Aug 26 13:10:12.873517: FIPS Product: YES
Aug 26 13:10:12.873598: FIPS Kernel: NO
Aug 26 13:10:12.873601: FIPS Mode: NO
Aug 26 13:10:12.873603: NSS DB directory: sql:/etc/ipsec.d
Aug 26 13:10:12.873730: Initializing NSS
Aug 26 13:10:12.873735: Opening NSS database "sql:/etc/ipsec.d" read-only
Aug 26 13:10:12.900232: NSS initialized
Aug 26 13:10:12.900245: NSS crypto library initialized
Aug 26 13:10:12.900247: FIPS HMAC integrity support [enabled]
Aug 26 13:10:12.900249: FIPS mode disabled for pluto daemon
Aug 26 13:10:12.925997: FIPS HMAC integrity verification self-test FAILED
Aug 26 13:10:12.926286: libcap-ng support [enabled]
Aug 26 13:10:12.926298: Linux audit support [enabled]
Aug 26 13:10:12.926506: Linux audit activated
Aug 26 13:10:12.926514: Starting Pluto (Libreswan Version v3.28-685-gbfd5aef521-master-s2 XFRM(netkey) esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) DNSSEC FIPS_CHECK LABELED_IPSEC SECCOMP LIBCAP_NG LINUX_AUDIT XAUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:22977
Aug 26 13:10:12.926517: core dump dir: /tmp
Aug 26 13:10:12.926519: secrets file: /etc/ipsec.secrets
Aug 26 13:10:12.926520: leak-detective enabled
Aug 26 13:10:12.926522: NSS crypto [enabled]
Aug 26 13:10:12.926523: XAUTH PAM support [enabled]
Aug 26 13:10:12.926582: | libevent is using pluto's memory allocator
Aug 26 13:10:12.926587: Initializing libevent in pthreads mode: headers: 2.1.8-stable (2010800); library: 2.1.8-stable (2010800)
Aug 26 13:10:12.926600: | libevent_malloc: new ptr-libevent@0x55fd6a4d1598 size 40
Aug 26 13:10:12.926605: | libevent_malloc: new ptr-libevent@0x55fd6a4a0cd8 size 40
Aug 26 13:10:12.926608: | libevent_malloc: new ptr-libevent@0x55fd6a4a0dd8 size 40
Aug 26 13:10:12.926610: | creating event base
Aug 26 13:10:12.926612: | libevent_malloc: new ptr-libevent@0x55fd6a523898 size 56
Aug 26 13:10:12.926616: | libevent_malloc: new ptr-libevent@0x55fd6a4cfd88 size 664
Aug 26 13:10:12.926625: | libevent_malloc: new ptr-libevent@0x55fd6a523908 size 24
Aug 26 13:10:12.926627: | libevent_malloc: new ptr-libevent@0x55fd6a523958 size 384
Aug 26 13:10:12.926634: | libevent_malloc: new ptr-libevent@0x55fd6a523858 size 16
Aug 26 13:10:12.926636: | libevent_malloc: new ptr-libevent@0x55fd6a4a0908 size 40
Aug 26 13:10:12.926638: | libevent_malloc: new ptr-libevent@0x55fd6a4a0d38 size 48
Aug 26 13:10:12.926642: | libevent_realloc: new ptr-libevent@0x55fd6a4cfa18 size 256
Aug 26 13:10:12.926644: | libevent_malloc: new ptr-libevent@0x55fd6a523b08 size 16
Aug 26 13:10:12.926649: | libevent_free: release ptr-libevent@0x55fd6a523898
Aug 26 13:10:12.926651: | libevent initialized
Aug 26 13:10:12.926654: | libevent_realloc: new ptr-libevent@0x55fd6a523898 size 64
Aug 26 13:10:12.926659: | global periodic timer EVENT_RESET_LOG_RATE_LIMIT enabled with interval of 3600 seconds
Aug 26 13:10:12.926670: | init_nat_traversal() initialized with keep_alive=0s
Aug 26 13:10:12.926672: NAT-Traversal support [enabled]
Aug 26 13:10:12.926674: | global one-shot timer EVENT_NAT_T_KEEPALIVE initialized
Aug 26 13:10:12.926679: | global one-shot timer EVENT_FREE_ROOT_CERTS initialized
Aug 26 13:10:12.926681: | global periodic timer EVENT_REINIT_SECRET enabled with interval of 3600 seconds
Aug 26 13:10:12.926710: | global one-shot timer EVENT_REVIVE_CONNS initialized
Aug 26 13:10:12.926712: | global periodic timer EVENT_PENDING_DDNS enabled with interval of 60 seconds
Aug 26 13:10:12.926714: | global periodic timer EVENT_PENDING_PHASE2 enabled with interval of 120 seconds
Aug 26 13:10:12.926748: Encryption algorithms:
Aug 26 13:10:12.926753: AES_CCM_16 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm, aes_ccm_c
Aug 26 13:10:12.926756: AES_CCM_12 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_b
Aug 26 13:10:12.926758: AES_CCM_8 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_a
Aug 26 13:10:12.926761: 3DES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS [*192] 3des
Aug 26 13:10:12.926763: CAMELLIA_CTR IKEv1: ESP IKEv2: ESP {256,192,*128}
Aug 26 13:10:12.926771: CAMELLIA_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} camellia
Aug 26 13:10:12.926774: AES_GCM_16 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm, aes_gcm_c
Aug 26 13:10:12.926776: AES_GCM_12 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_b
Aug 26 13:10:12.926778: AES_GCM_8 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_a
Aug 26 13:10:12.926781: AES_CTR IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aesctr
Aug 26 13:10:12.926783: AES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aes
Aug 26 13:10:12.926785: SERPENT_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} serpent
Aug 26 13:10:12.926788: TWOFISH_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} twofish
Aug 26 13:10:12.926790: TWOFISH_SSH IKEv1: IKE IKEv2: IKE ESP {256,192,*128} twofish_cbc_ssh
Aug 26 13:10:12.926793: NULL_AUTH_AES_GMAC IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_gmac
Aug 26 13:10:12.926795: NULL IKEv1: ESP IKEv2: ESP []
Aug 26 13:10:12.926797: CHACHA20_POLY1305 IKEv1: IKEv2: IKE ESP [*256] chacha20poly1305
Aug 26 13:10:12.926804: Hash algorithms:
Aug 26 13:10:12.926806: MD5 IKEv1: IKE IKEv2:
Aug 26 13:10:12.926808: SHA1 IKEv1: IKE IKEv2: FIPS sha
Aug 26 13:10:12.926810: SHA2_256 IKEv1: IKE IKEv2: FIPS sha2, sha256
Aug 26 13:10:12.926812: SHA2_384 IKEv1: IKE IKEv2: FIPS sha384
Aug 26 13:10:12.926814: SHA2_512 IKEv1: IKE IKEv2: FIPS sha512
Aug 26 13:10:12.926823: PRF algorithms:
Aug 26 13:10:12.926825: HMAC_MD5 IKEv1: IKE IKEv2: IKE md5
Aug 26 13:10:12.926827: HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS sha, sha1
Aug 26 13:10:12.926829: HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS sha2, sha256, sha2_256
Aug 26 13:10:12.926831: HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS sha384, sha2_384
Aug 26 13:10:12.926833: HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS sha512, sha2_512
Aug 26 13:10:12.926835: AES_XCBC IKEv1: IKEv2: IKE aes128_xcbc
Aug 26 13:10:12.926852: Integrity algorithms:
Aug 26 13:10:12.926854: HMAC_MD5_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH md5, hmac_md5
Aug 26 13:10:12.926857: HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha, sha1, sha1_96, hmac_sha1
Aug 26 13:10:12.926859: HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha512, sha2_512, sha2_512_256, hmac_sha2_512
Aug 26 13:10:12.926862: HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha384, sha2_384, sha2_384_192, hmac_sha2_384
Aug 26 13:10:12.926864: HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256
Aug 26 13:10:12.926866: HMAC_SHA2_256_TRUNCBUG IKEv1: ESP AH IKEv2: AH
Aug 26 13:10:12.926868: AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP AH aes_xcbc, aes128_xcbc, aes128_xcbc_96
Aug 26 13:10:12.926870: AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS aes_cmac
Aug 26 13:10:12.926872: NONE IKEv1: ESP IKEv2: IKE ESP FIPS null
Aug 26 13:10:12.926880: DH algorithms:
Aug 26 13:10:12.926882: NONE IKEv1: IKEv2: IKE ESP AH FIPS null, dh0
Aug 26 13:10:12.926884: MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH dh5
Aug 26 13:10:12.926886: MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh14
Aug 26 13:10:12.926890: MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh15
Aug 26 13:10:12.926892: MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh16
Aug 26 13:10:12.926894: MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh17
Aug 26 13:10:12.926896: MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh18
Aug 26 13:10:12.926898: DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_256, ecp256
Aug 26 13:10:12.926900: DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_384, ecp384
Aug 26 13:10:12.926902: DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_521, ecp521
Aug 26 13:10:12.926904: DH31 IKEv1: IKE IKEv2: IKE ESP AH curve25519
Aug 26 13:10:12.926906: testing CAMELLIA_CBC:
Aug 26 13:10:12.926908: Camellia: 16 bytes with 128-bit key
Aug 26 13:10:12.926998: Camellia: 16 bytes with 128-bit key
Aug 26 13:10:12.927017: Camellia: 16 bytes with 256-bit key
Aug 26 13:10:12.927037: Camellia: 16 bytes with 256-bit key
Aug 26 13:10:12.927055: testing AES_GCM_16:
Aug 26 13:10:12.927058: empty string
Aug 26 13:10:12.927076: one block
Aug 26 13:10:12.927092: two blocks
Aug 26 13:10:12.927109: two blocks with associated data
Aug 26 13:10:12.927125: testing AES_CTR:
Aug 26 13:10:12.927127: Encrypting 16 octets using AES-CTR with 128-bit key
Aug 26 13:10:12.927144: Encrypting 32 octets using AES-CTR with 128-bit key
Aug 26 13:10:12.927161: Encrypting 36 octets using AES-CTR with 128-bit key
Aug 26 13:10:12.927179: Encrypting 16 octets using AES-CTR with 192-bit key
Aug 26 13:10:12.927197: Encrypting 32 octets using AES-CTR with 192-bit key
Aug 26 13:10:12.927214: Encrypting 36 octets using AES-CTR with 192-bit key
Aug 26 13:10:12.927231: Encrypting 16 octets using AES-CTR with 256-bit key
Aug 26 13:10:12.927248: Encrypting 32 octets using AES-CTR with 256-bit key
Aug 26 13:10:12.927265: Encrypting 36 octets using AES-CTR with 256-bit key
Aug 26 13:10:12.927282: testing AES_CBC:
Aug 26 13:10:12.927284: Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key
Aug 26 13:10:12.927308: Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key
Aug 26 13:10:12.927329: Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key
Aug 26 13:10:12.927347: Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key
Aug 26 13:10:12.927367: testing AES_XCBC:
Aug 26 13:10:12.927370: RFC 3566 Test Case #1: AES-XCBC-MAC-96 with 0-byte input
Aug 26 13:10:12.927443: RFC 3566 Test Case #2: AES-XCBC-MAC-96 with 3-byte input
Aug 26 13:10:12.927525: RFC 3566 Test Case #3: AES-XCBC-MAC-96 with 16-byte input
Aug 26 13:10:12.927602: RFC 3566 Test Case #4: AES-XCBC-MAC-96 with 20-byte input
Aug 26 13:10:12.927679: RFC 3566 Test Case #5: AES-XCBC-MAC-96 with 32-byte input
Aug 26 13:10:12.927756: RFC 3566 Test Case #6: AES-XCBC-MAC-96 with 34-byte input
Aug 26 13:10:12.927834: RFC 3566 Test Case #7: AES-XCBC-MAC-96 with 1000-byte input
Aug 26 13:10:12.928002: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 16)
Aug 26 13:10:12.928079: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10)
Aug 26 13:10:12.928163: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18)
Aug 26 13:10:12.928311: testing HMAC_MD5:
Aug 26 13:10:12.928315: RFC 2104: MD5_HMAC test 1
Aug 26 13:10:12.928425: RFC 2104: MD5_HMAC test 2
Aug 26 13:10:12.928518: RFC 2104: MD5_HMAC test 3
Aug 26 13:10:12.928662: 8 CPU cores online
Aug 26 13:10:12.928666: starting up 7 crypto helpers
Aug 26 13:10:12.928691: started thread for crypto helper 0
Aug 26 13:10:12.928710: started thread for crypto helper 1
Aug 26 13:10:12.928727: | starting up helper thread 0
Aug 26 13:10:12.928737: | starting up helper thread 2
Aug 26 13:10:12.928743: | starting up helper thread 1
Aug 26 13:10:12.928759: | status value returned by setting the priority of this thread (crypto helper 1) 22
Aug 26 13:10:12.928766: | crypto helper 1 waiting (nothing to do)
Aug 26 13:10:12.928731: started thread for crypto helper 2
Aug 26 13:10:12.928746: | status value returned by setting the priority of this thread (crypto helper 0) 22
Aug 26 13:10:12.928819: | starting up helper thread 3
Aug 26 13:10:12.928816: started thread for crypto helper 3
Aug 26 13:10:12.928753: | status value returned by setting the priority of this thread (crypto helper 2) 22
Aug 26 13:10:12.928853: started thread for crypto helper 4
Aug 26 13:10:12.928856: | starting up helper thread 4
Aug 26 13:10:12.928865: | status value returned by setting the priority of this thread (crypto helper 4) 22
Aug 26 13:10:12.928824: | crypto helper 0 waiting (nothing to do)
Aug 26 13:10:12.928877: started thread for crypto helper 5
Aug 26 13:10:12.928832: | status value returned by setting the priority of this thread (crypto helper 3) 22
Aug 26 13:10:12.928884: | crypto helper 2 waiting (nothing to do)
Aug 26 13:10:12.928896: started thread for crypto helper 6
Aug 26 13:10:12.928897: | starting up helper thread 5
Aug 26 13:10:12.928904: | status value returned by setting the priority of this thread (crypto helper 5) 22
Aug 26 13:10:12.928908: | starting up helper thread 6
Aug 26 13:10:12.928910: | crypto helper 5 waiting (nothing to do)
Aug 26 13:10:12.928919: | status value returned by setting the priority of this thread (crypto helper 6) 22
Aug 26 13:10:12.928926: | crypto helper 6 waiting (nothing to do)
Aug 26 13:10:12.928904: | checking IKEv1 state table
Aug 26 13:10:12.928949: | crypto helper 3 waiting (nothing to do)
Aug 26 13:10:12.928959: | MAIN_R0: category: half-open IKE SA flags: 0:
Aug 26 13:10:12.928963: | -> MAIN_R1 EVENT_SO_DISCARD
Aug 26 13:10:12.928965: | MAIN_I1: category: half-open IKE SA flags: 0:
Aug 26 13:10:12.928967: | -> MAIN_I2 EVENT_RETRANSMIT
Aug 26 13:10:12.928969: | MAIN_R1: category: open IKE SA flags: 200:
Aug 26 13:10:12.928970: | -> MAIN_R2 EVENT_RETRANSMIT
Aug 26 13:10:12.928972: | -> UNDEFINED EVENT_RETRANSMIT
Aug 26 13:10:12.928974: | -> UNDEFINED EVENT_RETRANSMIT
Aug 26 13:10:12.928975: | MAIN_I2: category: open IKE SA flags: 0:
Aug 26 13:10:12.928977: | -> MAIN_I3 EVENT_RETRANSMIT
Aug 26 13:10:12.928979: | -> UNDEFINED EVENT_RETRANSMIT
Aug 26 13:10:12.928980: | -> UNDEFINED EVENT_RETRANSMIT
Aug 26 13:10:12.928982: | MAIN_R2: category: open IKE SA flags: 0:
Aug 26 13:10:12.928984: | -> MAIN_R3 EVENT_SA_REPLACE
Aug 26 13:10:12.928985: | -> MAIN_R3 EVENT_SA_REPLACE
Aug 26 13:10:12.928987: | -> UNDEFINED EVENT_SA_REPLACE
Aug 26 13:10:12.928989: | MAIN_I3: category: open IKE SA flags: 0:
Aug 26 13:10:12.928990: | -> MAIN_I4 EVENT_SA_REPLACE
Aug 26 13:10:12.928992: | -> MAIN_I4 EVENT_SA_REPLACE
Aug 26 13:10:12.928993: | -> UNDEFINED EVENT_SA_REPLACE
Aug 26 13:10:12.928995: | MAIN_R3: category: established IKE SA flags: 200:
Aug 26 13:10:12.929000: | -> UNDEFINED EVENT_NULL
Aug 26 13:10:12.929003: | MAIN_I4: category: established IKE SA flags: 0:
Aug 26 13:10:12.929006: | -> UNDEFINED EVENT_NULL
Aug 26 13:10:12.928994: | crypto helper 4 waiting (nothing to do)
Aug 26 13:10:12.929008: | AGGR_R0: category: half-open IKE SA flags: 0:
Aug 26 13:10:12.929039: | -> AGGR_R1 EVENT_SO_DISCARD
Aug 26 13:10:12.929042: | AGGR_I1: category: half-open IKE SA flags: 0:
Aug 26 13:10:12.929043: | -> AGGR_I2 EVENT_SA_REPLACE
Aug 26 13:10:12.929045: | -> AGGR_I2 EVENT_SA_REPLACE
Aug 26 13:10:12.929047: | AGGR_R1: category: open IKE SA flags: 200:
Aug 26 13:10:12.929048: | -> AGGR_R2 EVENT_SA_REPLACE
Aug 26 13:10:12.929050: | -> AGGR_R2 EVENT_SA_REPLACE
Aug 26 13:10:12.929052: | AGGR_I2: category: established IKE SA flags: 200:
Aug 26 13:10:12.929053: | -> UNDEFINED EVENT_NULL
Aug 26 13:10:12.929055: | AGGR_R2: category: established IKE SA flags: 0:
Aug 26 13:10:12.929057: | -> UNDEFINED EVENT_NULL
Aug 26 13:10:12.929059: | QUICK_R0: category: established CHILD SA flags: 0:
Aug 26 13:10:12.929060: | -> QUICK_R1 EVENT_RETRANSMIT
Aug 26 13:10:12.929065: | QUICK_I1: category: established CHILD SA flags: 0:
Aug 26 13:10:12.929067: | -> QUICK_I2 EVENT_SA_REPLACE
Aug 26 13:10:12.929069: | QUICK_R1: category: established CHILD SA flags: 0:
Aug 26 13:10:12.929071: | -> QUICK_R2 EVENT_SA_REPLACE
Aug 26 13:10:12.929073: | QUICK_I2: category: established CHILD SA flags: 200:
Aug 26 13:10:12.929074: | -> UNDEFINED EVENT_NULL
Aug 26 13:10:12.929076: | QUICK_R2: category: established CHILD SA flags: 0:
Aug 26 13:10:12.929078: | -> UNDEFINED EVENT_NULL
Aug 26 13:10:12.929079: | INFO: category: informational flags: 0:
Aug 26 13:10:12.929081: | -> UNDEFINED EVENT_NULL
Aug 26 13:10:12.929083: | INFO_PROTECTED: category: informational flags: 0:
Aug 26 13:10:12.929085: | -> UNDEFINED EVENT_NULL
Aug 26 13:10:12.929086: | XAUTH_R0: category: established IKE SA flags: 0:
Aug 26 13:10:12.929088: | -> XAUTH_R1 EVENT_NULL
Aug 26 13:10:12.929090: | XAUTH_R1: category: established IKE SA flags: 0:
Aug 26 13:10:12.929091: | -> MAIN_R3 EVENT_SA_REPLACE
Aug 26 13:10:12.929093: | MODE_CFG_R0: category: informational flags: 0:
Aug 26 13:10:12.929095: | -> MODE_CFG_R1 EVENT_SA_REPLACE
Aug 26 13:10:12.929097: | MODE_CFG_R1: category: established IKE SA flags: 0:
Aug 26 13:10:12.929098: | -> MODE_CFG_R2 EVENT_SA_REPLACE
Aug 26 13:10:12.929100: | MODE_CFG_R2: category: established IKE SA flags: 0:
Aug 26 13:10:12.929102: | -> UNDEFINED EVENT_NULL
Aug 26 13:10:12.929104: | MODE_CFG_I1: category: established IKE SA flags: 0:
Aug 26 13:10:12.929105: | -> MAIN_I4 EVENT_SA_REPLACE
Aug 26 13:10:12.929107: | XAUTH_I0: category: established IKE SA flags: 0:
Aug 26 13:10:12.929109: | -> XAUTH_I1 EVENT_RETRANSMIT
Aug 26 13:10:12.929111: | XAUTH_I1: category: established IKE SA flags: 0:
Aug 26 13:10:12.929112: | -> MAIN_I4 EVENT_RETRANSMIT
Aug 26 13:10:12.929117: | checking IKEv2 state table
Aug 26 13:10:12.929121: | PARENT_I0: category: ignore flags: 0:
Aug 26 13:10:12.929123: | -> PARENT_I1 EVENT_RETRANSMIT send-request (initiate IKE_SA_INIT)
Aug 26 13:10:12.929125: | PARENT_I1: category: half-open IKE SA flags: 0:
Aug 26 13:10:12.929128: | -> PARENT_I1 EVENT_RETAIN send-request (Initiator: process SA_INIT reply notification)
Aug 26 13:10:12.929130: | -> PARENT_I2 EVENT_RETRANSMIT send-request (Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH)
Aug 26 13:10:12.929132: | PARENT_I2: category: open IKE SA flags: 0:
Aug 26 13:10:12.929134: | -> PARENT_I2 EVENT_NULL (Initiator: process INVALID_SYNTAX AUTH notification)
Aug 26 13:10:12.929136: | -> PARENT_I2 EVENT_NULL (Initiator: process AUTHENTICATION_FAILED AUTH notification)
Aug 26 13:10:12.929137: | -> PARENT_I2 EVENT_NULL (Initiator: process UNSUPPORTED_CRITICAL_PAYLOAD AUTH notification)
