Aug 26 13:10:17.126392: FIPS Product: YES
Aug 26 13:10:17.126477: FIPS Kernel: NO
Aug 26 13:10:17.126479: FIPS Mode: NO
Aug 26 13:10:17.126481: NSS DB directory: sql:/etc/ipsec.d
Aug 26 13:10:17.126592: Initializing NSS
Aug 26 13:10:17.126597: Opening NSS database "sql:/etc/ipsec.d" read-only
Aug 26 13:10:17.151602: NSS initialized
Aug 26 13:10:17.151614: NSS crypto library initialized
Aug 26 13:10:17.151616: FIPS HMAC integrity support [enabled]
Aug 26 13:10:17.151617: FIPS mode disabled for pluto daemon
Aug 26 13:10:17.184668: FIPS HMAC integrity verification self-test FAILED
Aug 26 13:10:17.184968: libcap-ng support [enabled]
Aug 26 13:10:17.184974: Linux audit support [enabled]
Aug 26 13:10:17.185004: Linux audit activated
Aug 26 13:10:17.185012: Starting Pluto (Libreswan Version v3.28-685-gbfd5aef521-master-s2 XFRM(netkey) esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) DNSSEC FIPS_CHECK LABELED_IPSEC SECCOMP LIBCAP_NG LINUX_AUDIT XAUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:26352
Aug 26 13:10:17.185014: core dump dir: /tmp
Aug 26 13:10:17.185016: secrets file: /etc/ipsec.secrets
Aug 26 13:10:17.185018: leak-detective enabled
Aug 26 13:10:17.185019: NSS crypto [enabled]
Aug 26 13:10:17.185020: XAUTH PAM support [enabled]
Aug 26 13:10:17.185076: | libevent is using pluto's memory allocator
Aug 26 13:10:17.185081: Initializing libevent in pthreads mode: headers: 2.1.8-stable (2010800); library: 2.1.8-stable (2010800)
Aug 26 13:10:17.185093: | libevent_malloc: new ptr-libevent@0x55abb30b45a8 size 40
Aug 26 13:10:17.185100: | libevent_malloc: new ptr-libevent@0x55abb3083cd8 size 40
Aug 26 13:10:17.185103: | libevent_malloc: new ptr-libevent@0x55abb3083dd8 size 40
Aug 26 13:10:17.185104: | creating event base
Aug 26 13:10:17.185106: | libevent_malloc: new ptr-libevent@0x55abb31068a8 size 56
Aug 26 13:10:17.185110: | libevent_malloc: new ptr-libevent@0x55abb30b2d98 size 664
Aug 26 13:10:17.185119: | libevent_malloc: new ptr-libevent@0x55abb3106918 size 24
Aug 26 13:10:17.185121: | libevent_malloc: new ptr-libevent@0x55abb3106968 size 384
Aug 26 13:10:17.185128: | libevent_malloc: new ptr-libevent@0x55abb3106868 size 16
Aug 26 13:10:17.185130: | libevent_malloc: new ptr-libevent@0x55abb3083908 size 40
Aug 26 13:10:17.185132: | libevent_malloc: new ptr-libevent@0x55abb3083d38 size 48
Aug 26 13:10:17.185135: | libevent_realloc: new ptr-libevent@0x55abb30b2a28 size 256
Aug 26 13:10:17.185137: | libevent_malloc: new ptr-libevent@0x55abb3106b18 size 16
Aug 26 13:10:17.185141: | libevent_free: release ptr-libevent@0x55abb31068a8
Aug 26 13:10:17.185144: | libevent initialized
Aug 26 13:10:17.185147: | libevent_realloc: new ptr-libevent@0x55abb31068a8 size 64
Aug 26 13:10:17.185151: | global periodic timer EVENT_RESET_LOG_RATE_LIMIT enabled with interval of 3600 seconds
Aug 26 13:10:17.185161: | init_nat_traversal() initialized with keep_alive=0s
Aug 26 13:10:17.185163: NAT-Traversal support [enabled]
Aug 26 13:10:17.185165: | global one-shot timer EVENT_NAT_T_KEEPALIVE initialized
Aug 26 13:10:17.185169: | global one-shot timer EVENT_FREE_ROOT_CERTS initialized
Aug 26 13:10:17.185172: | global periodic timer EVENT_REINIT_SECRET enabled with interval of 3600 seconds
Aug 26 13:10:17.185199: | global one-shot timer EVENT_REVIVE_CONNS initialized
Aug 26 13:10:17.185201: | global periodic timer EVENT_PENDING_DDNS enabled with interval of 60 seconds
