.637063: | conn north-east mark 0/00000000, 0/00000000 Aug 26 13:10:10.637066: | route owner of "north-east" unrouted: NULL; eroute owner: NULL Aug 26 13:10:10.637068: | route_and_eroute() for proto 0, and source port 0 dest port 0 Aug 26 13:10:10.637070: | FOR_EACH_CONNECTION_... in route_owner Aug 26 13:10:10.637071: | conn north-east mark 0/00000000, 0/00000000 vs Aug 26 13:10:10.637073: | conn north-east mark 0/00000000, 0/00000000 Aug 26 13:10:10.637075: | route owner of "north-east" unrouted: NULL; eroute owner: NULL Aug 26 13:10:10.637077: | route_and_eroute with c: north-east (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: #0 Aug 26 13:10:10.637080: | shunt_eroute() called for connection 'north-east' to 'add' for rt_kind 'prospective erouted' using protoports 0--0->-0 Aug 26 13:10:10.637082: | netlink_shunt_eroute for proto 0, and source port 0 dest port 0 Aug 26 13:10:10.637085: | priority calculation of connection "north-east" is 0xfdfe7 Aug 26 13:10:10.637090: | IPsec Sa SPD priority set to 1040359 Aug 26 13:10:10.637115: | priority calculation of connection "north-east" is 0xfdfe7 Aug 26 13:10:10.637118: | route_and_eroute: firewall_notified: true Aug 26 13:10:10.637120: | running updown command "ipsec _updown" for verb prepare Aug 26 13:10:10.637121: | command executing prepare-client Aug 26 13:10:10.637153: | executing prepare-client: PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-east' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.23' PLUTO_ME='192.1.3.33' PLUTO_MY_ID='@north' 
PLUTO_MY_CLIENT='192.0.3.254/32' PLUTO_MY_CLIENT_NET='192.0.3.254' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID='@east' PLUTO_PEER_CLIENT='192.0.2.0/24' PLUTO_PEER_CLIENT_NET='192.0.2.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_ Aug 26 13:10:10.637162: | popen cmd is 1028 chars long Aug 26 13:10:10.637167: | cmd( 0):PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-east' PL: Aug 26 13:10:10.637170: | cmd( 80):UTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.23' PLUTO_ME='192.1.3.33' PLUTO_MY_: Aug 26 13:10:10.637174: | cmd( 160):ID='@north' PLUTO_MY_CLIENT='192.0.3.254/32' PLUTO_MY_CLIENT_NET='192.0.3.254' P: Aug 26 13:10:10.637177: | cmd( 240):LUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PL: Aug 26 13:10:10.637181: | cmd( 320):UTO_SA_REQID='16388' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID=: Aug 26 13:10:10.637184: | cmd( 400):'@east' PLUTO_PEER_CLIENT='192.0.2.0/24' PLUTO_PEER_CLIENT_NET='192.0.2.0' PLUTO: Aug 26 13:10:10.637188: | cmd( 480):_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PL: Aug 26 13:10:10.637191: | cmd( 560):UTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+: Aug 26 13:10:10.637195: | cmd( 640):ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIN: Aug 26 13:10:10.637199: | cmd( 720):D='CK_PERMANENT' 
PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO: Aug 26 13:10:10.637202: | cmd( 800):='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO: Aug 26 13:10:10.637205: | cmd( 880):_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_RO: Aug 26 13:10:10.637208: | cmd( 960):UTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec _updown 2>&1: Aug 26 13:10:10.646909: | running updown command "ipsec _updown" for verb route Aug 26 13:10:10.646926: | command executing route-client Aug 26 13:10:10.646960: | executing route-client: PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-east' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.23' PLUTO_ME='192.1.3.33' PLUTO_MY_ID='@north' PLUTO_MY_CLIENT='192.0.3.254/32' PLUTO_MY_CLIENT_NET='192.0.3.254' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID='@east' PLUTO_PEER_CLIENT='192.0.2.0/24' PLUTO_PEER_CLIENT_NET='192.0.2.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0 Aug 26 13:10:10.646964: | popen cmd is 1026 chars long Aug 26 13:10:10.646967: | cmd( 0):PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-east' PLUT: Aug 26 13:10:10.646970: | cmd( 80):O_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.23' PLUTO_ME='192.1.3.33' PLUTO_MY_ID: Aug 26 13:10:10.646973: | cmd( 160):='@north' PLUTO_MY_CLIENT='192.0.3.254/32' PLUTO_MY_CLIENT_NET='192.0.3.254' PLU: Aug 
26 13:10:10.646980: | cmd( 240):TO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUT: Aug 26 13:10:10.646983: | cmd( 320):O_SA_REQID='16388' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID='@: Aug 26 13:10:10.646986: | cmd( 400):east' PLUTO_PEER_CLIENT='192.0.2.0/24' PLUTO_PEER_CLIENT_NET='192.0.2.0' PLUTO_P: Aug 26 13:10:10.646988: | cmd( 480):EER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUT: Aug 26 13:10:10.646991: | cmd( 560):O_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+EN: Aug 26 13:10:10.646994: | cmd( 640):CRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND=: Aug 26 13:10:10.646997: | cmd( 720):'CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO=': Aug 26 13:10:10.646999: | cmd( 800):0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_C: Aug 26 13:10:10.647002: | cmd( 880):FG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUT: Aug 26 13:10:10.647005: | cmd( 960):ING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec _updown 2>&1: Aug 26 13:10:10.658770: | stop processing: connection "north-east" (in whack_route_connection() at rcv_whack.c:116) Aug 26 13:10:10.658797: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 13:10:10.658808: | spent 0.98 milliseconds in whack Aug 26 13:10:10.658826: | processing signal PLUTO_SIGCHLD Aug 26 13:10:10.658832: | waitpid returned nothing left to do (all child processes are busy) Aug 26 13:10:10.658837: | spent 0.00662 milliseconds in signal handler PLUTO_SIGCHLD Aug 26 13:10:10.658840: | processing signal PLUTO_SIGCHLD Aug 26 13:10:10.658843: | waitpid returned nothing left to do (all child processes are busy) Aug 26 13:10:10.658847: | spent 0.00364 milliseconds in signal handler PLUTO_SIGCHLD Aug 26 13:10:10.659331: | processing signal PLUTO_SIGCHLD Aug 26 13:10:10.659345: | waitpid returned pid 
21241 (exited with status 0) Aug 26 13:10:10.659349: | reaped addconn helper child (status 0) Aug 26 13:10:10.659359: | waitpid returned ECHILD (no child processes left) Aug 26 13:10:10.659364: | spent 0.0229 milliseconds in signal handler PLUTO_SIGCHLD Aug 26 13:10:10.844881: | kernel_process_msg_cb process netlink message Aug 26 13:10:10.844914: | netlink_get: XFRM_MSG_ACQUIRE message Aug 26 13:10:10.844918: | xfrm netlink msg len 376 Aug 26 13:10:10.844921: | xfrm acquire rtattribute type 5 Aug 26 13:10:10.844924: | xfrm acquire rtattribute type 16 Aug 26 13:10:10.844941: | add bare shunt 0x562c24bc3748 192.0.3.254/32:8 --1--> 192.0.2.254/32:0 => %hold 0 %acquire-netlink Aug 26 13:10:10.844951: initiate on demand from 192.0.3.254:8 to 192.0.2.254:0 proto=1 because: acquire Aug 26 13:10:10.844958: | find_connection: looking for policy for connection: 192.0.3.254:1/8 -> 192.0.2.254:1/0 Aug 26 13:10:10.844961: | FOR_EACH_CONNECTION_... in find_connection_for_clients Aug 26 13:10:10.844967: | find_connection: conn "north-east" has compatible peers: 192.0.3.254/32 -> 192.0.2.0/24 [pri: 33603594] Aug 26 13:10:10.844971: | find_connection: first OK "north-east" [pri:33603594]{0x562c24bc2688} (child none) Aug 26 13:10:10.844975: | find_connection: concluding with "north-east" [pri:33603594]{0x562c24bc2688} kind=CK_PERMANENT Aug 26 13:10:10.844979: | assign hold, routing was prospective erouted, needs to be erouted HOLD Aug 26 13:10:10.844982: | assign_holdpass() need broad(er) shunt Aug 26 13:10:10.844985: | priority calculation of connection "north-east" is 0xfdfe7 Aug 26 13:10:10.844992: | eroute_connection replace %trap with broad %pass or %hold eroute 192.0.3.254/32:0 --0-> 192.0.2.0/24:0 => %hold>%hold (raw_eroute) Aug 26 13:10:10.844999: | netlink_raw_eroute: SPI_HOLD implemented as no-op Aug 26 13:10:10.845002: | raw_eroute result=success Aug 26 13:10:10.845005: | assign_holdpass() eroute_connection() done Aug 26 13:10:10.845007: | fiddle_bare_shunt called Aug 26 
13:10:10.845010: | fiddle_bare_shunt with transport_proto 1 Aug 26 13:10:10.845019: | removing specific host-to-host bare shunt Aug 26 13:10:10.845025: | delete narrow %hold eroute 192.0.3.254/32:8 --1-> 192.0.2.254/32:0 => %hold (raw_eroute) Aug 26 13:10:10.845028: | netlink_raw_eroute: SPI_PASS Aug 26 13:10:10.845047: | raw_eroute result=success Aug 26 13:10:10.845052: | raw_eroute with op='delete' for transport_proto='1' kernel shunt succeeded, bare shunt lookup succeeded Aug 26 13:10:10.845058: | delete bare shunt 0x562c24bc3748 192.0.3.254/32:8 --1--> 192.0.2.254/32:0 => %hold 0 %acquire-netlink Aug 26 13:10:10.845061: assign_holdpass() delete_bare_shunt() failed Aug 26 13:10:10.845064: initiate_ondemand_body() failed to install negotiation_shunt, Aug 26 13:10:10.845068: | FOR_EACH_STATE_... in find_phase1_state Aug 26 13:10:10.845090: | creating state object #1 at 0x562c24bc4b58 Aug 26 13:10:10.845094: | State DB: adding IKEv2 state #1 in UNDEFINED Aug 26 13:10:10.845103: | pstats #1 ikev2.ike started Aug 26 13:10:10.845109: | Message ID: init #1: msgid=0 lastack=4294967295 nextuse=0 lastrecv=4294967295 lastreplied=0 Aug 26 13:10:10.845113: | parent state #1: UNDEFINED(ignore) => PARENT_I0(ignore) Aug 26 13:10:10.845119: | Message ID: init_ike #1; ike: initiator.sent=0->-1 initiator.recv=0->-1 responder.sent=0->-1 responder.recv=0->-1 wip.initiator=0->-1 wip.responder=0->-1 Aug 26 13:10:10.845131: | start processing: state #1 connection "north-east" from 192.1.2.23 (in ikev2_parent_outI1() at ikev2_parent.c:535) Aug 26 13:10:10.845135: | dup_any(fd@-1) -> fd@-1 (in ikev2_parent_outI1() at ikev2_parent.c:551) Aug 26 13:10:10.845140: | Queuing pending IPsec SA negotiating with 192.1.2.23 "north-east" IKE SA #1 "north-east" Aug 26 13:10:10.845147: "north-east" #1: initiating v2 parent SA Aug 26 13:10:10.845151: | constructing local IKE proposals for north-east (IKE SA initiator selecting KE) Aug 26 13:10:10.845162: | converting ike_info 
AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Aug 26 13:10:10.845171: | ... ikev2_proposal: 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Aug 26 13:10:10.845176: | converting ike_info AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Aug 26 13:10:10.845182: | ... ikev2_proposal: 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Aug 26 13:10:10.845187: | converting ike_info AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Aug 26 13:10:10.845193: | ... ikev2_proposal: 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Aug 26 13:10:10.845197: | converting ike_info AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Aug 26 13:10:10.845203: | ... 
ikev2_proposal: 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Aug 26 13:10:10.845213: "north-east": constructed local IKE proposals for north-east (IKE SA initiator selecting KE): 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Aug 26 13:10:10.845221: | adding ikev2_outI1 KE work-order 1 for state #1 Aug 26 13:10:10.845228: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x562c24bc4578 Aug 26 13:10:10.845233: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 Aug 26 13:10:10.845237: | libevent_malloc: new ptr-libevent@0x562c24bc5b68 size 128 Aug 26 13:10:10.845253: | #1 spent 0.302 milliseconds in ikev2_parent_outI1() Aug 26 13:10:10.845259: | RESET processing: state #1 connection "north-east" from 192.1.2.23 (in ikev2_parent_outI1() at ikev2_parent.c:610) Aug 26 13:10:10.845265: | initiate on demand using RSASIG from 192.0.3.254 to 192.0.2.254 Aug 26 13:10:10.845271: | spent 0.363 milliseconds in kernel message Aug 26 13:10:10.845298: | crypto helper 0 resuming Aug 26 13:10:10.845316: | crypto helper 0 starting work-order 1 for state #1 Aug 26 13:10:10.845322: | crypto helper 0 doing build KE and nonce (ikev2_outI1 KE); request ID 1 Aug 26 13:10:10.846467: | crypto helper 0 finished build KE and nonce (ikev2_outI1 KE); request ID 1 time elapsed 0.001144 
seconds Aug 26 13:10:10.846485: | (#1) spent 1.15 milliseconds in crypto helper computing work-order 1: ikev2_outI1 KE (pcr) Aug 26 13:10:10.846490: | crypto helper 0 sending results from work-order 1 for state #1 to event queue Aug 26 13:10:10.846494: | scheduling resume sending helper answer for #1 Aug 26 13:10:10.846498: | libevent_malloc: new ptr-libevent@0x7f25b8002888 size 128 Aug 26 13:10:10.846509: | crypto helper 0 waiting (nothing to do) Aug 26 13:10:10.846554: | processing resume sending helper answer for #1 Aug 26 13:10:10.846571: | start processing: state #1 connection "north-east" from 192.1.2.23 (in resume_handler() at server.c:797) Aug 26 13:10:10.846578: | crypto helper 0 replies to request ID 1 Aug 26 13:10:10.846581: | calling continuation function 0x562c2410eb50 Aug 26 13:10:10.846584: | ikev2_parent_outI1_continue for #1 Aug 26 13:10:10.846630: | **emit ISAKMP Message: Aug 26 13:10:10.846634: | initiator cookie: Aug 26 13:10:10.846637: | bf c4 e0 9e f3 c2 f5 83 Aug 26 13:10:10.846640: | responder cookie: Aug 26 13:10:10.846643: | 00 00 00 00 00 00 00 00 Aug 26 13:10:10.846647: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 13:10:10.846650: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:10:10.846653: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) Aug 26 13:10:10.846658: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Aug 26 13:10:10.846661: | Message ID: 0 (0x0) Aug 26 13:10:10.846665: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 13:10:10.846682: | using existing local IKE proposals for connection north-east (IKE SA initiator emitting local proposals): 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 
3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Aug 26 13:10:10.846686: | Emitting ikev2_proposals ... Aug 26 13:10:10.846689: | ***emit IKEv2 Security Association Payload: Aug 26 13:10:10.846693: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:10.846695: | flags: none (0x0) Aug 26 13:10:10.846699: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Aug 26 13:10:10.846703: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Aug 26 13:10:10.846706: | discarding INTEG=NONE Aug 26 13:10:10.846710: | ****emit IKEv2 Proposal Substructure Payload: Aug 26 13:10:10.846713: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 13:10:10.846716: | prop #: 1 (0x1) Aug 26 13:10:10.846723: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 13:10:10.846727: | spi size: 0 (0x0) Aug 26 13:10:10.846730: | # transforms: 11 (0xb) Aug 26 13:10:10.846733: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Aug 26 13:10:10.846737: | *****emit IKEv2 Transform Substructure Payload: Aug 26 13:10:10.846740: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.846743: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:10:10.846746: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 13:10:10.846749: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:10:10.846753: | ******emit IKEv2 Attribute Substructure Payload: Aug 26 13:10:10.846756: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 
26 13:10:10.846759: | length/value: 256 (0x100) Aug 26 13:10:10.846763: | emitting length of IKEv2 Transform Substructure Payload: 12 Aug 26 13:10:10.846765: | *****emit IKEv2 Transform Substructure Payload: Aug 26 13:10:10.846768: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.846771: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:10:10.846774: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Aug 26 13:10:10.846778: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.846781: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:10:10.846785: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:10:10.846788: | *****emit IKEv2 Transform Substructure Payload: Aug 26 13:10:10.846790: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.846793: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:10:10.846796: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Aug 26 13:10:10.846800: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.846803: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:10:10.846806: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:10:10.846808: | discarding INTEG=NONE Aug 26 13:10:10.846811: | *****emit IKEv2 Transform Substructure Payload: Aug 26 13:10:10.846814: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.846817: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:10.846820: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:10:10.846823: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure 
Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.846827: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:10:10.846829: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:10:10.846832: | *****emit IKEv2 Transform Substructure Payload: Aug 26 13:10:10.846835: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.846838: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:10.846841: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Aug 26 13:10:10.846844: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.846847: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:10:10.846850: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:10:10.846853: | *****emit IKEv2 Transform Substructure Payload: Aug 26 13:10:10.846856: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.846865: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:10.846868: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Aug 26 13:10:10.846872: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.846875: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:10:10.846878: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:10:10.846881: | *****emit IKEv2 Transform Substructure Payload: Aug 26 13:10:10.846884: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.846886: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:10.846889: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Aug 
26 13:10:10.846893: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.846896: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:10:10.846899: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:10:10.846902: | *****emit IKEv2 Transform Substructure Payload: Aug 26 13:10:10.846905: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.846907: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:10.846910: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Aug 26 13:10:10.846914: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.846917: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:10:10.846920: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:10:10.846923: | *****emit IKEv2 Transform Substructure Payload: Aug 26 13:10:10.846926: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.846928: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:10.846931: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Aug 26 13:10:10.846935: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.846938: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:10:10.846941: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:10:10.846944: | *****emit IKEv2 Transform Substructure Payload: Aug 26 13:10:10.846947: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.846949: | 
IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:10.846952: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Aug 26 13:10:10.846956: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.846959: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:10:10.846962: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:10:10.846965: | *****emit IKEv2 Transform Substructure Payload: Aug 26 13:10:10.846967: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:10:10.846970: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:10.846973: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Aug 26 13:10:10.846977: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.846980: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:10:10.846983: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:10:10.846988: | emitting length of IKEv2 Proposal Substructure Payload: 100 Aug 26 13:10:10.846992: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Aug 26 13:10:10.846994: | discarding INTEG=NONE Aug 26 13:10:10.846997: | ****emit IKEv2 Proposal Substructure Payload: Aug 26 13:10:10.847000: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 13:10:10.847003: | prop #: 2 (0x2) Aug 26 13:10:10.847006: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 13:10:10.847009: | spi size: 0 (0x0) Aug 26 13:10:10.847012: | # transforms: 11 (0xb) Aug 26 13:10:10.847015: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last 
proposal' is v2_PROPOSAL_NON_LAST (0x2) Aug 26 13:10:10.847019: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Aug 26 13:10:10.847022: | *****emit IKEv2 Transform Substructure Payload: Aug 26 13:10:10.847024: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.847027: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:10:10.847030: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 13:10:10.847033: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:10:10.847036: | ******emit IKEv2 Attribute Substructure Payload: Aug 26 13:10:10.847039: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:10:10.847042: | length/value: 128 (0x80) Aug 26 13:10:10.847045: | emitting length of IKEv2 Transform Substructure Payload: 12 Aug 26 13:10:10.847048: | *****emit IKEv2 Transform Substructure Payload: Aug 26 13:10:10.847051: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.847054: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:10:10.847057: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Aug 26 13:10:10.847060: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.847063: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:10:10.847066: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:10:10.847069: | *****emit IKEv2 Transform Substructure Payload: Aug 26 13:10:10.847072: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.847075: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:10:10.847078: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Aug 26 13:10:10.847081: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform 
Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.847084: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:10:10.847087: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:10:10.847090: | discarding INTEG=NONE Aug 26 13:10:10.847093: | *****emit IKEv2 Transform Substructure Payload: Aug 26 13:10:10.847095: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.847098: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:10.847101: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:10:10.847105: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.847108: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:10:10.847111: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:10:10.847114: | *****emit IKEv2 Transform Substructure Payload: Aug 26 13:10:10.847116: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.847119: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:10.847124: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Aug 26 13:10:10.847127: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.847131: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:10:10.847134: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:10:10.847136: | *****emit IKEv2 Transform Substructure Payload: Aug 26 13:10:10.847139: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.847142: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 
13:10:10.847145: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Aug 26 13:10:10.847148: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.847151: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:10:10.847154: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:10:10.847157: | *****emit IKEv2 Transform Substructure Payload: Aug 26 13:10:10.847160: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.847163: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:10.847166: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Aug 26 13:10:10.847169: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.847172: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:10:10.847175: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:10:10.847178: | *****emit IKEv2 Transform Substructure Payload: Aug 26 13:10:10.847181: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.847184: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:10.847187: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Aug 26 13:10:10.847190: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.847193: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:10:10.847196: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:10:10.847199: | *****emit IKEv2 Transform Substructure Payload: Aug 26 13:10:10.847202: | 
last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.847205: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:10.847208: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Aug 26 13:10:10.847211: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.847214: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:10:10.847217: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:10:10.847220: | *****emit IKEv2 Transform Substructure Payload: Aug 26 13:10:10.847223: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.847226: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:10.847228: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Aug 26 13:10:10.847232: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.847235: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:10:10.847238: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:10:10.847242: | *****emit IKEv2 Transform Substructure Payload: Aug 26 13:10:10.847245: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:10:10.847248: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:10.847251: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Aug 26 13:10:10.847255: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.847258: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:10:10.847261: | emitting length of IKEv2 Transform 
Substructure Payload: 8 Aug 26 13:10:10.847264: | emitting length of IKEv2 Proposal Substructure Payload: 100 Aug 26 13:10:10.847267: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Aug 26 13:10:10.847270: | ****emit IKEv2 Proposal Substructure Payload: Aug 26 13:10:10.847273: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 13:10:10.847276: | prop #: 3 (0x3) Aug 26 13:10:10.847278: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 13:10:10.847281: | spi size: 0 (0x0) Aug 26 13:10:10.847284: | # transforms: 13 (0xd) Aug 26 13:10:10.847294: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is v2_PROPOSAL_NON_LAST (0x2) Aug 26 13:10:10.847298: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Aug 26 13:10:10.847301: | *****emit IKEv2 Transform Substructure Payload: Aug 26 13:10:10.847304: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.847307: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:10:10.847309: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 13:10:10.847313: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:10:10.847316: | ******emit IKEv2 Attribute Substructure Payload: Aug 26 13:10:10.847318: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:10:10.847321: | length/value: 256 (0x100) Aug 26 13:10:10.847328: | emitting length of IKEv2 Transform Substructure Payload: 12 Aug 26 13:10:10.847332: | *****emit IKEv2 Transform Substructure Payload: Aug 26 13:10:10.847334: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.847337: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:10:10.847340: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Aug 26 13:10:10.847344: | last substructure: checking 'IKEv2 Proposal Substructure 
Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.847347: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:10:10.847350: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:10:10.847353: | *****emit IKEv2 Transform Substructure Payload: Aug 26 13:10:10.847355: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.847358: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:10:10.847361: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Aug 26 13:10:10.847365: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.847368: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:10:10.847371: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:10:10.847374: | *****emit IKEv2 Transform Substructure Payload: Aug 26 13:10:10.847376: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.847379: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:10:10.847382: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Aug 26 13:10:10.847387: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.847391: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:10:10.847394: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:10:10.847397: | *****emit IKEv2 Transform Substructure Payload: Aug 26 13:10:10.847399: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.847402: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:10:10.847405: | IKEv2 
transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Aug 26 13:10:10.847408: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.847412: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:10:10.847415: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:10:10.847418: | *****emit IKEv2 Transform Substructure Payload: Aug 26 13:10:10.847420: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.847423: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:10.847426: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:10:10.847430: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.847433: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:10:10.847436: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:10:10.847439: | *****emit IKEv2 Transform Substructure Payload: Aug 26 13:10:10.847441: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.847444: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:10.847447: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Aug 26 13:10:10.847450: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.847454: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:10:10.847457: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:10:10.847459: | *****emit IKEv2 Transform Substructure Payload: Aug 26 13:10:10.847462: | last transform: 
v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.847465: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:10.847468: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Aug 26 13:10:10.847471: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.847475: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:10:10.847478: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:10:10.847480: | *****emit IKEv2 Transform Substructure Payload: Aug 26 13:10:10.847483: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.847486: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:10.847489: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Aug 26 13:10:10.847492: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.847496: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:10:10.847499: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:10:10.847501: | *****emit IKEv2 Transform Substructure Payload: Aug 26 13:10:10.847504: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.847508: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:10.847511: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Aug 26 13:10:10.847515: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.847518: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:10:10.847521: | emitting length of IKEv2 Transform Substructure Payload: 
8 Aug 26 13:10:10.847524: | *****emit IKEv2 Transform Substructure Payload: Aug 26 13:10:10.847527: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.847530: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:10.847532: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Aug 26 13:10:10.847536: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.847539: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:10:10.847542: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:10:10.847545: | *****emit IKEv2 Transform Substructure Payload: Aug 26 13:10:10.847548: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.847551: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:10.847554: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Aug 26 13:10:10.847557: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.847560: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:10:10.847563: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:10:10.847566: | *****emit IKEv2 Transform Substructure Payload: Aug 26 13:10:10.847569: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:10:10.847572: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:10.847575: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Aug 26 13:10:10.847578: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.847581: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform 
Substructure Payload'.'last transform' Aug 26 13:10:10.847584: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:10:10.847587: | emitting length of IKEv2 Proposal Substructure Payload: 116 Aug 26 13:10:10.847590: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Aug 26 13:10:10.847594: | ****emit IKEv2 Proposal Substructure Payload: Aug 26 13:10:10.847596: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 13:10:10.847599: | prop #: 4 (0x4) Aug 26 13:10:10.847602: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 13:10:10.847605: | spi size: 0 (0x0) Aug 26 13:10:10.847608: | # transforms: 13 (0xd) Aug 26 13:10:10.847611: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is v2_PROPOSAL_NON_LAST (0x2) Aug 26 13:10:10.847614: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Aug 26 13:10:10.847617: | *****emit IKEv2 Transform Substructure Payload: Aug 26 13:10:10.847620: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.847623: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:10:10.847626: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 13:10:10.847629: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:10:10.847634: | ******emit IKEv2 Attribute Substructure Payload: Aug 26 13:10:10.847637: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:10:10.847640: | length/value: 128 (0x80) Aug 26 13:10:10.847643: | emitting length of IKEv2 Transform Substructure Payload: 12 Aug 26 13:10:10.847646: | *****emit IKEv2 Transform Substructure Payload: Aug 26 13:10:10.847649: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.847652: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:10:10.847655: | IKEv2 transform ID: 
PRF_HMAC_SHA2_512 (0x7) Aug 26 13:10:10.847658: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.847661: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:10:10.847664: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:10:10.847667: | *****emit IKEv2 Transform Substructure Payload: Aug 26 13:10:10.847670: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.847673: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:10:10.847676: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Aug 26 13:10:10.847679: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.847682: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:10:10.847685: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:10:10.847688: | *****emit IKEv2 Transform Substructure Payload: Aug 26 13:10:10.847691: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.847694: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:10:10.847697: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Aug 26 13:10:10.847700: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.847703: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:10:10.847706: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:10:10.847709: | *****emit IKEv2 Transform Substructure Payload: Aug 26 13:10:10.847712: | last transform: v2_TRANSFORM_NON_LAST (0x3) 
Aug 26 13:10:10.847715: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:10:10.847718: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Aug 26 13:10:10.847721: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.847724: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:10:10.847727: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:10:10.847730: | *****emit IKEv2 Transform Substructure Payload: Aug 26 13:10:10.847733: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.847736: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:10.847753: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:10:10.847757: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.847761: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:10:10.847764: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:10:10.847767: | *****emit IKEv2 Transform Substructure Payload: Aug 26 13:10:10.847771: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.847774: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:10.847777: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Aug 26 13:10:10.847783: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.847787: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:10:10.847790: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:10:10.847793: 
| *****emit IKEv2 Transform Substructure Payload: Aug 26 13:10:10.847797: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.847800: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:10.847803: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Aug 26 13:10:10.847807: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.847811: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:10:10.847814: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:10:10.847818: | *****emit IKEv2 Transform Substructure Payload: Aug 26 13:10:10.847821: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.847824: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:10.847827: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Aug 26 13:10:10.847831: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.847835: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:10:10.847839: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:10:10.847842: | *****emit IKEv2 Transform Substructure Payload: Aug 26 13:10:10.847845: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.847848: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:10.847852: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Aug 26 13:10:10.847856: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.847859: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last 
transform' Aug 26 13:10:10.847863: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:10:10.847866: | *****emit IKEv2 Transform Substructure Payload: Aug 26 13:10:10.847869: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.847873: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:10.847876: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Aug 26 13:10:10.847880: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.847884: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:10:10.847887: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:10:10.847890: | *****emit IKEv2 Transform Substructure Payload: Aug 26 13:10:10.847893: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.847897: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:10.847900: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Aug 26 13:10:10.847904: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.847908: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:10:10.847911: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:10:10.847914: | *****emit IKEv2 Transform Substructure Payload: Aug 26 13:10:10.847919: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:10:10.847923: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:10.847926: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Aug 26 13:10:10.847930: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.847934: | 
last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:10:10.847937: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:10:10.847941: | emitting length of IKEv2 Proposal Substructure Payload: 116 Aug 26 13:10:10.847944: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Aug 26 13:10:10.847948: | emitting length of IKEv2 Security Association Payload: 436 Aug 26 13:10:10.847952: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Aug 26 13:10:10.847955: | ***emit IKEv2 Key Exchange Payload: Aug 26 13:10:10.847959: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:10.847962: | flags: none (0x0) Aug 26 13:10:10.847966: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:10:10.847970: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Key Exchange Payload (34:ISAKMP_NEXT_v2KE) Aug 26 13:10:10.847974: | next payload chain: saving location 'IKEv2 Key Exchange Payload'.'next payload type' in 'reply packet' Aug 26 13:10:10.847979: | emitting 256 raw bytes of ikev2 g^x into IKEv2 Key Exchange Payload
Aug 26 13:10:10.848035: | emitting length of IKEv2 Key Exchange Payload: 264 Aug 26 13:10:10.848039: | ***emit IKEv2 Nonce Payload: Aug 26 13:10:10.848042: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 13:10:10.848045: | flags: none (0x0) Aug 26 13:10:10.848049: | next payload chain: ignoring supplied 'IKEv2 Nonce Payload'.'next payload type' value 41:ISAKMP_NEXT_v2N Aug 26 13:10:10.848054: | next payload chain: setting previous 'IKEv2 Key Exchange Payload'.'next payload type' to current IKEv2 Nonce Payload (40:ISAKMP_NEXT_v2Ni) Aug 26 13:10:10.848058: | next payload chain: saving location 'IKEv2 Nonce Payload'.'next payload type' in 'reply packet' Aug 26 13:10:10.848062: | emitting 32 raw bytes of IKEv2 nonce into IKEv2 Nonce Payload Aug 26 13:10:10.848065: | IKEv2 nonce 46 1c 3d 0f 4f f9 c9 32 16 b1 a3 7f 43 a1 04 e9 Aug 26 13:10:10.848068: | IKEv2 nonce 9c c5 21 09 7a f0 1d 5b f5 13 03 1d e8 22 5d 26 Aug 26 13:10:10.848074: | emitting length of IKEv2 Nonce Payload: 36 Aug 26 13:10:10.848077: | Adding a v2N Payload Aug 26 13:10:10.848081: | ***emit IKEv2 Notify Payload: Aug 26 13:10:10.848084: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:10.848088: | flags: none (0x0) Aug 26 13:10:10.848091: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:10:10.848094: | SPI size: 0 (0x0) Aug 26