Aug 26 13:10:12.929139: | -> V2_IPSEC_I EVENT_SA_REPLACE (Initiator: process IKE_AUTH response)
Aug 26 13:10:12.929141: | -> PARENT_I2 EVENT_NULL (IKE SA: process IKE_AUTH response containing unknown notification)
Aug 26 13:10:12.929143: | PARENT_I3: category: established IKE SA flags: 0:
Aug 26 13:10:12.929145: | -> PARENT_I3 EVENT_RETAIN (I3: Informational Request)
Aug 26 13:10:12.929147: | -> PARENT_I3 EVENT_RETAIN (I3: Informational Response)
Aug 26 13:10:12.929148: | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Request)
Aug 26 13:10:12.929150: | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Response)
Aug 26 13:10:12.929152: | PARENT_R0: category: half-open IKE SA flags: 0:
Aug 26 13:10:12.929154: | -> PARENT_R1 EVENT_SO_DISCARD send-request (Respond to IKE_SA_INIT)
Aug 26 13:10:12.929156: | PARENT_R1: category: half-open IKE SA flags: 0:
Aug 26 13:10:12.929158: | -> PARENT_R1 EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request (no SKEYSEED))
Aug 26 13:10:12.929159: | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request)
Aug 26 13:10:12.929161: | PARENT_R2: category: established IKE SA flags: 0:
Aug 26 13:10:12.929163: | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Request)
Aug 26 13:10:12.929168: | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Response)
Aug 26 13:10:12.929170: | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Request)
Aug 26 13:10:12.929171: | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Response)
Aug 26 13:10:12.929173: | V2_CREATE_I0: category: established IKE SA flags: 0:
Aug 26 13:10:12.929175: | -> V2_CREATE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec SA)
Aug 26 13:10:12.929177: | V2_CREATE_I: category: established IKE SA flags: 0:
Aug 26 13:10:12.929179: | -> V2_IPSEC_I EVENT_SA_REPLACE (Process CREATE_CHILD_SA IPsec SA Response)
Aug 26 13:10:12.929181: | V2_REKEY_IKE_I0: category: established IKE SA flags: 0:
Aug 26 13:10:12.929183: | -> V2_REKEY_IKE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IKE Rekey)
Aug 26 13:10:12.929185: | V2_REKEY_IKE_I: category: established IKE SA flags: 0:
Aug 26 13:10:12.929187: | -> PARENT_I3 EVENT_SA_REPLACE (Process CREATE_CHILD_SA IKE Rekey Response)
Aug 26 13:10:12.929188: | V2_REKEY_CHILD_I0: category: established IKE SA flags: 0:
Aug 26 13:10:12.929190: | -> V2_REKEY_CHILD_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec Rekey SA)
Aug 26 13:10:12.929192: | V2_REKEY_CHILD_I: category: established IKE SA flags: 0:
Aug 26 13:10:12.929194: | V2_CREATE_R: category: established IKE SA flags: 0:
Aug 26 13:10:12.929196: | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IPsec SA Request)
Aug 26 13:10:12.929198: | V2_REKEY_IKE_R: category: established IKE SA flags: 0:
Aug 26 13:10:12.929200: | -> PARENT_R2 EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IKE Rekey)
Aug 26 13:10:12.929202: | V2_REKEY_CHILD_R: category: established IKE SA flags: 0:
Aug 26 13:10:12.929204: | V2_IPSEC_I: category: established CHILD SA flags: 0:
Aug 26 13:10:12.929206: | V2_IPSEC_R: category: established CHILD SA flags: 0:
Aug 26 13:10:12.929208: | IKESA_DEL: category: established IKE SA flags: 0:
Aug 26 13:10:12.929210: | -> IKESA_DEL EVENT_RETAIN (IKE_SA_DEL: process INFORMATIONAL)
Aug 26 13:10:12.929212: | CHILDSA_DEL: category: informational flags: 0:
Aug 26 13:10:12.929221: Using Linux XFRM/NETKEY IPsec interface code on 5.1.18-200.fc29.x86_64
Aug 26 13:10:12.929487: | Hard-wiring algorithms
Aug 26 13:10:12.929494: | adding AES_CCM_16 to kernel algorithm db
Aug 26 13:10:12.929498: | adding AES_CCM_12 to kernel algorithm db
Aug 26 13:10:12.929500: | adding AES_CCM_8 to kernel algorithm db
Aug 26 13:10:12.929501: | adding 3DES_CBC to kernel algorithm db
Aug 26 13:10:12.929503: | adding CAMELLIA_CBC to kernel algorithm db
Aug 26 13:10:12.929505: | adding AES_GCM_16 to kernel algorithm db
Aug 26 13:10:12.929507: | adding AES_GCM_12 to kernel algorithm db
Aug 26 13:10:12.929508: | adding AES_GCM_8 to kernel algorithm db
Aug 26 13:10:12.929510: | adding AES_CTR to kernel algorithm db
Aug 26 13:10:12.929512: | adding AES_CBC to kernel algorithm db
Aug 26 13:10:12.929513: | adding SERPENT_CBC to kernel algorithm db
Aug 26 13:10:12.929515: | adding TWOFISH_CBC to kernel algorithm db
Aug 26 13:10:12.929517: | adding NULL_AUTH_AES_GMAC to kernel algorithm db
Aug 26 13:10:12.929519: | adding NULL to kernel algorithm db
Aug 26 13:10:12.929521: | adding CHACHA20_POLY1305 to kernel algorithm db
Aug 26 13:10:12.929522: | adding HMAC_MD5_96 to kernel algorithm db
Aug 26 13:10:12.929524: | adding HMAC_SHA1_96 to kernel algorithm db
Aug 26 13:10:12.929526: | adding HMAC_SHA2_512_256 to kernel algorithm db
Aug 26 13:10:12.929528: | adding HMAC_SHA2_384_192 to kernel algorithm db
Aug 26 13:10:12.929529: | adding HMAC_SHA2_256_128 to kernel algorithm db
Aug 26 13:10:12.929531: | adding HMAC_SHA2_256_TRUNCBUG to kernel algorithm db
Aug 26 13:10:12.929533: | adding AES_XCBC_96 to kernel algorithm db
Aug 26 13:10:12.929534: | adding AES_CMAC_96 to kernel algorithm db
Aug 26 13:10:12.929536: | adding NONE to kernel algorithm db
Aug 26 13:10:12.929554: | net.ipv6.conf.all.disable_ipv6=1 ignore ipv6 holes
Aug 26 13:10:12.929558: | global periodic timer EVENT_SHUNT_SCAN enabled with interval of 20 seconds
Aug 26 13:10:12.929560: | setup kernel fd callback
Aug 26 13:10:12.929562: | add_fd_read_event_handler: new KERNEL_XRM_FD-pe@0x55fd6a529118
Aug 26 13:10:12.929566: | libevent_malloc: new ptr-libevent@0x55fd6a50cb18 size 128
Aug 26 13:10:12.929568: | libevent_malloc: new ptr-libevent@0x55fd6a528678 size 16
Aug 26 13:10:12.929573: | add_fd_read_event_handler: new KERNEL_ROUTE_FD-pe@0x55fd6a528568
Aug 26 13:10:12.929575: | libevent_malloc: new ptr-libevent@0x55fd6a4d2f78 size 128
Aug 26 13:10:12.929576: | libevent_malloc: new ptr-libevent@0x55fd6a529068 size 16
Aug 26 13:10:12.929721: | global one-shot timer EVENT_CHECK_CRLS initialized
Aug 26 13:10:12.929728: selinux support is enabled.
Aug 26 13:10:12.930171: | unbound context created - setting debug level to 5
Aug 26 13:10:12.930193: | /etc/hosts lookups activated
Aug 26 13:10:12.930204: | /etc/resolv.conf usage activated
Aug 26 13:10:12.930240: | outgoing-port-avoid set 0-65535
Aug 26 13:10:12.930258: | outgoing-port-permit set 32768-60999
Aug 26 13:10:12.930260: | Loading dnssec root key from:/var/lib/unbound/root.key
Aug 26 13:10:12.930262: | No additional dnssec trust anchors defined via dnssec-trusted= option
Aug 26 13:10:12.930265: | Setting up events, loop start
Aug 26 13:10:12.930267: | add_fd_read_event_handler: new PLUTO_CTL_FD-pe@0x55fd6a5290a8
Aug 26 13:10:12.930269: | libevent_malloc: new ptr-libevent@0x55fd6a535368 size 128
Aug 26 13:10:12.930271: | libevent_malloc: new ptr-libevent@0x55fd6a540678 size 16
Aug 26 13:10:12.930276: | libevent_realloc: new ptr-libevent@0x55fd6a5406b8 size 256
Aug 26 13:10:12.930278: | libevent_malloc: new ptr-libevent@0x55fd6a5407e8 size 8
Aug 26 13:10:12.930280: | libevent_realloc: new ptr-libevent@0x55fd6a4d02c8 size 144
Aug 26 13:10:12.930282: | libevent_malloc: new ptr-libevent@0x55fd6a4d43f8 size 152
Aug 26 13:10:12.930285: | libevent_malloc: new ptr-libevent@0x55fd6a540828 size 16
Aug 26 13:10:12.930291: | signal event handler PLUTO_SIGCHLD installed
Aug 26 13:10:12.930297: | libevent_malloc: new ptr-libevent@0x55fd6a540868 size 8
Aug 26 13:10:12.930299: | libevent_malloc: new ptr-libevent@0x55fd6a5408a8 size 152
Aug 26 13:10:12.930301: | signal event handler PLUTO_SIGTERM installed
Aug 26 13:10:12.930303: | libevent_malloc: new ptr-libevent@0x55fd6a540978 size 8
Aug 26 13:10:12.930305: | libevent_malloc: new ptr-libevent@0x55fd6a5409b8 size 152
Aug 26 13:10:12.930307: | signal event handler PLUTO_SIGHUP installed
Aug 26 13:10:12.930309: | libevent_malloc: new ptr-libevent@0x55fd6a540a88 size 8
Aug 26 13:10:12.930311: | libevent_realloc: release ptr-libevent@0x55fd6a4d02c8
Aug 26 13:10:12.930313: | libevent_realloc: new ptr-libevent@0x55fd6a540ac8 size 256
Aug 26 13:10:12.930315: | libevent_malloc: new ptr-libevent@0x55fd6a540bf8 size 152
Aug 26 13:10:12.930317: | signal event handler PLUTO_SIGSYS installed
Aug 26 13:10:12.930558: | created addconn helper (pid:23014) using fork+execve
Aug 26 13:10:12.930574: | forked child 23014
Aug 26 13:10:12.930958: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
Aug 26 13:10:12.931080: listening for IKE messages
Aug 26 13:10:12.931326: | Inspecting interface lo
Aug 26 13:10:12.931337: | found lo with address 127.0.0.1
Aug 26 13:10:12.931340: | Inspecting interface eth0
Aug 26 13:10:12.931344: | found eth0 with address 192.0.2.254
Aug 26 13:10:12.931346: | Inspecting interface eth1
Aug 26 13:10:12.931349: | found eth1 with address 192.1.2.23
Aug 26 13:10:12.931439: Kernel supports NIC esp-hw-offload
Aug 26 13:10:12.931448: adding interface eth1/eth1 (esp-hw-offload not supported by kernel) 192.1.2.23:500
Aug 26 13:10:12.931482: | NAT-Traversal: Trying sockopt style NAT-T
Aug 26 13:10:12.931486: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4
Aug 26 13:10:12.931488: adding interface eth1/eth1 192.1.2.23:4500
Aug 26 13:10:12.931512: adding interface eth0/eth0 (esp-hw-offload not supported by kernel) 192.0.2.254:500
Aug 26 13:10:12.931527: | NAT-Traversal: Trying sockopt style NAT-T
Aug 26 13:10:12.931530: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4
Aug 26 13:10:12.931532: adding interface eth0/eth0 192.0.2.254:4500
Aug 26 13:10:12.931549: adding interface lo/lo (esp-hw-offload not supported by kernel) 127.0.0.1:500
Aug 26 13:10:12.931564: | NAT-Traversal: Trying sockopt style NAT-T
Aug 26 13:10:12.931567: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4
Aug 26 13:10:12.931570: adding interface lo/lo 127.0.0.1:4500
Aug 26 13:10:12.931630: | no interfaces to sort
Aug 26 13:10:12.931633: | FOR_EACH_UNORIENTED_CONNECTION_... in check_orientations
Aug 26 13:10:12.931639: | add_fd_read_event_handler: new ethX-pe@0x55fd6a541148
Aug 26 13:10:12.931641: | libevent_malloc: new ptr-libevent@0x55fd6a5352b8 size 128
Aug 26 13:10:12.931644: | libevent_malloc: new ptr-libevent@0x55fd6a5411b8 size 16
Aug 26 13:10:12.931648: | setup callback for interface lo 127.0.0.1:4500 fd 22
Aug 26 13:10:12.931651: | add_fd_read_event_handler: new ethX-pe@0x55fd6a5411f8
Aug 26 13:10:12.931653: | libevent_malloc: new ptr-libevent@0x55fd6a4d11d8 size 128
Aug 26 13:10:12.931655: | libevent_malloc: new ptr-libevent@0x55fd6a541268 size 16
Aug 26 13:10:12.931659: | setup callback for interface lo 127.0.0.1:500 fd 21
Aug 26 13:10:12.931660: | add_fd_read_event_handler: new ethX-pe@0x55fd6a5412a8
Aug 26 13:10:12.931662: | libevent_malloc: new ptr-libevent@0x55fd6a4d3078 size 128
Aug 26 13:10:12.931664: | libevent_malloc: new ptr-libevent@0x55fd6a541318 size 16
Aug 26 13:10:12.931667: | setup callback for interface eth0 192.0.2.254:4500 fd 20
Aug 26 13:10:12.931669: | add_fd_read_event_handler: new ethX-pe@0x55fd6a541358
Aug 26 13:10:12.931672: | libevent_malloc: new ptr-libevent@0x55fd6a4d01c8 size 128
Aug 26 13:10:12.931674: | libevent_malloc: new ptr-libevent@0x55fd6a5413c8 size 16
Aug 26 13:10:12.931677: | setup callback for interface eth0 192.0.2.254:500 fd 19
Aug 26 13:10:12.931678: | add_fd_read_event_handler: new ethX-pe@0x55fd6a541408
Aug 26 13:10:12.931681: | libevent_malloc: new ptr-libevent@0x55fd6a4a14e8 size 128
Aug 26 13:10:12.931683: | libevent_malloc: new ptr-libevent@0x55fd6a541478 size 16
Aug 26 13:10:12.931686: | setup callback for interface eth1 192.1.2.23:4500 fd 18
Aug 26 13:10:12.931688: | add_fd_read_event_handler: new ethX-pe@0x55fd6a5414b8
Aug 26 13:10:12.931690: | libevent_malloc: new ptr-libevent@0x55fd6a4a11d8 size 128
Aug 26 13:10:12.931691: | libevent_malloc: new ptr-libevent@0x55fd6a541528 size 16
Aug 26 13:10:12.931694: | setup callback for interface eth1 192.1.2.23:500 fd 17
Aug 26 13:10:12.931698: | certs and keys locked by 'free_preshared_secrets'
Aug 26 13:10:12.931700: | certs and keys unlocked by 'free_preshared_secrets'
Aug 26 13:10:12.931714: loading secrets from "/etc/ipsec.secrets"
Aug 26 13:10:12.931723: | id type added to secret(0x55fd6a49cc48) PKK_PSK: @east
Aug 26 13:10:12.931726: | id type added to secret(0x55fd6a49cc48) PKK_PSK: %any
Aug 26 13:10:12.931729: | Processing PSK at line 1: passed
Aug 26 13:10:12.931731: | certs and keys locked by 'process_secret'
Aug 26 13:10:12.931733: | certs and keys unlocked by 'process_secret'
Aug 26 13:10:12.931739: | close_any(fd@16) (in whack_process() at rcv_whack.c:700)
Aug 26 13:10:12.931745: | spent 0.79 milliseconds in whack
Aug 26 13:10:12.945143: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
Aug 26 13:10:12.945165: listening for IKE messages
Aug 26 13:10:12.946033: | Inspecting interface lo
Aug 26 13:10:12.946051: | found lo with address 127.0.0.1
Aug 26 13:10:12.946056: | Inspecting interface eth0
Aug 26 13:10:12.946060: | found eth0 with address 192.0.2.254
Aug 26 13:10:12.946063: | Inspecting interface eth1
Aug 26 13:10:12.946067: | found eth1 with address 192.1.2.23
Aug 26 13:10:12.946120: | no interfaces to sort
Aug 26 13:10:12.946136: | libevent_free: release ptr-libevent@0x55fd6a5352b8
Aug 26 13:10:12.946140: | free_event_entry: release EVENT_NULL-pe@0x55fd6a541148
Aug 26 13:10:12.946144: | add_fd_read_event_handler: new ethX-pe@0x55fd6a541148
Aug 26 13:10:12.946148: | libevent_malloc: new ptr-libevent@0x55fd6a5352b8 size 128
Aug 26 13:10:12.946155: | setup callback for interface lo 127.0.0.1:4500 fd 22
Aug 26 13:10:12.946159: | libevent_free: release ptr-libevent@0x55fd6a4d11d8
Aug 26 13:10:12.946162: | free_event_entry: release EVENT_NULL-pe@0x55fd6a5411f8
Aug 26 13:10:12.946165: | add_fd_read_event_handler: new ethX-pe@0x55fd6a5411f8
Aug 26 13:10:12.946168: | libevent_malloc: new ptr-libevent@0x55fd6a4d11d8 size 128
Aug 26 13:10:12.946174: | setup callback for interface lo 127.0.0.1:500 fd 21
Aug 26 13:10:12.946178: | libevent_free: release ptr-libevent@0x55fd6a4d3078
Aug 26 13:10:12.946181: | free_event_entry: release EVENT_NULL-pe@0x55fd6a5412a8
Aug 26 13:10:12.946184: | add_fd_read_event_handler: new ethX-pe@0x55fd6a5412a8
Aug 26 13:10:12.946187: | libevent_malloc: new ptr-libevent@0x55fd6a4d3078 size 128
Aug 26 13:10:12.946192: | setup callback for interface eth0 192.0.2.254:4500 fd 20
Aug 26 13:10:12.946196: | libevent_free: release ptr-libevent@0x55fd6a4d01c8
Aug 26 13:10:12.946200: | free_event_entry: release EVENT_NULL-pe@0x55fd6a541358
Aug 26 13:10:12.946203: | add_fd_read_event_handler: new ethX-pe@0x55fd6a541358
Aug 26 13:10:12.946206: | libevent_malloc: new ptr-libevent@0x55fd6a4d01c8 size 128
Aug 26 13:10:12.946211: | setup callback for interface eth0 192.0.2.254:500 fd 19
Aug 26 13:10:12.946215: | libevent_free: release ptr-libevent@0x55fd6a4a14e8
Aug 26 13:10:12.946218: | free_event_entry: release EVENT_NULL-pe@0x55fd6a541408
Aug 26 13:10:12.946221: | add_fd_read_event_handler: new ethX-pe@0x55fd6a541408
Aug 26 13:10:12.946224: | libevent_malloc: new ptr-libevent@0x55fd6a4a14e8 size 128
Aug 26 13:10:12.946229: | setup callback for interface eth1 192.1.2.23:4500 fd 18
Aug 26 13:10:12.946233: | libevent_free: release ptr-libevent@0x55fd6a4a11d8
Aug 26 13:10:12.946236: | free_event_entry: release EVENT_NULL-pe@0x55fd6a5414b8
Aug 26 13:10:12.946239: | add_fd_read_event_handler: new ethX-pe@0x55fd6a5414b8
Aug 26 13:10:12.946242: | libevent_malloc: new ptr-libevent@0x55fd6a4a11d8 size 128
Aug 26 13:10:12.946247: | setup callback for interface eth1 192.1.2.23:500 fd 17
Aug 26 13:10:12.946251: | certs and keys locked by 'free_preshared_secrets'
Aug 26 13:10:12.946254: forgetting secrets
Aug 26 13:10:12.946265: | certs and keys unlocked by 'free_preshared_secrets'
Aug 26 13:10:12.946281: loading secrets from "/etc/ipsec.secrets"
Aug 26 13:10:12.946297: | id type added to secret(0x55fd6a49cc48) PKK_PSK: @east
Aug 26 13:10:12.946305: | id type added to secret(0x55fd6a49cc48) PKK_PSK: %any
Aug 26 13:10:12.946310: | Processing PSK at line 1: passed
Aug 26 13:10:12.946313: | certs and keys locked by 'process_secret'
Aug 26 13:10:12.946316: | certs and keys unlocked by 'process_secret'
Aug 26 13:10:12.946324: | close_any(fd@16) (in whack_process() at rcv_whack.c:700)
Aug 26 13:10:12.946333: | spent 0.359 milliseconds in whack
Aug 26 13:10:12.947122: | processing signal PLUTO_SIGCHLD
Aug 26 13:10:12.947135: | waitpid returned pid 23014 (exited with status 0)
Aug 26 13:10:12.947138: | reaped addconn helper child (status 0)
Aug 26 13:10:12.947142: | waitpid returned ECHILD (no child processes left)
Aug 26 13:10:12.947146: | spent 0.0139 milliseconds in signal handler PLUTO_SIGCHLD
Aug 26 13:10:13.010543: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
Aug 26 13:10:13.010573: | FOR_EACH_CONNECTION_... in conn_by_name
Aug 26 13:10:13.010579: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias
Aug 26 13:10:13.010584: | FOR_EACH_CONNECTION_... in conn_by_name
Aug 26 13:10:13.010587: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias
Aug 26 13:10:13.010593: | FOR_EACH_CONNECTION_... in conn_by_name
Aug 26 13:10:13.010603: | Added new connection eastnet-any with policy PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO
Aug 26 13:10:13.010689: | ike (phase1) algorithm values: AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31
Aug 26 13:10:13.010698: | from whack: got --esp=
Aug 26 13:10:13.010749: | ESP/AH string values: AES_GCM_16_256-NONE, AES_GCM_16_128-NONE, AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128, AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128
Aug 26 13:10:13.010758: | counting wild cards for (none) is 15
Aug 26 13:10:13.010764: | counting wild cards for @east is 0
Aug 26 13:10:13.010772: | based upon policy, the connection is a template.