Aug 26 13:10:17.185203: | global periodic timer EVENT_PENDING_PHASE2 enabled with interval of 120 seconds
Aug 26 13:10:17.185235: Encryption algorithms:
Aug 26 13:10:17.185241: AES_CCM_16 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm, aes_ccm_c
Aug 26 13:10:17.185244: AES_CCM_12 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_b
Aug 26 13:10:17.185246: AES_CCM_8 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_a
Aug 26 13:10:17.185249: 3DES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS [*192] 3des
Aug 26 13:10:17.185251: CAMELLIA_CTR IKEv1: ESP IKEv2: ESP {256,192,*128}
Aug 26 13:10:17.185257: CAMELLIA_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} camellia
Aug 26 13:10:17.185260: AES_GCM_16 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm, aes_gcm_c
Aug 26 13:10:17.185262: AES_GCM_12 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_b
Aug 26 13:10:17.185264: AES_GCM_8 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_a
Aug 26 13:10:17.185267: AES_CTR IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aesctr
Aug 26 13:10:17.185269: AES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aes
Aug 26 13:10:17.185271: SERPENT_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} serpent
Aug 26 13:10:17.185273: TWOFISH_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} twofish
Aug 26 13:10:17.185276: TWOFISH_SSH IKEv1: IKE IKEv2: IKE ESP {256,192,*128} twofish_cbc_ssh
Aug 26 13:10:17.185278: NULL_AUTH_AES_GMAC IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_gmac
Aug 26 13:10:17.185280: NULL IKEv1: ESP IKEv2: ESP []
Aug 26 13:10:17.185282: CHACHA20_POLY1305 IKEv1: IKEv2: IKE ESP [*256] chacha20poly1305
Aug 26 13:10:17.185287: Hash algorithms:
Aug 26 13:10:17.185322: MD5 IKEv1: IKE IKEv2:
Aug 26 13:10:17.185325: SHA1 IKEv1: IKE IKEv2: FIPS sha
Aug 26 13:10:17.185327: SHA2_256 IKEv1: IKE IKEv2: FIPS sha2, sha256
Aug 26 13:10:17.185329: SHA2_384 IKEv1: IKE IKEv2: FIPS sha384
Aug 26 13:10:17.185331: SHA2_512 IKEv1: IKE IKEv2: FIPS sha512
Aug 26 13:10:17.185340: PRF algorithms:
Aug 26 13:10:17.185342: HMAC_MD5 IKEv1: IKE IKEv2: IKE md5
Aug 26 13:10:17.185344: HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS sha, sha1
Aug 26 13:10:17.185346: HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS sha2, sha256, sha2_256
Aug 26 13:10:17.185348: HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS sha384, sha2_384
Aug 26 13:10:17.185350: HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS sha512, sha2_512
Aug 26 13:10:17.185352: AES_XCBC IKEv1: IKEv2: IKE aes128_xcbc
Aug 26 13:10:17.185381: Integrity algorithms:
Aug 26 13:10:17.185383: HMAC_MD5_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH md5, hmac_md5
Aug 26 13:10:17.185386: HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha, sha1, sha1_96, hmac_sha1
Aug 26 13:10:17.185388: HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha512, sha2_512, sha2_512_256, hmac_sha2_512
Aug 26 13:10:17.185390: HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha384, sha2_384, sha2_384_192, hmac_sha2_384
Aug 26 13:10:17.185393: HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256
Aug 26 13:10:17.185395: HMAC_SHA2_256_TRUNCBUG IKEv1: ESP AH IKEv2: AH
Aug 26 13:10:17.185397: AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP AH aes_xcbc, aes128_xcbc, aes128_xcbc_96
Aug 26 13:10:17.185399: AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS aes_cmac
Aug 26 13:10:17.185401: NONE IKEv1: ESP IKEv2: IKE ESP FIPS null