13:10:10.848098: | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) Aug 26 13:10:10.848102: | next payload chain: setting previous 'IKEv2 Nonce Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Aug 26 13:10:10.848106: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Aug 26 13:10:10.848110: | emitting length of IKEv2 Notify Payload: 8 Aug 26 13:10:10.848114: | NAT-Traversal support [enabled] add v2N payloads. Aug 26 13:10:10.848118: | natd_hash: rcookie is zero Aug 26 13:10:10.848136: | natd_hash: hasher=0x562c241e3800(20) Aug 26 13:10:10.848140: | natd_hash: icookie= bf c4 e0 9e f3 c2 f5 83 Aug 26 13:10:10.848144: | natd_hash: rcookie= 00 00 00 00 00 00 00 00 Aug 26 13:10:10.848147: | natd_hash: ip= c0 01 03 21 Aug 26 13:10:10.848150: | natd_hash: port=500 Aug 26 13:10:10.848154: | natd_hash: hash= 78 e9 69 69 0d e3 d5 87 52 56 6a 72 39 2b 30 a4 Aug 26 13:10:10.848157: | natd_hash: hash= 3e 3f cd 20 Aug 26 13:10:10.848160: | Adding a v2N Payload Aug 26 13:10:10.848163: | ***emit IKEv2 Notify Payload: Aug 26 13:10:10.848167: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:10.848170: | flags: none (0x0) Aug 26 13:10:10.848173: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:10:10.848176: | SPI size: 0 (0x0) Aug 26 13:10:10.848180: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Aug 26 13:10:10.848184: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Aug 26 13:10:10.848188: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Aug 26 13:10:10.848192: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Aug 26 13:10:10.848196: | Notify data 78 e9 69 69 0d e3 d5 87 52 56 6a 72 39 2b 30 a4 Aug 26 13:10:10.848199: | Notify data 3e 3f cd 20 Aug 26 13:10:10.848202: | emitting length of IKEv2 Notify Payload: 28 Aug 
26 13:10:10.848205: | natd_hash: rcookie is zero Aug 26 13:10:10.848213: | natd_hash: hasher=0x562c241e3800(20) Aug 26 13:10:10.848217: | natd_hash: icookie= bf c4 e0 9e f3 c2 f5 83 Aug 26 13:10:10.848220: | natd_hash: rcookie= 00 00 00 00 00 00 00 00 Aug 26 13:10:10.848223: | natd_hash: ip= c0 01 02 17 Aug 26 13:10:10.848226: | natd_hash: port=500 Aug 26 13:10:10.848230: | natd_hash: hash= a4 6b 09 09 ae 45 dd 5a 3d 1f fd ba 12 2e fe 69 Aug 26 13:10:10.848233: | natd_hash: hash= 2b b0 3d fb Aug 26 13:10:10.848236: | Adding a v2N Payload Aug 26 13:10:10.848239: | ***emit IKEv2 Notify Payload: Aug 26 13:10:10.848243: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:10.848246: | flags: none (0x0) Aug 26 13:10:10.848249: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:10:10.848252: | SPI size: 0 (0x0) Aug 26 13:10:10.848256: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Aug 26 13:10:10.848260: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Aug 26 13:10:10.848263: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Aug 26 13:10:10.848267: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Aug 26 13:10:10.848270: | Notify data a4 6b 09 09 ae 45 dd 5a 3d 1f fd ba 12 2e fe 69 Aug 26 13:10:10.848273: | Notify data 2b b0 3d fb Aug 26 13:10:10.848277: | emitting length of IKEv2 Notify Payload: 28 Aug 26 13:10:10.848280: | emitting length of ISAKMP Message: 828 Aug 26 13:10:10.848296: | stop processing: state #1 connection "north-east" from 192.1.2.23 (in ikev2_parent_outI1_common() at ikev2_parent.c:817) Aug 26 13:10:10.848318: | start processing: state #1 connection "north-east" from 192.1.2.23 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:10:10.848325: | #1 complete_v2_state_transition() PARENT_I0->PARENT_I1 with status STF_OK Aug 26 13:10:10.848329: | IKEv2: transition from state 
STATE_PARENT_I0 to state STATE_PARENT_I1 Aug 26 13:10:10.848333: | parent state #1: PARENT_I0(ignore) => PARENT_I1(half-open IKE SA) Aug 26 13:10:10.848338: | Message ID: updating counters for #1 to 4294967295 after switching state Aug 26 13:10:10.848341: | Message ID: IKE #1 skipping update_recv as MD is fake Aug 26 13:10:10.848348: | Message ID: sent #1 request 0; ike: initiator.sent=-1->0 initiator.recv=-1 responder.sent=-1 responder.recv=-1 wip.initiator=-1->0 wip.responder=-1 Aug 26 13:10:10.848352: "north-east" #1: STATE_PARENT_I1: sent v2I1, expected v2R1 Aug 26 13:10:10.848359: | sending V2 reply packet to 192.1.2.23:500 (from 192.1.3.33:500) Aug 26 13:10:10.848373: | sending 828 bytes for STATE_PARENT_I0 through eth1 from 192.1.3.33:500 to 192.1.2.23:500 (using #1)
Aug 26 13:10:10.848661: | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted Aug 26 13:10:10.848673: | libevent_free: release ptr-libevent@0x562c24bc5b68 Aug 26 13:10:10.848680: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x562c24bc4578 Aug 26 13:10:10.848687: | success_v2_state_transition scheduling EVENT_RETRANSMIT of c->r_interval=500ms Aug 26 13:10:10.848694: | event_schedule: new EVENT_RETRANSMIT-pe@0x562c24bc4578 Aug 26 13:10:10.848701: | inserting event EVENT_RETRANSMIT, timeout in 0.5 seconds for #1 Aug 26 13:10:10.848707: | libevent_malloc: new ptr-libevent@0x562c24bc5798 size 128 Aug 26 13:10:10.848718: | #1 STATE_PARENT_I1: retransmits: first event in 0.5 seconds; timeout in 60 seconds; limit of 12 retransmits; current time is 10296.591159 Aug 26 13:10:10.848727: | resume sending helper answer for #1 suppresed complete_v2_state_transition() and stole MD Aug 26 13:10:10.848738: | #1 spent 2.06 milliseconds in resume sending helper answer Aug 26 13:10:10.848750: | stop processing: state #1 connection "north-east" from 192.1.2.23 (in resume_handler() at server.c:833) Aug 26 13:10:10.848757: | libevent_free: release ptr-libevent@0x7f25b8002888 Aug 26 13:10:10.852936: | spent 0.00435 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Aug 26 13:10:10.852976: | *received 432 bytes from 192.1.2.23:500 on eth1
(192.1.3.33:500) Aug 26 13:10:10.853090: | start processing: from 192.1.2.23:500 (in process_md() at demux.c:378) Aug 26 13:10:10.853095: | **parse ISAKMP Message: Aug 26 13:10:10.853099: | initiator cookie: Aug 26 13:10:10.853102: | bf c4 e0 9e f3 c2 f5 83 Aug 26 13:10:10.853106: | responder cookie: Aug 26 13:10:10.853109: | c0 4e d2 c1 d5 88 03 5a Aug 26 13:10:10.853113: | next payload type: ISAKMP_NEXT_v2SA (0x21) Aug 26 13:10:10.853116: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:10:10.853120: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) Aug 26 13:10:10.853124: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Aug 26 13:10:10.853127: | Message ID: 0 (0x0) Aug 26 13:10:10.853131: | length: 432 (0x1b0) Aug 26 13:10:10.853135: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_SA_INIT (34) Aug 26 13:10:10.853139: | I am the IKE SA Original Initiator receiving an IKEv2 IKE_SA_INIT response Aug 26 13:10:10.853144: | State DB: found IKEv2 state #1 in PARENT_I1 (find_v2_ike_sa_by_initiator_spi) Aug 26 13:10:10.853152: | start processing: state #1 connection "north-east" from 192.1.2.23 (in ikev2_process_packet() at ikev2.c:2016) Aug 26 13:10:10.853158: | [RE]START processing: state #1 connection "north-east" from 192.1.2.23 (in ike_process_packet() at ikev2.c:2062) Aug 26 13:10:10.853162: | #1 is idle Aug 26 13:10:10.853165: | #1 idle Aug 26 13:10:10.853168: | unpacking clear payload Aug 26 13:10:10.853172: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Aug 26 13:10:10.853176: | ***parse IKEv2 Security Association Payload: Aug 26 13:10:10.853179: | next payload type: ISAKMP_NEXT_v2KE (0x22) Aug 26 13:10:10.853183: | flags: none (0x0) Aug 26 13:10:10.853186: | length: 40 (0x28) Aug 26 13:10:10.853190: | processing payload: ISAKMP_NEXT_v2SA (len=36) Aug 26 13:10:10.853193: | Now let's proceed with payload (ISAKMP_NEXT_v2KE) Aug 26 13:10:10.853197: | ***parse IKEv2 Key Exchange Payload: Aug 26 13:10:10.853200: | next payload type:
ISAKMP_NEXT_v2Ni (0x28) Aug 26 13:10:10.853203: | flags: none (0x0) Aug 26 13:10:10.853207: | length: 264 (0x108) Aug 26 13:10:10.853210: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:10:10.853214: | processing payload: ISAKMP_NEXT_v2KE (len=256) Aug 26 13:10:10.853217: | Now let's proceed with payload (ISAKMP_NEXT_v2Ni) Aug 26 13:10:10.853220: | ***parse IKEv2 Nonce Payload: Aug 26 13:10:10.853224: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 13:10:10.853227: | flags: none (0x0) Aug 26 13:10:10.853230: | length: 36 (0x24) Aug 26 13:10:10.853233: | processing payload: ISAKMP_NEXT_v2Ni (len=32) Aug 26 13:10:10.853237: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Aug 26 13:10:10.853240: | ***parse IKEv2 Notify Payload: Aug 26 13:10:10.853243: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 13:10:10.853247: | flags: none (0x0) Aug 26 13:10:10.853250: | length: 8 (0x8) Aug 26 13:10:10.853253: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:10:10.853257: | SPI size: 0 (0x0) Aug 26 13:10:10.853261: | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) Aug 26 13:10:10.853264: | processing payload: ISAKMP_NEXT_v2N (len=0) Aug 26 13:10:10.853267: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Aug 26 13:10:10.853271: | ***parse IKEv2 Notify Payload: Aug 26 13:10:10.853274: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 13:10:10.853277: | flags: none (0x0) Aug 26 13:10:10.853283: | length: 28 (0x1c) Aug 26 13:10:10.853286: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:10:10.853296: | SPI size: 0 (0x0) Aug 26 13:10:10.853300: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Aug 26 13:10:10.853303: | processing payload: ISAKMP_NEXT_v2N (len=20) Aug 26 13:10:10.853306: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Aug 26 13:10:10.853310: | ***parse IKEv2 Notify Payload: Aug 26 13:10:10.853313: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:10.853316: | flags: none (0x0) Aug 26 13:10:10.853319: | length: 28 
(0x1c) Aug 26 13:10:10.853323: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:10:10.853326: | SPI size: 0 (0x0) Aug 26 13:10:10.853332: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Aug 26 13:10:10.853335: | processing payload: ISAKMP_NEXT_v2N (len=20) Aug 26 13:10:10.853339: | State DB: re-hashing IKEv2 state #1 IKE SPIi and SPI[ir] Aug 26 13:10:10.853347: | #1 in state PARENT_I1: sent v2I1, expected v2R1 Aug 26 13:10:10.853351: | selected state microcode Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH Aug 26 13:10:10.853354: | Now let's proceed with state specific processing Aug 26 13:10:10.853358: | calling processor Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH Aug 26 13:10:10.853363: | ikev2 parent inR1: calculating g^{xy} in order to send I2 Aug 26 13:10:10.853383: | using existing local IKE proposals for connection north-east (IKE SA initiator accepting remote proposal): 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Aug 26 13:10:10.853388: | Comparing remote proposals against IKE initiator (accepting) 4 local proposals Aug 26 13:10:10.853393: | local proposal 1 type ENCR has 1 transforms Aug 26 13:10:10.853397: | local proposal 1 type PRF has 2 transforms Aug 26 13:10:10.853400: | local proposal 1 type INTEG has 1 transforms Aug 26 13:10:10.853404: | local proposal 1 type DH has 8 transforms Aug 26 13:10:10.853407: | local proposal 1 type ESN has 0 
transforms Aug 26 13:10:10.853411: | local proposal 1 transforms: required: ENCR+PRF+DH; optional: INTEG Aug 26 13:10:10.853415: | local proposal 2 type ENCR has 1 transforms Aug 26 13:10:10.853418: | local proposal 2 type PRF has 2 transforms Aug 26 13:10:10.853422: | local proposal 2 type INTEG has 1 transforms Aug 26 13:10:10.853425: | local proposal 2 type DH has 8 transforms Aug 26 13:10:10.853428: | local proposal 2 type ESN has 0 transforms Aug 26 13:10:10.853432: | local proposal 2 transforms: required: ENCR+PRF+DH; optional: INTEG Aug 26 13:10:10.853436: | local proposal 3 type ENCR has 1 transforms Aug 26 13:10:10.853439: | local proposal 3 type PRF has 2 transforms Aug 26 13:10:10.853442: | local proposal 3 type INTEG has 2 transforms Aug 26 13:10:10.853445: | local proposal 3 type DH has 8 transforms Aug 26 13:10:10.853449: | local proposal 3 type ESN has 0 transforms Aug 26 13:10:10.853453: | local proposal 3 transforms: required: ENCR+PRF+INTEG+DH; optional: none Aug 26 13:10:10.853456: | local proposal 4 type ENCR has 1 transforms Aug 26 13:10:10.853459: | local proposal 4 type PRF has 2 transforms Aug 26 13:10:10.853463: | local proposal 4 type INTEG has 2 transforms Aug 26 13:10:10.853466: | local proposal 4 type DH has 8 transforms Aug 26 13:10:10.853469: | local proposal 4 type ESN has 0 transforms Aug 26 13:10:10.853473: | local proposal 4 transforms: required: ENCR+PRF+INTEG+DH; optional: none Aug 26 13:10:10.853477: | ****parse IKEv2 Proposal Substructure Payload: Aug 26 13:10:10.853483: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 13:10:10.853487: | length: 36 (0x24) Aug 26 13:10:10.853490: | prop #: 1 (0x1) Aug 26 13:10:10.853493: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 13:10:10.853497: | spi size: 0 (0x0) Aug 26 13:10:10.853500: | # transforms: 3 (0x3) Aug 26 13:10:10.853505: | Comparing remote proposal 1 containing 3 transforms against local proposal [1..1] of 4 local proposals Aug 26 13:10:10.853508: | *****parse IKEv2 Transform 
Substructure Payload: Aug 26 13:10:10.853512: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.853515: | length: 12 (0xc) Aug 26 13:10:10.853519: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:10:10.853522: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 13:10:10.853526: | ******parse IKEv2 Attribute Substructure Payload: Aug 26 13:10:10.853529: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:10:10.853533: | length/value: 256 (0x100) Aug 26 13:10:10.853538: | remote proposal 1 transform 0 (ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) transform 0 Aug 26 13:10:10.853542: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:10.853546: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.853549: | length: 8 (0x8) Aug 26 13:10:10.853552: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:10:10.853555: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Aug 26 13:10:10.853560: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 1 type 2 (PRF) transform 0 Aug 26 13:10:10.853563: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:10.853567: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:10:10.853570: | length: 8 (0x8) Aug 26 13:10:10.853573: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:10.853577: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:10:10.853581: | remote proposal 1 transform 2 (DH=MODP2048) matches local proposal 1 type 4 (DH) transform 0 Aug 26 13:10:10.853586: | remote proposal 1 proposed transforms: ENCR+PRF+DH; matched: ENCR+PRF+DH; unmatched: none Aug 26 13:10:10.853592: | comparing remote proposal 1 containing ENCR+PRF+DH transforms to local proposal 1; required: ENCR+PRF+DH; optional: INTEG; matched: ENCR+PRF+DH Aug 26 13:10:10.853595: | remote proposal 1 matches local proposal 1 Aug 26 13:10:10.853600: | remote accepted the proposal 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048[first-match] Aug 26 13:10:10.853603: | converting 
proposal to internal trans attrs Aug 26 13:10:10.853620: | natd_hash: hasher=0x562c241e3800(20) Aug 26 13:10:10.853625: | natd_hash: icookie= bf c4 e0 9e f3 c2 f5 83 Aug 26 13:10:10.853628: | natd_hash: rcookie= c0 4e d2 c1 d5 88 03 5a Aug 26 13:10:10.853632: | natd_hash: ip= c0 01 03 21 Aug 26 13:10:10.853635: | natd_hash: port=500 Aug 26 13:10:10.853638: | natd_hash: hash= b8 5f 1d dd b4 8a 40 51 67 3c f8 9b 43 44 2b cb Aug 26 13:10:10.853642: | natd_hash: hash= 0c 92 d4 d1 Aug 26 13:10:10.853649: | natd_hash: hasher=0x562c241e3800(20) Aug 26 13:10:10.853653: | natd_hash: icookie= bf c4 e0 9e f3 c2 f5 83 Aug 26 13:10:10.853656: | natd_hash: rcookie= c0 4e d2 c1 d5 88 03 5a Aug 26 13:10:10.853659: | natd_hash: ip= c0 01 02 17 Aug 26 13:10:10.853662: | natd_hash: port=500 Aug 26 13:10:10.853665: | natd_hash: hash= 2a 91 0b 18 b6 a8 e7 e8 6b 90 74 44 f4 f1 d4 3d Aug 26 13:10:10.853669: | natd_hash: hash= 4d d6 95 04 Aug 26 13:10:10.853672: | NAT_TRAVERSAL encaps using auto-detect Aug 26 13:10:10.853675: | NAT_TRAVERSAL this end is NOT behind NAT Aug 26 13:10:10.853678: | NAT_TRAVERSAL that end is NOT behind NAT Aug 26 13:10:10.853683: | NAT_TRAVERSAL nat-keepalive enabled 192.1.2.23 Aug 26 13:10:10.853688: | offloading IKEv2 SKEYSEED using prf=HMAC_SHA2_512 integ=NONE cipherkey=AES_GCM_16 Aug 26 13:10:10.853692: | adding ikev2_inR1outI2 KE work-order 2 for state #1 Aug 26 13:10:10.853696: | state #1 requesting EVENT_RETRANSMIT to be deleted Aug 26 13:10:10.853700: | #1 STATE_PARENT_I1: retransmits: cleared Aug 26 13:10:10.853708: | libevent_free: release ptr-libevent@0x562c24bc5798 Aug 26 13:10:10.853712: | free_event_entry: release EVENT_RETRANSMIT-pe@0x562c24bc4578 Aug 26 13:10:10.853716: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x562c24bc4578 Aug 26 13:10:10.853721: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 Aug 26 13:10:10.853725: | libevent_malloc: new ptr-libevent@0x7f25b8002888 size 128 Aug 26 13:10:10.853740: | #1 spent 0.374 
milliseconds in processing: Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH in ikev2_process_state_packet() Aug 26 13:10:10.853747: | [RE]START processing: state #1 connection "north-east" from 192.1.2.23 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:10:10.853752: | #1 complete_v2_state_transition() PARENT_I1->PARENT_I2 with status STF_SUSPEND Aug 26 13:10:10.853755: | suspending state #1 and saving MD Aug 26 13:10:10.853758: | #1 is busy; has a suspended MD Aug 26 13:10:10.853764: | [RE]START processing: state #1 connection "north-east" from 192.1.2.23 (in log_stf_suspend() at ikev2.c:3269) Aug 26 13:10:10.853768: | "north-east" #1 complete v2 state STATE_PARENT_I1 transition with STF_SUSPEND suspended from complete_v2_state_transition:3451 Aug 26 13:10:10.853774: | stop processing: state #1 connection "north-east" from 192.1.2.23 (in ikev2_process_packet() at ikev2.c:2018) Aug 26 13:10:10.853780: | #1 spent 0.82 milliseconds in ikev2_process_packet() Aug 26 13:10:10.853785: | stop processing: from 192.1.2.23:500 (in process_md() at demux.c:380) Aug 26 13:10:10.853795: | processing: STOP state #0 (in process_md() at demux.c:382) Aug 26 13:10:10.853780: | crypto helper 1 resuming Aug 26 13:10:10.853819: | crypto helper 1 starting work-order 2 for state #1 Aug 26 13:10:10.853826: | crypto helper 1 doing compute dh (V2) (ikev2_inR1outI2 KE); request ID 2 Aug 26 13:10:10.853801: | processing: STOP connection NULL (in process_md() at demux.c:383) Aug 26 13:10:10.853873: | spent 0.899 milliseconds in comm_handle_cb() reading and processing packet Aug 26 13:10:10.854908: | calculating skeyseed using prf=sha2_512 integ=none cipherkey-size=32 salt-size=4 Aug 26 13:10:10.855465: | crypto helper 1 finished compute dh (V2) (ikev2_inR1outI2 KE); request ID 2 time elapsed 0.001639 seconds Aug 26 13:10:10.855481: | (#1) spent 1.64 milliseconds in crypto helper computing work-order 2: ikev2_inR1outI2 KE (pcr) Aug 26 13:10:10.855486: | crypto helper 1 
sending results from work-order 2 for state #1 to event queue Aug 26 13:10:10.855490: | scheduling resume sending helper answer for #1 Aug 26 13:10:10.855494: | libevent_malloc: new ptr-libevent@0x7f25b0000f48 size 128 Aug 26 13:10:10.855505: | crypto helper 1 waiting (nothing to do) Aug 26 13:10:10.855545: | processing resume sending helper answer for #1 Aug 26 13:10:10.855564: | start processing: state #1 connection "north-east" from 192.1.2.23 (in resume_handler() at server.c:797) Aug 26 13:10:10.855571: | crypto helper 1 replies to request ID 2 Aug 26 13:10:10.855575: | calling continuation function 0x562c2410eb50 Aug 26 13:10:10.855579: | ikev2_parent_inR1outI2_continue for #1: calculating g^{xy}, sending I2 Aug 26 13:10:10.855592: | creating state object #2 at 0x562c24bc9f08 Aug 26 13:10:10.855596: | State DB: adding IKEv2 state #2 in UNDEFINED Aug 26 13:10:10.855601: | pstats #2 ikev2.child started Aug 26 13:10:10.855606: | duplicating state object #1 "north-east" as #2 for IPSEC SA Aug 26 13:10:10.855612: | #2 setting local endpoint to 192.1.3.33:500 from #1.st_localport (in duplicate_state() at state.c:1484) Aug 26 13:10:10.855621: | Message ID: init_child #1.#2; ike: initiator.sent=0 initiator.recv=-1 responder.sent=-1 responder.recv=-1; child: wip.initiator=0->-1 wip.responder=0->-1 Aug 26 13:10:10.855628: | Message ID: switch-from #1 response 0; ike: initiator.sent=0 initiator.recv=-1 responder.sent=-1 responder.recv=-1 wip.initiator=0->-1 wip.responder=-1 Aug 26 13:10:10.855634: | Message ID: switch-to #1.#2 response 0; ike: initiator.sent=0 initiator.recv=-1 responder.sent=-1 responder.recv=-1; child: wip.initiator=-1->0 wip.responder=-1 Aug 26 13:10:10.855642: | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted Aug 26 13:10:10.855647: | libevent_free: release ptr-libevent@0x7f25b8002888 Aug 26 13:10:10.855651: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x562c24bc4578 Aug 26 13:10:10.855655: | event_schedule: new 
EVENT_SA_REPLACE-pe@0x562c24bc4578 Aug 26 13:10:10.855661: | inserting event EVENT_SA_REPLACE, timeout in 60 seconds for #1 Aug 26 13:10:10.855665: | libevent_malloc: new ptr-libevent@0x7f25b8002888 size 128 Aug 26 13:10:10.855669: | parent state #1: PARENT_I1(half-open IKE SA) => PARENT_I2(open IKE SA) Aug 26 13:10:10.855677: | **emit ISAKMP Message: Aug 26 13:10:10.855681: | initiator cookie: Aug 26 13:10:10.855685: | bf c4 e0 9e f3 c2 f5 83 Aug 26 13:10:10.855688: | responder cookie: Aug 26 13:10:10.855691: | c0 4e d2 c1 d5 88 03 5a Aug 26 13:10:10.855695: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 13:10:10.855699: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:10:10.855703: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Aug 26 13:10:10.855707: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Aug 26 13:10:10.855710: | Message ID: 1 (0x1) Aug 26 13:10:10.855714: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 13:10:10.855718: | ***emit IKEv2 Encryption Payload: Aug 26 13:10:10.855722: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:10.855725: | flags: none (0x0) Aug 26 13:10:10.855730: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Aug 26 13:10:10.855734: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'reply packet' Aug 26 13:10:10.855739: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Aug 26 13:10:10.855748: | IKEv2 CERT: send a certificate? 