Aug 26 13:10:13.010782: | connect_to_host_pair: 192.1.2.23:500 0.0.0.0:500 -> hp@(nil): none Aug 26 13:10:13.010787: | new hp@0x55fd6a543748 Aug 26 13:10:13.010794: added connection description "eastnet-any" Aug 26 13:10:13.010811: | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO Aug 26 13:10:13.010825: | 192.0.2.0/24===192.1.2.23<192.1.2.23>[@east]...%any===192.0.1.0/24 Aug 26 13:10:13.010838: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 13:10:13.010848: | spent 0.317 milliseconds in whack Aug 26 13:10:14.172840: | spent 0.00468 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Aug 26 13:10:14.172894: | *received 828 bytes from 192.1.2.254:500 on eth1 (192.1.2.23:500)
Aug 26 13:10:14.173091: | start processing: from 192.1.2.254:500 (in process_md() at demux.c:378) Aug 26 13:10:14.173096: | **parse ISAKMP Message: Aug 26 13:10:14.173100: | initiator cookie: Aug 26 13:10:14.173103: | 09 89 39 54 70 14 c0 90 Aug 26 13:10:14.173106: | responder cookie: Aug 26 13:10:14.173109: | 00 00 00 00 00 00 00 00 Aug 26 13:10:14.173113: | next payload type: ISAKMP_NEXT_v2SA (0x21) Aug 26 13:10:14.173117: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:10:14.173120: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) Aug 26 13:10:14.173124: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Aug 26 13:10:14.173127: | Message ID: 0 (0x0) Aug 26 13:10:14.173130: | length: 828 (0x33c) Aug 26 13:10:14.173134: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_SA_INIT (34) Aug 26 13:10:14.173138: | I am the IKE SA Original Responder receiving an IKEv2 IKE_SA_INIT request Aug 26 13:10:14.173143: | State DB: IKEv2 state not found (find_v2_ike_sa_by_initiator_spi) Aug 26 13:10:14.173147: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Aug 26 13:10:14.173151: | ***parse IKEv2 Security Association Payload: Aug 26 13:10:14.173155: | next payload type: ISAKMP_NEXT_v2KE (0x22) Aug 26 13:10:14.173158: | flags: none (0x0) Aug 26 13:10:14.173161: |
length: 436 (0x1b4) Aug 26 13:10:14.173165: | processing payload: ISAKMP_NEXT_v2SA (len=432) Aug 26 13:10:14.173168: | Now let's proceed with payload (ISAKMP_NEXT_v2KE) Aug 26 13:10:14.173171: | ***parse IKEv2 Key Exchange Payload: Aug 26 13:10:14.173175: | next payload type: ISAKMP_NEXT_v2Ni (0x28) Aug 26 13:10:14.173178: | flags: none (0x0) Aug 26 13:10:14.173181: | length: 264 (0x108) Aug 26 13:10:14.173184: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:10:14.173187: | processing payload: ISAKMP_NEXT_v2KE (len=256) Aug 26 13:10:14.173190: | Now let's proceed with payload (ISAKMP_NEXT_v2Ni) Aug 26 13:10:14.173193: | ***parse IKEv2 Nonce Payload: Aug 26 13:10:14.173197: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 13:10:14.173200: | flags: none (0x0) Aug 26 13:10:14.173203: | length: 36 (0x24) Aug 26 13:10:14.173206: | processing payload: ISAKMP_NEXT_v2Ni (len=32) Aug 26 13:10:14.173209: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Aug 26 13:10:14.173215: | ***parse IKEv2 Notify Payload: Aug 26 13:10:14.173219: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 13:10:14.173222: | flags: none (0x0) Aug 26 13:10:14.173225: | length: 8 (0x8) Aug 26 13:10:14.173228: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:10:14.173231: | SPI size: 0 (0x0) Aug 26 13:10:14.173235: | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) Aug 26 13:10:14.173239: | processing payload: ISAKMP_NEXT_v2N (len=0) Aug 26 13:10:14.173242: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Aug 26 13:10:14.173245: | ***parse IKEv2 Notify Payload: Aug 26 13:10:14.173248: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 13:10:14.173251: | flags: none (0x0) Aug 26 13:10:14.173254: | length: 28 (0x1c) Aug 26 13:10:14.173257: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:10:14.173260: | SPI size: 0 (0x0) Aug 26 13:10:14.173263: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Aug 26 13:10:14.173267: | processing payload: ISAKMP_NEXT_v2N (len=20) Aug 26 
13:10:14.173270: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Aug 26 13:10:14.173273: | ***parse IKEv2 Notify Payload: Aug 26 13:10:14.173276: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:14.173279: | flags: none (0x0) Aug 26 13:10:14.173282: | length: 28 (0x1c) Aug 26 13:10:14.173285: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:10:14.173295: | SPI size: 0 (0x0) Aug 26 13:10:14.173306: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Aug 26 13:10:14.173311: | processing payload: ISAKMP_NEXT_v2N (len=20) Aug 26 13:10:14.173315: | DDOS disabled and no cookie sent, continuing Aug 26 13:10:14.173323: | find_host_connection local=192.1.2.23:500 remote=192.1.2.254:500 policy=ECDSA+IKEV2_ALLOW but ignoring ports Aug 26 13:10:14.173327: | find_next_host_connection policy=ECDSA+IKEV2_ALLOW Aug 26 13:10:14.173331: | find_next_host_connection returns empty Aug 26 13:10:14.173336: | find_host_connection local=192.1.2.23:500 remote= policy=ECDSA+IKEV2_ALLOW but ignoring ports Aug 26 13:10:14.173342: | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports Aug 26 13:10:14.173346: | find_next_host_connection policy=ECDSA+IKEV2_ALLOW Aug 26 13:10:14.173351: | found policy = PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (eastnet-any) Aug 26 13:10:14.173354: | find_next_host_connection returns empty Aug 26 13:10:14.173359: | initial parent SA message received on 192.1.2.23:500 but no connection has been authorized with policy ECDSA+IKEV2_ALLOW Aug 26 13:10:14.173365: | find_host_connection local=192.1.2.23:500 remote=192.1.2.254:500 policy=RSASIG+IKEV2_ALLOW but ignoring ports Aug 26 13:10:14.173369: | find_next_host_connection policy=RSASIG+IKEV2_ALLOW Aug 26 13:10:14.173372: | find_next_host_connection returns empty Aug 26 13:10:14.173376: | find_host_connection local=192.1.2.23:500 remote= policy=RSASIG+IKEV2_ALLOW but ignoring ports Aug 26 13:10:14.173382: | find_host_pair: comparing 
192.1.2.23:500 to 0.0.0.0:500 but ignoring ports Aug 26 13:10:14.173385: | find_next_host_connection policy=RSASIG+IKEV2_ALLOW Aug 26 13:10:14.173389: | found policy = PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (eastnet-any) Aug 26 13:10:14.173392: | find_next_host_connection returns empty Aug 26 13:10:14.173397: | initial parent SA message received on 192.1.2.23:500 but no connection has been authorized with policy RSASIG+IKEV2_ALLOW Aug 26 13:10:14.173402: | find_host_connection local=192.1.2.23:500 remote=192.1.2.254:500 policy=PSK+IKEV2_ALLOW but ignoring ports Aug 26 13:10:14.173406: | find_next_host_connection policy=PSK+IKEV2_ALLOW Aug 26 13:10:14.173409: | find_next_host_connection returns empty Aug 26 13:10:14.173413: | find_host_connection local=192.1.2.23:500 remote= policy=PSK+IKEV2_ALLOW but ignoring ports Aug 26 13:10:14.173418: | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports Aug 26 13:10:14.173425: | find_next_host_connection policy=PSK+IKEV2_ALLOW Aug 26 13:10:14.173429: | found policy = PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (eastnet-any) Aug 26 13:10:14.173432: | find_next_host_connection returns eastnet-any Aug 26 13:10:14.173435: | find_next_host_connection policy=PSK+IKEV2_ALLOW Aug 26 13:10:14.173438: | find_next_host_connection returns empty Aug 26 13:10:14.173441: | rw_instantiate Aug 26 13:10:14.173453: | connect_to_host_pair: 192.1.2.23:500 192.1.2.254:500 -> hp@(nil): none Aug 26 13:10:14.173457: | new hp@0x55fd6a5456d8 Aug 26 13:10:14.173466: | rw_instantiate() instantiated "eastnet-any"[1] 192.1.2.254 for 192.1.2.254 Aug 26 13:10:14.173471: | found connection: eastnet-any[1] 192.1.2.254 with policy PSK+IKEV2_ALLOW Aug 26 13:10:14.173477: | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports Aug 26 13:10:14.173507: | creating state object #1 at 0x55fd6a545c28 Aug 26 13:10:14.173512: | State DB: adding IKEv2 state #1 in UNDEFINED 
Aug 26 13:10:14.173522: | pstats #1 ikev2.ike started Aug 26 13:10:14.173527: | Message ID: init #1: msgid=0 lastack=4294967295 nextuse=0 lastrecv=4294967295 lastreplied=0 Aug 26 13:10:14.173531: | parent state #1: UNDEFINED(ignore) => PARENT_R0(half-open IKE SA) Aug 26 13:10:14.173537: | Message ID: init_ike #1; ike: initiator.sent=0->-1 initiator.recv=0->-1 responder.sent=0->-1 responder.recv=0->-1 wip.initiator=0->-1 wip.responder=0->-1 Aug 26 13:10:14.173550: | start processing: state #1 connection "eastnet-any"[1] 192.1.2.254 from 192.1.2.254 (in ikev2_process_packet() at ikev2.c:2016) Aug 26 13:10:14.173554: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Aug 26 13:10:14.173561: | [RE]START processing: state #1 connection "eastnet-any"[1] 192.1.2.254 from 192.1.2.254 (in ike_process_packet() at ikev2.c:2064) Aug 26 13:10:14.173565: | #1 st.st_msgid_lastrecv -1 md.hdr.isa_msgid 00000000 Aug 26 13:10:14.173570: | Message ID: #1 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1 Aug 26 13:10:14.173576: | Message ID: start-responder #1 request 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1 wip.initiator=-1 wip.responder=-1->0 Aug 26 13:10:14.173580: | #1 in state PARENT_R0: processing SA_INIT request Aug 26 13:10:14.173583: | selected state microcode Respond to IKE_SA_INIT Aug 26 13:10:14.173587: | Now let's proceed with state specific processing Aug 26 13:10:14.173590: | calling processor Respond to IKE_SA_INIT Aug 26 13:10:14.173597: | #1 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2669) Aug 26 13:10:14.173601: | constructing local IKE proposals for eastnet-any (IKE SA responder matching remote proposals) Aug 26 13:10:14.173611: | converting ike_info AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... 
Aug 26 13:10:14.173621: | ... ikev2_proposal: 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Aug 26 13:10:14.173626: | converting ike_info AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Aug 26 13:10:14.173632: | ... ikev2_proposal: 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Aug 26 13:10:14.173637: | converting ike_info AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Aug 26 13:10:14.173643: | ... ikev2_proposal: 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Aug 26 13:10:14.173648: | converting ike_info AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Aug 26 13:10:14.173658: | ... 
ikev2_proposal: 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Aug 26 13:10:14.173672: "eastnet-any"[1] 192.1.2.254: constructed local IKE proposals for eastnet-any (IKE SA responder matching remote proposals): 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Aug 26 13:10:14.173677: | Comparing remote proposals against IKE responder 4 local proposals Aug 26 13:10:14.173681: | local proposal 1 type ENCR has 1 transforms Aug 26 13:10:14.173684: | local proposal 1 type PRF has 2 transforms Aug 26 13:10:14.173688: | local proposal 1 type INTEG has 1 transforms Aug 26 13:10:14.173691: | local proposal 1 type DH has 8 transforms Aug 26 13:10:14.173694: | local proposal 1 type ESN has 0 transforms Aug 26 13:10:14.173699: | local proposal 1 transforms: required: ENCR+PRF+DH; optional: INTEG Aug 26 13:10:14.173702: | local proposal 2 type ENCR has 1 transforms Aug 26 13:10:14.173705: | local proposal 2 type PRF has 2 transforms Aug 26 13:10:14.173708: | local proposal 2 type INTEG has 1 transforms Aug 26 13:10:14.173711: | local proposal 2 type DH has 8 transforms Aug 26 13:10:14.173714: | local proposal 2 type ESN has 0 transforms Aug 26 13:10:14.173718: | local proposal 2 transforms: required: ENCR+PRF+DH; optional: INTEG Aug 26 13:10:14.173721: | local proposal 3 type ENCR has 1 
transforms Aug 26 13:10:14.173725: | local proposal 3 type PRF has 2 transforms Aug 26 13:10:14.173728: | local proposal 3 type INTEG has 2 transforms Aug 26 13:10:14.173731: | local proposal 3 type DH has 8 transforms Aug 26 13:10:14.173734: | local proposal 3 type ESN has 0 transforms Aug 26 13:10:14.173738: | local proposal 3 transforms: required: ENCR+PRF+INTEG+DH; optional: none Aug 26 13:10:14.173741: | local proposal 4 type ENCR has 1 transforms Aug 26 13:10:14.173744: | local proposal 4 type PRF has 2 transforms Aug 26 13:10:14.173747: | local proposal 4 type INTEG has 2 transforms Aug 26 13:10:14.173750: | local proposal 4 type DH has 8 transforms Aug 26 13:10:14.173753: | local proposal 4 type ESN has 0 transforms Aug 26 13:10:14.173757: | local proposal 4 transforms: required: ENCR+PRF+INTEG+DH; optional: none Aug 26 13:10:14.173761: | ****parse IKEv2 Proposal Substructure Payload: Aug 26 13:10:14.173765: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 13:10:14.173768: | length: 100 (0x64) Aug 26 13:10:14.173771: | prop #: 1 (0x1) Aug 26 13:10:14.173774: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 13:10:14.173778: | spi size: 0 (0x0) Aug 26 13:10:14.173781: | # transforms: 11 (0xb) Aug 26 13:10:14.173785: | Comparing remote proposal 1 containing 11 transforms against local proposal [1..4] of 4 local proposals Aug 26 13:10:14.173789: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:14.173792: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:14.173795: | length: 12 (0xc) Aug 26 13:10:14.173799: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:10:14.173802: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 13:10:14.173806: | ******parse IKEv2 Attribute Substructure Payload: Aug 26 13:10:14.173809: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:10:14.173812: | length/value: 256 (0x100) Aug 26 13:10:14.173818: | remote proposal 1 transform 0 (ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) transform 0 Aug 26 
13:10:14.173821: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:14.173827: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:14.173830: | length: 8 (0x8) Aug 26 13:10:14.173834: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:10:14.173837: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Aug 26 13:10:14.173841: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 1 type 2 (PRF) transform 0 Aug 26 13:10:14.173845: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 2 type 2 (PRF) transform 0 Aug 26 13:10:14.173849: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 3 type 2 (PRF) transform 0 Aug 26 13:10:14.173853: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 4 type 2 (PRF) transform 0 Aug 26 13:10:14.173856: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:14.173860: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:14.173863: | length: 8 (0x8) Aug 26 13:10:14.173866: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:10:14.173869: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Aug 26 13:10:14.173872: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:14.173875: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:14.173878: | length: 8 (0x8) Aug 26 13:10:14.173881: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:14.173885: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:10:14.173889: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 1 type 4 (DH) transform 0 Aug 26 13:10:14.173893: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 2 type 4 (DH) transform 0 Aug 26 13:10:14.173897: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 3 type 4 (DH) transform 0 Aug 26 13:10:14.173901: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 4 type 4 (DH) transform 0 Aug 26 13:10:14.173904: | *****parse IKEv2 
Transform Substructure Payload: Aug 26 13:10:14.173907: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:14.173910: | length: 8 (0x8) Aug 26 13:10:14.173913: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:14.173916: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Aug 26 13:10:14.173920: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:14.173923: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:14.173926: | length: 8 (0x8) Aug 26 13:10:14.173929: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:14.173932: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Aug 26 13:10:14.173935: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:14.173939: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:14.173942: | length: 8 (0x8) Aug 26 13:10:14.173945: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:14.173948: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Aug 26 13:10:14.173951: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:14.173954: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:14.173957: | length: 8 (0x8) Aug 26 13:10:14.173960: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:14.173964: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Aug 26 13:10:14.173967: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:14.173970: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:14.173973: | length: 8 (0x8) Aug 26 13:10:14.173976: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:14.173979: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Aug 26 13:10:14.173983: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:14.173986: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:14.173989: | length: 8 (0x8) Aug 26 13:10:14.173992: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:14.173995: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Aug 26 13:10:14.173998: | *****parse IKEv2 Transform Substructure 
Payload: Aug 26 13:10:14.174001: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:10:14.174007: | length: 8 (0x8) Aug 26 13:10:14.174010: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:14.174013: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Aug 26 13:10:14.174018: | remote proposal 1 proposed transforms: ENCR+PRF+DH; matched: ENCR+PRF+DH; unmatched: none Aug 26 13:10:14.174023: | comparing remote proposal 1 containing ENCR+PRF+DH transforms to local proposal 1; required: ENCR+PRF+DH; optional: INTEG; matched: ENCR+PRF+DH Aug 26 13:10:14.174027: | remote proposal 1 matches local proposal 1 Aug 26 13:10:14.174031: | ****parse IKEv2 Proposal Substructure Payload: Aug 26 13:10:14.174034: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 13:10:14.174037: | length: 100 (0x64) Aug 26 13:10:14.174040: | prop #: 2 (0x2) Aug 26 13:10:14.174043: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 13:10:14.174046: | spi size: 0 (0x0) Aug 26 13:10:14.174049: | # transforms: 11 (0xb) Aug 26 13:10:14.174053: | Comparing remote proposal 2 containing 11 transforms against local proposal [1..0] of 4 local proposals Aug 26 13:10:14.174057: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:14.174060: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:14.174063: | length: 12 (0xc) Aug 26 13:10:14.174066: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:10:14.174069: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 13:10:14.174072: | ******parse IKEv2 Attribute Substructure Payload: Aug 26 13:10:14.174075: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:10:14.174078: | length/value: 128 (0x80) Aug 26 13:10:14.174082: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:14.174085: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:14.174088: | length: 8 (0x8) Aug 26 13:10:14.174091: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:10:14.174094: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Aug 26 13:10:14.174098: | 
*****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:14.174101: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:14.174104: | length: 8 (0x8) Aug 26 13:10:14.174107: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:10:14.174110: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Aug 26 13:10:14.174113: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:14.174117: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:14.174119: | length: 8 (0x8) Aug 26 13:10:14.174123: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:14.174126: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:10:14.174129: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:14.174132: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:14.174135: | length: 8 (0x8) Aug 26 13:10:14.174138: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:14.174141: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Aug 26 13:10:14.174145: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:14.174148: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:14.174151: | length: 8 (0x8) Aug 26 13:10:14.174154: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:14.174157: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Aug 26 13:10:14.174160: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:14.174163: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:14.174166: | length: 8 (0x8) Aug 26 13:10:14.174169: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:14.174172: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Aug 26 13:10:14.174176: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:14.174179: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:14.174182: | length: 8 (0x8) Aug 26 13:10:14.174185: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:14.174188: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Aug 26 13:10:14.174191: | *****parse IKEv2 Transform 
Substructure Payload: Aug 26 13:10:14.174199: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:14.174202: | length: 8 (0x8) Aug 26 13:10:14.174205: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:14.174208: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Aug 26 13:10:14.174212: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:14.174215: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:14.174218: | length: 8 (0x8) Aug 26 13:10:14.174221: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:14.174224: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Aug 26 13:10:14.174227: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:14.174231: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:10:14.174234: | length: 8 (0x8) Aug 26 13:10:14.174237: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:14.174240: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Aug 26 13:10:14.174244: | remote proposal 2 proposed transforms: ENCR+PRF+DH; matched: none; unmatched: ENCR+PRF+DH Aug 26 13:10:14.174248: | remote proposal 2 does not match; unmatched remote transforms: ENCR+PRF+DH Aug 26 13:10:14.174251: | ****parse IKEv2 Proposal Substructure Payload: Aug 26 13:10:14.174255: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 13:10:14.174258: | length: 116 (0x74) Aug 26 13:10:14.174261: | prop #: 3 (0x3) Aug 26 13:10:14.174264: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 13:10:14.174267: | spi size: 0 (0x0) Aug 26 13:10:14.174270: | # transforms: 13 (0xd) Aug 26 13:10:14.174274: | Comparing remote proposal 3 containing 13 transforms against local proposal [1..0] of 4 local proposals Aug 26 13:10:14.174277: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:14.174280: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:14.174283: | length: 12 (0xc) Aug 26 13:10:14.174286: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:10:14.174306: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 