Aug 26 13:10:17.185408: DH algorithms:
Aug 26 13:10:17.185410: NONE IKEv1: IKEv2: IKE ESP AH FIPS null, dh0
Aug 26 13:10:17.185412: MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH dh5
Aug 26 13:10:17.185414: MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh14
Aug 26 13:10:17.185418: MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh15
Aug 26 13:10:17.185419: MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh16
Aug 26 13:10:17.185421: MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh17
Aug 26 13:10:17.185423: MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh18
Aug 26 13:10:17.185425: DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_256, ecp256
Aug 26 13:10:17.185427: DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_384, ecp384
Aug 26 13:10:17.185429: DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_521, ecp521
Aug 26 13:10:17.185431: DH31 IKEv1: IKE IKEv2: IKE ESP AH curve25519
Aug 26 13:10:17.185432: testing CAMELLIA_CBC:
Aug 26 13:10:17.185434: Camellia: 16 bytes with 128-bit key
Aug 26 13:10:17.185526: Camellia: 16 bytes with 128-bit key
Aug 26 13:10:17.185545: Camellia: 16 bytes with 256-bit key
Aug 26 13:10:17.185564: Camellia: 16 bytes with 256-bit key
Aug 26 13:10:17.185581: testing AES_GCM_16:
Aug 26 13:10:17.185583: empty string
Aug 26 13:10:17.185601: one block
Aug 26 13:10:17.185617: two blocks
Aug 26 13:10:17.185633: two blocks with associated data
Aug 26 13:10:17.185649: testing AES_CTR:
Aug 26 13:10:17.185651: Encrypting 16 octets using AES-CTR with 128-bit key
Aug 26 13:10:17.185667: Encrypting 32 octets using AES-CTR with 128-bit key
Aug 26 13:10:17.185684: Encrypting 36 octets using AES-CTR with 128-bit key
Aug 26 13:10:17.185701: Encrypting 16 octets using AES-CTR with 192-bit key
Aug 26 13:10:17.185718: Encrypting 32 octets using AES-CTR with 192-bit key
Aug 26 13:10:17.185735: Encrypting 36 octets using AES-CTR with 192-bit key
Aug 26 13:10:17.185752: Encrypting 16 octets using AES-CTR with 256-bit key
Aug 26 13:10:17.185768: Encrypting 32 octets using AES-CTR with 256-bit key
Aug 26 13:10:17.185784: Encrypting 36 octets using AES-CTR with 256-bit key
Aug 26 13:10:17.185801: testing AES_CBC:
Aug 26 13:10:17.185803: Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key
Aug 26 13:10:17.185819: Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key
Aug 26 13:10:17.185836: Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key
Aug 26 13:10:17.185853: Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key
Aug 26 13:10:17.185873: testing AES_XCBC:
Aug 26 13:10:17.185875: RFC 3566 Test Case #1: AES-XCBC-MAC-96 with 0-byte input
Aug 26 13:10:17.185947: RFC 3566 Test Case #2: AES-XCBC-MAC-96 with 3-byte input
Aug 26 13:10:17.186026: RFC 3566 Test Case #3: AES-XCBC-MAC-96 with 16-byte input
Aug 26 13:10:17.186100: RFC 3566 Test Case #4: AES-XCBC-MAC-96 with 20-byte input
Aug 26 13:10:17.186176: RFC 3566 Test Case #5: AES-XCBC-MAC-96 with 32-byte input
Aug 26 13:10:17.186252: RFC 3566 Test Case #6: AES-XCBC-MAC-96 with 34-byte input
Aug 26 13:10:17.186363: RFC 3566 Test Case #7: AES-XCBC-MAC-96 with 1000-byte input
Aug 26 13:10:17.186531: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 16)
Aug 26 13:10:17.186607: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10)
Aug 26 13:10:17.186688: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18)
Aug 26 13:10:17.186830: testing HMAC_MD5:
Aug 26 13:10:17.186832: RFC 2104: MD5_HMAC test 1
Aug 26 13:10:17.186934: RFC 2104: MD5_HMAC test 2
Aug 26 13:10:17.187025: RFC 2104: MD5_HMAC test 3
Aug 26 13:10:17.187167: 8 CPU cores online
Aug 26 13:10:17.187171: starting up 7 crypto helpers
Aug 26 13:10:17.187197: started thread for crypto helper 0
Aug 26 13:10:17.187224: | starting up helper thread 0
Aug 26 13:10:17.187234: | starting up helper thread 1
Aug 26 13:10:17.187227: started thread for crypto helper 1
Aug 26 13:10:17.187255: | status value returned by setting the priority of this thread (crypto helper 1) 22
Aug 26 13:10:17.187250: | status value returned by setting the priority of this thread (crypto helper 0) 22
Aug 26 13:10:17.187259: | crypto helper 1 waiting (nothing to do)
Aug 26 13:10:17.187271: | crypto helper 0 waiting (nothing to do)
Aug 26 13:10:17.187274: started thread for crypto helper 2
Aug 26 13:10:17.187279: | starting up helper thread 2
Aug 26 13:10:17.187287: | status value returned by setting the priority of this thread (crypto helper 2) 22
Aug 26 13:10:17.187296: started thread for crypto helper 3
Aug 26 13:10:17.187299: | starting up helper thread 3
Aug 26 13:10:17.187309: | status value returned by setting the priority of this thread (crypto helper 3) 22
Aug 26 13:10:17.187299: | crypto helper 2 waiting (nothing to do)
Aug 26 13:10:17.187324: started thread for crypto helper 4
Aug 26 13:10:17.187327: | starting up helper thread 4
Aug 26 13:10:17.187328: | crypto helper 3 waiting (nothing to do)
Aug 26 13:10:17.187341: | status value returned by setting the priority of this thread (crypto helper 4) 22
Aug 26 13:10:17.187355: | crypto helper 4 waiting (nothing to do)
Aug 26 13:10:17.187359: started thread for crypto helper 5
Aug 26 13:10:17.187368: | starting up helper thread 5
Aug 26 13:10:17.187375: | status value returned by setting the priority of this thread (crypto helper 5) 22
Aug 26 13:10:17.187376: started thread for crypto helper 6
Aug 26 13:10:17.187379: | starting up helper thread 6
Aug 26 13:10:17.187380: | crypto helper 5 waiting (nothing to do)
Aug 26 13:10:17.187390: | checking IKEv1 state table
Aug 26 13:10:17.187389: | status value returned by setting the priority of this thread (crypto helper 6) 22
Aug 26 13:10:17.187398: | crypto helper 6 waiting (nothing to do)
Aug 26 13:10:17.187398: | MAIN_R0: category: half-open IKE SA flags: 0:
Aug 26 13:10:17.187420: | -> MAIN_R1 EVENT_SO_DISCARD
Aug 26 13:10:17.187422: | MAIN_I1: category: half-open IKE SA flags: 0:
Aug 26 13:10:17.187424: | -> MAIN_I2 EVENT_RETRANSMIT
Aug 26 13:10:17.187426: | MAIN_R1: category: open IKE SA flags: 200:
Aug 26 13:10:17.187427: | -> MAIN_R2 EVENT_RETRANSMIT
Aug 26 13:10:17.187429: | -> UNDEFINED EVENT_RETRANSMIT
Aug 26 13:10:17.187430: | -> UNDEFINED EVENT_RETRANSMIT
Aug 26 13:10:17.187432: | MAIN_I2: category: open IKE SA flags: 0:
Aug 26 13:10:17.187433: | -> MAIN_I3 EVENT_RETRANSMIT
Aug 26 13:10:17.187435: | -> UNDEFINED EVENT_RETRANSMIT
Aug 26 13:10:17.187436: | -> UNDEFINED EVENT_RETRANSMIT
Aug 26 13:10:17.187438: | MAIN_R2: category: open IKE SA flags: 0:
Aug 26 13:10:17.187440: | -> MAIN_R3 EVENT_SA_REPLACE
Aug 26 13:10:17.187441: | -> MAIN_R3 EVENT_SA_REPLACE
Aug 26 13:10:17.187442: | -> UNDEFINED EVENT_SA_REPLACE
Aug 26 13:10:17.187444: | MAIN_I3: category: open IKE SA flags: 0:
Aug 26 13:10:17.187446: | -> MAIN_I4 EVENT_SA_REPLACE
Aug 26 13:10:17.187447: | -> MAIN_I4 EVENT_SA_REPLACE
Aug 26 13:10:17.187449: | -> UNDEFINED EVENT_SA_REPLACE