Aug 26 13:10:10.855752: | IKEv2 CERT: no certificate to send Aug 26 13:10:10.855755: | IDr payload will be sent Aug 26 13:10:10.855776: | ****emit IKEv2 Identification - Initiator - Payload: Aug 26 13:10:10.855781: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:10.855784: | flags: none (0x0) Aug 26 13:10:10.855788: | ID type: ID_FQDN (0x2) Aug 26 13:10:10.855793: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Identification - Initiator - Payload (35:ISAKMP_NEXT_v2IDi) Aug 26 13:10:10.855797: | next payload chain: saving location 'IKEv2 Identification - Initiator - Payload'.'next payload type' in 'reply packet' Aug 26 13:10:10.855801: | emitting 5 raw bytes of my identity into IKEv2 Identification - Initiator - Payload Aug 26 13:10:10.855805: | my identity 6e 6f 72 74 68 Aug 26 13:10:10.855808: | emitting length of IKEv2 Identification - Initiator - Payload: 13 Aug 26 13:10:10.855820: | ****emit IKEv2 Identification - Responder - Payload: Aug 26 13:10:10.855824: | next payload type: ISAKMP_NEXT_v2AUTH (0x27) Aug 26 13:10:10.855828: | flags: none (0x0) Aug 26 13:10:10.855831: | ID type: ID_FQDN (0x2) Aug 26 13:10:10.855835: | next payload chain: ignoring supplied 'IKEv2 Identification - Responder - Payload'.'next payload type' value 39:ISAKMP_NEXT_v2AUTH Aug 26 13:10:10.855840: | next payload chain: setting previous 'IKEv2 Identification - Initiator - Payload'.'next payload type' to current IKEv2 Identification - Responder - Payload (36:ISAKMP_NEXT_v2IDr) Aug 26 13:10:10.855844: | next payload chain: saving location 'IKEv2 Identification - Responder - Payload'.'next payload type' in 'reply packet' Aug 26 13:10:10.855848: | emitting 4 raw bytes of IDr into IKEv2 Identification - Responder - Payload Aug 26 13:10:10.855851: | IDr 65 61 73 74 Aug 26 13:10:10.855855: | emitting length of IKEv2 Identification - Responder - Payload: 12 Aug 26 13:10:10.855858: | not sending INITIAL_CONTACT Aug 26 
13:10:10.855862: | ****emit IKEv2 Authentication Payload: Aug 26 13:10:10.855865: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:10.855871: | flags: none (0x0) Aug 26 13:10:10.855875: | auth method: IKEv2_AUTH_RSA (0x1) Aug 26 13:10:10.855880: | next payload chain: setting previous 'IKEv2 Identification - Responder - Payload'.'next payload type' to current IKEv2 Authentication Payload (39:ISAKMP_NEXT_v2AUTH) Aug 26 13:10:10.855883: | next payload chain: saving location 'IKEv2 Authentication Payload'.'next payload type' in 'reply packet' Aug 26 13:10:10.855890: | started looking for secret for @north->@east of kind PKK_RSA Aug 26 13:10:10.855895: | actually looking for secret for @north->@east of kind PKK_RSA Aug 26 13:10:10.855899: | line 1: key type PKK_RSA(@north) to type PKK_RSA Aug 26 13:10:10.855904: | 1: compared key (none) to @north / @east -> 002 Aug 26 13:10:10.855908: | 2: compared key (none) to @north / @east -> 002 Aug 26 13:10:10.855911: | line 1: match=002 Aug 26 13:10:10.855915: | match 002 beats previous best_match 000 match=0x562c24b1bb58 (line=1) Aug 26 13:10:10.855919: | concluding with best_match=002 best=0x562c24b1bb58 (lineno=1) Aug 26 13:10:10.864236: | #1 spent 8.24 milliseconds in ikev2_calculate_rsa_hash() calling sign_hash_RSA() Aug 26 13:10:10.864260: | emitting 274 raw bytes of rsa signature into IKEv2 Authentication Payload
Aug 26 13:10:10.864352: | #1 spent 8.4 milliseconds in ikev2_calculate_rsa_hash() Aug 26 13:10:10.864358: | emitting length of IKEv2 Authentication Payload: 282 Aug 26 13:10:10.864363: | getting first pending from state #1 Aug 26 13:10:10.864394: | netlink_get_spi: allocated 0x4eea0a18 for esp.0@192.1.3.33 Aug 26 13:10:10.864401: | constructing ESP/AH proposals with all DH removed for north-east (IKE SA initiator emitting ESP/AH proposals) Aug 26 13:10:10.864410: | converting proposal AES_GCM_16_256-NONE to ikev2 ... Aug 26 13:10:10.864420: | ... ikev2_proposal: 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;DH=NONE;ESN=DISABLED Aug 26 13:10:10.864425: | converting proposal AES_GCM_16_128-NONE to ikev2 ... Aug 26 13:10:10.864431: | ... ikev2_proposal: 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;DH=NONE;ESN=DISABLED Aug 26 13:10:10.864437: | converting proposal AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128 to ikev2 ... Aug 26 13:10:10.864443: | ...
ikev2_proposal: 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED Aug 26 13:10:10.864448: | converting proposal AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128 to ikev2 ... Aug 26 13:10:10.864454: | ... ikev2_proposal: 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED Aug 26 13:10:10.864472: "north-east": constructed local ESP/AH proposals for north-east (IKE SA initiator emitting ESP/AH proposals): 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;DH=NONE;ESN=DISABLED 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;DH=NONE;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED Aug 26 13:10:10.864477: | Emitting ikev2_proposals ... Aug 26 13:10:10.864482: | ****emit IKEv2 Security Association Payload: Aug 26 13:10:10.864487: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:10.864492: | flags: none (0x0) Aug 26 13:10:10.864498: | next payload chain: setting previous 'IKEv2 Authentication Payload'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Aug 26 13:10:10.864503: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Aug 26 13:10:10.864508: | discarding INTEG=NONE Aug 26 13:10:10.864512: | discarding DH=NONE Aug 26 13:10:10.864516: | *****emit IKEv2 Proposal Substructure Payload: Aug 26 13:10:10.864520: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 13:10:10.864524: | prop #: 1 (0x1) Aug 26 13:10:10.864528: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 13:10:10.864532: | spi size: 4 (0x4) Aug 26 13:10:10.864536: | # transforms: 2 (0x2) Aug 26 13:10:10.864541: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Aug 26 13:10:10.864546: | emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure 
Payload Aug 26 13:10:10.864550: | our spi 4e ea 0a 18 Aug 26 13:10:10.864554: | ******emit IKEv2 Transform Substructure Payload: Aug 26 13:10:10.864559: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.864563: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:10:10.864567: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 13:10:10.864572: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:10:10.864576: | *******emit IKEv2 Attribute Substructure Payload: Aug 26 13:10:10.864581: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:10:10.864585: | length/value: 256 (0x100) Aug 26 13:10:10.864589: | emitting length of IKEv2 Transform Substructure Payload: 12 Aug 26 13:10:10.864593: | discarding INTEG=NONE Aug 26 13:10:10.864597: | discarding DH=NONE Aug 26 13:10:10.864601: | ******emit IKEv2 Transform Substructure Payload: Aug 26 13:10:10.864605: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:10:10.864609: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 13:10:10.864613: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 13:10:10.864618: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.864623: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:10:10.864627: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:10:10.864631: | emitting length of IKEv2 Proposal Substructure Payload: 32 Aug 26 13:10:10.864636: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Aug 26 13:10:10.864639: | discarding INTEG=NONE Aug 26 13:10:10.864643: | discarding DH=NONE Aug 26 13:10:10.864647: | *****emit IKEv2 Proposal Substructure Payload: Aug 26 13:10:10.864651: | last proposal: 
v2_PROPOSAL_NON_LAST (0x2) Aug 26 13:10:10.864655: | prop #: 2 (0x2) Aug 26 13:10:10.864659: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 13:10:10.864662: | spi size: 4 (0x4) Aug 26 13:10:10.864666: | # transforms: 2 (0x2) Aug 26 13:10:10.864671: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is v2_PROPOSAL_NON_LAST (0x2) Aug 26 13:10:10.864678: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Aug 26 13:10:10.864684: | emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload Aug 26 13:10:10.864688: | our spi 4e ea 0a 18 Aug 26 13:10:10.864692: | ******emit IKEv2 Transform Substructure Payload: Aug 26 13:10:10.864696: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.864700: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:10:10.864704: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 13:10:10.864708: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:10:10.864712: | *******emit IKEv2 Attribute Substructure Payload: Aug 26 13:10:10.864716: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:10:10.864720: | length/value: 128 (0x80) Aug 26 13:10:10.864724: | emitting length of IKEv2 Transform Substructure Payload: 12 Aug 26 13:10:10.864728: | discarding INTEG=NONE Aug 26 13:10:10.864732: | discarding DH=NONE Aug 26 13:10:10.864735: | ******emit IKEv2 Transform Substructure Payload: Aug 26 13:10:10.864740: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:10:10.864744: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 13:10:10.864747: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 13:10:10.864752: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.864757: | last substructure: 
saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:10:10.864761: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:10:10.864765: | emitting length of IKEv2 Proposal Substructure Payload: 32 Aug 26 13:10:10.864769: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Aug 26 13:10:10.864773: | discarding DH=NONE Aug 26 13:10:10.864777: | *****emit IKEv2 Proposal Substructure Payload: Aug 26 13:10:10.864781: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 13:10:10.864785: | prop #: 3 (0x3) Aug 26 13:10:10.864789: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 13:10:10.864793: | spi size: 4 (0x4) Aug 26 13:10:10.864796: | # transforms: 4 (0x4) Aug 26 13:10:10.864801: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is v2_PROPOSAL_NON_LAST (0x2) Aug 26 13:10:10.864806: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Aug 26 13:10:10.864810: | emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload Aug 26 13:10:10.864814: | our spi 4e ea 0a 18 Aug 26 13:10:10.864818: | ******emit IKEv2 Transform Substructure Payload: Aug 26 13:10:10.864822: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.864826: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:10:10.864830: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 13:10:10.864834: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:10:10.864838: | *******emit IKEv2 Attribute Substructure Payload: Aug 26 13:10:10.864842: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:10:10.864846: | length/value: 256 (0x100) Aug 26 13:10:10.864850: | emitting length of IKEv2 Transform Substructure Payload: 12 Aug 
26 13:10:10.864854: | ******emit IKEv2 Transform Substructure Payload: Aug 26 13:10:10.864858: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.864862: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:10:10.864866: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Aug 26 13:10:10.864871: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.864878: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:10:10.864882: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:10:10.864886: | ******emit IKEv2 Transform Substructure Payload: Aug 26 13:10:10.864890: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.864894: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:10:10.864898: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Aug 26 13:10:10.864902: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.864907: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:10:10.864911: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:10:10.864915: | discarding DH=NONE Aug 26 13:10:10.864918: | ******emit IKEv2 Transform Substructure Payload: Aug 26 13:10:10.864922: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:10:10.864926: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 13:10:10.864930: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 13:10:10.864935: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.864939: | last substructure: saving location 'IKEv2 Proposal 
Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:10:10.864944: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:10:10.864948: | emitting length of IKEv2 Proposal Substructure Payload: 48 Aug 26 13:10:10.864952: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Aug 26 13:10:10.864956: | discarding DH=NONE Aug 26 13:10:10.864960: | *****emit IKEv2 Proposal Substructure Payload: Aug 26 13:10:10.864964: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 13:10:10.864967: | prop #: 4 (0x4) Aug 26 13:10:10.864971: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 13:10:10.864975: | spi size: 4 (0x4) Aug 26 13:10:10.864979: | # transforms: 4 (0x4) Aug 26 13:10:10.864983: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is v2_PROPOSAL_NON_LAST (0x2) Aug 26 13:10:10.864988: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Aug 26 13:10:10.864992: | emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload Aug 26 13:10:10.864996: | our spi 4e ea 0a 18 Aug 26 13:10:10.865000: | ******emit IKEv2 Transform Substructure Payload: Aug 26 13:10:10.865004: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.865008: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:10:10.865012: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 13:10:10.865016: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:10:10.865020: | *******emit IKEv2 Attribute Substructure Payload: Aug 26 13:10:10.865024: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:10:10.865028: | length/value: 128 (0x80) Aug 26 13:10:10.865032: | emitting length of IKEv2 Transform Substructure Payload: 12 Aug 26 13:10:10.865036: | ******emit 
IKEv2 Transform Substructure Payload: Aug 26 13:10:10.865040: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.865044: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:10:10.865048: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Aug 26 13:10:10.865053: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.865060: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:10:10.865064: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:10:10.865068: | ******emit IKEv2 Transform Substructure Payload: Aug 26 13:10:10.865072: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.865076: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:10:10.865080: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Aug 26 13:10:10.865085: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.865089: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:10:10.865093: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:10:10.865097: | discarding DH=NONE Aug 26 13:10:10.865101: | ******emit IKEv2 Transform Substructure Payload: Aug 26 13:10:10.865105: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:10:10.865109: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 13:10:10.865112: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 13:10:10.865117: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.865122: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform 
Substructure Payload'.'last transform' Aug 26 13:10:10.865126: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:10:10.865130: | emitting length of IKEv2 Proposal Substructure Payload: 48 Aug 26 13:10:10.865134: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Aug 26 13:10:10.865138: | emitting length of IKEv2 Security Association Payload: 164 Aug 26 13:10:10.865143: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Aug 26 13:10:10.865148: | ****emit IKEv2 Traffic Selector - Initiator - Payload: Aug 26 13:10:10.865152: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:10.865156: | flags: none (0x0) Aug 26 13:10:10.865160: | number of TS: 1 (0x1) Aug 26 13:10:10.865166: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Traffic Selector - Initiator - Payload (44:ISAKMP_NEXT_v2TSi) Aug 26 13:10:10.865170: | next payload chain: saving location 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' in 'reply packet' Aug 26 13:10:10.865175: | *****emit IKEv2 Traffic Selector: Aug 26 13:10:10.865179: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 13:10:10.865183: | IP Protocol ID: 0 (0x0) Aug 26 13:10:10.865187: | start port: 0 (0x0) Aug 26 13:10:10.865191: | end port: 65535 (0xffff) Aug 26 13:10:10.865196: | emitting 4 raw bytes of ipv4 start into IKEv2 Traffic Selector Aug 26 13:10:10.865199: | ipv4 start c0 00 03 fe Aug 26 13:10:10.865204: | emitting 4 raw bytes of ipv4 end into IKEv2 Traffic Selector Aug 26 13:10:10.865208: | ipv4 end c0 00 03 fe Aug 26 13:10:10.865212: | emitting length of IKEv2 Traffic Selector: 16 Aug 26 13:10:10.865216: | emitting length of IKEv2 Traffic Selector - Initiator - Payload: 24 Aug 26 13:10:10.865220: | ****emit IKEv2 Traffic Selector - Responder - Payload: Aug 26 