13:10:14.174310: | ******parse IKEv2 Attribute Substructure Payload: Aug 26 13:10:14.174313: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:10:14.174316: | length/value: 256 (0x100) Aug 26 13:10:14.174320: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:14.174323: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:14.174326: | length: 8 (0x8) Aug 26 13:10:14.174329: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:10:14.174332: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Aug 26 13:10:14.174336: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:14.174339: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:14.174342: | length: 8 (0x8) Aug 26 13:10:14.174345: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:10:14.174348: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Aug 26 13:10:14.174351: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:14.174354: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:14.174357: | length: 8 (0x8) Aug 26 13:10:14.174360: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:10:14.174363: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Aug 26 13:10:14.174367: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:14.174370: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:14.174373: | length: 8 (0x8) Aug 26 13:10:14.174376: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:10:14.174379: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Aug 26 13:10:14.174382: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:14.174386: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:14.174389: | length: 8 (0x8) Aug 26 13:10:14.174392: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:14.174395: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:10:14.174398: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:14.174401: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 
13:10:14.174407: | length: 8 (0x8) Aug 26 13:10:14.174410: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:14.174413: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Aug 26 13:10:14.174416: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:14.174419: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:14.174422: | length: 8 (0x8) Aug 26 13:10:14.174425: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:14.174429: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Aug 26 13:10:14.174432: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:14.174435: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:14.174438: | length: 8 (0x8) Aug 26 13:10:14.174441: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:14.174444: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Aug 26 13:10:14.174447: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:14.174451: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:14.174453: | length: 8 (0x8) Aug 26 13:10:14.174457: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:14.174460: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Aug 26 13:10:14.174463: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:14.174466: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:14.174469: | length: 8 (0x8) Aug 26 13:10:14.174472: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:14.174475: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Aug 26 13:10:14.174479: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:14.174482: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:14.174485: | length: 8 (0x8) Aug 26 13:10:14.174488: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:14.174491: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Aug 26 13:10:14.174494: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:14.174497: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:10:14.174500: | length: 
8 (0x8) Aug 26 13:10:14.174503: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:14.174507: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Aug 26 13:10:14.174511: | remote proposal 3 proposed transforms: ENCR+PRF+INTEG+DH; matched: none; unmatched: ENCR+PRF+INTEG+DH Aug 26 13:10:14.174515: | remote proposal 3 does not match; unmatched remote transforms: ENCR+PRF+INTEG+DH Aug 26 13:10:14.174518: | ****parse IKEv2 Proposal Substructure Payload: Aug 26 13:10:14.174522: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 13:10:14.174525: | length: 116 (0x74) Aug 26 13:10:14.174528: | prop #: 4 (0x4) Aug 26 13:10:14.174531: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 13:10:14.174534: | spi size: 0 (0x0) Aug 26 13:10:14.174537: | # transforms: 13 (0xd) Aug 26 13:10:14.174541: | Comparing remote proposal 4 containing 13 transforms against local proposal [1..0] of 4 local proposals Aug 26 13:10:14.174544: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:14.174547: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:14.174550: | length: 12 (0xc) Aug 26 13:10:14.174553: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:10:14.174556: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 13:10:14.174559: | ******parse IKEv2 Attribute Substructure Payload: Aug 26 13:10:14.174563: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:10:14.174566: | length/value: 128 (0x80) Aug 26 13:10:14.174569: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:14.174572: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:14.174575: | length: 8 (0x8) Aug 26 13:10:14.174578: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:10:14.174582: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Aug 26 13:10:14.174585: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:14.174588: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:14.174591: | length: 8 (0x8) Aug 26 13:10:14.174594: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 
13:10:14.174599: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Aug 26 13:10:14.174602: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:14.174606: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:14.174609: | length: 8 (0x8) Aug 26 13:10:14.174612: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:10:14.174615: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Aug 26 13:10:14.174618: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:14.174621: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:14.174624: | length: 8 (0x8) Aug 26 13:10:14.174627: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:10:14.174630: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Aug 26 13:10:14.174634: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:14.174637: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:14.174640: | length: 8 (0x8) Aug 26 13:10:14.174643: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:14.174646: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:10:14.174649: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:14.174652: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:14.174655: | length: 8 (0x8) Aug 26 13:10:14.174658: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:14.174662: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Aug 26 13:10:14.174665: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:14.174668: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:14.174671: | length: 8 (0x8) Aug 26 13:10:14.174674: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:14.174677: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Aug 26 13:10:14.174680: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:14.174684: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:14.174686: | length: 8 (0x8) Aug 26 13:10:14.174690: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:14.174693: | 
IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Aug 26 13:10:14.174696: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:14.174699: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:14.174702: | length: 8 (0x8) Aug 26 13:10:14.174705: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:14.174708: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Aug 26 13:10:14.174712: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:14.174715: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:14.174718: | length: 8 (0x8) Aug 26 13:10:14.174721: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:14.174724: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Aug 26 13:10:14.174727: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:14.174730: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:14.174733: | length: 8 (0x8) Aug 26 13:10:14.174736: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:14.174739: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Aug 26 13:10:14.174743: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:14.174746: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:10:14.174749: | length: 8 (0x8) Aug 26 13:10:14.174752: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:14.174755: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Aug 26 13:10:14.174760: | remote proposal 4 proposed transforms: ENCR+PRF+INTEG+DH; matched: none; unmatched: ENCR+PRF+INTEG+DH Aug 26 13:10:14.174763: | remote proposal 4 does not match; unmatched remote transforms: ENCR+PRF+INTEG+DH Aug 26 13:10:14.174770: "eastnet-any"[1] 192.1.2.254 #1: proposal 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519[first-match] 
2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 Aug 26 13:10:14.174778: | accepted IKE proposal ikev2_proposal: 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048 Aug 26 13:10:14.174781: | converting proposal to internal trans attrs Aug 26 13:10:14.174787: | natd_hash: rcookie is zero Aug 26 13:10:14.174803: | natd_hash: hasher=0x55fd68fc5800(20) Aug 26 13:10:14.174807: | natd_hash: icookie= 09 89 39 54 70 14 c0 90 Aug 26 13:10:14.174810: | natd_hash: rcookie= 00 00 00 00 00 00 00 00 Aug 26 13:10:14.174813: | natd_hash: ip= c0 01 02 17 Aug 26 13:10:14.174816: | natd_hash: port=500 Aug 26 13:10:14.174820: | natd_hash: hash= 0e 46 67 3c fd 72 8b b1 51 53 a4 ee 89 f8 0c 8e Aug 26 13:10:14.174823: | natd_hash: hash= 20 b7 b3 67 Aug 26 13:10:14.174825: | natd_hash: rcookie is zero Aug 26 13:10:14.174836: | natd_hash: hasher=0x55fd68fc5800(20) Aug 26 13:10:14.174840: | natd_hash: icookie= 09 89 39 54 70 14 c0 90 Aug 26 13:10:14.174843: | natd_hash: rcookie= 00 00 00 00 00 00 00 00 Aug 26 13:10:14.174846: | natd_hash: ip= c0 01 02 fe Aug 26 13:10:14.174849: | natd_hash: port=500 Aug 26 13:10:14.174852: | natd_hash: hash= 21 7d 13 34 6c f8 57 b9 df a3 7f a3 24 5a 72 f7 Aug 26 13:10:14.174855: | natd_hash: hash= 84 72 fa b1 Aug 26 13:10:14.174858: | NAT_TRAVERSAL encaps using auto-detect Aug 26 13:10:14.174861: | NAT_TRAVERSAL this end is NOT behind NAT Aug 26 13:10:14.174865: | NAT_TRAVERSAL that end is behind NAT 192.1.2.254 Aug 26 13:10:14.174869: | NAT_TRAVERSAL 
nat-keepalive enabled 192.1.2.254 Aug 26 13:10:14.174874: | adding ikev2_inI1outR1 KE work-order 1 for state #1 Aug 26 13:10:14.174877: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55fd6a545808 Aug 26 13:10:14.174883: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 Aug 26 13:10:14.174887: | libevent_malloc: new ptr-libevent@0x55fd6a547f88 size 128 Aug 26 13:10:14.174902: | #1 spent 1.29 milliseconds in processing: Respond to IKE_SA_INIT in ikev2_process_state_packet() Aug 26 13:10:14.174912: | [RE]START processing: state #1 connection "eastnet-any"[1] 192.1.2.254 from 192.1.2.254:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:10:14.174915: | crypto helper 1 resuming Aug 26 13:10:14.174916: | #1 complete_v2_state_transition() PARENT_R0->PARENT_R1 with status STF_SUSPEND Aug 26 13:10:14.174942: | crypto helper 1 starting work-order 1 for state #1 Aug 26 13:10:14.174956: | crypto helper 1 doing build KE and nonce (ikev2_inI1outR1 KE); request ID 1 Aug 26 13:10:14.174944: | suspending state #1 and saving MD Aug 26 13:10:14.174979: | #1 is busy; has a suspended MD Aug 26 13:10:14.174987: | [RE]START processing: state #1 connection "eastnet-any"[1] 192.1.2.254 from 192.1.2.254:500 (in log_stf_suspend() at ikev2.c:3269) Aug 26 13:10:14.174993: | "eastnet-any"[1] 192.1.2.254 #1 complete v2 state STATE_PARENT_R0 transition with STF_SUSPEND suspended from complete_v2_state_transition:3451 Aug 26 13:10:14.175000: | stop processing: state #1 connection "eastnet-any"[1] 192.1.2.254 from 192.1.2.254:500 (in ikev2_process_packet() at ikev2.c:2018) Aug 26 13:10:14.175007: | #1 spent 2.11 milliseconds in ikev2_process_packet() Aug 26 13:10:14.175012: | stop processing: from 192.1.2.254:500 (in process_md() at demux.c:380) Aug 26 13:10:14.175016: | processing: STOP state #0 (in process_md() at demux.c:382) Aug 26 13:10:14.175020: | processing: STOP connection NULL (in process_md() at demux.c:383) Aug 26 13:10:14.175025: | spent 2.13 
milliseconds in comm_handle_cb() reading and processing packet Aug 26 13:10:14.176210: | crypto helper 1 finished build KE and nonce (ikev2_inI1outR1 KE); request ID 1 time elapsed 0.001254 seconds Aug 26 13:10:14.176233: | (#1) spent 1.27 milliseconds in crypto helper computing work-order 1: ikev2_inI1outR1 KE (pcr) Aug 26 13:10:14.176239: | crypto helper 1 sending results from work-order 1 for state #1 to event queue Aug 26 13:10:14.176243: | scheduling resume sending helper answer for #1 Aug 26 13:10:14.176248: | libevent_malloc: new ptr-libevent@0x7fd1dc002888 size 128 Aug 26 13:10:14.176258: | crypto helper 1 waiting (nothing to do) Aug 26 13:10:14.176273: | processing resume sending helper answer for #1 Aug 26 13:10:14.176304: | start processing: state #1 connection "eastnet-any"[1] 192.1.2.254 from 192.1.2.254:500 (in resume_handler() at server.c:797) Aug 26 13:10:14.176319: | crypto helper 1 replies to request ID 1 Aug 26 13:10:14.176325: | calling continuation function 0x55fd68ef0b50 Aug 26 13:10:14.176331: | ikev2_parent_inI1outR1_continue for #1: calculated ke+nonce, sending R1 Aug 26 13:10:14.176386: | **emit ISAKMP Message: Aug 26 13:10:14.176394: | initiator cookie: Aug 26 13:10:14.176399: | 09 89 39 54 70 14 c0 90 Aug 26 13:10:14.176405: | responder cookie: Aug 26 13:10:14.176409: | 8b 1d 75 ae 0c 16 35 05 Aug 26 13:10:14.176415: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 13:10:14.176421: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:10:14.176426: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) Aug 26 13:10:14.176432: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Aug 26 13:10:14.176437: | Message ID: 0 (0x0) Aug 26 13:10:14.176443: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 13:10:14.176450: | Emitting ikev2_proposal ... 
Aug 26 13:10:14.176455: | ***emit IKEv2 Security Association Payload: Aug 26 13:10:14.176461: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:14.176466: | flags: none (0x0) Aug 26 13:10:14.176473: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Aug 26 13:10:14.176479: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Aug 26 13:10:14.176486: | ****emit IKEv2 Proposal Substructure Payload: Aug 26 13:10:14.176492: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 13:10:14.176497: | prop #: 1 (0x1) Aug 26 13:10:14.176503: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 13:10:14.176508: | spi size: 0 (0x0) Aug 26 13:10:14.176513: | # transforms: 3 (0x3) Aug 26 13:10:14.176519: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Aug 26 13:10:14.176525: | *****emit IKEv2 Transform Substructure Payload: Aug 26 13:10:14.176531: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:14.176537: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:10:14.176542: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 13:10:14.176548: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:10:14.176554: | ******emit IKEv2 Attribute Substructure Payload: Aug 26 13:10:14.176560: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:10:14.176565: | length/value: 256 (0x100) Aug 26 13:10:14.176571: | emitting length of IKEv2 Transform Substructure Payload: 12 Aug 26 13:10:14.176576: | *****emit IKEv2 Transform Substructure Payload: Aug 26 13:10:14.176582: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:14.176588: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:10:14.176594: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Aug 26 13:10:14.176600: | last 
substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:14.176606: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:10:14.176616: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:10:14.176622: | *****emit IKEv2 Transform Substructure Payload: Aug 26 13:10:14.176628: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:10:14.176634: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:14.176640: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:10:14.176647: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:14.176653: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:10:14.176658: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:10:14.176665: | emitting length of IKEv2 Proposal Substructure Payload: 36 Aug 26 13:10:14.176671: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Aug 26 13:10:14.176676: | emitting length of IKEv2 Security Association Payload: 40 Aug 26 13:10:14.176682: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Aug 26 13:10:14.176690: | ***emit IKEv2 Key Exchange Payload: Aug 26 13:10:14.176696: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:14.176702: | flags: none (0x0) Aug 26 13:10:14.176707: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:10:14.176714: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Key Exchange Payload (34:ISAKMP_NEXT_v2KE) Aug 26 
13:10:14.176720: | next payload chain: saving location 'IKEv2 Key Exchange Payload'.'next payload type' in 'reply packet' Aug 26 13:10:14.176728: | emitting 256 raw bytes of ikev2 g^x into IKEv2 Key Exchange Payload Aug 26 13:10:14.176820: | emitting length of IKEv2 Key Exchange Payload: 264 Aug 26 13:10:14.176825: | ***emit IKEv2 Nonce Payload: Aug 26 13:10:14.176831: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 13:10:14.176836: | flags: none (0x0) Aug 26 13:10:14.176843: | next payload chain: ignoring supplied 'IKEv2 Nonce Payload'.'next payload type' value 41:ISAKMP_NEXT_v2N Aug 26 13:10:14.176850: | next payload chain: setting previous
'IKEv2 Key Exchange Payload'.'next payload type' to current IKEv2 Nonce Payload (40:ISAKMP_NEXT_v2Ni) Aug 26 13:10:14.176857: | next payload chain: saving location 'IKEv2 Nonce Payload'.'next payload type' in 'reply packet' Aug 26 13:10:14.176864: | emitting 32 raw bytes of IKEv2 nonce into IKEv2 Nonce Payload Aug 26 13:10:14.176874: | IKEv2 nonce e8 b1 97 22 77 09 9a 56 8c 9d 54 15 1e 9a da 37 Aug 26 13:10:14.176879: | IKEv2 nonce d1 d4 18 58 a3 93 f6 84 e9 49 65 68 57 ab 80 d8 Aug 26 13:10:14.176884: | emitting length of IKEv2 Nonce Payload: 36 Aug 26 13:10:14.176889: | Adding a v2N Payload Aug 26 13:10:14.176895: | ***emit IKEv2 Notify Payload: Aug 26 13:10:14.176901: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:14.176906: | flags: none (0x0) Aug 26 13:10:14.176911: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:10:14.176917: | SPI size: 0 (0x0) Aug 26 13:10:14.176923: | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) Aug 26 13:10:14.176930: | next payload chain: setting previous 'IKEv2 Nonce Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Aug 26 13:10:14.176936: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Aug 26 13:10:14.176942: | emitting length of IKEv2 Notify Payload: 8 Aug 26 13:10:14.176949: | NAT-Traversal support [enabled] add v2N payloads. 
Aug 26 13:10:14.176974: | natd_hash: hasher=0x55fd68fc5800(20) Aug 26 13:10:14.176981: | natd_hash: icookie= 09 89 39 54 70 14 c0 90 Aug 26 13:10:14.176987: | natd_hash: rcookie= 8b 1d 75 ae 0c 16 35 05 Aug 26 13:10:14.176993: | natd_hash: ip= c0 01 02 17 Aug 26 13:10:14.176997: | natd_hash: port=500 Aug 26 13:10:14.177002: | natd_hash: hash= d9 6f e9 78 7a a5 66 06 e1 b3 40 2a 81 15 de 7d Aug 26 13:10:14.177008: | natd_hash: hash= d8 85 a5 13 Aug 26 13:10:14.177013: | Adding a v2N Payload Aug 26 13:10:14.177019: | ***emit IKEv2 Notify Payload: Aug 26 13:10:14.177024: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:14.177029: | flags: none (0x0) Aug 26 13:10:14.177034: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:10:14.177040: | SPI size: 0 (0x0) Aug 26 13:10:14.177046: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Aug 26 13:10:14.177053: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Aug 26 13:10:14.177059: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Aug 26 13:10:14.177066: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Aug 26 13:10:14.177072: | Notify data d9 6f e9 78 7a a5 66 06 e1 b3 40 2a 81 15 de 7d Aug 26 13:10:14.177077: | Notify data d8 85 a5 13 Aug 26 13:10:14.177082: | emitting length of IKEv2 Notify Payload: 28 Aug 26 13:10:14.177097: | natd_hash: hasher=0x55fd68fc5800(20) Aug 26 13:10:14.177104: | natd_hash: icookie= 09 89 39 54 70 14 c0 90 Aug 26 13:10:14.177110: | natd_hash: rcookie= 8b 1d 75 ae 0c 16 35 05 Aug 26 13:10:14.177115: | natd_hash: ip= c0 01 02 fe Aug 26 13:10:14.177120: | natd_hash: port=500 Aug 26 13:10:14.177125: | natd_hash: hash= 56 89 e9 0d 33 6c 65 b4 90 a9 29 df 6c 4e a1 b6 Aug 26 13:10:14.177129: | natd_hash: hash= f1 40 b8 7c Aug 26 13:10:14.177134: | Adding a v2N Payload Aug 26 13:10:14.177139: | ***emit IKEv2 Notify Payload: Aug 26 
13:10:14.177144: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:14.177150: | flags: none (0x0) Aug 26 13:10:14.177155: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:10:14.177161: | SPI size: 0 (0x0) Aug 26 13:10:14.177167: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Aug 26 13:10:14.177173: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Aug 26 13:10:14.177179: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Aug 26 13:10:14.177186: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Aug 26 13:10:14.177191: | Notify data 56 89 e9 0d 33 6c 65 b4 90 a9 29 df 6c 4e a1 b6 Aug 26 13:10:14.177195: | Notify data f1 40 b8 7c Aug 26 13:10:14.177200: | emitting length of IKEv2 Notify Payload: 28 Aug 26 13:10:14.177205: | emitting length of ISAKMP Message: 432 Aug 26 13:10:14.177224: | [RE]START processing: state #1 connection "eastnet-any"[1] 192.1.2.254 from 192.1.2.254:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:10:14.177232: | #1 complete_v2_state_transition() PARENT_R0->PARENT_R1 with status STF_OK Aug 26 13:10:14.177239: | IKEv2: transition from state STATE_PARENT_R0 to state STATE_PARENT_R1 Aug 26 13:10:14.177244: | parent state #1: PARENT_R0(half-open IKE SA) => PARENT_R1(half-open IKE SA) Aug 26 13:10:14.177250: | Message ID: updating counters for #1 to 0 after switching state Aug 26 13:10:14.177260: | Message ID: recv #1 request 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1->0 wip.initiator=-1 wip.responder=0->-1 Aug 26 13:10:14.177269: | Message ID: sent #1 response 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1->0 responder.recv=0 wip.initiator=-1 wip.responder=-1 Aug 26 13:10:14.177279: "eastnet-any"[1] 192.1.2.254 #1: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a 
prf=HMAC_SHA2_512 group=MODP2048} Aug 26 13:10:14.177296: | sending V2 new request packet to 192.1.2.254:500 (from 192.1.2.23:500) Aug 26 13:10:14.177317: | sending 432 bytes for STATE_PARENT_R0 through eth1 from 192.1.2.23:500 to 192.1.2.254:500 (using #1)
Aug 26 13:10:14.177510: | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted Aug 26 13:10:14.177520: | libevent_free: release ptr-libevent@0x55fd6a547f88 Aug 26 13:10:14.177527: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55fd6a545808 Aug 26 13:10:14.177533: | event_schedule: new EVENT_SO_DISCARD-pe@0x55fd6a545808 Aug 26 13:10:14.177541: | inserting event EVENT_SO_DISCARD, timeout in 200 seconds for #1 Aug 26 13:10:14.177547: | libevent_malloc: new ptr-libevent@0x55fd6a5490d8 size 128 Aug 26 13:10:14.177555: | resume sending helper answer for #1 suppresed complete_v2_state_transition() Aug 26 13:10:14.177567: | #1 spent 1.21 milliseconds in resume sending helper answer Aug 26 13:10:14.177585: | stop processing: state #1 connection "eastnet-any"[1] 192.1.2.254 from 192.1.2.254:500 (in resume_handler() at server.c:833) Aug 26 13:10:14.177592: | libevent_free: release ptr-libevent@0x7fd1dc002888 Aug 26 13:10:14.182137: | spent 0.00523 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Aug 26 13:10:14.182183: | *received 365 bytes from 192.1.2.254:4500 on eth1 (192.1.2.23:4500)
Aug 26 13:10:14.182340: | start processing: from 192.1.2.254:4500 (in process_md() at demux.c:378) Aug 26 13:10:14.182349: | **parse ISAKMP Message: Aug 26 13:10:14.182355: | initiator cookie: Aug 26 13:10:14.182361: | 09 89 39 54 70 14 c0 90 Aug 26 13:10:14.182367: | responder cookie: Aug 26 13:10:14.182372: | 8b 1d 75 ae 0c 16 35 05 Aug 26 13:10:14.182378: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Aug 26 13:10:14.182383: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:10:14.182387: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Aug 26 13:10:14.182392: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Aug 26 13:10:14.182396: | Message ID: 1 (0x1) Aug 26 13:10:14.182401: | length: 365 (0x16d) Aug 26 13:10:14.182406: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) Aug 26 13:10:14.182412: | I am the IKE SA Original Responder receiving an IKEv2 IKE_AUTH request Aug 26
13:10:14.182418: | State DB: found IKEv2 state #1 in PARENT_R1 (find_v2_ike_sa) Aug 26 13:10:14.182430: | start processing: state #1 connection "eastnet-any"[1] 192.1.2.254 from 192.1.2.254:500 (in ikev2_process_packet() at ikev2.c:2016) Aug 26 13:10:14.182438: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Aug 26 13:10:14.182452: | [RE]START processing: state #1 connection "eastnet-any"[1] 192.1.2.254 from 192.1.2.254:500 (in ike_process_packet() at ikev2.c:2064) Aug 26 13:10:14.182459: | #1 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001 Aug 26 13:10:14.182468: | Message ID: #1 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 Aug 26 13:10:14.182473: | unpacking clear payload Aug 26 13:10:14.182479: | Now let's proceed with payload (ISAKMP_NEXT_v2SK) Aug 26 13:10:14.182484: | ***parse IKEv2 Encryption Payload: Aug 26 13:10:14.182493: | next payload type: ISAKMP_NEXT_v2IDi (0x23) Aug 26 13:10:14.182496: | flags: none (0x0) Aug 26 13:10:14.182500: | length: 337 (0x151) Aug 26 13:10:14.182503: | processing payload: ISAKMP_NEXT_v2SK (len=333) Aug 26 13:10:14.182509: | Message ID: start-responder #1 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=-1->1 Aug 26 13:10:14.182513: | #1 in state PARENT_R1: received v2I1, sent v2R1 Aug 26 13:10:14.182517: | selected state microcode Responder: process IKE_AUTH request (no SKEYSEED) Aug 26 13:10:14.182520: | Now let's proceed with state specific processing Aug 26 13:10:14.182523: | calling processor Responder: process IKE_AUTH request (no SKEYSEED) Aug 26 13:10:14.182528: | ikev2 parent inI2outR2: calculating g^{xy} in order to decrypt I2 Aug 26 13:10:14.182534: | offloading IKEv2 SKEYSEED using prf=HMAC_SHA2_512 integ=NONE cipherkey=AES_GCM_16 Aug 26 13:10:14.182538: | adding ikev2_inI2outR2 KE work-order 2 for state #1 Aug 26 13:10:14.182542: | state #1 requesting EVENT_SO_DISCARD to be 
deleted Aug 26 13:10:14.182546: | libevent_free: release ptr-libevent@0x55fd6a5490d8 Aug 26 13:10:14.182551: | free_event_entry: release EVENT_SO_DISCARD-pe@0x55fd6a545808 Aug 26 13:10:14.182555: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55fd6a545808 Aug 26 13:10:14.182559: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 Aug 26 13:10:14.182563: | libevent_malloc: new ptr-libevent@0x7fd1dc002888 size 128 Aug 26 13:10:14.182577: | #1 spent 0.0469 milliseconds in processing: Responder: process IKE_AUTH request (no SKEYSEED) in ikev2_process_state_packet() Aug 26 13:10:14.182585: | [RE]START processing: state #1 connection "eastnet-any"[1] 192.1.2.254 from 192.1.2.254:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:10:14.182590: | #1 complete_v2_state_transition() PARENT_R1->PARENT_R1 with status STF_SUSPEND Aug 26 13:10:14.182594: | suspending state #1 and saving MD Aug 26 13:10:14.182597: | #1 is busy; has a suspended MD Aug 26 13:10:14.182603: | [RE]START processing: state #1 connection "eastnet-any"[1] 192.1.2.254 from 192.1.2.254:500 (in log_stf_suspend() at ikev2.c:3269) Aug 26 13:10:14.182609: | "eastnet-any"[1] 192.1.2.254 #1 complete v2 state STATE_PARENT_R1 transition with STF_SUSPEND suspended from complete_v2_state_transition:3451 Aug 26 13:10:14.182615: | stop processing: state #1 connection "eastnet-any"[1] 192.1.2.254 from 192.1.2.254:500 (in ikev2_process_packet() at ikev2.c:2018) Aug 26 13:10:14.182620: | #1 spent 0.452 milliseconds in ikev2_process_packet() Aug 26 13:10:14.182623: | crypto helper 0 resuming Aug 26 13:10:14.182648: | crypto helper 0 starting work-order 2 for state #1 Aug 26 13:10:14.182626: | stop processing: from 192.1.2.254:4500 (in process_md() at demux.c:380) Aug 26 13:10:14.182655: | crypto helper 0 doing compute dh (V2) (ikev2_inI2outR2 KE); request ID 2 Aug 26 13:10:14.182665: | processing: STOP state #0 (in process_md() at demux.c:382) Aug 26 13:10:14.182681: | processing: STOP 
connection NULL (in process_md() at demux.c:383) Aug 26 13:10:14.182688: | spent 0.51 milliseconds in comm_handle_cb() reading and processing packet Aug 26 13:10:14.183687: | calculating skeyseed using prf=sha2_512 integ=none cipherkey-size=32 salt-size=4 Aug 26 13:10:14.184180: | crypto helper 0 finished compute dh (V2) (ikev2_inI2outR2 KE); request ID 2 time elapsed 0.001525 seconds Aug 26 13:10:14.184192: | (#1) spent 1.52 milliseconds in crypto helper computing work-order 2: ikev2_inI2outR2 KE (pcr) Aug 26 13:10:14.184197: | crypto helper 0 sending results from work-order 2 for state #1 to event queue Aug 26 13:10:14.184200: | scheduling resume sending helper answer for #1 Aug 26 13:10:14.184205: | libevent_malloc: new ptr-libevent@0x7fd1d4000f48 size 128 Aug 26 13:10:14.184215: | crypto helper 0 waiting (nothing to do) Aug 26 13:10:14.184261: | processing resume sending helper answer for #1 Aug 26 13:10:14.184280: | start processing: state #1 connection "eastnet-any"[1] 192.1.2.254 from 192.1.2.254:500 (in resume_handler() at server.c:797) Aug 26 13:10:14.184300: | crypto helper 0 replies to request ID 2 Aug 26 13:10:14.184310: | calling continuation function 0x55fd68ef0b50 Aug 26 13:10:14.184314: | ikev2_parent_inI2outR2_continue for #1: calculating g^{xy}, sending R2 Aug 26 13:10:14.184318: | #1 in state PARENT_R1: received v2I1, sent v2R1 Aug 26 13:10:14.184337: | #1 ikev2 ISAKMP_v2_IKE_AUTH decrypt success Aug 26 13:10:14.184342: | Now let's proceed with payload (ISAKMP_NEXT_v2IDi) Aug 26 13:10:14.184347: | **parse IKEv2 Identification - Initiator - Payload: Aug 26 13:10:14.184350: | next payload type: ISAKMP_NEXT_v2IDr (0x24) Aug 26 13:10:14.184354: | flags: none (0x0) Aug 26 13:10:14.184357: | length: 12 (0xc) Aug 26 13:10:14.184360: | ID type: ID_IPV4_ADDR (0x1) Aug 26 13:10:14.184364: | processing payload: ISAKMP_NEXT_v2IDi (len=4) Aug 26 13:10:14.184367: | Now let's proceed with payload (ISAKMP_NEXT_v2IDr) Aug 26 13:10:14.184370: | **parse IKEv2 
Identification - Responder - Payload: Aug 26 13:10:14.184374: | next payload type: ISAKMP_NEXT_v2AUTH (0x27) Aug 26 13:10:14.184377: | flags: none (0x0) Aug 26 13:10:14.184380: | length: 12 (0xc) Aug 26 13:10:14.184383: | ID type: ID_FQDN (0x2) Aug 26 13:10:14.184386: | processing payload: ISAKMP_NEXT_v2IDr (len=4) Aug 26 13:10:14.184389: | Now let's proceed with payload (ISAKMP_NEXT_v2AUTH) Aug 26 13:10:14.184393: | **parse IKEv2 Authentication Payload: Aug 26 13:10:14.184396: | next payload type: ISAKMP_NEXT_v2SA (0x21) Aug 26 13:10:14.184399: | flags: none (0x0) Aug 26 13:10:14.184402: | length: 72 (0x48) Aug 26 13:10:14.184405: | auth method: IKEv2_AUTH_SHARED (0x2) Aug 26 13:10:14.184409: | processing payload: ISAKMP_NEXT_v2AUTH (len=64) Aug 26 13:10:14.184412: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Aug 26 13:10:14.184415: | **parse IKEv2 Security Association Payload: Aug 26 13:10:14.184418: | next payload type: ISAKMP_NEXT_v2TSi (0x2c) Aug 26 13:10:14.184421: | flags: none (0x0) Aug 26 13:10:14.184424: | length: 164 (0xa4) Aug 26 13:10:14.184427: | processing payload: ISAKMP_NEXT_v2SA (len=160) Aug 26 13:10:14.184430: | Now let's proceed with payload (ISAKMP_NEXT_v2TSi) Aug 26 13:10:14.184434: | **parse IKEv2 Traffic Selector - Initiator - Payload: Aug 26 13:10:14.184437: | next payload type: ISAKMP_NEXT_v2TSr (0x2d) Aug 26 13:10:14.184440: | flags: none (0x0) Aug 26 13:10:14.184443: | length: 24 (0x18) Aug 26 13:10:14.184446: | number of TS: 1 (0x1) Aug 26 13:10:14.184449: | processing payload: ISAKMP_NEXT_v2TSi (len=16) Aug 26 13:10:14.184453: | Now let's proceed with payload (ISAKMP_NEXT_v2TSr) Aug 26 13:10:14.184456: | **parse IKEv2 Traffic Selector - Responder - Payload: Aug 26 13:10:14.184459: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:14.184462: | flags: none (0x0) Aug 26 13:10:14.184465: | length: 24 (0x18) Aug 26 13:10:14.184468: | number of TS: 1 (0x1) Aug 26 13:10:14.184471: | processing payload: ISAKMP_NEXT_v2TSr 
(len=16) Aug 26 13:10:14.184474: | selected state microcode Responder: process IKE_AUTH request Aug 26 13:10:14.184478: | Now let's proceed with state specific processing Aug 26 13:10:14.184481: | calling processor Responder: process IKE_AUTH request Aug 26 13:10:14.184489: "eastnet-any"[1] 192.1.2.254 #1: processing decrypted IKE_AUTH request: SK{IDi,IDr,AUTH,SA,TSi,TSr} Aug 26 13:10:14.184497: | #1 updating local interface from 192.1.2.23:500 to 192.1.2.23:4500 using md->iface (in update_ike_endpoints() at state.c:2669) Aug 26 13:10:14.184502: | parsing 4 raw bytes of IKEv2 Identification - Initiator - Payload into peer ID Aug 26 13:10:14.184506: | peer ID c0 01 03 d1 Aug 26 13:10:14.184509: | received IDr payload - extracting our alleged ID Aug 26 13:10:14.184514: | refine_host_connection for IKEv2: starting with "eastnet-any"[1] 192.1.2.254 Aug 26 13:10:14.184521: | match_id a=192.1.3.209 Aug 26 13:10:14.184524: | b=192.1.2.254 Aug 26 13:10:14.184527: | results fail Aug 26 13:10:14.184537: | refine_host_connection: checking "eastnet-any"[1] 192.1.2.254 against "eastnet-any"[1] 192.1.2.254, best=(none) with match=0(id=0(0)/ca=1(0)/reqca=1(0)) Aug 26 13:10:14.184541: | Warning: not switching back to template of current instance Aug 26 13:10:14.184545: | Peer expects us to be @east (ID_FQDN) according to its IDr payload Aug 26 13:10:14.184549: | This connection's local id is @east (ID_FQDN) Aug 26 13:10:14.184552: | skipping because peer_id does not match Aug 26 13:10:14.184555: | refine going into 2nd loop allowing instantiated conns as well Aug 26 13:10:14.184561: | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports Aug 26 13:10:14.184566: | match_id a=192.1.3.209 Aug 26 13:10:14.184569: | b=(none) Aug 26 13:10:14.184572: | results matched Aug 26 13:10:14.184578: | refine_host_connection: checking "eastnet-any"[1] 192.1.2.254 against "eastnet-any", best=(none) with match=1(id=1(15)/ca=1(0)/reqca=1(0)) Aug 26 13:10:14.184581: | Warning: 
not switching back to template of current instance Aug 26 13:10:14.184584: | Peer expects us to be @east (ID_FQDN) according to its IDr payload Aug 26 13:10:14.184588: | This connection's local id is @east (ID_FQDN) Aug 26 13:10:14.184593: | refine_host_connection: checked eastnet-any[1] 192.1.2.254 against eastnet-any, now for see if best Aug 26 13:10:14.184597: | started looking for secret for @east->(none) of kind PKK_PSK Aug 26 13:10:14.184600: | instantiating him to %ANYADDR Aug 26 13:10:14.184604: | actually looking for secret for @east->%any of kind PKK_PSK Aug 26 13:10:14.184609: | line 1: key type PKK_PSK(@east) to type PKK_PSK Aug 26 13:10:14.184613: | 1: compared key %any to @east / %any -> 002 Aug 26 13:10:14.184617: | 2: compared key @east to @east / %any -> 012 Aug 26 13:10:14.184620: | line 1: match=012 Aug 26 13:10:14.184624: | match 012 beats previous best_match 000 match=0x55fd6a49cc48 (line=1) Aug 26 13:10:14.184628: | concluding with best_match=012 best=0x55fd6a49cc48 (lineno=1) Aug 26 13:10:14.184632: | refine_host_connection: picking new best "eastnet-any" (wild=15, peer_pathlen=0/our=0) Aug 26 13:10:14.184635: | returning since no better match than original best_found Aug 26 13:10:14.184641: "eastnet-any"[1] 192.1.2.254 #1: switched from "eastnet-any"[1] 192.1.2.254 to "eastnet-any" Aug 26 13:10:14.184647: | match_id a=192.1.3.209 Aug 26 13:10:14.184650: | b=(none) Aug 26 13:10:14.184653: | results matched Aug 26 13:10:14.184661: | find_host_pair: comparing 192.1.2.23:500 to 192.1.2.254:500 but ignoring ports Aug 26 13:10:14.184666: | connect_to_host_pair: 192.1.2.23:500 192.1.2.254:500 -> hp@0x55fd6a5456d8: eastnet-any Aug 26 13:10:14.184672: | rw_instantiate() instantiated "eastnet-any"[2] 192.1.2.254 for 192.1.2.254 Aug 26 13:10:14.184676: | in connection_discard for connection eastnet-any Aug 26 13:10:14.184679: | connection is instance Aug 26 13:10:14.184682: | not in pending use Aug 26 13:10:14.184685: | State DB: state not found 
(connection_discard) Aug 26 13:10:14.184689: | no states use this connection instance, deleting Aug 26 13:10:14.184694: | start processing: connection "eastnet-any"[1] 192.1.2.254 (BACKGROUND) (in delete_connection() at connections.c:189) Aug 26 13:10:14.184701: "eastnet-any"[2] 192.1.2.254 #1: deleting connection "eastnet-any"[1] 192.1.2.254 instance with peer 192.1.2.254 {isakmp=#0/ipsec=#0} Aug 26 13:10:14.184705: | Deleting states for connection - not including other IPsec SA's Aug 26 13:10:14.184708: | pass 0 Aug 26 13:10:14.184711: | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete Aug 26 13:10:14.184714: | state #1 Aug 26 13:10:14.184717: | pass 1 Aug 26 13:10:14.184720: | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete Aug 26 13:10:14.184723: | state #1 Aug 26 13:10:14.184727: | flush revival: connection 'eastnet-any' wasn't on the list Aug 26 13:10:14.184732: | stop processing: connection "eastnet-any"[1] 192.1.2.254 (BACKGROUND) (in discard_connection() at connections.c:249) Aug 26 13:10:14.184737: | retrying ikev2_decode_peer_id_and_certs() with new conn Aug 26 13:10:14.184744: | parsing 4 raw bytes of IKEv2 Identification - Initiator - Payload into peer ID Aug 26 13:10:14.184747: | peer ID c0 01 03 d1 Aug 26 13:10:14.184750: | received IDr payload - extracting our alleged ID Aug 26 13:10:14.184754: | refine_host_connection for IKEv2: starting with "eastnet-any"[2] 192.1.2.254 Aug 26 13:10:14.184760: | match_id a=192.1.3.209 Aug 26 13:10:14.184763: | b=192.1.3.209 Aug 26 13:10:14.184766: | results matched Aug 26 13:10:14.184772: | refine_host_connection: checking "eastnet-any"[2] 192.1.2.254 against "eastnet-any"[2] 192.1.2.254, best=(none) with match=1(id=1(0)/ca=1(0)/reqca=1(0)) Aug 26 13:10:14.184775: | Warning: not switching back to template of current instance Aug 26 13:10:14.184779: | Peer expects us to be @east (ID_FQDN) according to its IDr payload Aug 26 13:10:14.184782: | This connection's local id is @east (ID_FQDN) 
Aug 26 13:10:14.184787: | refine_host_connection: checked eastnet-any[2] 192.1.2.254 against eastnet-any[2] 192.1.2.254, now for see if best Aug 26 13:10:14.184792: | started looking for secret for @east->192.1.3.209 of kind PKK_PSK Aug 26 13:10:14.184796: | actually looking for secret for @east->192.1.3.209 of kind PKK_PSK Aug 26 13:10:14.184801: | line 1: key type PKK_PSK(@east) to type PKK_PSK Aug 26 13:10:14.184805: | 1: compared key %any to @east / 192.1.3.209 -> 002 Aug 26 13:10:14.184809: | 2: compared key @east to @east / 192.1.3.209 -> 012 Aug 26 13:10:14.184812: | line 1: match=012 Aug 26 13:10:14.184815: | match 012 beats previous best_match 000 match=0x55fd6a49cc48 (line=1) Aug 26 13:10:14.184819: | concluding with best_match=012 best=0x55fd6a49cc48 (lineno=1) Aug 26 13:10:14.184822: | returning because exact peer id match Aug 26 13:10:14.184825: | offered CA: '%none' Aug 26 13:10:14.184830: "eastnet-any"[2] 192.1.2.254 #1: IKEv2 mode peer ID is ID_IPV4_ADDR: '192.1.3.209' Aug 26 13:10:14.184856: | verifying AUTH payload Aug 26 13:10:14.184861: | ikev2_calculate_psk_sighash() called from STATE_PARENT_R1 to verify PSK with authby=secret Aug 26 13:10:14.184866: | started looking for secret for @east->192.1.3.209 of kind PKK_PSK Aug 26 13:10:14.184871: | actually looking for secret for @east->192.1.3.209 of kind PKK_PSK Aug 26 13:10:14.184875: | line 1: key type PKK_PSK(@east) to type PKK_PSK Aug 26 13:10:14.184879: | 1: compared key %any to @east / 192.1.3.209 -> 002 Aug 26 13:10:14.184882: | 2: compared key @east to @east / 192.1.3.209 -> 012 Aug 26 13:10:14.184885: | line 1: match=012 Aug 26 13:10:14.184889: | match 012 beats previous best_match 000 match=0x55fd6a49cc48 (line=1) Aug 26 13:10:14.184892: | concluding with best_match=012 best=0x55fd6a49cc48 (lineno=1) Aug 26 13:10:14.184962: "eastnet-any"[2] 192.1.2.254 #1: Authenticated using authby=secret Aug 26 13:10:14.184969: | parent state #1: PARENT_R1(half-open IKE SA) => PARENT_R2(established IKE 
SA) Aug 26 13:10:14.184975: | #1 will start re-keying in 3330 seconds with margin of 270 seconds (attempting re-key) Aug 26 13:10:14.184978: | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted Aug 26 13:10:14.184982: | libevent_free: release ptr-libevent@0x7fd1dc002888 Aug 26 13:10:14.184986: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55fd6a545808 Aug 26 13:10:14.184990: | event_schedule: new EVENT_SA_REKEY-pe@0x55fd6a545808 Aug 26 13:10:14.184995: | inserting event EVENT_SA_REKEY, timeout in 3330 seconds for #1 Aug 26 13:10:14.184998: | libevent_malloc: new ptr-libevent@0x55fd6a5490d8 size 128 Aug 26 13:10:14.185459: | pstats #1 ikev2.ike established Aug 26 13:10:14.185475: | **emit ISAKMP Message: Aug 26 13:10:14.185479: | initiator cookie: Aug 26 13:10:14.185482: | 09 89 39 54 70 14 c0 90 Aug 26 13:10:14.185485: | responder cookie: Aug 26 13:10:14.185488: | 8b 1d 75 ae 0c 16 35 05 Aug 26 13:10:14.185492: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 13:10:14.185496: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:10:14.185499: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Aug 26 13:10:14.185506: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Aug 26 13:10:14.185509: | Message ID: 1 (0x1) Aug 26 13:10:14.185513: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 13:10:14.185517: | IKEv2 CERT: send a certificate? 