13:10:10.865224: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:10.865228: | flags: none (0x0) Aug 26 13:10:10.865232: | number of TS: 1 (0x1) Aug 26 13:10:10.865237: | next payload chain: setting previous 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' to current IKEv2 Traffic Selector - Responder - Payload (45:ISAKMP_NEXT_v2TSr) Aug 26 13:10:10.865242: | next payload chain: saving location 'IKEv2 Traffic Selector - Responder - Payload'.'next payload type' in 'reply packet' Aug 26 13:10:10.865248: | *****emit IKEv2 Traffic Selector: Aug 26 13:10:10.865252: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 13:10:10.865256: | IP Protocol ID: 0 (0x0) Aug 26 13:10:10.865260: | start port: 0 (0x0) Aug 26 13:10:10.865264: | end port: 65535 (0xffff) Aug 26 13:10:10.865268: | emitting 4 raw bytes of ipv4 start into IKEv2 Traffic Selector Aug 26 13:10:10.865272: | ipv4 start c0 00 02 00 Aug 26 13:10:10.865276: | emitting 4 raw bytes of ipv4 end into IKEv2 Traffic Selector Aug 26 13:10:10.865280: | ipv4 end c0 00 02 ff Aug 26 13:10:10.865284: | emitting length of IKEv2 Traffic Selector: 16 Aug 26 13:10:10.865295: | emitting length of IKEv2 Traffic Selector - Responder - Payload: 24 Aug 26 13:10:10.865305: | Initiator child policy is tunnel mode, NOT sending v2N_USE_TRANSPORT_MODE Aug 26 13:10:10.865310: | Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED Aug 26 13:10:10.865315: | adding 1 bytes of padding (including 1 byte padding-length) Aug 26 13:10:10.865320: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:10:10.865325: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Aug 26 13:10:10.865330: | emitting length of IKEv2 Encryption Payload: 548 Aug 26 13:10:10.865334: | emitting length of ISAKMP Message: 576 Aug 26 13:10:10.865341: | **parse ISAKMP Message: Aug 26 13:10:10.865345: | initiator cookie: Aug 26 13:10:10.865349: | bf c4 e0 9e 
f3 c2 f5 83 Aug 26 13:10:10.865353: | responder cookie: Aug 26 13:10:10.865357: | c0 4e d2 c1 d5 88 03 5a Aug 26 13:10:10.865361: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Aug 26 13:10:10.865365: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:10:10.865370: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Aug 26 13:10:10.865374: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Aug 26 13:10:10.865378: | Message ID: 1 (0x1) Aug 26 13:10:10.865382: | length: 576 (0x240) Aug 26 13:10:10.865386: | **parse IKEv2 Encryption Payload: Aug 26 13:10:10.865390: | next payload type: ISAKMP_NEXT_v2IDi (0x23) Aug 26 13:10:10.865394: | flags: none (0x0) Aug 26 13:10:10.865398: | length: 548 (0x224) Aug 26 13:10:10.865402: | **emit ISAKMP Message: Aug 26 13:10:10.865405: | initiator cookie: Aug 26 13:10:10.865409: | bf c4 e0 9e f3 c2 f5 83 Aug 26 13:10:10.865413: | responder cookie: Aug 26 13:10:10.865417: | c0 4e d2 c1 d5 88 03 5a Aug 26 13:10:10.865421: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 13:10:10.865425: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:10:10.865429: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Aug 26 13:10:10.865433: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Aug 26 13:10:10.865436: | Message ID: 1 (0x1) Aug 26 13:10:10.865441: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 13:10:10.865446: | ***emit IKEv2 Encrypted Fragment: Aug 26 13:10:10.865450: | next payload type: ISAKMP_NEXT_v2IDi (0x23) Aug 26 13:10:10.865453: | flags: none (0x0) Aug 26 13:10:10.865457: | fragment number: 1 (0x1) Aug 26 13:10:10.865461: | total fragments: 2 (0x2) Aug 26 13:10:10.865466: | next payload chain: using supplied v2SKF 'IKEv2 Encrypted Fragment'.'next payload type' value 35:ISAKMP_NEXT_v2IDi Aug 26 13:10:10.865471: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encrypted Fragment (53:ISAKMP_NEXT_v2SKF) Aug 26 13:10:10.865476: | next payload chain: 
saving location 'IKEv2 Encrypted Fragment'.'next payload type' in 'reply frag packet' Aug 26 13:10:10.865481: | emitting 8 zero bytes of IV into IKEv2 Encrypted Fragment Aug 26 13:10:10.865492: | emitting 478 raw bytes of cleartext fragment into IKEv2 Encrypted Fragment
Aug 26 13:10:10.865618: | adding 1 bytes of padding (including 1 byte padding-length) Aug 26 13:10:10.865623: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encrypted Fragment Aug 26 13:10:10.865628: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encrypted Fragment Aug 26 13:10:10.865632: | emitting length of IKEv2 Encrypted Fragment: 511 Aug 26 13:10:10.865636: | emitting length of ISAKMP Message: 539 Aug 26 13:10:10.865656: | **emit ISAKMP Message: Aug 26 13:10:10.865661: | initiator cookie: Aug 26 13:10:10.865665: | bf c4 e0 9e f3 c2 f5 83 Aug 26 13:10:10.865669: | responder cookie: Aug 26 13:10:10.865672: | c0 4e d2 c1 d5 88 03 5a Aug 26 13:10:10.865676: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 13:10:10.865680: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:10:10.865684: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Aug 26 13:10:10.865688: | flags: 
ISAKMP_FLAG_v2_IKE_INIT (0x8) Aug 26 13:10:10.865692: | Message ID: 1 (0x1) Aug 26 13:10:10.865696: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 13:10:10.865701: | ***emit IKEv2 Encrypted Fragment: Aug 26 13:10:10.865705: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:10.865708: | flags: none (0x0) Aug 26 13:10:10.865712: | fragment number: 2 (0x2) Aug 26 13:10:10.865719: | total fragments: 2 (0x2) Aug 26 13:10:10.865724: | next payload chain: using supplied v2SKF 'IKEv2 Encrypted Fragment'.'next payload type' value 0:ISAKMP_NEXT_v2NONE Aug 26 13:10:10.865729: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encrypted Fragment (53:ISAKMP_NEXT_v2SKF) Aug 26 13:10:10.865733: | next payload chain: saving location 'IKEv2 Encrypted Fragment'.'next payload type' in 'reply frag packet' Aug 26 13:10:10.865738: | emitting 8 zero bytes of IV into IKEv2 Encrypted Fragment Aug 26 13:10:10.865763: | emitting 41 raw bytes of cleartext fragment into IKEv2 Encrypted Fragment Aug 26 13:10:10.865769: | cleartext fragment 00 07 00 00 10 00 00 ff ff c0 00 03 fe c0 00 03 Aug 26 13:10:10.865774: | cleartext fragment fe 00 00 00 18 01 00 00 00 07 00 00 10 00 00 ff Aug 26 13:10:10.865779: | cleartext fragment ff c0 00 02 00 c0 00 02 ff Aug 26 13:10:10.865784: | adding 1 bytes of padding (including 1 byte padding-length) Aug 26 13:10:10.865789: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encrypted Fragment Aug 26 13:10:10.865795: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encrypted Fragment Aug 26 13:10:10.865800: | emitting length of IKEv2 Encrypted Fragment: 74 Aug 26 13:10:10.865805: | emitting length of ISAKMP Message: 102 Aug 26 13:10:10.865829: | suspend processing: state #1 connection "north-east" from 192.1.2.23 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:10:10.865838: | start processing: state #2 connection 
"north-east" from 192.1.2.23 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:10:10.865847: | #2 complete_v2_state_transition() md.from_state=PARENT_I1 md.svm.state[from]=PARENT_I1 UNDEFINED->PARENT_I2 with status STF_OK Aug 26 13:10:10.865853: | IKEv2: transition from state STATE_PARENT_I1 to state STATE_PARENT_I2 Aug 26 13:10:10.865860: | child state #2: UNDEFINED(ignore) => PARENT_I2(open IKE SA) Aug 26 13:10:10.865866: | Message ID: updating counters for #2 to 0 after switching state Aug 26 13:10:10.865877: | Message ID: recv #1.#2 response 0; ike: initiator.sent=0 initiator.recv=-1->0 responder.sent=-1 responder.recv=-1; child: wip.initiator=0->-1 wip.responder=-1 Aug 26 13:10:10.865886: | Message ID: sent #1.#2 request 1; ike: initiator.sent=0->1 initiator.recv=0 responder.sent=-1 responder.recv=-1; child: wip.initiator=-1->1 wip.responder=-1 Aug 26 13:10:10.865895: "north-east" #2: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048} Aug 26 13:10:10.865905: | sending V2 reply packet to 192.1.2.23:500 (from 192.1.3.33:500) Aug 26 13:10:10.865910: | sending fragments ... 
Aug 26 13:10:10.865921: | sending 539 bytes for STATE_PARENT_I1 through eth1 from 192.1.3.33:500 to 192.1.2.23:500 (using #1)
Aug 26 13:10:10.866177: | sending 102 bytes for STATE_PARENT_I1 through eth1 from 192.1.3.33:500 to 192.1.2.23:500 (using #1) Aug 26 13:10:10.866277: | sent 2 fragments Aug 26 13:10:10.866301: | success_v2_state_transition scheduling EVENT_RETRANSMIT of c->r_interval=500ms Aug 26 13:10:10.866319: | event_schedule: new EVENT_RETRANSMIT-pe@0x7f25b8002b78 Aug 26 13:10:10.866332: | inserting event EVENT_RETRANSMIT, timeout in 0.5 seconds for #2 Aug 26 13:10:10.866343: | libevent_malloc: new ptr-libevent@0x562c24bc7718 size 128 Aug 26 13:10:10.866360: | #2 STATE_PARENT_I2: retransmits: first event in 0.5 seconds; timeout in 60 seconds; limit of 12 retransmits; current time is 10296.608781 Aug 26 13:10:10.866373: | resume sending helper answer for #1 suppresed complete_v2_state_transition() Aug 26 13:10:10.866390: | #1 spent 1.96 milliseconds Aug 26 13:10:10.866402: | #1 spent 
10.7 milliseconds in resume sending helper answer Aug 26 13:10:10.866418: | stop processing: state #2 connection "north-east" from 192.1.2.23 (in resume_handler() at server.c:833) Aug 26 13:10:10.866429: | libevent_free: release ptr-libevent@0x7f25b0000f48 Aug 26 13:10:10.907405: | spent 0.00682 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Aug 26 13:10:10.907462: | *received 435 bytes from 192.1.2.23:500 on eth1 (192.1.3.33:500)
Aug 26 13:10:10.907697: | start processing: from 192.1.2.23:500 (in process_md() at demux.c:378) Aug 26 13:10:10.907705: | **parse ISAKMP Message: Aug 26 13:10:10.907710: | initiator cookie: Aug 26 13:10:10.907715: | bf c4 e0 9e f3 c2 f5 83 Aug 26 13:10:10.907720: | responder cookie: Aug 26 13:10:10.907725: | c0 4e d2 c1 d5 88 03 5a Aug 26 13:10:10.907731: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Aug 26 13:10:10.907736: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:10:10.907741: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Aug 26 13:10:10.907747: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Aug 26 13:10:10.907752: | Message ID: 1 (0x1) Aug 26 13:10:10.907757: | length: 435 (0x1b3) Aug 26 13:10:10.907763: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) Aug 26 13:10:10.907770: | I am the IKE SA Original Initiator receiving an IKEv2 IKE_AUTH response Aug 26 13:10:10.907778: | State DB: found IKEv2 state #1 in PARENT_I2 (find_v2_ike_sa) Aug 26 13:10:10.907789: | start processing: state #1 connection "north-east" from 192.1.2.23 (in ikev2_process_packet() at ikev2.c:2016) Aug 26 13:10:10.907796: | State DB: found IKEv2 state #2 in PARENT_I2 (find_v2_sa_by_initiator_wip) Aug 26 13:10:10.907804: | suspend processing: state #1 connection "north-east" from 192.1.2.23 (in ike_process_packet() at ikev2.c:2062) Aug 26 13:10:10.907812: | start processing: state #2 connection "north-east" from 192.1.2.23 (in ike_process_packet() at 
ikev2.c:2062) Aug 26 13:10:10.907817: | #2 is idle Aug 26 13:10:10.907822: | #2 idle Aug 26 13:10:10.907826: | unpacking clear payload Aug 26 13:10:10.907831: | Now let's proceed with payload (ISAKMP_NEXT_v2SK) Aug 26 13:10:10.907837: | ***parse IKEv2 Encryption Payload: Aug 26 13:10:10.907842: | next payload type: ISAKMP_NEXT_v2IDr (0x24) Aug 26 13:10:10.907847: | flags: none (0x0) Aug 26 13:10:10.907852: | length: 407 (0x197) Aug 26 13:10:10.907857: | processing payload: ISAKMP_NEXT_v2SK (len=403) Aug 26 13:10:10.907863: | #2 in state PARENT_I2: sent v2I2, expected v2R2 Aug 26 13:10:10.907891: | #2 ikev2 ISAKMP_v2_IKE_AUTH decrypt success Aug 26 13:10:10.907898: | Now let's proceed with payload (ISAKMP_NEXT_v2IDr) Aug 26 13:10:10.907903: | **parse IKEv2 Identification - Responder - Payload: Aug 26 13:10:10.907908: | next payload type: ISAKMP_NEXT_v2AUTH (0x27) Aug 26 13:10:10.907913: | flags: none (0x0) Aug 26 13:10:10.907918: | length: 12 (0xc) Aug 26 13:10:10.907923: | ID type: ID_FQDN (0x2) Aug 26 13:10:10.907928: | processing payload: ISAKMP_NEXT_v2IDr (len=4) Aug 26 13:10:10.907933: | Now let's proceed with payload (ISAKMP_NEXT_v2AUTH) Aug 26 13:10:10.907943: | **parse IKEv2 Authentication Payload: Aug 26 13:10:10.907949: | next payload type: ISAKMP_NEXT_v2SA (0x21) Aug 26 13:10:10.907954: | flags: none (0x0) Aug 26 13:10:10.907959: | length: 282 (0x11a) Aug 26 13:10:10.907963: | auth method: IKEv2_AUTH_RSA (0x1) Aug 26 13:10:10.907968: | processing payload: ISAKMP_NEXT_v2AUTH (len=274) Aug 26 13:10:10.907973: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Aug 26 13:10:10.907978: | **parse IKEv2 Security Association Payload: Aug 26 13:10:10.907983: | next payload type: ISAKMP_NEXT_v2TSi (0x2c) Aug 26 13:10:10.907988: | flags: none (0x0) Aug 26 13:10:10.907992: | length: 36 (0x24) Aug 26 13:10:10.907997: | processing payload: ISAKMP_NEXT_v2SA (len=32) Aug 26 13:10:10.908002: | Now let's proceed with payload (ISAKMP_NEXT_v2TSi) Aug 26 13:10:10.908007: | 
**parse IKEv2 Traffic Selector - Initiator - Payload: Aug 26 13:10:10.908012: | next payload type: ISAKMP_NEXT_v2TSr (0x2d) Aug 26 13:10:10.908017: | flags: none (0x0) Aug 26 13:10:10.908021: | length: 24 (0x18) Aug 26 13:10:10.908026: | number of TS: 1 (0x1) Aug 26 13:10:10.908031: | processing payload: ISAKMP_NEXT_v2TSi (len=16) Aug 26 13:10:10.908035: | Now let's proceed with payload (ISAKMP_NEXT_v2TSr) Aug 26 13:10:10.908040: | **parse IKEv2 Traffic Selector - Responder - Payload: Aug 26 13:10:10.908045: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:10.908050: | flags: none (0x0) Aug 26 13:10:10.908055: | length: 24 (0x18) Aug 26 13:10:10.908059: | number of TS: 1 (0x1) Aug 26 13:10:10.908064: | processing payload: ISAKMP_NEXT_v2TSr (len=16) Aug 26 13:10:10.908069: | selected state microcode Initiator: process IKE_AUTH response Aug 26 13:10:10.908074: | Now let's proceed with state specific processing Aug 26 13:10:10.908079: | calling processor Initiator: process IKE_AUTH response Aug 26 13:10:10.908090: | offered CA: '%none' Aug 26 13:10:10.908098: "north-east" #2: IKEv2 mode peer ID is ID_FQDN: '@east' Aug 26 13:10:10.908148: | verifying AUTH payload Aug 26 13:10:10.908174: | required RSA CA is '%any' Aug 26 13:10:10.908182: | checking RSA keyid '@east' for match with '@east' Aug 26 13:10:10.908188: | key issuer CA is '%any' Aug 26 13:10:10.908321: | an RSA Sig check passed with *AQO9bJbr3 [preloaded key] Aug 26 13:10:10.908342: | #1 spent 0.134 milliseconds in try_all_RSA_keys() trying a pubkey Aug 26 13:10:10.908349: "north-east" #2: Authenticated using RSA Aug 26 13:10:10.908357: | #1 spent 0.19 milliseconds in ikev2_verify_rsa_hash() Aug 26 13:10:10.908365: | parent state #1: PARENT_I2(open IKE SA) => PARENT_I3(established IKE SA) Aug 26 13:10:10.908374: | #1 will start re-keying in 2607 seconds with margin of 993 seconds (attempting re-key) Aug 26 13:10:10.908380: | state #1 requesting EVENT_SA_REPLACE to be deleted Aug 26 13:10:10.908388: | 
libevent_free: release ptr-libevent@0x7f25b8002888 Aug 26 13:10:10.908394: | free_event_entry: release EVENT_SA_REPLACE-pe@0x562c24bc4578 Aug 26 13:10:10.908400: | event_schedule: new EVENT_SA_REKEY-pe@0x562c24bc4578 Aug 26 13:10:10.908407: | inserting event EVENT_SA_REKEY, timeout in 2607 seconds for #1 Aug 26 13:10:10.908413: | libevent_malloc: new ptr-libevent@0x7f25b0000f48 size 128 Aug 26 13:10:10.908581: | pstats #1 ikev2.ike established Aug 26 13:10:10.908596: | TSi: parsing 1 traffic selectors Aug 26 13:10:10.908603: | ***parse IKEv2 Traffic Selector: Aug 26 13:10:10.908608: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 13:10:10.908614: | IP Protocol ID: 0 (0x0) Aug 26 13:10:10.908618: | length: 16 (0x10) Aug 26 13:10:10.908623: | start port: 0 (0x0) Aug 26 13:10:10.908628: | end port: 65535 (0xffff) Aug 26 13:10:10.908634: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Aug 26 13:10:10.908639: | TS low c0 00 03 fe Aug 26 13:10:10.908645: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Aug 26 13:10:10.908649: | TS high c0 00 03 fe Aug 26 13:10:10.908654: | TSi: parsed 1 traffic selectors Aug 26 13:10:10.908664: | TSr: parsing 1 traffic selectors Aug 26 13:10:10.908670: | ***parse IKEv2 Traffic Selector: Aug 26 13:10:10.908675: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 13:10:10.908679: | IP Protocol ID: 0 (0x0) Aug 26 13:10:10.908684: | length: 16 (0x10) Aug 26 13:10:10.908689: | start port: 0 (0x0) Aug 26 13:10:10.908693: | end port: 65535 (0xffff) Aug 26 13:10:10.908698: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Aug 26 13:10:10.908703: | TS low c0 00 02 00 Aug 26 13:10:10.908708: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Aug 26 13:10:10.908712: | TS high c0 00 02 ff Aug 26 13:10:10.908717: | TSr: parsed 1 traffic selectors Aug 26 13:10:10.908728: | evaluating our conn="north-east" I=192.0.3.254/32:0/0 R=192.0.2.0/24:0/0 to their: Aug 26 13:10:10.908738: | TSi[0] 