Aug 26 13:10:14.185521: | IKEv2 CERT: policy does not have RSASIG or ECDSA: PSK Aug 26 13:10:14.185524: | ***emit IKEv2 Encryption Payload: Aug 26 13:10:14.185528: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:14.185531: | flags: none (0x0) Aug 26 13:10:14.185535: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Aug 26 13:10:14.185539: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'reply packet' Aug 26 13:10:14.185543: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Aug 26 13:10:14.185553: | Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED Aug 26 13:10:14.185571: | ****emit IKEv2 Identification - Responder - Payload: Aug 26 13:10:14.185575: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:14.185578: | flags: none (0x0) Aug 26 13:10:14.185582: | ID type: ID_FQDN (0x2) Aug 26 13:10:14.185586: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Identification - Responder - Payload (36:ISAKMP_NEXT_v2IDr) Aug 26 13:10:14.185589: | next payload chain: saving location 'IKEv2 Identification - Responder - Payload'.'next payload type' in 'reply packet' Aug 26 13:10:14.185594: | emitting 4 raw bytes of my identity into IKEv2 Identification - Responder - Payload Aug 26 13:10:14.185597: | my identity 65 61 73 74 Aug 26 13:10:14.185600: | emitting length of IKEv2 Identification - Responder - Payload: 12 Aug 26 13:10:14.185610: | assembled IDr payload Aug 26 13:10:14.185613: | CHILD SA proposals received Aug 26 13:10:14.185616: | going to assemble AUTH payload Aug 26 13:10:14.185620: | ****emit IKEv2 Authentication Payload: Aug 26 13:10:14.185623: | next payload type: ISAKMP_NEXT_v2SA (0x21) Aug 26 13:10:14.185626: | flags: none (0x0) Aug 26 13:10:14.185630: | auth method: IKEv2_AUTH_SHARED (0x2) Aug 26 13:10:14.185634: | next payload chain: 
ignoring supplied 'IKEv2 Authentication Payload'.'next payload type' value 33:ISAKMP_NEXT_v2SA Aug 26 13:10:14.185638: | next payload chain: setting previous 'IKEv2 Identification - Responder - Payload'.'next payload type' to current IKEv2 Authentication Payload (39:ISAKMP_NEXT_v2AUTH) Aug 26 13:10:14.185641: | next payload chain: saving location 'IKEv2 Authentication Payload'.'next payload type' in 'reply packet' Aug 26 13:10:14.185645: | ikev2_calculate_psk_sighash() called from STATE_PARENT_R2 to create PSK with authby=secret Aug 26 13:10:14.185651: | started looking for secret for @east->192.1.3.209 of kind PKK_PSK Aug 26 13:10:14.185656: | actually looking for secret for @east->192.1.3.209 of kind PKK_PSK Aug 26 13:10:14.185660: | line 1: key type PKK_PSK(@east) to type PKK_PSK Aug 26 13:10:14.185665: | 1: compared key %any to @east / 192.1.3.209 -> 002 Aug 26 13:10:14.185669: | 2: compared key @east to @east / 192.1.3.209 -> 012 Aug 26 13:10:14.185672: | line 1: match=012 Aug 26 13:10:14.185675: | match 012 beats previous best_match 000 match=0x55fd6a49cc48 (line=1) Aug 26 13:10:14.185679: | concluding with best_match=012 best=0x55fd6a49cc48 (lineno=1) Aug 26 13:10:14.185741: | emitting 64 raw bytes of PSK auth into IKEv2 Authentication Payload Aug 26 13:10:14.185746: | PSK auth 4f 92 e0 41 92 53 95 1c 21 69 c2 65 3e f2 99 49 Aug 26 13:10:14.185749: | PSK auth ed 2e 99 2a 4d a7 c9 da 56 29 03 8e 03 fb 2c b4 Aug 26 13:10:14.185752: | PSK auth 3d b2 f8 c0 b1 21 7f 9f 36 cd 8c 4d cd 6e b5 5e Aug 26 13:10:14.185756: | PSK auth 20 38 ba e7 bc 6b 7b 3f 1e 35 9e eb 9c f8 b5 ef Aug 26 13:10:14.185759: | emitting length of IKEv2 Authentication Payload: 72 Aug 26 13:10:14.185765: | creating state object #2 at 0x55fd6a546718 Aug 26 13:10:14.185771: | State DB: adding IKEv2 state #2 in UNDEFINED Aug 26 13:10:14.185776: | pstats #2 ikev2.child started Aug 26 13:10:14.185781: | duplicating state object #1 "eastnet-any"[2] 192.1.2.254 as #2 for IPSEC SA Aug 26 
13:10:14.185787: | #2 setting local endpoint to 192.1.2.23:4500 from #1.st_localport (in duplicate_state() at state.c:1484) Aug 26 13:10:14.185795: | Message ID: init_child #1.#2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0; child: wip.initiator=0->-1 wip.responder=0->-1 Aug 26 13:10:14.185801: | Message ID: switch-from #1 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=1->-1 Aug 26 13:10:14.185806: | Message ID: switch-to #1.#2 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0; child: wip.initiator=-1 wip.responder=-1->1 Aug 26 13:10:14.185810: | Child SA TS Request has ike->sa == md->st; so using parent connection Aug 26 13:10:14.185814: | TSi: parsing 1 traffic selectors Aug 26 13:10:14.185817: | ***parse IKEv2 Traffic Selector: Aug 26 13:10:14.185821: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 13:10:14.185824: | IP Protocol ID: 0 (0x0) Aug 26 13:10:14.185828: | length: 16 (0x10) Aug 26 13:10:14.185831: | start port: 0 (0x0) Aug 26 13:10:14.185834: | end port: 65535 (0xffff) Aug 26 13:10:14.185838: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Aug 26 13:10:14.185841: | TS low c0 00 01 00 Aug 26 13:10:14.185844: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Aug 26 13:10:14.185847: | TS high c0 00 01 ff Aug 26 13:10:14.185850: | TSi: parsed 1 traffic selectors Aug 26 13:10:14.185853: | TSr: parsing 1 traffic selectors Aug 26 13:10:14.185857: | ***parse IKEv2 Traffic Selector: Aug 26 13:10:14.185860: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 13:10:14.185863: | IP Protocol ID: 0 (0x0) Aug 26 13:10:14.185866: | length: 16 (0x10) Aug 26 13:10:14.185869: | start port: 0 (0x0) Aug 26 13:10:14.185872: | end port: 65535 (0xffff) Aug 26 13:10:14.185875: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Aug 26 13:10:14.185878: | TS low c0 00 02 00 Aug 26 13:10:14.185881: | parsing 4 raw 
bytes of IKEv2 Traffic Selector into TS high Aug 26 13:10:14.185884: | TS high c0 00 02 ff Aug 26 13:10:14.185887: | TSr: parsed 1 traffic selectors Aug 26 13:10:14.185890: | looking for best SPD in current connection Aug 26 13:10:14.185898: | evaluating our conn="eastnet-any"[2] 192.1.2.254 I=192.0.1.0/24:0/0 R=192.0.2.0/24:0/0 to their: Aug 26 13:10:14.185904: | TSi[0] .net=192.0.1.0-192.0.1.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 13:10:14.185911: | match address end->client=192.0.1.0/24 == TSi[0]net=192.0.1.0-192.0.1.255: YES fitness 32 Aug 26 13:10:14.185915: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Aug 26 13:10:14.185919: | TSi[0] port match: YES fitness 65536 Aug 26 13:10:14.185923: | narrow protocol end=*0 == TSi[0]=*0: 0 Aug 26 13:10:14.185927: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Aug 26 13:10:14.185932: | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 13:10:14.185938: | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 Aug 26 13:10:14.185942: | narrow port end=0..65535 == TSr[0]=0..65535: 0 Aug 26 13:10:14.185945: | TSr[0] port match: YES fitness 65536 Aug 26 13:10:14.185948: | narrow protocol end=*0 == TSr[0]=*0: 0 Aug 26 13:10:14.185952: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Aug 26 13:10:14.185955: | best fit so far: TSi[0] TSr[0] Aug 26 13:10:14.185959: | found better spd route for TSi[0],TSr[0] Aug 26 13:10:14.185962: | looking for better host pair Aug 26 13:10:14.185967: | find_host_pair: comparing 192.1.2.23:500 to 192.1.2.254:500 but ignoring ports Aug 26 13:10:14.185973: | checking hostpair 192.0.2.0/24 -> 192.0.1.0/24 is found Aug 26 13:10:14.185979: | investigating connection "eastnet-any" as a better match Aug 26 13:10:14.185984: | match_id a=192.1.3.209 Aug 26 13:10:14.185987: | b=192.1.3.209 Aug 26 13:10:14.185990: | results matched Aug 26 13:10:14.185997: | evaluating our conn="eastnet-any"[2] 
192.1.2.254 I=192.0.1.0/24:0/0 R=192.0.2.0/24:0/0 to their: Aug 26 13:10:14.186002: | TSi[0] .net=192.0.1.0-192.0.1.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 13:10:14.186008: | match address end->client=192.0.1.0/24 == TSi[0]net=192.0.1.0-192.0.1.255: YES fitness 32 Aug 26 13:10:14.186012: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Aug 26 13:10:14.186015: | TSi[0] port match: YES fitness 65536 Aug 26 13:10:14.186019: | narrow protocol end=*0 == TSi[0]=*0: 0 Aug 26 13:10:14.186022: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Aug 26 13:10:14.186027: | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 13:10:14.186034: | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 Aug 26 13:10:14.186037: | narrow port end=0..65535 == TSr[0]=0..65535: 0 Aug 26 13:10:14.186040: | TSr[0] port match: YES fitness 65536 Aug 26 13:10:14.186044: | narrow protocol end=*0 == TSr[0]=*0: 0 Aug 26 13:10:14.186047: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Aug 26 13:10:14.186050: | best fit so far: TSi[0] TSr[0] Aug 26 13:10:14.186053: | did not find a better connection using host pair Aug 26 13:10:14.186056: | printing contents struct traffic_selector Aug 26 13:10:14.186060: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Aug 26 13:10:14.186063: | ipprotoid: 0 Aug 26 13:10:14.186066: | port range: 0-65535 Aug 26 13:10:14.186070: | ip range: 192.0.2.0-192.0.2.255 Aug 26 13:10:14.186073: | printing contents struct traffic_selector Aug 26 13:10:14.186076: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Aug 26 13:10:14.186079: | ipprotoid: 0 Aug 26 13:10:14.186082: | port range: 0-65535 Aug 26 13:10:14.186086: | ip range: 192.0.1.0-192.0.1.255 Aug 26 13:10:14.186091: | constructing ESP/AH proposals with all DH removed for eastnet-any (IKE_AUTH responder matching remote ESP/AH proposals) Aug 26 13:10:14.186100: | converting proposal AES_GCM_16_256-NONE to ikev2 ... Aug 26 13:10:14.186107: | ... 
ikev2_proposal: 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;DH=NONE;ESN=DISABLED Aug 26 13:10:14.186111: | converting proposal AES_GCM_16_128-NONE to ikev2 ... Aug 26 13:10:14.186116: | ... ikev2_proposal: 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;DH=NONE;ESN=DISABLED Aug 26 13:10:14.186121: | converting proposal AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128 to ikev2 ... Aug 26 13:10:14.186126: | ... ikev2_proposal: 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED Aug 26 13:10:14.186130: | converting proposal AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128 to ikev2 ... Aug 26 13:10:14.186135: | ... ikev2_proposal: 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED Aug 26 13:10:14.186145: "eastnet-any"[2] 192.1.2.254: constructed local ESP/AH proposals for eastnet-any (IKE_AUTH responder matching remote ESP/AH proposals): 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;DH=NONE;ESN=DISABLED 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;DH=NONE;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED Aug 26 13:10:14.186149: | Comparing remote proposals against IKE_AUTH responder matching remote ESP/AH proposals 4 local proposals Aug 26 13:10:14.186154: | local proposal 1 type ENCR has 1 transforms Aug 26 13:10:14.186157: | local proposal 1 type PRF has 0 transforms Aug 26 13:10:14.186161: | local proposal 1 type INTEG has 1 transforms Aug 26 13:10:14.186164: | local proposal 1 type DH has 1 transforms Aug 26 13:10:14.186167: | local proposal 1 type ESN has 1 transforms Aug 26 13:10:14.186171: | local proposal 1 transforms: required: ENCR+ESN; optional: INTEG+DH Aug 26 13:10:14.186176: | local proposal 2 type ENCR has 1 transforms Aug 26 13:10:14.186180: | local proposal 2 type PRF has 0 transforms Aug 26 13:10:14.186183: | local proposal 2 type INTEG has 1 transforms Aug 26 13:10:14.186186: | local 
proposal 2 type DH has 1 transforms Aug 26 13:10:14.186189: | local proposal 2 type ESN has 1 transforms Aug 26 13:10:14.186193: | local proposal 2 transforms: required: ENCR+ESN; optional: INTEG+DH Aug 26 13:10:14.186196: | local proposal 3 type ENCR has 1 transforms Aug 26 13:10:14.186199: | local proposal 3 type PRF has 0 transforms Aug 26 13:10:14.186202: | local proposal 3 type INTEG has 2 transforms Aug 26 13:10:14.186206: | local proposal 3 type DH has 1 transforms Aug 26 13:10:14.186209: | local proposal 3 type ESN has 1 transforms Aug 26 13:10:14.186212: | local proposal 3 transforms: required: ENCR+INTEG+ESN; optional: DH Aug 26 13:10:14.186216: | local proposal 4 type ENCR has 1 transforms Aug 26 13:10:14.186219: | local proposal 4 type PRF has 0 transforms Aug 26 13:10:14.186222: | local proposal 4 type INTEG has 2 transforms Aug 26 13:10:14.186225: | local proposal 4 type DH has 1 transforms Aug 26 13:10:14.186228: | local proposal 4 type ESN has 1 transforms Aug 26 13:10:14.186232: | local proposal 4 transforms: required: ENCR+INTEG+ESN; optional: DH Aug 26 13:10:14.186236: | ***parse IKEv2 Proposal Substructure Payload: Aug 26 13:10:14.186239: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 13:10:14.186242: | length: 32 (0x20) Aug 26 13:10:14.186246: | prop #: 1 (0x1) Aug 26 13:10:14.186249: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 13:10:14.186252: | spi size: 4 (0x4) Aug 26 13:10:14.186255: | # transforms: 2 (0x2) Aug 26 13:10:14.186259: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Aug 26 13:10:14.186262: | remote SPI 33 4e e6 00 Aug 26 13:10:14.186266: | Comparing remote proposal 1 containing 2 transforms against local proposal [1..4] of 4 local proposals Aug 26 13:10:14.186270: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:14.186273: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:14.186276: | length: 12 (0xc) Aug 26 13:10:14.186280: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) 
Aug 26 13:10:14.186283: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 13:10:14.186287: | *****parse IKEv2 Attribute Substructure Payload: Aug 26 13:10:14.186302: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:10:14.186309: | length/value: 256 (0x100) Aug 26 13:10:14.186315: | remote proposal 1 transform 0 (ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) transform 0 Aug 26 13:10:14.186319: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:14.186323: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:10:14.186326: | length: 8 (0x8) Aug 26 13:10:14.186329: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 13:10:14.186332: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 13:10:14.186336: | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 1 type 5 (ESN) transform 0 Aug 26 13:10:14.186340: | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 2 type 5 (ESN) transform 0 Aug 26 13:10:14.186344: | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 3 type 5 (ESN) transform 0 Aug 26 13:10:14.186348: | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 4 type 5 (ESN) transform 0 Aug 26 13:10:14.186353: | remote proposal 1 proposed transforms: ENCR+ESN; matched: ENCR+ESN; unmatched: none Aug 26 13:10:14.186358: | comparing remote proposal 1 containing ENCR+ESN transforms to local proposal 1; required: ENCR+ESN; optional: INTEG+DH; matched: ENCR+ESN Aug 26 13:10:14.186361: | remote proposal 1 matches local proposal 1 Aug 26 13:10:14.186365: | ***parse IKEv2 Proposal Substructure Payload: Aug 26 13:10:14.186368: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 13:10:14.186371: | length: 32 (0x20) Aug 26 13:10:14.186374: | prop #: 2 (0x2) Aug 26 13:10:14.186380: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 13:10:14.186383: | spi size: 4 (0x4) Aug 26 13:10:14.186386: | # transforms: 2 (0x2) Aug 26 13:10:14.186390: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into 
remote SPI Aug 26 13:10:14.186393: | remote SPI 33 4e e6 00 Aug 26 13:10:14.186397: | Comparing remote proposal 2 containing 2 transforms against local proposal [1..0] of 4 local proposals Aug 26 13:10:14.186400: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:14.186403: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:14.186406: | length: 12 (0xc) Aug 26 13:10:14.186410: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:10:14.186413: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 13:10:14.186416: | *****parse IKEv2 Attribute Substructure Payload: Aug 26 13:10:14.186419: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:10:14.186422: | length/value: 128 (0x80) Aug 26 13:10:14.186426: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:14.186429: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:10:14.186432: | length: 8 (0x8) Aug 26 13:10:14.186435: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 13:10:14.186438: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 13:10:14.186442: | remote proposal 2 proposed transforms: ENCR+ESN; matched: none; unmatched: ENCR+ESN Aug 26 13:10:14.186446: | remote proposal 2 does not match; unmatched remote transforms: ENCR+ESN Aug 26 13:10:14.186449: | ***parse IKEv2 Proposal Substructure Payload: Aug 26 13:10:14.186453: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 13:10:14.186456: | length: 48 (0x30) Aug 26 13:10:14.186459: | prop #: 3 (0x3) Aug 26 13:10:14.186462: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 13:10:14.186465: | spi size: 4 (0x4) Aug 26 13:10:14.186467: | # transforms: 4 (0x4) Aug 26 13:10:14.186471: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Aug 26 13:10:14.186474: | remote SPI 33 4e e6 00 Aug 26 13:10:14.186478: | Comparing remote proposal 3 containing 4 transforms against local proposal [1..0] of 4 local proposals Aug 26 13:10:14.186481: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:14.186484: | last transform: 
v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:14.186487: | length: 12 (0xc) Aug 26 13:10:14.186490: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:10:14.186493: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 13:10:14.186496: | *****parse IKEv2 Attribute Substructure Payload: Aug 26 13:10:14.186499: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:10:14.186502: | length/value: 256 (0x100) Aug 26 13:10:14.186506: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:14.186509: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:14.186512: | length: 8 (0x8) Aug 26 13:10:14.186515: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:10:14.186519: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Aug 26 13:10:14.186522: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:14.186525: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:14.186528: | length: 8 (0x8) Aug 26 13:10:14.186531: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:10:14.186534: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Aug 26 13:10:14.186538: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:14.186541: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:10:14.186544: | length: 8 (0x8) Aug 26 13:10:14.186547: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 13:10:14.186550: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 13:10:14.186554: | remote proposal 3 proposed transforms: ENCR+INTEG+ESN; matched: none; unmatched: ENCR+INTEG+ESN Aug 26 13:10:14.186558: | remote proposal 3 does not match; unmatched remote transforms: ENCR+INTEG+ESN Aug 26 13:10:14.186561: | ***parse IKEv2 Proposal Substructure Payload: Aug 26 13:10:14.186564: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 13:10:14.186569: | length: 48 (0x30) Aug 26 13:10:14.186572: | prop #: 4 (0x4) Aug 26 13:10:14.186575: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 13:10:14.186578: | spi size: 4 (0x4) Aug 26 13:10:14.186581: | # transforms: 4 (0x4) Aug 26 13:10:14.186585: | 
parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Aug 26 13:10:14.186588: | remote SPI 33 4e e6 00 Aug 26 13:10:14.186591: | Comparing remote proposal 4 containing 4 transforms against local proposal [1..0] of 4 local proposals Aug 26 13:10:14.186595: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:14.186598: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:14.186601: | length: 12 (0xc) Aug 26 13:10:14.186604: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:10:14.186607: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 13:10:14.186610: | *****parse IKEv2 Attribute Substructure Payload: Aug 26 13:10:14.186613: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:10:14.186616: | length/value: 128 (0x80) Aug 26 13:10:14.186620: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:14.186623: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:14.186626: | length: 8 (0x8) Aug 26 13:10:14.186629: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:10:14.186632: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Aug 26 13:10:14.186635: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:14.186638: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:14.186641: | length: 8 (0x8) Aug 26 13:10:14.186644: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:10:14.186648: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Aug 26 13:10:14.186651: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:14.186654: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:10:14.186657: | length: 8 (0x8) Aug 26 13:10:14.186660: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 13:10:14.186663: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 13:10:14.186667: | remote proposal 4 proposed transforms: ENCR+INTEG+ESN; matched: none; unmatched: ENCR+INTEG+ESN Aug 26 13:10:14.186671: | remote proposal 4 does not match; unmatched remote transforms: ENCR+INTEG+ESN Aug 26 13:10:14.186679: 
"eastnet-any"[2] 192.1.2.254 #1: proposal 1:ESP:SPI=334ee600;ENCR=AES_GCM_C_256;ESN=DISABLED chosen from remote proposals 1:ESP:ENCR=AES_GCM_C_256;ESN=DISABLED[first-match] 2:ESP:ENCR=AES_GCM_C_128;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED Aug 26 13:10:14.186685: | IKE_AUTH responder matching remote ESP/AH proposals ikev2_proposal: 1:ESP:SPI=334ee600;ENCR=AES_GCM_C_256;ESN=DISABLED Aug 26 13:10:14.186688: | converting proposal to internal trans attrs Aug 26 13:10:14.186710: | netlink_get_spi: allocated 0xb61b630e for esp.0@192.1.2.23 Aug 26 13:10:14.186714: | Emitting ikev2_proposal ... Aug 26 13:10:14.186718: | ****emit IKEv2 Security Association Payload: Aug 26 13:10:14.186721: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:14.186725: | flags: none (0x0) Aug 26 13:10:14.186729: | next payload chain: setting previous 'IKEv2 Authentication Payload'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Aug 26 13:10:14.186733: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Aug 26 13:10:14.186737: | *****emit IKEv2 Proposal Substructure Payload: Aug 26 13:10:14.186740: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 13:10:14.186743: | prop #: 1 (0x1) Aug 26 13:10:14.186746: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 13:10:14.186749: | spi size: 4 (0x4) Aug 26 13:10:14.186752: | # transforms: 2 (0x2) Aug 26 13:10:14.186756: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Aug 26 13:10:14.186760: | emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload Aug 26 13:10:14.186766: | our spi b6 1b 63 0e Aug 26 13:10:14.186769: | ******emit IKEv2 Transform Substructure Payload: Aug 26 13:10:14.186772: | last transform: 
v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:14.186775: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:10:14.186779: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 13:10:14.186782: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:10:14.186786: | *******emit IKEv2 Attribute Substructure Payload: Aug 26 13:10:14.186789: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:10:14.186792: | length/value: 256 (0x100) Aug 26 13:10:14.186796: | emitting length of IKEv2 Transform Substructure Payload: 12 Aug 26 13:10:14.186799: | ******emit IKEv2 Transform Substructure Payload: Aug 26 13:10:14.186802: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:10:14.186805: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 13:10:14.186808: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 13:10:14.186812: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:14.186816: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:10:14.186820: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:10:14.186823: | emitting length of IKEv2 Proposal Substructure Payload: 32 Aug 26 13:10:14.186827: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Aug 26 13:10:14.186830: | emitting length of IKEv2 Security Association Payload: 36 Aug 26 13:10:14.186833: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Aug 26 13:10:14.186837: | ****emit IKEv2 Traffic Selector - Initiator - Payload: Aug 26 13:10:14.186841: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:14.186844: | flags: none (0x0) Aug 26 13:10:14.186847: | number of TS: 1 
(0x1) Aug 26 13:10:14.186851: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Traffic Selector - Initiator - Payload (44:ISAKMP_NEXT_v2TSi) Aug 26 13:10:14.186855: | next payload chain: saving location 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' in 'reply packet' Aug 26 13:10:14.186858: | *****emit IKEv2 Traffic Selector: Aug 26 13:10:14.186861: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 13:10:14.186864: | IP Protocol ID: 0 (0x0) Aug 26 13:10:14.186868: | start port: 0 (0x0) Aug 26 13:10:14.186871: | end port: 65535 (0xffff) Aug 26 13:10:14.186875: | emitting 4 raw bytes of ipv4 start into IKEv2 Traffic Selector Aug 26 13:10:14.186878: | ipv4 start c0 00 01 00 Aug 26 13:10:14.186881: | emitting 4 raw bytes of ipv4 end into IKEv2 Traffic Selector Aug 26 13:10:14.186884: | ipv4 end c0 00 01 ff Aug 26 13:10:14.186888: | emitting length of IKEv2 Traffic Selector: 16 Aug 26 13:10:14.186891: | emitting length of IKEv2 Traffic Selector - Initiator - Payload: 24 Aug 26 13:10:14.186894: | ****emit IKEv2 Traffic Selector - Responder - Payload: Aug 26 13:10:14.186897: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:14.186900: | flags: none (0x0) Aug 26 13:10:14.186903: | number of TS: 1 (0x1) Aug 26 13:10:14.186907: | next payload chain: setting previous 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' to current IKEv2 Traffic Selector - Responder - Payload (45:ISAKMP_NEXT_v2TSr) Aug 26 13:10:14.186911: | next payload chain: saving location 'IKEv2 Traffic Selector - Responder - Payload'.'next payload type' in 'reply packet' Aug 26 13:10:14.186914: | *****emit IKEv2 Traffic Selector: Aug 26 13:10:14.186917: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 13:10:14.186922: | IP Protocol ID: 0 (0x0) Aug 26 13:10:14.186925: | start port: 0 (0x0) Aug 26 13:10:14.186928: | end port: 65535 (0xffff) Aug 26 13:10:14.186932: | emitting 4 raw bytes of ipv4 start 
into IKEv2 Traffic Selector Aug 26 13:10:14.186935: | ipv4 start c0 00 02 00 Aug 26 13:10:14.186938: | emitting 4 raw bytes of ipv4 end into IKEv2 Traffic Selector Aug 26 13:10:14.186941: | ipv4 end c0 00 02 ff Aug 26 13:10:14.186944: | emitting length of IKEv2 Traffic Selector: 16 Aug 26 13:10:14.186948: | emitting length of IKEv2 Traffic Selector - Responder - Payload: 24 Aug 26 13:10:14.186951: | Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED Aug 26 13:10:14.186955: | integ=none: .key_size=0 encrypt=aes_gcm_16: .key_size=32 .salt_size=4 keymat_len=36 Aug 26 13:10:14.187134: | FOR_EACH_CONNECTION_... in ISAKMP_SA_established Aug 26 13:10:14.187144: | #1 spent 2.64 milliseconds Aug 26 13:10:14.187148: | install_ipsec_sa() for #2: inbound and outbound Aug 26 13:10:14.187152: | could_route called for eastnet-any (kind=CK_INSTANCE) Aug 26 13:10:14.187155: | FOR_EACH_CONNECTION_... in route_owner Aug 26 13:10:14.187159: | conn eastnet-any mark 0/00000000, 0/00000000 vs Aug 26 13:10:14.187163: | conn eastnet-any mark 0/00000000, 0/00000000 Aug 26 13:10:14.187167: | conn eastnet-any mark 0/00000000, 0/00000000 vs Aug 26 13:10:14.187170: | conn eastnet-any mark 0/00000000, 0/00000000 Aug 26 13:10:14.187176: | route owner of "eastnet-any"[2] 192.1.2.254 unrouted: NULL; eroute owner: NULL Aug 26 13:10:14.187181: | looking for alg with encrypt: AES_GCM_16 keylen: 256 integ: NONE Aug 26 13:10:14.187185: | encrypt AES_GCM_16 keylen=256 transid=20, key_size=32, encryptalg=20 Aug 26 13:10:14.187189: | AES_GCM_16 requires 4 salt bytes Aug 26 13:10:14.187192: | st->st_esp.keymat_len=36 is encrypt_keymat_size=36 + integ_keymat_size=0 Aug 26 13:10:14.187197: | setting IPsec SA replay-window to 32 Aug 26 13:10:14.187201: | NIC esp-hw-offload not for connection 'eastnet-any' not available on interface eth1 Aug 26 13:10:14.187204: | netlink: enabling tunnel mode Aug 26 13:10:14.187208: | netlink: setting IPsec SA replay-window to 32 using old-style req Aug 26 
13:10:14.187211: | netlink: esp-hw-offload not set for IPsec SA Aug 26 13:10:14.187304: | netlink response for Add SA esp.334ee600@192.1.2.254 included non-error error Aug 26 13:10:14.187316: | set up outgoing SA, ref=0/0 Aug 26 13:10:14.187321: | looking for alg with encrypt: AES_GCM_16 keylen: 256 integ: NONE Aug 26 13:10:14.187324: | encrypt AES_GCM_16 keylen=256 transid=20, key_size=32, encryptalg=20 Aug 26 13:10:14.187328: | AES_GCM_16 requires 4 salt bytes Aug 26 13:10:14.187331: | st->st_esp.keymat_len=36 is encrypt_keymat_size=36 + integ_keymat_size=0 Aug 26 13:10:14.187336: | setting IPsec SA replay-window to 32 Aug 26 13:10:14.187339: | NIC esp-hw-offload not for connection 'eastnet-any' not available on interface eth1 Aug 26 13:10:14.187342: | netlink: enabling tunnel mode Aug 26 13:10:14.187346: | netlink: setting IPsec SA replay-window to 32 using old-style req Aug 26 13:10:14.187349: | netlink: esp-hw-offload not set for IPsec SA Aug 26 13:10:14.187401: | netlink response for Add SA esp.b61b630e@192.1.2.23 included non-error error Aug 26 13:10:14.187408: | priority calculation of connection "eastnet-any" is 0xfe7e7 Aug 26 13:10:14.187417: | add inbound eroute 192.0.1.0/24:0 --0-> 192.0.2.0/24:0 => tun.10000@192.1.2.23 (raw_eroute) Aug 26 13:10:14.187420: | IPsec Sa SPD priority set to 1042407 Aug 26 13:10:14.187450: | raw_eroute result=success Aug 26 13:10:14.187455: | set up incoming SA, ref=0/0 Aug 26 13:10:14.187459: | sr for #2: unrouted Aug 26 13:10:14.187463: | route_and_eroute() for proto 0, and source port 0 dest port 0 Aug 26 13:10:14.187466: | FOR_EACH_CONNECTION_... 
in route_owner Aug 26 13:10:14.187469: | conn eastnet-any mark 0/00000000, 0/00000000 vs Aug 26 13:10:14.187473: | conn eastnet-any mark 0/00000000, 0/00000000 Aug 26 13:10:14.187476: | conn eastnet-any mark 0/00000000, 0/00000000 vs Aug 26 13:10:14.187480: | conn eastnet-any mark 0/00000000, 0/00000000 Aug 26 13:10:14.187489: | route owner of "eastnet-any"[2] 192.1.2.254 unrouted: NULL; eroute owner: NULL Aug 26 13:10:14.187494: | route_and_eroute with c: eastnet-any (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: #2 Aug 26 13:10:14.187498: | priority calculation of connection "eastnet-any" is 0xfe7e7 Aug 26 13:10:14.187506: | eroute_connection add eroute 192.0.2.0/24:0 --0-> 192.0.1.0/24:0 => tun.0@192.1.2.254 (raw_eroute) Aug 26 13:10:14.187510: | IPsec Sa SPD priority set to 1042407 Aug 26 13:10:14.187525: | raw_eroute result=success Aug 26 13:10:14.187531: | running updown command "ipsec _updown" for verb up Aug 26 13:10:14.187534: | command executing up-client Aug 26 13:10:14.187564: | executing up-client: PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-any' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16396' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.254' PLUTO_PEER_ID='192.1.3.209' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' 
VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x334ee600 Aug 26 13:10:14.187569: | popen cmd is 1034 chars long Aug 26 13:10:14.187573: | cmd( 0):PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-any' PLUTO_: Aug 26 13:10:14.187577: | cmd( 80):INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_MY_ID=: Aug 26 13:10:14.187580: | cmd( 160):'@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_: Aug 26 13:10:14.187583: | cmd( 240):CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQ: Aug 26 13:10:14.187587: | cmd( 320):ID='16396' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.254' PLUTO_PEER_ID='192.1.3.2: Aug 26 13:10:14.187590: | cmd( 400):09' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEE: Aug 26 13:10:14.187593: | cmd( 480):R_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_: Aug 26 13:10:14.187597: | cmd( 560):PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT: Aug 26 13:10:14.187600: | cmd( 640):+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_I: Aug 26 13:10:14.187603: | cmd( 720):NSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLU: Aug 26 13:10:14.187606: | cmd( 800):TO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SER: Aug 26 13:10:14.187610: | cmd( 880):VER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='n: Aug 26 13:10:14.187613: | cmd( 960):o' VTI_SHARED='no' SPI_IN=0x334ee600 SPI_OUT=0xb61b630e ipsec _updown 2>&1: Aug 26 13:10:14.200972: | route_and_eroute: firewall_notified: true Aug 26 13:10:14.200991: | running updown command "ipsec _updown" for verb prepare Aug 26 13:10:14.200996: | command executing prepare-client Aug 26 13:10:14.201029: | executing prepare-client: PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-any' PLUTO_INTERFACE='eth1' 
PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16396' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.254' PLUTO_PEER_ID='192.1.3.209' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN= Aug 26 13:10:14.201041: | popen cmd is 1039 chars long Aug 26 13:10:14.201045: | cmd( 0):PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-any' P: Aug 26 13:10:14.201048: | cmd( 80):LUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_M: Aug 26 13:10:14.201051: | cmd( 160):Y_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUT: Aug 26 13:10:14.201053: | cmd( 240):O_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_S: Aug 26 13:10:14.201056: | cmd( 320):A_REQID='16396' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.254' PLUTO_PEER_ID='192.: Aug 26 13:10:14.201059: | cmd( 400):1.3.209' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUT: Aug 26 13:10:14.201062: | cmd( 480):O_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' P: Aug 26 13:10:14.201064: | cmd( 560):LUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+EN: Aug 26 13:10:14.201067: | cmd( 640):CRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' 
PLUTO_CONN_KIND=: Aug 26 13:10:14.201070: | cmd( 720):'CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0: Aug 26 13:10:14.201073: | cmd( 800):' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CF: Aug 26 13:10:14.201076: | cmd( 880):G_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTI: Aug 26 13:10:14.201078: | cmd( 960):NG='no' VTI_SHARED='no' SPI_IN=0x334ee600 SPI_OUT=0xb61b630e ipsec _updown 2>&1: Aug 26 13:10:14.210359: | running updown command "ipsec _updown" for verb route Aug 26 13:10:14.210373: | command executing route-client Aug 26 13:10:14.210400: | executing route-client: PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-any' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16396' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.254' PLUTO_PEER_ID='192.1.3.209' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x33 Aug 26 13:10:14.210405: | popen cmd is 1037 chars long Aug 26 13:10:14.210408: | cmd( 0):PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-any' PLU: Aug 26 13:10:14.210410: | cmd( 80):TO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_MY_: Aug 26 13:10:14.210413: | cmd( 
160):ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_: Aug 26 13:10:14.210415: | cmd( 240):MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_: Aug 26 13:10:14.210417: | cmd( 320):REQID='16396' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.254' PLUTO_PEER_ID='192.1.: Aug 26 13:10:14.210420: | cmd( 400):3.209' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_: Aug 26 13:10:14.210422: | cmd( 480):PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLU: Aug 26 13:10:14.210428: | cmd( 560):TO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCR: Aug 26 13:10:14.210430: | cmd( 640):YPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='C: Aug 26 13:10:14.210433: | cmd( 720):K_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' : Aug 26 13:10:14.210435: | cmd( 800):PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_: Aug 26 13:10:14.210437: | cmd( 880):SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING: Aug 26 13:10:14.210440: | cmd( 960):='no' VTI_SHARED='no' SPI_IN=0x334ee600 SPI_OUT=0xb61b630e ipsec _updown 2>&1: Aug 26 13:10:14.223675: | route_and_eroute: instance "eastnet-any"[2] 192.1.2.254, setting eroute_owner {spd=0x55fd6a549838,sr=0x55fd6a549838} to #2 (was #0) (newest_ipsec_sa=#0) Aug 26 13:10:14.223760: | #1 spent 1.95 milliseconds in install_ipsec_sa() Aug 26 13:10:14.223768: | ISAKMP_v2_IKE_AUTH: instance eastnet-any[2], setting IKEv2 newest_ipsec_sa to #2 (was #0) (spd.eroute=#2) cloned from #1 Aug 26 13:10:14.223771: | adding 1 bytes of padding (including 1 byte padding-length) Aug 26 13:10:14.223774: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:10:14.223778: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Aug 26 13:10:14.223781: | 
emitting length of IKEv2 Encryption Payload: 197 Aug 26 13:10:14.223783: | emitting length of ISAKMP Message: 225 Aug 26 13:10:14.223811: | ikev2_parent_inI2outR2_continue_tail returned STF_OK Aug 26 13:10:14.223817: | #1 spent 4.65 milliseconds in processing: Responder: process IKE_AUTH request in ikev2_process_state_packet() Aug 26 13:10:14.223825: | suspend processing: state #1 connection "eastnet-any"[2] 192.1.2.254 from 192.1.2.254:4500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:10:14.223830: | start processing: state #2 connection "eastnet-any"[2] 192.1.2.254 from 192.1.2.254:4500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:10:14.223834: | #2 complete_v2_state_transition() md.from_state=PARENT_R1 md.svm.state[from]=PARENT_R1 UNDEFINED->V2_IPSEC_R with status STF_OK Aug 26 13:10:14.223837: | IKEv2: transition from state STATE_PARENT_R1 to state STATE_V2_IPSEC_R Aug 26 13:10:14.223840: | child state #2: UNDEFINED(ignore) => V2_IPSEC_R(established CHILD SA) Aug 26 13:10:14.223842: | Message ID: updating counters for #2 to 1 after switching state Aug 26 13:10:14.223847: | Message ID: recv #1.#2 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0->1; child: wip.initiator=-1 wip.responder=1->-1 Aug 26 13:10:14.223851: | Message ID: sent #1.#2 response 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0->1 responder.recv=1; child: wip.initiator=-1 wip.responder=-1 Aug 26 13:10:14.223853: | pstats #2 ikev2.child established Aug 26 13:10:14.223861: "eastnet-any"[2] 192.1.2.254 #2: negotiated connection [192.0.2.0-192.0.2.255:0-65535 0] -> [192.0.1.0-192.0.1.255:0-65535 0] Aug 26 13:10:14.223865: | NAT-T: NAT Traversal detected - their IKE port is '500' Aug 26 13:10:14.223867: | NAT-T: encaps is 'auto' Aug 26 13:10:14.223872: "eastnet-any"[2] 192.1.2.254 #2: STATE_V2_IPSEC_R: IPsec SA established tunnel mode {ESP/NAT=>0x334ee600 <0xb61b630e xfrm=AES_GCM_16_256-NONE NATOA=none 
NATD=192.1.2.254:4500 DPD=passive} Aug 26 13:10:14.223877: | sending V2 new request packet to 192.1.2.254:4500 (from 192.1.2.23:4500) Aug 26 13:10:14.223883: | sending 229 bytes for STATE_PARENT_R1 through eth1 from 192.1.2.23:4500 to 192.1.2.254:4500 (using #1) Aug 26 13:10:14.223963: | releasing whack for #2 (sock=fd@-1) Aug 26 13:10:14.223968: | releasing whack and unpending for parent #1 Aug 26 13:10:14.223973: | unpending state #1 connection "eastnet-any"[2] 192.1.2.254 Aug 26 13:10:14.223978: | #2 will start re-keying in 28530 seconds with margin of 270 seconds (attempting re-key) Aug 26 13:10:14.223982: | event_schedule: new EVENT_SA_REKEY-pe@0x7fd1dc002b78 Aug 26 13:10:14.223986: | inserting event EVENT_SA_REKEY, timeout in 28530 seconds for #2 Aug 26 13:10:14.223990: | libevent_malloc: new ptr-libevent@0x55fd6a545108 size 128 Aug 26 13:10:14.224008: | resume sending helper answer for #1 suppresed
complete_v2_state_transition() Aug 26 13:10:14.224018: | #1 spent 5.01 milliseconds in resume sending helper answer Aug 26 13:10:14.224026: | stop processing: state #2 connection "eastnet-any"[2] 192.1.2.254 from 192.1.2.254:4500 (in resume_handler() at server.c:833) Aug 26 13:10:14.224033: | libevent_free: release ptr-libevent@0x7fd1d4000f48 Aug 26 13:10:14.224050: | processing signal PLUTO_SIGCHLD Aug 26 13:10:14.224056: | waitpid returned ECHILD (no child processes left) Aug 26 13:10:14.224062: | spent 0.00607 milliseconds in signal handler PLUTO_SIGCHLD Aug 26 13:10:14.224065: | processing signal PLUTO_SIGCHLD Aug 26 13:10:14.224070: | waitpid returned ECHILD (no child processes left) Aug 26 13:10:14.224075: | spent 0.00472 milliseconds in signal handler PLUTO_SIGCHLD Aug 26 13:10:14.224078: | processing signal PLUTO_SIGCHLD Aug 26 13:10:14.224083: | waitpid returned ECHILD (no child processes left) Aug 26 13:10:14.224088: | spent 0.00486 milliseconds in signal handler PLUTO_SIGCHLD Aug 26 13:10:14.477670: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 13:10:14.477918: | FOR_EACH_CONNECTION_... in show_connections_status Aug 26 13:10:14.477923: | FOR_EACH_CONNECTION_... in show_connections_status Aug 26 13:10:14.477997: | FOR_EACH_STATE_... in show_states_status (sort_states) Aug 26 13:10:14.478001: | FOR_EACH_STATE_... 
in sort_states Aug 26 13:10:14.478012: | get_sa_info esp.b61b630e@192.1.2.23 Aug 26 13:10:14.478026: | get_sa_info esp.334ee600@192.1.2.254 Aug 26 13:10:14.478042: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 13:10:14.478049: | spent 0.387 milliseconds in whack Aug 26 13:10:15.428316: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 13:10:15.428335: shutting down Aug 26 13:10:15.428354: | processing: RESET whack log_fd (was fd@16) (in exit_pluto() at plutomain.c:1825) Aug 26 13:10:15.428359: | certs and keys locked by 'free_preshared_secrets' Aug 26 13:10:15.428361: forgetting secrets Aug 26 13:10:15.428367: | certs and keys unlocked by 'free_preshared_secrets' Aug 26 13:10:15.428372: | start processing: connection "eastnet-any"[2] 192.1.2.254 (in delete_connection() at connections.c:189) Aug 26 13:10:15.428376: "eastnet-any"[2] 192.1.2.254: deleting connection "eastnet-any"[2] 192.1.2.254 instance with peer 192.1.2.254 {isakmp=#1/ipsec=#2} Aug 26 13:10:15.428378: | Deleting states for connection - including all other IPsec SA's of this IKE SA Aug 26 13:10:15.428380: | pass 0 Aug 26 13:10:15.428385: | FOR_EACH_STATE_... 