.net=192.0.3.254-192.0.3.254 .iporotoid=0 .{start,end}port=0..65535 Aug 26 13:10:10.908750: | match address end->client=192.0.3.254/32 == TSi[0]net=192.0.3.254-192.0.3.254: YES fitness 32 Aug 26 13:10:10.908757: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Aug 26 13:10:10.908762: | TSi[0] port match: YES fitness 65536 Aug 26 13:10:10.908768: | narrow protocol end=*0 == TSi[0]=*0: 0 Aug 26 13:10:10.908774: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Aug 26 13:10:10.908782: | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 13:10:10.908792: | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 Aug 26 13:10:10.908798: | narrow port end=0..65535 == TSr[0]=0..65535: 0 Aug 26 13:10:10.908802: | TSr[0] port match: YES fitness 65536 Aug 26 13:10:10.908808: | narrow protocol end=*0 == TSr[0]=*0: 0 Aug 26 13:10:10.908813: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Aug 26 13:10:10.908818: | best fit so far: TSi[0] TSr[0] Aug 26 13:10:10.908823: | found an acceptable TSi/TSr Traffic Selector Aug 26 13:10:10.908828: | printing contents struct traffic_selector Aug 26 13:10:10.908833: | ts_type: IKEv2_TS_IPV6_ADDR_RANGE Aug 26 13:10:10.908837: | ipprotoid: 0 Aug 26 13:10:10.908842: | port range: 0-65535 Aug 26 13:10:10.908849: | ip range: 192.0.3.254-192.0.3.254 Aug 26 13:10:10.908854: | printing contents struct traffic_selector Aug 26 13:10:10.908858: | ts_type: IKEv2_TS_IPV6_ADDR_RANGE Aug 26 13:10:10.908863: | ipprotoid: 0 Aug 26 13:10:10.908867: | port range: 0-65535 Aug 26 13:10:10.908874: | ip range: 192.0.2.0-192.0.2.255 Aug 26 13:10:10.908899: | using existing local ESP/AH proposals for north-east (IKE_AUTH initiator accepting remote ESP/AH proposal): 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;DH=NONE;ESN=DISABLED 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;DH=NONE;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED 
4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED Aug 26 13:10:10.908905: | Comparing remote proposals against IKE_AUTH initiator accepting remote ESP/AH proposal 4 local proposals Aug 26 13:10:10.908914: | local proposal 1 type ENCR has 1 transforms Aug 26 13:10:10.908919: | local proposal 1 type PRF has 0 transforms Aug 26 13:10:10.908924: | local proposal 1 type INTEG has 1 transforms Aug 26 13:10:10.908929: | local proposal 1 type DH has 1 transforms Aug 26 13:10:10.908934: | local proposal 1 type ESN has 1 transforms Aug 26 13:10:10.908940: | local proposal 1 transforms: required: ENCR+ESN; optional: INTEG+DH Aug 26 13:10:10.908945: | local proposal 2 type ENCR has 1 transforms Aug 26 13:10:10.908950: | local proposal 2 type PRF has 0 transforms Aug 26 13:10:10.908955: | local proposal 2 type INTEG has 1 transforms Aug 26 13:10:10.908960: | local proposal 2 type DH has 1 transforms Aug 26 13:10:10.908965: | local proposal 2 type ESN has 1 transforms Aug 26 13:10:10.908971: | local proposal 2 transforms: required: ENCR+ESN; optional: INTEG+DH Aug 26 13:10:10.908975: | local proposal 3 type ENCR has 1 transforms Aug 26 13:10:10.908984: | local proposal 3 type PRF has 0 transforms Aug 26 13:10:10.908989: | local proposal 3 type INTEG has 2 transforms Aug 26 13:10:10.908994: | local proposal 3 type DH has 1 transforms Aug 26 13:10:10.908998: | local proposal 3 type ESN has 1 transforms Aug 26 13:10:10.909004: | local proposal 3 transforms: required: ENCR+INTEG+ESN; optional: DH Aug 26 13:10:10.909009: | local proposal 4 type ENCR has 1 transforms Aug 26 13:10:10.909014: | local proposal 4 type PRF has 0 transforms Aug 26 13:10:10.909019: | local proposal 4 type INTEG has 2 transforms Aug 26 13:10:10.909023: | local proposal 4 type DH has 1 transforms Aug 26 13:10:10.909028: | local proposal 4 type ESN has 1 transforms Aug 26 13:10:10.909034: | local proposal 4 transforms: required: ENCR+INTEG+ESN; optional: DH Aug 26 
13:10:10.909040: | ***parse IKEv2 Proposal Substructure Payload: Aug 26 13:10:10.909045: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 13:10:10.909050: | length: 32 (0x20) Aug 26 13:10:10.909055: | prop #: 1 (0x1) Aug 26 13:10:10.909060: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 13:10:10.909065: | spi size: 4 (0x4) Aug 26 13:10:10.909069: | # transforms: 2 (0x2) Aug 26 13:10:10.909076: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Aug 26 13:10:10.909080: | remote SPI 33 5f 51 70 Aug 26 13:10:10.909087: | Comparing remote proposal 1 containing 2 transforms against local proposal [1..1] of 4 local proposals Aug 26 13:10:10.909092: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:10.909098: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:10.909102: | length: 12 (0xc) Aug 26 13:10:10.909107: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:10:10.909112: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 13:10:10.909118: | *****parse IKEv2 Attribute Substructure Payload: Aug 26 13:10:10.909123: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:10:10.909128: | length/value: 256 (0x100) Aug 26 13:10:10.909136: | remote proposal 1 transform 0 (ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) transform 0 Aug 26 13:10:10.909142: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:10.909147: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:10:10.909151: | length: 8 (0x8) Aug 26 13:10:10.909156: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 13:10:10.909161: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 13:10:10.909168: | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 1 type 5 (ESN) transform 0 Aug 26 13:10:10.909175: | remote proposal 1 proposed transforms: ENCR+ESN; matched: ENCR+ESN; unmatched: none Aug 26 13:10:10.909183: | comparing remote proposal 1 containing ENCR+ESN transforms to local proposal 1; required: ENCR+ESN; optional: INTEG+DH; matched: ENCR+ESN 
Aug 26 13:10:10.909188: | remote proposal 1 matches local proposal 1 Aug 26 13:10:10.909195: | remote accepted the proposal 1:ESP:ENCR=AES_GCM_C_256;ESN=DISABLED[first-match] Aug 26 13:10:10.909204: | IKE_AUTH initiator accepting remote ESP/AH proposal ikev2_proposal: 1:ESP:SPI=335f5170;ENCR=AES_GCM_C_256;ESN=DISABLED Aug 26 13:10:10.909209: | converting proposal to internal trans attrs Aug 26 13:10:10.909221: | integ=none: .key_size=0 encrypt=aes_gcm_16: .key_size=32 .salt_size=4 keymat_len=36 Aug 26 13:10:10.909525: | #1 spent 1.15 milliseconds Aug 26 13:10:10.909542: | install_ipsec_sa() for #2: inbound and outbound Aug 26 13:10:10.909549: | could_route called for north-east (kind=CK_PERMANENT) Aug 26 13:10:10.909555: | FOR_EACH_CONNECTION_... in route_owner Aug 26 13:10:10.909561: | conn north-east mark 0/00000000, 0/00000000 vs Aug 26 13:10:10.909567: | conn north-east mark 0/00000000, 0/00000000 Aug 26 13:10:10.909574: | route owner of "north-east" prospective erouted: self; eroute owner: self Aug 26 13:10:10.909581: | looking for alg with encrypt: AES_GCM_16 keylen: 256 integ: NONE Aug 26 13:10:10.909588: | encrypt AES_GCM_16 keylen=256 transid=20, key_size=32, encryptalg=20 Aug 26 13:10:10.909598: | AES_GCM_16 requires 4 salt bytes Aug 26 13:10:10.909604: | st->st_esp.keymat_len=36 is encrypt_keymat_size=36 + integ_keymat_size=0 Aug 26 13:10:10.909613: | setting IPsec SA replay-window to 32 Aug 26 13:10:10.909618: | NIC esp-hw-offload not for connection 'north-east' not available on interface eth1 Aug 26 13:10:10.909624: | netlink: enabling tunnel mode Aug 26 13:10:10.909630: | netlink: setting IPsec SA replay-window to 32 using old-style req Aug 26 13:10:10.909635: | netlink: esp-hw-offload not set for IPsec SA Aug 26 13:10:10.909765: | netlink response for Add SA esp.335f5170@192.1.2.23 included non-error error Aug 26 13:10:10.909775: | set up outgoing SA, ref=0/0 Aug 26 13:10:10.909781: | looking for alg with encrypt: AES_GCM_16 keylen: 256 integ: NONE 
Aug 26 13:10:10.909787: | encrypt AES_GCM_16 keylen=256 transid=20, key_size=32, encryptalg=20 Aug 26 13:10:10.909791: | AES_GCM_16 requires 4 salt bytes Aug 26 13:10:10.909796: | st->st_esp.keymat_len=36 is encrypt_keymat_size=36 + integ_keymat_size=0 Aug 26 13:10:10.909803: | setting IPsec SA replay-window to 32 Aug 26 13:10:10.909809: | NIC esp-hw-offload not for connection 'north-east' not available on interface eth1 Aug 26 13:10:10.909814: | netlink: enabling tunnel mode Aug 26 13:10:10.909819: | netlink: setting IPsec SA replay-window to 32 using old-style req Aug 26 13:10:10.909824: | netlink: esp-hw-offload not set for IPsec SA Aug 26 13:10:10.909905: | netlink response for Add SA esp.4eea0a18@192.1.3.33 included non-error error Aug 26 13:10:10.909915: | priority calculation of connection "north-east" is 0xfdfe7 Aug 26 13:10:10.909928: | add inbound eroute 192.0.2.0/24:0 --0-> 192.0.3.254/32:0 => tun.10000@192.1.3.33 (raw_eroute) Aug 26 13:10:10.909935: | IPsec Sa SPD priority set to 1040359 Aug 26 13:10:10.909985: | raw_eroute result=success Aug 26 13:10:10.909992: | set up incoming SA, ref=0/0 Aug 26 13:10:10.909997: | sr for #2: prospective erouted Aug 26 13:10:10.910003: | route_and_eroute() for proto 0, and source port 0 dest port 0 Aug 26 13:10:10.910008: | FOR_EACH_CONNECTION_... 
in route_owner Aug 26 13:10:10.910014: | conn north-east mark 0/00000000, 0/00000000 vs Aug 26 13:10:10.910019: | conn north-east mark 0/00000000, 0/00000000 Aug 26 13:10:10.910026: | route owner of "north-east" prospective erouted: self; eroute owner: self Aug 26 13:10:10.910033: | route_and_eroute with c: north-east (next: none) ero:north-east esr:{(nil)} ro:north-east rosr:{(nil)} and state: #2 Aug 26 13:10:10.910039: | priority calculation of connection "north-east" is 0xfdfe7 Aug 26 13:10:10.910054: | eroute_connection replace eroute 192.0.3.254/32:0 --0-> 192.0.2.0/24:0 => tun.0@192.1.2.23>tun.0@192.1.2.23 (raw_eroute) Aug 26 13:10:10.910059: | IPsec Sa SPD priority set to 1040359 Aug 26 13:10:10.910086: | raw_eroute result=success Aug 26 13:10:10.910094: | running updown command "ipsec _updown" for verb up Aug 26 13:10:10.910100: | command executing up-client Aug 26 13:10:10.910149: | executing up-client: PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-east' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.23' PLUTO_ME='192.1.3.33' PLUTO_MY_ID='@north' PLUTO_MY_CLIENT='192.0.3.254/32' PLUTO_MY_CLIENT_NET='192.0.3.254' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID='@east' PLUTO_PEER_CLIENT='192.0.2.0/24' PLUTO_PEER_CLIENT_NET='192.0.2.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x335f51 Aug 26 13:10:10.910156: | popen cmd is 1036 chars long Aug 26 
13:10:10.910167: | cmd( 0):PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-east' PLUTO_I: Aug 26 13:10:10.910173: | cmd( 80):NTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.23' PLUTO_ME='192.1.3.33' PLUTO_MY_ID='@: Aug 26 13:10:10.910178: | cmd( 160):north' PLUTO_MY_CLIENT='192.0.3.254/32' PLUTO_MY_CLIENT_NET='192.0.3.254' PLUTO_: Aug 26 13:10:10.910183: | cmd( 240):MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_S: Aug 26 13:10:10.910188: | cmd( 320):A_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID='@east: Aug 26 13:10:10.910193: | cmd( 400):' PLUTO_PEER_CLIENT='192.0.2.0/24' PLUTO_PEER_CLIENT_NET='192.0.2.0' PLUTO_PEER_: Aug 26 13:10:10.910199: | cmd( 480):CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PE: Aug 26 13:10:10.910204: | cmd( 560):ER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYP: Aug 26 13:10:10.910209: | cmd( 640):T+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_: Aug 26 13:10:10.910214: | cmd( 720):PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' P: Aug 26 13:10:10.910219: | cmd( 800):LUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_S: Aug 26 13:10:10.910224: | cmd( 880):ERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING=: Aug 26 13:10:10.910229: | cmd( 960):'no' VTI_SHARED='no' SPI_IN=0x335f5170 SPI_OUT=0x4eea0a18 ipsec _updown 2>&1: Aug 26 13:10:10.935056: | route_and_eroute: firewall_notified: true Aug 26 13:10:10.935096: | route_and_eroute: instance "north-east", setting eroute_owner {spd=0x562c24bc27d8,sr=0x562c24bc27d8} to #2 (was #0) (newest_ipsec_sa=#0) Aug 26 13:10:10.935262: | #1 spent 1.65 milliseconds in install_ipsec_sa() Aug 26 13:10:10.935304: | inR2: instance north-east[0], setting IKEv2 newest_ipsec_sa to #2 (was #0) (spd.eroute=#2) cloned from #1 Aug 26 13:10:10.935326: | state #2 
requesting EVENT_RETRANSMIT to be deleted Aug 26 13:10:10.935341: | #2 STATE_PARENT_I2: retransmits: cleared Aug 26 13:10:10.935372: | libevent_free: release ptr-libevent@0x562c24bc7718 Aug 26 13:10:10.935392: | free_event_entry: release EVENT_RETRANSMIT-pe@0x7f25b8002b78 Aug 26 13:10:10.935415: | #2 spent 3.21 milliseconds in processing: Initiator: process IKE_AUTH response in ikev2_process_state_packet() Aug 26 13:10:10.935444: | [RE]START processing: state #2 connection "north-east" from 192.1.2.23 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:10:10.935459: | #2 complete_v2_state_transition() PARENT_I2->V2_IPSEC_I with status STF_OK Aug 26 13:10:10.935472: | IKEv2: transition from state STATE_PARENT_I2 to state STATE_V2_IPSEC_I Aug 26 13:10:10.935485: | child state #2: PARENT_I2(open IKE SA) => V2_IPSEC_I(established CHILD SA) Aug 26 13:10:10.935497: | Message ID: updating counters for #2 to 1 after switching state Aug 26 13:10:10.935517: | Message ID: recv #1.#2 response 1; ike: initiator.sent=1 initiator.recv=0->1 responder.sent=-1 responder.recv=-1; child: wip.initiator=1->-1 wip.responder=-1 Aug 26 13:10:10.935536: | Message ID: #1.#2 skipping update_send as nothing to send; initiator.sent=1 initiator.recv=1 responder.sent=-1 responder.recv=-1 wip.initiator=-1 wip.responder=-1 Aug 26 13:10:10.935546: | pstats #2 ikev2.child established Aug 26 13:10:10.935576: "north-east" #2: negotiated connection [192.0.3.254-192.0.3.254:0-65535 0] -> [192.0.2.0-192.0.2.255:0-65535 0] Aug 26 13:10:10.935590: | NAT-T: encaps is 'auto' Aug 26 13:10:10.935603: "north-east" #2: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0x335f5170 <0x4eea0a18 xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive} Aug 26 13:10:10.935610: | releasing whack for #2 (sock=fd@-1) Aug 26 13:10:10.935615: | releasing whack and unpending for parent #1 Aug 26 13:10:10.935621: | unpending state #1 connection "north-east" Aug 26 13:10:10.935630: | delete from pending Child 
SA with 192.1.2.23 "north-east" Aug 26 13:10:10.935636: | removing pending policy for no connection {0x562c24bb52f8} Aug 26 13:10:10.935656: | #2 will start re-keying in 28048 seconds with margin of 752 seconds (attempting re-key) Aug 26 13:10:10.935663: | event_schedule: new EVENT_SA_REKEY-pe@0x7f25b8002b78 Aug 26 13:10:10.935670: | inserting event EVENT_SA_REKEY, timeout in 28048 seconds for #2 Aug 26 13:10:10.935680: | libevent_malloc: new ptr-libevent@0x562c24bcf228 size 128 Aug 26 13:10:10.935692: | stop processing: state #2 connection "north-east" from 192.1.2.23 (in ikev2_process_packet() at ikev2.c:2018) Aug 26 13:10:10.935705: | #1 spent 4.16 milliseconds in ikev2_process_packet() Aug 26 13:10:10.935716: | stop processing: from 192.1.2.23:500 (in process_md() at demux.c:380) Aug 26 13:10:10.935726: | processing: STOP state #0 (in process_md() at demux.c:382) Aug 26 13:10:10.935733: | processing: STOP connection NULL (in process_md() at demux.c:383) Aug 26 13:10:10.935741: | spent 4.2 milliseconds in comm_handle_cb() reading and processing packet Aug 26 13:10:10.935768: | processing signal PLUTO_SIGCHLD Aug 26 13:10:10.935779: | waitpid returned ECHILD (no child processes left) Aug 26 13:10:10.935788: | spent 0.0106 milliseconds in signal handler PLUTO_SIGCHLD Aug 26 13:10:11.909784: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 13:10:11.909840: | FOR_EACH_STATE_... in show_traffic_status (sort_states) Aug 26 13:10:11.909850: | FOR_EACH_STATE_... 
in sort_states Aug 26 13:10:11.909864: | get_sa_info esp.4eea0a18@192.1.3.33 Aug 26 13:10:11.909895: | get_sa_info esp.335f5170@192.1.2.23 Aug 26 13:10:11.909935: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 13:10:11.909950: | spent 0.185 milliseconds in whack Aug 26 13:10:15.181316: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 13:10:15.181368: | FOR_EACH_STATE_... in show_traffic_status (sort_states) Aug 26 13:10:15.181378: | FOR_EACH_STATE_... in sort_states Aug 26 13:10:15.181392: | get_sa_info esp.4eea0a18@192.1.3.33 Aug 26 13:10:15.181423: | get_sa_info esp.335f5170@192.1.2.23 Aug 26 13:10:15.181466: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 13:10:15.181481: | spent 0.187 milliseconds in whack Aug 26 13:10:16.421468: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 13:10:16.421794: | FOR_EACH_CONNECTION_... in show_connections_status Aug 26 13:10:16.421802: | FOR_EACH_CONNECTION_... in show_connections_status Aug 26 13:10:16.421883: | FOR_EACH_STATE_... in show_states_status (sort_states) Aug 26 13:10:16.421888: | FOR_EACH_STATE_... 