in foreach_state_by_connection_func_delete Aug 26 13:10:15.428387: | state #2 Aug 26 13:10:15.428390: | suspend processing: connection "eastnet-any"[2] 192.1.2.254 (in foreach_state_by_connection_func_delete() at state.c:1310) Aug 26 13:10:15.428394: | start processing: state #2 connection "eastnet-any"[2] 192.1.2.254 from 192.1.2.254:4500 (in foreach_state_by_connection_func_delete() at state.c:1310) Aug 26 13:10:15.428396: | pstats #2 ikev2.child deleted completed Aug 26 13:10:15.428400: | [RE]START processing: state #2 connection "eastnet-any"[2] 192.1.2.254 from 192.1.2.254:4500 (in delete_state() at state.c:879) Aug 26 13:10:15.428403: "eastnet-any"[2] 192.1.2.254 #2: deleting state (STATE_V2_IPSEC_R) aged 1.242s and sending notification Aug 26 13:10:15.428406: | child state #2: V2_IPSEC_R(established CHILD SA) => delete Aug 26 13:10:15.428409: | get_sa_info esp.334ee600@192.1.2.254 Aug 26 13:10:15.428421: | get_sa_info esp.b61b630e@192.1.2.23 Aug 26 13:10:15.428427: "eastnet-any"[2] 192.1.2.254 #2: ESP traffic information: in=0B out=0B Aug 26 13:10:15.428430: | #2 send IKEv2 delete notification for STATE_V2_IPSEC_R Aug 26 13:10:15.428432: | Opening output PBS informational exchange delete request Aug 26 13:10:15.428435: | **emit ISAKMP Message: Aug 26 13:10:15.428437: | initiator cookie: Aug 26 13:10:15.428438: | 09 89 39 54 70 14 c0 90 Aug 26 13:10:15.428440: | responder cookie: Aug 26 13:10:15.428441: | 8b 1d 75 ae 0c 16 35 05 Aug 26 13:10:15.428443: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 13:10:15.428445: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:10:15.428447: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Aug 26 13:10:15.428449: | flags: none (0x0) Aug 26 13:10:15.428451: | Message ID: 0 (0x0) Aug 26 13:10:15.428453: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 13:10:15.428455: | ***emit IKEv2 Encryption Payload: Aug 26 13:10:15.428457: | next payload type: 
ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:15.428459: | flags: none (0x0) Aug 26 13:10:15.428461: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Aug 26 13:10:15.428463: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'informational exchange delete request' Aug 26 13:10:15.428465: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Aug 26 13:10:15.428477: | ****emit IKEv2 Delete Payload: Aug 26 13:10:15.428479: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:15.428481: | flags: none (0x0) Aug 26 13:10:15.428483: | protocol ID: PROTO_v2_ESP (0x3) Aug 26 13:10:15.428485: | SPI size: 4 (0x4) Aug 26 13:10:15.428486: | number of SPIs: 1 (0x1) Aug 26 13:10:15.428488: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) Aug 26 13:10:15.428490: | next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'informational exchange delete request' Aug 26 13:10:15.428492: | emitting 4 raw bytes of local spis into IKEv2 Delete Payload Aug 26 13:10:15.428494: | local spis b6 1b 63 0e Aug 26 13:10:15.428496: | emitting length of IKEv2 Delete Payload: 12 Aug 26 13:10:15.428498: | adding 1 bytes of padding (including 1 byte padding-length) Aug 26 13:10:15.428500: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:10:15.428502: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Aug 26 13:10:15.428504: | emitting length of IKEv2 Encryption Payload: 41 Aug 26 13:10:15.428505: | emitting length of ISAKMP Message: 69 Aug 26 13:10:15.428526: | sending 73 bytes for delete notification through eth1 from 192.1.2.23:4500 to 192.1.2.254:4500 (using #2) Aug 26 13:10:15.428530: | 00 00 00 00 09 89 39 54 70 14 c0 90 8b 1d 75 ae Aug 26 13:10:15.428531: | 0c 16 35 05 2e 20 25 
00 00 00 00 00 00 00 00 45 Aug 26 13:10:15.428534: | 2a 00 00 29 b6 a6 67 a2 a4 19 ad aa 32 8d 7a 6c Aug 26 13:10:15.428536: | 8e 65 4e 85 c4 c2 23 6a 87 9a f7 9e 82 cb 54 f5 Aug 26 13:10:15.428538: | 87 70 8c 53 40 90 10 b4 4b Aug 26 13:10:15.428852: | Message ID: IKE #1 sender #2 in send_delete record 'n' sending delete request so forcing IKE nextuse=0->1 and sender msgid=0->0 Aug 26 13:10:15.428857: | Message ID: IKE #1 sender #2 in send_delete hacking around record ' send Aug 26 13:10:15.428862: | Message ID: sent #1 request 0; ike: initiator.sent=-1->0 initiator.recv=-1 responder.sent=1 responder.recv=1 wip.initiator=-1->0 wip.responder=-1 Aug 26 13:10:15.428865: | state #2 requesting EVENT_SA_REKEY to be deleted Aug 26 13:10:15.428870: | libevent_free: release ptr-libevent@0x55fd6a545108 Aug 26 13:10:15.428873: | free_event_entry: release EVENT_SA_REKEY-pe@0x7fd1dc002b78 Aug 26 13:10:15.428952: | running updown command "ipsec _updown" for verb down Aug 26 13:10:15.428956: | command executing down-client Aug 26 13:10:15.429001: | executing down-client: PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-any' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16396' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.254' PLUTO_PEER_ID='192.1.3.209' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1566825014' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' 
PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SP Aug 26 13:10:15.429005: | popen cmd is 1047 chars long Aug 26 13:10:15.429009: | cmd( 0):PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-any' PLUT: Aug 26 13:10:15.429012: | cmd( 80):O_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_MY_I: Aug 26 13:10:15.429015: | cmd( 160):D='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_M: Aug 26 13:10:15.429018: | cmd( 240):Y_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_R: Aug 26 13:10:15.429021: | cmd( 320):EQID='16396' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.254' PLUTO_PEER_ID='192.1.3: Aug 26 13:10:15.429024: | cmd( 400):.209' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_P: Aug 26 13:10:15.429026: | cmd( 480):EER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUT: Aug 26 13:10:15.429029: | cmd( 560):O_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1566825014' PLUTO_CONN_POLICY=': Aug 26 13:10:15.429032: | cmd( 640):PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN: Aug 26 13:10:15.429035: | cmd( 720):_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_: Aug 26 13:10:15.429037: | cmd( 800):CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' : Aug 26 13:10:15.429040: | cmd( 880):PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' V: Aug 26 13:10:15.429043: | cmd( 960):TI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x334ee600 SPI_OUT=0xb61b630e ipsec _updo: Aug 26 13:10:15.429045: | cmd(1040):wn 2>&1: Aug 26 13:10:15.436960: | shunt_eroute() called for connection 'eastnet-any' to 'replace with shunt' for rt_kind 'prospective erouted' using protoports 0--0->-0 Aug 26 13:10:15.436973: | netlink_shunt_eroute for proto 0, and source port 0 dest port 0 Aug 26 13:10:15.436977: | priority 
calculation of connection "eastnet-any" is 0xfe7e7 Aug 26 13:10:15.436980: | IPsec Sa SPD priority set to 1042407 Aug 26 13:10:15.437032: | delete esp.334ee600@192.1.2.254 Aug 26 13:10:15.437047: | netlink response for Del SA esp.334ee600@192.1.2.254 included non-error error Aug 26 13:10:15.437051: | priority calculation of connection "eastnet-any" is 0xfe7e7 Aug 26 13:10:15.437055: | delete inbound eroute 192.0.1.0/24:0 --0-> 192.0.2.0/24:0 => unk255.10000@192.1.2.23 (raw_eroute) Aug 26 13:10:15.437077: | raw_eroute result=success Aug 26 13:10:15.437082: | delete esp.b61b630e@192.1.2.23 Aug 26 13:10:15.437091: | netlink response for Del SA esp.b61b630e@192.1.2.23 included non-error error Aug 26 13:10:15.437103: | stop processing: connection "eastnet-any"[2] 192.1.2.254 (BACKGROUND) (in update_state_connection() at connections.c:4076) Aug 26 13:10:15.437107: | start processing: connection NULL (in update_state_connection() at connections.c:4077) Aug 26 13:10:15.437108: | in connection_discard for connection eastnet-any Aug 26 13:10:15.437111: | State DB: deleting IKEv2 state #2 in V2_IPSEC_R Aug 26 13:10:15.437116: | child state #2: V2_IPSEC_R(established CHILD SA) => UNDEFINED(ignore) Aug 26 13:10:15.437122: | stop processing: state #2 from 192.1.2.254:4500 (in delete_state() at state.c:1143) Aug 26 13:10:15.437132: | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312) Aug 26 13:10:15.437134: | state #1 Aug 26 13:10:15.437136: | pass 1 Aug 26 13:10:15.437138: | FOR_EACH_STATE_... 
in foreach_state_by_connection_func_delete Aug 26 13:10:15.437139: | state #1 Aug 26 13:10:15.437143: | start processing: state #1 connection "eastnet-any"[2] 192.1.2.254 from 192.1.2.254:4500 (in foreach_state_by_connection_func_delete() at state.c:1310) Aug 26 13:10:15.437146: | pstats #1 ikev2.ike deleted completed Aug 26 13:10:15.437152: | #1 spent 11.6 milliseconds in total Aug 26 13:10:15.437156: | [RE]START processing: state #1 connection "eastnet-any"[2] 192.1.2.254 from 192.1.2.254:4500 (in delete_state() at state.c:879) Aug 26 13:10:15.437159: "eastnet-any"[2] 192.1.2.254 #1: deleting state (STATE_PARENT_R2) aged 1.263s and sending notification Aug 26 13:10:15.437161: | parent state #1: PARENT_R2(established IKE SA) => delete Aug 26 13:10:15.437200: | #1 send IKEv2 delete notification for STATE_PARENT_R2 Aug 26 13:10:15.437204: | Opening output PBS informational exchange delete request Aug 26 13:10:15.437206: | **emit ISAKMP Message: Aug 26 13:10:15.437209: | initiator cookie: Aug 26 13:10:15.437210: | 09 89 39 54 70 14 c0 90 Aug 26 13:10:15.437212: | responder cookie: Aug 26 13:10:15.437214: | 8b 1d 75 ae 0c 16 35 05 Aug 26 13:10:15.437216: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 13:10:15.437218: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:10:15.437220: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Aug 26 13:10:15.437223: | flags: none (0x0) Aug 26 13:10:15.437226: | Message ID: 1 (0x1) Aug 26 13:10:15.437229: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 13:10:15.437232: | ***emit IKEv2 Encryption Payload: Aug 26 13:10:15.437235: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:15.437238: | flags: none (0x0) Aug 26 13:10:15.437242: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Aug 26 13:10:15.437245: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next 
payload type' in 'informational exchange delete request' Aug 26 13:10:15.437249: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Aug 26 13:10:15.437265: | ****emit IKEv2 Delete Payload: Aug 26 13:10:15.437268: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:15.437271: | flags: none (0x0) Aug 26 13:10:15.437273: | protocol ID: PROTO_v2_IKE (0x1) Aug 26 13:10:15.437276: | SPI size: 0 (0x0) Aug 26 13:10:15.437278: | number of SPIs: 0 (0x0) Aug 26 13:10:15.437282: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) Aug 26 13:10:15.437287: | next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'informational exchange delete request' Aug 26 13:10:15.437302: | emitting length of IKEv2 Delete Payload: 8 Aug 26 13:10:15.437305: | adding 1 bytes of padding (including 1 byte padding-length) Aug 26 13:10:15.437308: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:10:15.437311: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Aug 26 13:10:15.437314: | emitting length of IKEv2 Encryption Payload: 37 Aug 26 13:10:15.437316: | emitting length of ISAKMP Message: 65 Aug 26 13:10:15.437346: | sending 69 bytes for delete notification through eth1 from 192.1.2.23:4500 to 192.1.2.254:4500 (using #1) Aug 26 13:10:15.437351: | 00 00 00 00 09 89 39 54 70 14 c0 90 8b 1d 75 ae Aug 26 13:10:15.437354: | 0c 16 35 05 2e 20 25 00 00 00 00 01 00 00 00 41 Aug 26 13:10:15.437357: | 2a 00 00 25 de 2b e9 66 fd 38 48 2b ae 63 c3 43 Aug 26 13:10:15.437359: | 85 c2 55 33 16 ba 23 83 fb bd d1 a0 76 6e 22 56 Aug 26 13:10:15.437362: | 05 fb e6 22 95 Aug 26 13:10:15.437428: | Message ID: IKE #1 sender #1 in send_delete record 'n' sending delete request so forcing IKE nextuse=1->2 and sender msgid=0->1 Aug 26 13:10:15.437433: | Message ID: IKE #1 sender #1 in send_delete hacking around 
record ' send Aug 26 13:10:15.437438: | Message ID: #1 XXX: expecting sender.wip.initiator 0 == -1 - suspect record'n'send out-of-order?); initiator.sent=1 initiator.recv=-1 responder.sent=1 responder.recv=1 wip.initiator=1 wip.responder=-1 Aug 26 13:10:15.437443: | Message ID: sent #1 request 1; ike: initiator.sent=0->1 initiator.recv=-1 responder.sent=1 responder.recv=1 wip.initiator=0->1 wip.responder=-1 Aug 26 13:10:15.437447: | state #1 requesting EVENT_SA_REKEY to be deleted Aug 26 13:10:15.437472: | libevent_free: release ptr-libevent@0x55fd6a5490d8 Aug 26 13:10:15.437476: | free_event_entry: release EVENT_SA_REKEY-pe@0x55fd6a545808 Aug 26 13:10:15.437480: | State DB: IKEv2 state not found (flush_incomplete_children) Aug 26 13:10:15.437483: | in connection_discard for connection eastnet-any Aug 26 13:10:15.437486: | State DB: deleting IKEv2 state #1 in PARENT_R2 Aug 26 13:10:15.437489: | parent state #1: PARENT_R2(established IKE SA) => UNDEFINED(ignore) Aug 26 13:10:15.437525: | stop processing: state #1 from 192.1.2.254:4500 (in delete_state() at state.c:1143) Aug 26 13:10:15.437551: | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312) Aug 26 13:10:15.437554: | shunt_eroute() called for connection 'eastnet-any' to 'delete' for rt_kind 'unrouted' using protoports 0--0->-0 Aug 26 13:10:15.437556: | netlink_shunt_eroute for proto 0, and source port 0 dest port 0 Aug 26 13:10:15.437559: | priority calculation of connection "eastnet-any" is 0xfe7e7 Aug 26 13:10:15.437573: | priority calculation of connection "eastnet-any" is 0xfe7e7 Aug 26 13:10:15.437580: | FOR_EACH_CONNECTION_... 
in route_owner Aug 26 13:10:15.437583: | conn eastnet-any mark 0/00000000, 0/00000000 vs Aug 26 13:10:15.437585: | conn eastnet-any mark 0/00000000, 0/00000000 Aug 26 13:10:15.437587: | conn eastnet-any mark 0/00000000, 0/00000000 vs Aug 26 13:10:15.437589: | conn eastnet-any mark 0/00000000, 0/00000000 Aug 26 13:10:15.437591: | route owner of "eastnet-any" unrouted: NULL Aug 26 13:10:15.437594: | running updown command "ipsec _updown" for verb unroute Aug 26 13:10:15.437595: | command executing unroute-client Aug 26 13:10:15.437614: | executing unroute-client: PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-any' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16396' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.2.254' PLUTO_PEER_ID='192.1.3.209' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_ Aug 26 13:10:15.437618: | popen cmd is 1028 chars long Aug 26 13:10:15.437620: | cmd( 0):PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-any' P: Aug 26 13:10:15.437622: | cmd( 80):LUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_M: Aug 26 13:10:15.437624: | cmd( 160):Y_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUT: Aug 26 13:10:15.437626: | cmd( 
240):O_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_S: Aug 26 13:10:15.437627: | cmd( 320):A_REQID='16396' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.2.254' PLUTO_PEER_ID='192: Aug 26 13:10:15.437629: | cmd( 400):.1.3.209' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLU: Aug 26 13:10:15.437631: | cmd( 480):TO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' : Aug 26 13:10:15.437633: | cmd( 560):PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+E: Aug 26 13:10:15.437634: | cmd( 640):NCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND: Aug 26 13:10:15.437636: | cmd( 720):='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO: Aug 26 13:10:15.437638: | cmd( 800):='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO: Aug 26 13:10:15.437640: | cmd( 880):_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_RO: Aug 26 13:10:15.437642: | cmd( 960):UTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec _updown 2>&1: Aug 26 13:10:15.446525: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:15.446543: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:15.446545: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:15.446548: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:15.446549: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:15.446551: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:15.446552: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:15.446555: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:15.446561: unroute-client output: Error: Peer netns reference is invalid. 
Aug 26 13:10:15.446610: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:15.446617: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:15.446836: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:15.446842: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:15.446844: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:15.446846: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:15.446848: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:15.446850: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:15.446857: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:15.446899: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:15.446902: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:15.446904: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:15.446906: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:15.446908: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:15.446912: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:15.446916: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:15.446958: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:15.446961: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:15.446963: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:15.446964: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:15.446967: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:15.446969: unroute-client output: Error: Peer netns reference is invalid. 
Aug 26 13:10:15.446978: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:15.446987: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:15.446996: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:15.447005: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:15.456121: | free hp@0x55fd6a5456d8 Aug 26 13:10:15.456134: | flush revival: connection 'eastnet-any' wasn't on the list Aug 26 13:10:15.456137: | processing: STOP connection NULL (in discard_connection() at connections.c:249) Aug 26 13:10:15.456146: | start processing: connection "eastnet-any" (in delete_connection() at connections.c:189) Aug 26 13:10:15.456148: | Deleting states for connection - including all other IPsec SA's of this IKE SA Aug 26 13:10:15.456150: | pass 0 Aug 26 13:10:15.456152: | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete Aug 26 13:10:15.456153: | pass 1 Aug 26 13:10:15.456155: | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete Aug 26 13:10:15.456158: | free hp@0x55fd6a543748 Aug 26 13:10:15.456160: | flush revival: connection 'eastnet-any' wasn't on the list Aug 26 13:10:15.456163: | stop processing: connection "eastnet-any" (in discard_connection() at connections.c:249) Aug 26 13:10:15.456171: | crl fetch request list locked by 'free_crl_fetch' Aug 26 13:10:15.456173: | crl fetch request list unlocked by 'free_crl_fetch' Aug 26 13:10:15.456180: shutting down interface lo/lo 127.0.0.1:4500 Aug 26 13:10:15.456182: shutting down interface lo/lo 127.0.0.1:500 Aug 26 13:10:15.456185: shutting down interface eth0/eth0 192.0.2.254:4500 Aug 26 13:10:15.456186: shutting down interface eth0/eth0 192.0.2.254:500 Aug 26 13:10:15.456189: shutting down interface eth1/eth1 192.1.2.23:4500 Aug 26 13:10:15.456190: shutting down interface eth1/eth1 192.1.2.23:500 Aug 26 13:10:15.456193: | FOR_EACH_STATE_... 
in delete_states_dead_interfaces Aug 26 13:10:15.456202: | libevent_free: release ptr-libevent@0x55fd6a5352b8 Aug 26 13:10:15.456205: | free_event_entry: release EVENT_NULL-pe@0x55fd6a541148 Aug 26 13:10:15.456213: | libevent_free: release ptr-libevent@0x55fd6a4d11d8 Aug 26 13:10:15.456215: | free_event_entry: release EVENT_NULL-pe@0x55fd6a5411f8 Aug 26 13:10:15.456221: | libevent_free: release ptr-libevent@0x55fd6a4d3078 Aug 26 13:10:15.456223: | free_event_entry: release EVENT_NULL-pe@0x55fd6a5412a8 Aug 26 13:10:15.456228: | libevent_free: release ptr-libevent@0x55fd6a4d01c8 Aug 26 13:10:15.456230: | free_event_entry: release EVENT_NULL-pe@0x55fd6a541358 Aug 26 13:10:15.456235: | libevent_free: release ptr-libevent@0x55fd6a4a14e8 Aug 26 13:10:15.456237: | free_event_entry: release EVENT_NULL-pe@0x55fd6a541408 Aug 26 13:10:15.456242: | libevent_free: release ptr-libevent@0x55fd6a4a11d8 Aug 26 13:10:15.456244: | free_event_entry: release EVENT_NULL-pe@0x55fd6a5414b8 Aug 26 13:10:15.456247: | FOR_EACH_UNORIENTED_CONNECTION_... 
in check_orientations Aug 26 13:10:15.456677: | libevent_free: release ptr-libevent@0x55fd6a535368 Aug 26 13:10:15.456685: | free_event_entry: release EVENT_NULL-pe@0x55fd6a5290a8 Aug 26 13:10:15.456690: | libevent_free: release ptr-libevent@0x55fd6a4d2f78 Aug 26 13:10:15.456693: | free_event_entry: release EVENT_NULL-pe@0x55fd6a528568 Aug 26 13:10:15.456696: | libevent_free: release ptr-libevent@0x55fd6a50cb18 Aug 26 13:10:15.456701: | free_event_entry: release EVENT_NULL-pe@0x55fd6a529118 Aug 26 13:10:15.456704: | global timer EVENT_REINIT_SECRET uninitialized Aug 26 13:10:15.456706: | global timer EVENT_SHUNT_SCAN uninitialized Aug 26 13:10:15.456708: | global timer EVENT_PENDING_DDNS uninitialized Aug 26 13:10:15.456710: | global timer EVENT_PENDING_PHASE2 uninitialized Aug 26 13:10:15.456712: | global timer EVENT_CHECK_CRLS uninitialized Aug 26 13:10:15.456713: | global timer EVENT_REVIVE_CONNS uninitialized Aug 26 13:10:15.456715: | global timer EVENT_FREE_ROOT_CERTS uninitialized Aug 26 13:10:15.456716: | global timer EVENT_RESET_LOG_RATE_LIMIT uninitialized Aug 26 13:10:15.456718: | global timer EVENT_NAT_T_KEEPALIVE uninitialized Aug 26 13:10:15.456722: | libevent_free: release ptr-libevent@0x55fd6a4d43f8 Aug 26 13:10:15.456724: | signal event handler PLUTO_SIGCHLD uninstalled Aug 26 13:10:15.456727: | libevent_free: release ptr-libevent@0x55fd6a5408a8 Aug 26 13:10:15.456728: | signal event handler PLUTO_SIGTERM uninstalled Aug 26 13:10:15.456731: | libevent_free: release ptr-libevent@0x55fd6a5409b8 Aug 26 13:10:15.456732: | signal event handler PLUTO_SIGHUP uninstalled Aug 26 13:10:15.456734: | libevent_free: release ptr-libevent@0x55fd6a540bf8 Aug 26 13:10:15.456736: | signal event handler PLUTO_SIGSYS uninstalled Aug 26 13:10:15.456738: | releasing event base Aug 26 13:10:15.456747: | libevent_free: release ptr-libevent@0x55fd6a540ac8 Aug 26 13:10:15.456749: | libevent_free: release ptr-libevent@0x55fd6a523958 Aug 26 13:10:15.456752: | libevent_free: 
release ptr-libevent@0x55fd6a523908 Aug 26 13:10:15.456754: | libevent_free: release ptr-libevent@0x55fd6a523898 Aug 26 13:10:15.456756: | libevent_free: release ptr-libevent@0x55fd6a523858 Aug 26 13:10:15.456757: | libevent_free: release ptr-libevent@0x55fd6a540678 Aug 26 13:10:15.456759: | libevent_free: release ptr-libevent@0x55fd6a540828 Aug 26 13:10:15.456761: | libevent_free: release ptr-libevent@0x55fd6a523b08 Aug 26 13:10:15.456762: | libevent_free: release ptr-libevent@0x55fd6a528678 Aug 26 13:10:15.456764: | libevent_free: release ptr-libevent@0x55fd6a529068 Aug 26 13:10:15.456766: | libevent_free: release ptr-libevent@0x55fd6a541528 Aug 26 13:10:15.456767: | libevent_free: release ptr-libevent@0x55fd6a541478 Aug 26 13:10:15.456769: | libevent_free: release ptr-libevent@0x55fd6a5413c8 Aug 26 13:10:15.456771: | libevent_free: release ptr-libevent@0x55fd6a541318 Aug 26 13:10:15.456772: | libevent_free: release ptr-libevent@0x55fd6a541268 Aug 26 13:10:15.456774: | libevent_free: release ptr-libevent@0x55fd6a5411b8 Aug 26 13:10:15.456776: | libevent_free: release ptr-libevent@0x55fd6a4cfa18 Aug 26 13:10:15.456777: | libevent_free: release ptr-libevent@0x55fd6a540978 Aug 26 13:10:15.456779: | libevent_free: release ptr-libevent@0x55fd6a540868 Aug 26 13:10:15.456781: | libevent_free: release ptr-libevent@0x55fd6a5407e8 Aug 26 13:10:15.456782: | libevent_free: release ptr-libevent@0x55fd6a540a88 Aug 26 13:10:15.456784: | libevent_free: release ptr-libevent@0x55fd6a5406b8 Aug 26 13:10:15.456786: | libevent_free: release ptr-libevent@0x55fd6a4a0908 Aug 26 13:10:15.456788: | libevent_free: release ptr-libevent@0x55fd6a4a0d38 Aug 26 13:10:15.456789: | libevent_free: release ptr-libevent@0x55fd6a4cfd88 Aug 26 13:10:15.456791: | releasing global libevent data Aug 26 13:10:15.456793: | libevent_free: release ptr-libevent@0x55fd6a4d1598 Aug 26 13:10:15.456795: | libevent_free: release ptr-libevent@0x55fd6a4a0cd8 Aug 26 13:10:15.456797: | libevent_free: release 
ptr-libevent@0x55fd6a4a0dd8 Aug 26 13:10:15.456819: leak detective found no leaks