in sort_states Aug 26 13:10:16.421904: | get_sa_info esp.4eea0a18@192.1.3.33 Aug 26 13:10:16.421925: | get_sa_info esp.335f5170@192.1.2.23 Aug 26 13:10:16.421951: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 13:10:16.421960: | spent 0.5 milliseconds in whack Aug 26 13:10:16.894321: | spent 0.00324 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Aug 26 13:10:16.894344: | *received 69 bytes from 192.1.2.23:500 on eth1 (192.1.3.33:500) Aug 26 13:10:16.894361: | start processing: from 192.1.2.23:500 (in process_md() at demux.c:378) Aug 26 13:10:16.894363: | **parse ISAKMP Message: Aug 26 13:10:16.894365: | initiator cookie: Aug 26 13:10:16.894367: | bf c4 e0 9e f3 c2 f5 83 Aug 26 13:10:16.894369: | responder cookie: Aug 26 13:10:16.894370: | c0 4e d2 c1 d5 88 03 5a Aug 26 13:10:16.894372: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Aug 26 13:10:16.894374: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:10:16.894376: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Aug 26 13:10:16.894383: | flags: none (0x0) Aug 26 13:10:16.894387: | Message ID: 0 (0x0) Aug 26 13:10:16.894393: | length: 69 (0x45) Aug 26 13:10:16.894400: | processing version=2.0 packet with exchange type=ISAKMP_v2_INFORMATIONAL (37) Aug 26 13:10:16.894403: | I am the IKE SA Original Initiator receiving an IKEv2 INFORMATIONAL request Aug 26 13:10:16.894409: | State DB: found IKEv2 state #1 in PARENT_I3 (find_v2_ike_sa) Aug 26 13:10:16.894422: | start processing: state #1 connection "north-east" from 192.1.2.23 (in ikev2_process_packet() at ikev2.c:2016) Aug 26 13:10:16.894425: | State DB: IKEv2 state not 
found (find_v2_sa_by_responder_wip) Aug 26 13:10:16.894429: | [RE]START processing: state #1 connection "north-east" from 192.1.2.23 (in ike_process_packet() at ikev2.c:2064) Aug 26 13:10:16.894431: | #1 st.st_msgid_lastrecv -1 md.hdr.isa_msgid 00000000 Aug 26 13:10:16.894435: | Message ID: #1 not a duplicate - message is new; initiator.sent=1 initiator.recv=1 responder.sent=-1 responder.recv=-1 Aug 26 13:10:16.894437: | unpacking clear payload Aug 26 13:10:16.894439: | Now let's proceed with payload (ISAKMP_NEXT_v2SK) Aug 26 13:10:16.894442: | ***parse IKEv2 Encryption Payload: Aug 26 13:10:16.894444: | next payload type: ISAKMP_NEXT_v2D (0x2a) Aug 26 13:10:16.894446: | flags: none (0x0) Aug 26 13:10:16.894449: | length: 41 (0x29) Aug 26 13:10:16.894451: | processing payload: ISAKMP_NEXT_v2SK (len=37) Aug 26 13:10:16.894455: | Message ID: start-responder #1 request 0; ike: initiator.sent=1 initiator.recv=1 responder.sent=-1 responder.recv=-1 wip.initiator=-1 wip.responder=-1->0 Aug 26 13:10:16.894457: | #1 in state PARENT_I3: PARENT SA established Aug 26 13:10:16.894477: | #1 ikev2 ISAKMP_v2_INFORMATIONAL decrypt success Aug 26 13:10:16.894480: | Now let's proceed with payload (ISAKMP_NEXT_v2D) Aug 26 13:10:16.894482: | **parse IKEv2 Delete Payload: Aug 26 13:10:16.894485: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:16.894487: | flags: none (0x0) Aug 26 13:10:16.894489: | length: 12 (0xc) Aug 26 13:10:16.894491: | protocol ID: PROTO_v2_ESP (0x3) Aug 26 13:10:16.894492: | SPI size: 4 (0x4) Aug 26 13:10:16.894494: | number of SPIs: 1 (0x1) Aug 26 13:10:16.894496: | processing payload: ISAKMP_NEXT_v2D (len=4) Aug 26 13:10:16.894497: | selected state microcode I3: INFORMATIONAL Request Aug 26 13:10:16.894499: | Now let's proceed with state specific processing Aug 26 13:10:16.894501: | calling processor I3: INFORMATIONAL Request Aug 26 13:10:16.894503: | an informational request should send a response Aug 26 13:10:16.894523: | Received an INFORMATIONAL 
response, updating st_last_liveness, no pending_liveness Aug 26 13:10:16.894525: | **emit ISAKMP Message: Aug 26 13:10:16.894527: | initiator cookie: Aug 26 13:10:16.894529: | bf c4 e0 9e f3 c2 f5 83 Aug 26 13:10:16.894530: | responder cookie: Aug 26 13:10:16.894532: | c0 4e d2 c1 d5 88 03 5a Aug 26 13:10:16.894533: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 13:10:16.894535: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:10:16.894537: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Aug 26 13:10:16.894539: | flags: ISAKMP_FLAG_v2_IKE_INIT+ISAKMP_FLAG_v2_MSG_RESPONSE (0x28) Aug 26 13:10:16.894540: | Message ID: 0 (0x0) Aug 26 13:10:16.894542: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 13:10:16.894544: | ***emit IKEv2 Encryption Payload: Aug 26 13:10:16.894546: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:16.894548: | flags: none (0x0) Aug 26 13:10:16.894550: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Aug 26 13:10:16.894552: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'information exchange reply packet' Aug 26 13:10:16.894554: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Aug 26 13:10:16.894564: | parsing 4 raw bytes of IKEv2 Delete Payload into SPI Aug 26 13:10:16.894568: | SPI 33 5f 51 70 Aug 26 13:10:16.894570: | delete PROTO_v2_ESP SA(0x335f5170) Aug 26 13:10:16.894572: | v2 CHILD SA #2 found using their inbound (our outbound) SPI, in STATE_V2_IPSEC_I Aug 26 13:10:16.894574: | State DB: found IKEv2 state #2 in V2_IPSEC_I (find_v2_child_sa_by_outbound_spi) Aug 26 13:10:16.894575: | our side SPI that needs to be deleted: PROTO_v2_ESP SA(0x335f5170) Aug 26 13:10:16.894578: "north-east" #1: received Delete SA payload: delete IPsec State #2 now Aug 26 13:10:16.894580: | pstats #2 ikev2.child deleted completed Aug 26 
13:10:16.894582: | #2 spent 3.21 milliseconds in total Aug 26 13:10:16.894585: | suspend processing: state #1 connection "north-east" from 192.1.2.23 (in delete_state() at state.c:879) Aug 26 13:10:16.894588: | start processing: state #2 connection "north-east" from 192.1.2.23 (in delete_state() at state.c:879) Aug 26 13:10:16.894590: "north-east" #2: deleting other state #2 (STATE_V2_IPSEC_I) aged 6.038s and NOT sending notification Aug 26 13:10:16.894592: | child state #2: V2_IPSEC_I(established CHILD SA) => delete Aug 26 13:10:16.894595: | get_sa_info esp.335f5170@192.1.2.23 Aug 26 13:10:16.894605: | get_sa_info esp.4eea0a18@192.1.3.33 Aug 26 13:10:16.894610: "north-east" #2: ESP traffic information: in=336B out=336B Aug 26 13:10:16.894613: | child state #2: V2_IPSEC_I(established CHILD SA) => CHILDSA_DEL(informational) Aug 26 13:10:16.894615: | state #2 requesting EVENT_SA_REKEY to be deleted Aug 26 13:10:16.894618: | libevent_free: release ptr-libevent@0x562c24bcf228 Aug 26 13:10:16.894620: | free_event_entry: release EVENT_SA_REKEY-pe@0x7f25b8002b78 Aug 26 13:10:16.894654: | running updown command "ipsec _updown" for verb down Aug 26 13:10:16.894657: | command executing down-client Aug 26 13:10:16.894674: | executing down-client: PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-east' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.23' PLUTO_ME='192.1.3.33' PLUTO_MY_ID='@north' PLUTO_MY_CLIENT='192.0.3.254/32' PLUTO_MY_CLIENT_NET='192.0.3.254' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID='@east' PLUTO_PEER_CLIENT='192.0.2.0/24' PLUTO_PEER_CLIENT_NET='192.0.2.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1566825010' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' 
PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SP Aug 26 13:10:16.894676: | popen cmd is 1047 chars long Aug 26 13:10:16.894678: | cmd( 0):PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-east' PLUTO: Aug 26 13:10:16.894680: | cmd( 80):_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.23' PLUTO_ME='192.1.3.33' PLUTO_MY_ID=: Aug 26 13:10:16.894682: | cmd( 160):'@north' PLUTO_MY_CLIENT='192.0.3.254/32' PLUTO_MY_CLIENT_NET='192.0.3.254' PLUT: Aug 26 13:10:16.894684: | cmd( 240):O_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO: Aug 26 13:10:16.894685: | cmd( 320):_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID='@ea: Aug 26 13:10:16.894687: | cmd( 400):st' PLUTO_PEER_CLIENT='192.0.2.0/24' PLUTO_PEER_CLIENT_NET='192.0.2.0' PLUTO_PEE: Aug 26 13:10:16.894689: | cmd( 480):R_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_: Aug 26 13:10:16.894690: | cmd( 560):PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1566825010' PLUTO_CONN_POLICY='RS: Aug 26 13:10:16.894692: | cmd( 640):ASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CON: Aug 26 13:10:16.894694: | cmd( 720):N_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_: Aug 26 13:10:16.894697: | cmd( 800):CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' : Aug 26 13:10:16.894699: | cmd( 880):PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' V: Aug 26 13:10:16.894701: | cmd( 960):TI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x335f5170 SPI_OUT=0x4eea0a18 ipsec _updo: Aug 26 13:10:16.894702: | cmd(1040):wn 2>&1: Aug 26 13:10:16.903213: | shunt_eroute() called for connection 'north-east' to 'replace with shunt' for rt_kind 
'prospective erouted' using protoports 0--0->-0 Aug 26 13:10:16.903225: | netlink_shunt_eroute for proto 0, and source port 0 dest port 0 Aug 26 13:10:16.903228: | priority calculation of connection "north-east" is 0xfdfe7 Aug 26 13:10:16.903232: | IPsec Sa SPD priority set to 1040359 Aug 26 13:10:16.903257: | delete esp.335f5170@192.1.2.23 Aug 26 13:10:16.903270: | netlink response for Del SA esp.335f5170@192.1.2.23 included non-error error Aug 26 13:10:16.903273: | priority calculation of connection "north-east" is 0xfdfe7 Aug 26 13:10:16.903277: | delete inbound eroute 192.0.2.0/24:0 --0-> 192.0.3.254/32:0 => unk255.10000@192.1.3.33 (raw_eroute) Aug 26 13:10:16.903302: | raw_eroute result=success Aug 26 13:10:16.903309: | delete esp.4eea0a18@192.1.3.33 Aug 26 13:10:16.903318: | netlink response for Del SA esp.4eea0a18@192.1.3.33 included non-error error Aug 26 13:10:16.903327: | in connection_discard for connection north-east Aug 26 13:10:16.903330: | State DB: deleting IKEv2 state #2 in CHILDSA_DEL Aug 26 13:10:16.903335: | child state #2: CHILDSA_DEL(informational) => UNDEFINED(ignore) Aug 26 13:10:16.903341: | stop processing: state #2 from 192.1.2.23 (in delete_state() at state.c:1143) Aug 26 13:10:16.903344: | resume processing: state #1 connection "north-east" from 192.1.2.23 (in delete_state() at state.c:1143) Aug 26 13:10:16.903357: | ****emit IKEv2 Delete Payload: Aug 26 13:10:16.903359: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:16.903361: | flags: none (0x0) Aug 26 13:10:16.903363: | protocol ID: PROTO_v2_ESP (0x3) Aug 26 13:10:16.903365: | SPI size: 4 (0x4) Aug 26 13:10:16.903367: | number of SPIs: 1 (0x1) Aug 26 13:10:16.903370: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) Aug 26 13:10:16.903372: | next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'information exchange reply packet' Aug 26 13:10:16.903375: | 
emitting 4 raw bytes of local SPIs into IKEv2 Delete Payload Aug 26 13:10:16.903377: | local SPIs 4e ea 0a 18 Aug 26 13:10:16.903378: | emitting length of IKEv2 Delete Payload: 12 Aug 26 13:10:16.903380: | adding 1 bytes of padding (including 1 byte padding-length) Aug 26 13:10:16.903383: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:10:16.903385: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Aug 26 13:10:16.903387: | emitting length of IKEv2 Encryption Payload: 41 Aug 26 13:10:16.903388: | emitting length of ISAKMP Message: 69 Aug 26 13:10:16.903414: | sending 69 bytes for reply packet for process_encrypted_informational_ikev2 through eth1 from 192.1.3.33:500 to 192.1.2.23:500 (using #1) Aug 26 13:10:16.903419: | bf c4 e0 9e f3 c2 f5 83 c0 4e d2 c1 d5 88 03 5a Aug 26 13:10:16.903420: | 2e 20 25 28 00 00 00 00 00 00 00 45 2a 00 00 29 Aug 26 13:10:16.903422: | d8 e4 0f 3a 2d 90 8a 12 a5 53 a1 10 f1 c3 9c 01 Aug 26 13:10:16.903423: | 29 8b b9 56 eb 3e f6 5e cc 1f 3f 7c dc 87 01 a5 Aug 26 13:10:16.903425: | 8b e0 40 3a 71 Aug 26 13:10:16.903458: | Message ID: #1 XXX: in process_encrypted_informational_ikev2() hacking around record'n'send bypassing send queue hacking around delete_my_family(); initiator.sent=1 initiator.recv=1 responder.sent=-1 responder.recv=-1 wip.initiator=-1 wip.responder=0 Aug 26 13:10:16.903462: | Message ID: sent #1 response 0; ike: initiator.sent=1 initiator.recv=1 responder.sent=-1->0 responder.recv=-1 wip.initiator=-1 wip.responder=0 Aug 26 13:10:16.903470: | #1 spent 0.829 milliseconds in processing: I3: INFORMATIONAL Request in ikev2_process_state_packet() Aug 26 13:10:16.903475: | [RE]START processing: state #1 connection "north-east" from 192.1.2.23 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:10:16.903478: | #1 complete_v2_state_transition() PARENT_I3->PARENT_I3 with status STF_OK Aug 26 13:10:16.903480: | Message ID: updating 
counters for #1 to 0 after switching state Aug 26 13:10:16.903483: | Message ID: recv #1 request 0; ike: initiator.sent=1 initiator.recv=1 responder.sent=0 responder.recv=-1->0 wip.initiator=-1 wip.responder=0->-1 Aug 26 13:10:16.903486: | Message ID: #1 skipping update_send as nothing to send; initiator.sent=1 initiator.recv=1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=-1 Aug 26 13:10:16.903488: "north-east" #1: STATE_PARENT_I3: PARENT SA established Aug 26 13:10:16.903491: | stop processing: state #1 connection "north-east" from 192.1.2.23 (in ikev2_process_packet() at ikev2.c:2018) Aug 26 13:10:16.903494: | #1 spent 1.02 milliseconds in ikev2_process_packet() Aug 26 13:10:16.903498: | stop processing: from 192.1.2.23:500 (in process_md() at demux.c:380) Aug 26 13:10:16.903502: | processing: STOP state #0 (in process_md() at demux.c:382) Aug 26 13:10:16.903504: | processing: STOP connection NULL (in process_md() at demux.c:383) Aug 26 13:10:16.903507: | spent 1.03 milliseconds in comm_handle_cb() reading and processing packet Aug 26 13:10:16.903520: | spent 0.00138 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Aug 26 13:10:16.903529: | *received 65 bytes from 192.1.2.23:500 on eth1 (192.1.3.33:500) Aug 26 13:10:16.903531: | bf c4 e0 9e f3 c2 f5 83 c0 4e d2 c1 d5 88 03 5a Aug 26 13:10:16.903533: | 2e 20 25 00 00 00 00 01 00 00 00 41 2a 00 00 25 Aug 26 13:10:16.903534: | ba 6b ee cd 6f c4 3b 82 08 0a 83 89 63 50 6c 12 Aug 26 13:10:16.903536: | 25 45 80 22 8e 3e fb 6c 24 79 6b 18 2f cd 92 16 Aug 26 13:10:16.903537: | df Aug 26 13:10:16.903540: | start processing: from 192.1.2.23:500 (in process_md() at demux.c:378) Aug 26 13:10:16.903543: | **parse ISAKMP Message: Aug 26 13:10:16.903545: | initiator cookie: Aug 26 13:10:16.903546: | bf c4 e0 9e f3 c2 f5 83 Aug 26 13:10:16.903548: | responder cookie: Aug 26 13:10:16.903549: | c0 4e d2 c1 d5 88 03 5a Aug 26 13:10:16.903551: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Aug 
26 13:10:16.903553: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:10:16.903555: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Aug 26 13:10:16.903556: | flags: none (0x0) Aug 26 13:10:16.903558: | Message ID: 1 (0x1) Aug 26 13:10:16.903559: | length: 65 (0x41) Aug 26 13:10:16.903561: | processing version=2.0 packet with exchange type=ISAKMP_v2_INFORMATIONAL (37) Aug 26 13:10:16.903564: | I am the IKE SA Original Initiator receiving an IKEv2 INFORMATIONAL request Aug 26 13:10:16.903566: | State DB: found IKEv2 state #1 in PARENT_I3 (find_v2_ike_sa) Aug 26 13:10:16.903569: | start processing: state #1 connection "north-east" from 192.1.2.23 (in ikev2_process_packet() at ikev2.c:2016) Aug 26 13:10:16.903571: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Aug 26 13:10:16.903574: | [RE]START processing: state #1 connection "north-east" from 192.1.2.23 (in ike_process_packet() at ikev2.c:2064) Aug 26 13:10:16.903576: | #1 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001 Aug 26 13:10:16.903578: | Message ID: #1 not a duplicate - message is new; initiator.sent=1 initiator.recv=1 responder.sent=0 responder.recv=0 Aug 26 13:10:16.903580: | unpacking clear payload Aug 26 13:10:16.903582: | Now let's proceed with payload (ISAKMP_NEXT_v2SK) Aug 26 13:10:16.903584: | ***parse IKEv2 Encryption Payload: Aug 26 13:10:16.903585: | next payload type: ISAKMP_NEXT_v2D (0x2a) Aug 26 13:10:16.903587: | flags: none (0x0) Aug 26 13:10:16.903590: | length: 37 (0x25) Aug 26 13:10:16.903593: | processing payload: ISAKMP_NEXT_v2SK (len=33) Aug 26 13:10:16.903599: | Message ID: start-responder #1 request 1; ike: initiator.sent=1 initiator.recv=1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=-1->1 Aug 26 13:10:16.903602: | #1 in state PARENT_I3: PARENT SA established Aug 26 13:10:16.903615: | #1 ikev2 ISAKMP_v2_INFORMATIONAL decrypt success Aug 26 13:10:16.903619: | Now let's proceed with payload (ISAKMP_NEXT_v2D) Aug 26 
13:10:16.903622: | **parse IKEv2 Delete Payload: Aug 26 13:10:16.903625: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:16.903628: | flags: none (0x0) Aug 26 13:10:16.903631: | length: 8 (0x8) Aug 26 13:10:16.903634: | protocol ID: PROTO_v2_IKE (0x1) Aug 26 13:10:16.903636: | SPI size: 0 (0x0) Aug 26 13:10:16.903639: | number of SPIs: 0 (0x0) Aug 26 13:10:16.903642: | processing payload: ISAKMP_NEXT_v2D (len=0) Aug 26 13:10:16.903645: | selected state microcode I3: INFORMATIONAL Request Aug 26 13:10:16.903647: | Now let's proceed with state specific processing Aug 26 13:10:16.903650: | calling processor I3: INFORMATIONAL Request Aug 26 13:10:16.903654: | an informational request should send a response Aug 26 13:10:16.903678: | Received an INFORMATIONAL response, updating st_last_liveness, no pending_liveness Aug 26 13:10:16.903682: | **emit ISAKMP Message: Aug 26 13:10:16.903685: | initiator cookie: Aug 26 13:10:16.903687: | bf c4 e0 9e f3 c2 f5 83 Aug 26 13:10:16.903690: | responder cookie: Aug 26 13:10:16.903692: | c0 4e d2 c1 d5 88 03 5a Aug 26 13:10:16.903695: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 13:10:16.903698: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:10:16.903700: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Aug 26 13:10:16.903704: | flags: ISAKMP_FLAG_v2_IKE_INIT+ISAKMP_FLAG_v2_MSG_RESPONSE (0x28) Aug 26 13:10:16.903706: | Message ID: 1 (0x1) Aug 26 13:10:16.903709: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 13:10:16.903712: | ***emit IKEv2 Encryption Payload: Aug 26 13:10:16.903715: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:16.903717: | flags: none (0x0) Aug 26 13:10:16.903720: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Aug 26 13:10:16.903723: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'information 
exchange reply packet' Aug 26 13:10:16.903726: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Aug 26 13:10:16.903739: | adding 1 bytes of padding (including 1 byte padding-length) Aug 26 13:10:16.903743: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:10:16.903746: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Aug 26 13:10:16.903749: | emitting length of IKEv2 Encryption Payload: 29 Aug 26 13:10:16.903751: | emitting length of ISAKMP Message: 57 Aug 26 13:10:16.903764: | sending 57 bytes for reply packet for process_encrypted_informational_ikev2 through eth1 from 192.1.3.33:500 to 192.1.2.23:500 (using #1) Aug 26 13:10:16.903768: | bf c4 e0 9e f3 c2 f5 83 c0 4e d2 c1 d5 88 03 5a Aug 26 13:10:16.903770: | 2e 20 25 28 00 00 00 01 00 00 00 39 00 00 00 1d Aug 26 13:10:16.903773: | 54 53 44 2e f7 58 7d 5b 91 e3 ad 8b 74 04 2e 30 Aug 26 13:10:16.903775: | 5c f5 a7 39 62 49 a6 c3 74 Aug 26 13:10:16.903796: | Message ID: #1 XXX: in process_encrypted_informational_ikev2() hacking around record'n'send bypassing send queue hacking around delete_my_family(); initiator.sent=1 initiator.recv=1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=1 Aug 26 13:10:16.903802: | Message ID: sent #1 response 1; ike: initiator.sent=1 initiator.recv=1 responder.sent=0->1 responder.recv=0 wip.initiator=-1 wip.responder=1 Aug 26 13:10:16.903806: | State DB: IKEv2 state not found (delete_my_family) Aug 26 13:10:16.903809: | parent state #1: PARENT_I3(established IKE SA) => IKESA_DEL(established IKE SA) Aug 26 13:10:16.903813: | pstats #1 ikev2.ike deleted completed Aug 26 13:10:16.903819: | #1 spent 21.8 milliseconds in total Aug 26 13:10:16.903824: | [RE]START processing: state #1 connection "north-east" from 192.1.2.23 (in delete_state() at state.c:879) Aug 26 13:10:16.903828: "north-east" #1: deleting state (STATE_IKESA_DEL) aged 6.058s and NOT sending notification Aug 26 
13:10:16.903832: | parent state #1: IKESA_DEL(established IKE SA) => delete Aug 26 13:10:16.903879: | state #1 requesting EVENT_SA_REKEY to be deleted Aug 26 13:10:16.903887: | libevent_free: release ptr-libevent@0x7f25b0000f48 Aug 26 13:10:16.903892: | free_event_entry: release EVENT_SA_REKEY-pe@0x562c24bc4578 Aug 26 13:10:16.903896: | State DB: IKEv2 state not found (flush_incomplete_children) Aug 26 13:10:16.903900: | in connection_discard for connection north-east Aug 26 13:10:16.903903: | State DB: deleting IKEv2 state #1 in IKESA_DEL Aug 26 13:10:16.903906: | parent state #1: IKESA_DEL(established IKE SA) => UNDEFINED(ignore) Aug 26 13:10:16.903911: | unreference key: 0x562c24bc4808 @east cnt 2-- Aug 26 13:10:16.903939: | stop processing: state #1 from 192.1.2.23 (in delete_state() at state.c:1143) Aug 26 13:10:16.903968: | in statetime_stop() and could not find #1 Aug 26 13:10:16.903973: | skip start processing: state #0 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:10:16.903978: | #0 complete_v2_state_transition() md.from_state=PARENT_I3 md.svm.state[from]=PARENT_I3 UNDEFINED->PARENT_I3 with status STF_OK Aug 26 13:10:16.903981: | STF_OK but no state object remains Aug 26 13:10:16.903984: | processing: STOP state #0 (in ikev2_process_packet() at ikev2.c:2018) Aug 26 13:10:16.903987: | in statetime_stop() and could not find #1 Aug 26 13:10:16.903992: | stop processing: from 192.1.2.23:500 (in process_md() at demux.c:380) Aug 26 13:10:16.903995: | processing: STOP state #0 (in process_md() at demux.c:382) Aug 26 13:10:16.903998: | processing: STOP connection NULL (in process_md() at demux.c:383) Aug 26 13:10:16.904004: | spent 0.472 milliseconds in comm_handle_cb() reading and processing packet Aug 26 13:10:16.904012: | processing signal PLUTO_SIGCHLD Aug 26 13:10:16.904019: | waitpid returned ECHILD (no child processes left) Aug 26 13:10:16.904024: | spent 0.0065 milliseconds in signal handler PLUTO_SIGCHLD Aug 26 13:10:17.403013: | 
accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 13:10:17.403040: shutting down Aug 26 13:10:17.403049: | processing: RESET whack log_fd (was fd@16) (in exit_pluto() at plutomain.c:1825) Aug 26 13:10:17.403054: | certs and keys locked by 'free_preshared_secrets' Aug 26 13:10:17.403056: forgetting secrets Aug 26 13:10:17.403070: | certs and keys unlocked by 'free_preshared_secrets' Aug 26 13:10:17.403075: | unreference key: 0x562c24bc4808 @east cnt 1-- Aug 26 13:10:17.403080: | unreference key: 0x562c24b1bc48 @north cnt 1-- Aug 26 13:10:17.403085: | start processing: connection "north-east" (in delete_connection() at connections.c:189) Aug 26 13:10:17.403089: | Deleting states for connection - including all other IPsec SA's of this IKE SA Aug 26 13:10:17.403092: | pass 0 Aug 26 13:10:17.403094: | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete Aug 26 13:10:17.403097: | pass 1 Aug 26 13:10:17.403099: | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete Aug 26 13:10:17.403104: | shunt_eroute() called for connection 'north-east' to 'delete' for rt_kind 'unrouted' using protoports 0--0->-0 Aug 26 13:10:17.403108: | netlink_shunt_eroute for proto 0, and source port 0 dest port 0 Aug 26 13:10:17.403111: | priority calculation of connection "north-east" is 0xfdfe7 Aug 26 13:10:17.403152: | priority calculation of connection "north-east" is 0xfdfe7 Aug 26 13:10:17.403168: | FOR_EACH_CONNECTION_... 
in route_owner Aug 26 13:10:17.403172: | conn north-east mark 0/00000000, 0/00000000 vs Aug 26 13:10:17.403175: | conn north-east mark 0/00000000, 0/00000000 Aug 26 13:10:17.403179: | route owner of "north-east" unrouted: NULL Aug 26 13:10:17.403187: | running updown command "ipsec _updown" for verb unroute Aug 26 13:10:17.403190: | command executing unroute-client Aug 26 13:10:17.403219: | executing unroute-client: PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-east' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.23' PLUTO_ME='192.1.3.33' PLUTO_MY_ID='@north' PLUTO_MY_CLIENT='192.0.3.254/32' PLUTO_MY_CLIENT_NET='192.0.3.254' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID='@east' PLUTO_PEER_CLIENT='192.0.2.0/24' PLUTO_PEER_CLIENT_NET='192.0.2.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_ Aug 26 13:10:17.403223: | popen cmd is 1028 chars long Aug 26 13:10:17.403226: | cmd( 0):PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-east' PL: Aug 26 13:10:17.403229: | cmd( 80):UTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.23' PLUTO_ME='192.1.3.33' PLUTO_MY_: Aug 26 13:10:17.403232: | cmd( 160):ID='@north' PLUTO_MY_CLIENT='192.0.3.254/32' PLUTO_MY_CLIENT_NET='192.0.3.254' P: Aug 26 13:10:17.403235: | cmd( 240):LUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PL: Aug 26 13:10:17.403237: | cmd( 320):UTO_SA_REQID='16388' 
PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID=: Aug 26 13:10:17.403240: | cmd( 400):'@east' PLUTO_PEER_CLIENT='192.0.2.0/24' PLUTO_PEER_CLIENT_NET='192.0.2.0' PLUTO: Aug 26 13:10:17.403243: | cmd( 480):_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PL: Aug 26 13:10:17.403246: | cmd( 560):UTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+: Aug 26 13:10:17.403248: | cmd( 640):ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIN: Aug 26 13:10:17.403251: | cmd( 720):D='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO: Aug 26 13:10:17.403254: | cmd( 800):='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO: Aug 26 13:10:17.403257: | cmd( 880):_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_RO: Aug 26 13:10:17.403259: | cmd( 960):UTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec _updown 2>&1: Aug 26 13:10:17.421724: "north-east": unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:17.421761: "north-east": unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:17.421770: "north-east": unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:17.421820: "north-east": unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:17.421885: "north-east": unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:17.421931: "north-east": unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:17.421960: "north-east": unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:17.421986: "north-east": unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:17.422010: "north-east": unroute-client output: Error: Peer netns reference is invalid. 
Aug 26 13:10:17.422053: "north-east": unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:17.422100: "north-east": unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:17.422130: "north-east": unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:17.422165: "north-east": unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:17.422180: "north-east": unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:17.422204: "north-east": unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:17.422615: "north-east": unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:17.422638: "north-east": unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:17.422655: "north-east": unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:17.422671: "north-east": unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:17.422686: "north-east": unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:17.422710: "north-east": unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:17.422743: "north-east": unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:17.422767: "north-east": unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:17.422792: "north-east": unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:17.422817: "north-east": unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:17.422836: "north-east": unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:17.422860: "north-east": unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:17.422880: "north-east": unroute-client output: Error: Peer netns reference is invalid. 
Aug 26 13:10:17.422902: "north-east": unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:17.422924: "north-east": unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:17.422946: "north-east": unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:17.422970: "north-east": unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:17.422992: "north-east": unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:17.423013: "north-east": unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:17.423035: "north-east": unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:17.423057: "north-east": unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:17.423081: "north-east": unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:17.423102: "north-east": unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:17.423124: "north-east": unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:17.430970: | free hp@0x562c24bc4498 Aug 26 13:10:17.430996: | flush revival: connection 'north-east' wasn't on the list Aug 26 13:10:17.431006: | stop processing: connection "north-east" (in discard_connection() at connections.c:249) Aug 26 13:10:17.431044: | crl fetch request list locked by 'free_crl_fetch' Aug 26 13:10:17.431051: | crl fetch request list unlocked by 'free_crl_fetch' Aug 26 13:10:17.431075: shutting down interface lo/lo 127.0.0.1:4500 Aug 26 13:10:17.431083: shutting down interface lo/lo 127.0.0.1:500 Aug 26 13:10:17.431090: shutting down interface eth0/eth0 192.0.3.254:4500 Aug 26 13:10:17.431096: shutting down interface eth0/eth0 192.0.3.254:500 Aug 26 13:10:17.431104: shutting down interface eth1/eth1 192.1.3.33:4500 Aug 26 13:10:17.431110: shutting down interface eth1/eth1 192.1.3.33:500 Aug 26 13:10:17.431118: | FOR_EACH_STATE_... 
in delete_states_dead_interfaces Aug 26 13:10:17.431138: | libevent_free: release ptr-libevent@0x562c24bb5e68 Aug 26 13:10:17.431146: | free_event_entry: release EVENT_NULL-pe@0x562c24bc1b68 Aug 26 13:10:17.431166: | libevent_free: release ptr-libevent@0x562c24b4b088 Aug 26 13:10:17.431174: | free_event_entry: release EVENT_NULL-pe@0x562c24bc1c18 Aug 26 13:10:17.431188: | libevent_free: release ptr-libevent@0x562c24b4af28 Aug 26 13:10:17.431195: | free_event_entry: release EVENT_NULL-pe@0x562c24bc1cc8 Aug 26 13:10:17.431207: | libevent_free: release ptr-libevent@0x562c24b4c888 Aug 26 13:10:17.431213: | free_event_entry: release EVENT_NULL-pe@0x562c24bc1d78 Aug 26 13:10:17.431230: | libevent_free: release ptr-libevent@0x562c24b204e8 Aug 26 13:10:17.431237: | free_event_entry: release EVENT_NULL-pe@0x562c24bc1e28 Aug 26 13:10:17.431248: | libevent_free: release ptr-libevent@0x562c24b201d8 Aug 26 13:10:17.431255: | free_event_entry: release EVENT_NULL-pe@0x562c24bc1ed8 Aug 26 13:10:17.431265: | FOR_EACH_UNORIENTED_CONNECTION_... 
in check_orientations Aug 26 13:10:17.432041: | libevent_free: release ptr-libevent@0x562c24bb5f18 Aug 26 13:10:17.432057: | free_event_entry: release EVENT_NULL-pe@0x562c24ba9d08 Aug 26 13:10:17.432068: | libevent_free: release ptr-libevent@0x562c24b4afd8 Aug 26 13:10:17.432075: | free_event_entry: release EVENT_NULL-pe@0x562c24ba9c98 Aug 26 13:10:17.432084: | libevent_free: release ptr-libevent@0x562c24b8d618 Aug 26 13:10:17.432090: | free_event_entry: release EVENT_NULL-pe@0x562c24ba9158 Aug 26 13:10:17.432099: | global timer EVENT_REINIT_SECRET uninitialized Aug 26 13:10:17.432105: | global timer EVENT_SHUNT_SCAN uninitialized Aug 26 13:10:17.432110: | global timer EVENT_PENDING_DDNS uninitialized Aug 26 13:10:17.432115: | global timer EVENT_PENDING_PHASE2 uninitialized Aug 26 13:10:17.432121: | global timer EVENT_CHECK_CRLS uninitialized Aug 26 13:10:17.432126: | global timer EVENT_REVIVE_CONNS uninitialized Aug 26 13:10:17.432131: | global timer EVENT_FREE_ROOT_CERTS uninitialized Aug 26 13:10:17.432137: | global timer EVENT_RESET_LOG_RATE_LIMIT uninitialized Aug 26 13:10:17.432143: | global timer EVENT_NAT_T_KEEPALIVE uninitialized Aug 26 13:10:17.432152: | libevent_free: release ptr-libevent@0x562c24b4b578 Aug 26 13:10:17.432158: | signal event handler PLUTO_SIGCHLD uninstalled Aug 26 13:10:17.432165: | libevent_free: release ptr-libevent@0x562c24b4cd18 Aug 26 13:10:17.432171: | signal event handler PLUTO_SIGTERM uninstalled Aug 26 13:10:17.432177: | libevent_free: release ptr-libevent@0x562c24bc1458 Aug 26 13:10:17.432183: | signal event handler PLUTO_SIGHUP uninstalled Aug 26 13:10:17.432190: | libevent_free: release ptr-libevent@0x562c24bc1698 Aug 26 13:10:17.432195: | signal event handler PLUTO_SIGSYS uninstalled Aug 26 13:10:17.432200: | releasing event base Aug 26 13:10:17.432220: | libevent_free: release ptr-libevent@0x562c24bc1568 Aug 26 13:10:17.432227: | libevent_free: release ptr-libevent@0x562c24ba45d8 Aug 26 13:10:17.432235: | libevent_free: 
release ptr-libevent@0x562c24ba4588 Aug 26 13:10:17.432241: | libevent_free: release ptr-libevent@0x562c24ba4518 Aug 26 13:10:17.432247: | libevent_free: release ptr-libevent@0x562c24ba44d8 Aug 26 13:10:17.432253: | libevent_free: release ptr-libevent@0x562c24bc11e8 Aug 26 13:10:17.432259: | libevent_free: release ptr-libevent@0x562c24bc1398 Aug 26 13:10:17.432264: | libevent_free: release ptr-libevent@0x562c24ba4788 Aug 26 13:10:17.432270: | libevent_free: release ptr-libevent@0x562c24ba9268 Aug 26 13:10:17.432275: | libevent_free: release ptr-libevent@0x562c24ba9c58 Aug 26 13:10:17.432281: | libevent_free: release ptr-libevent@0x562c24bc1f48 Aug 26 13:10:17.432286: | libevent_free: release ptr-libevent@0x562c24bc1e98 Aug 26 13:10:17.432298: | libevent_free: release ptr-libevent@0x562c24bc1de8 Aug 26 13:10:17.432304: | libevent_free: release ptr-libevent@0x562c24bc1d38 Aug 26 13:10:17.432310: | libevent_free: release ptr-libevent@0x562c24bc1c88 Aug 26 13:10:17.432315: | libevent_free: release ptr-libevent@0x562c24bc1bd8 Aug 26 13:10:17.432320: | libevent_free: release ptr-libevent@0x562c24b483d8 Aug 26 13:10:17.432326: | libevent_free: release ptr-libevent@0x562c24bc1418 Aug 26 13:10:17.432334: | libevent_free: release ptr-libevent@0x562c24bc13d8 Aug 26 13:10:17.432340: | libevent_free: release ptr-libevent@0x562c24bc1358 Aug 26 13:10:17.432346: | libevent_free: release ptr-libevent@0x562c24bc1528 Aug 26 13:10:17.432351: | libevent_free: release ptr-libevent@0x562c24bc1228 Aug 26 13:10:17.432357: | libevent_free: release ptr-libevent@0x562c24b1f908 Aug 26 13:10:17.432363: | libevent_free: release ptr-libevent@0x562c24b1fd38 Aug 26 13:10:17.432369: | libevent_free: release ptr-libevent@0x562c24b48748 Aug 26 13:10:17.432378: | releasing global libevent data Aug 26 13:10:17.432384: | libevent_free: release ptr-libevent@0x562c24b1b0c8 Aug 26 13:10:17.432390: | libevent_free: release ptr-libevent@0x562c24b1fcd8 Aug 26 13:10:17.432396: | libevent_free: release 
ptr-libevent@0x562c24b1fdd8 Aug 26 13:10:17.432465: leak detective found no leaks