Aug 26 13:10:17.187450: | MAIN_R3: category: established IKE SA flags: 200:
Aug 26 13:10:17.187452: | -> UNDEFINED EVENT_NULL
Aug 26 13:10:17.187454: | MAIN_I4: category: established IKE SA flags: 0:
Aug 26 13:10:17.187455: | -> UNDEFINED EVENT_NULL
Aug 26 13:10:17.187457: | AGGR_R0: category: half-open IKE SA flags: 0:
Aug 26 13:10:17.187458: | -> AGGR_R1 EVENT_SO_DISCARD
Aug 26 13:10:17.187460: | AGGR_I1: category: half-open IKE SA flags: 0:
Aug 26 13:10:17.187462: | -> AGGR_I2 EVENT_SA_REPLACE
Aug 26 13:10:17.187463: | -> AGGR_I2 EVENT_SA_REPLACE
Aug 26 13:10:17.187465: | AGGR_R1: category: open IKE SA flags: 200:
Aug 26 13:10:17.187466: | -> AGGR_R2 EVENT_SA_REPLACE
Aug 26 13:10:17.187468: | -> AGGR_R2 EVENT_SA_REPLACE
Aug 26 13:10:17.187469: | AGGR_I2: category: established IKE SA flags: 200:
Aug 26 13:10:17.187471: | -> UNDEFINED EVENT_NULL
Aug 26 13:10:17.187473: | AGGR_R2: category: established IKE SA flags: 0:
Aug 26 13:10:17.187474: | -> UNDEFINED EVENT_NULL
Aug 26 13:10:17.187476: | QUICK_R0: category: established CHILD SA flags: 0:
Aug 26 13:10:17.187477: | -> QUICK_R1 EVENT_RETRANSMIT
Aug 26 13:10:17.187482: | QUICK_I1: category: established CHILD SA flags: 0:
Aug 26 13:10:17.187483: | -> QUICK_I2 EVENT_SA_REPLACE
Aug 26 13:10:17.187485: | QUICK_R1: category: established CHILD SA flags: 0:
Aug 26 13:10:17.187486: | -> QUICK_R2 EVENT_SA_REPLACE
Aug 26 13:10:17.187488: | QUICK_I2: category: established CHILD SA flags: 200:
Aug 26 13:10:17.187490: | -> UNDEFINED EVENT_NULL
Aug 26 13:10:17.187491: | QUICK_R2: category: established CHILD SA flags: 0:
Aug 26 13:10:17.187493: | -> UNDEFINED EVENT_NULL
Aug 26 13:10:17.187495: | INFO: category: informational flags: 0:
Aug 26 13:10:17.187496: | -> UNDEFINED EVENT_NULL
Aug 26 13:10:17.187498: | INFO_PROTECTED: category: informational flags: 0:
Aug 26 13:10:17.187499: | -> UNDEFINED EVENT_NULL
Aug 26 13:10:17.187501: | XAUTH_R0: category: established IKE SA flags: 0:
Aug 26 13:10:17.187502: | -> XAUTH_R1 EVENT_NULL
Aug 26 13:10:17.187504: | XAUTH_R1: category: established IKE SA flags: 0:
Aug 26 13:10:17.187506: | -> MAIN_R3 EVENT_SA_REPLACE
Aug 26 13:10:17.187507: | MODE_CFG_R0: category: informational flags: 0:
Aug 26 13:10:17.187509: | -> MODE_CFG_R1 EVENT_SA_REPLACE
Aug 26 13:10:17.187511: | MODE_CFG_R1: category: established IKE SA flags: 0:
Aug 26 13:10:17.187512: | -> MODE_CFG_R2 EVENT_SA_REPLACE
Aug 26 13:10:17.187514: | MODE_CFG_R2: category: established IKE SA flags: 0:
Aug 26 13:10:17.187515: | -> UNDEFINED EVENT_NULL
Aug 26 13:10:17.187517: | MODE_CFG_I1: category: established IKE SA flags: 0:
Aug 26 13:10:17.187519: | -> MAIN_I4 EVENT_SA_REPLACE
Aug 26 13:10:17.187520: | XAUTH_I0: category: established IKE SA flags: 0:
Aug 26 13:10:17.187522: | -> XAUTH_I1 EVENT_RETRANSMIT
Aug 26 13:10:17.187524: | XAUTH_I1: category: established IKE SA flags: 0:
Aug 26 13:10:17.187525: | -> MAIN_I4 EVENT_RETRANSMIT
Aug 26 13:10:17.187530: | checking IKEv2 state table
Aug 26 13:10:17.187534: | PARENT_I0: category: ignore flags: 0:
Aug 26 13:10:17.187536: | -> PARENT_I1 EVENT_RETRANSMIT send-request (initiate IKE_SA_INIT)
Aug 26 13:10:17.187538: | PARENT_I1: category: half-open IKE SA flags: 0:
Aug 26 13:10:17.187540: | -> PARENT_I1 EVENT_RETAIN send-request (Initiator: process SA_INIT reply notification)
Aug 26 13:10:17.187542: | -> PARENT_I2 EVENT_RETRANSMIT send-request (Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH)
Aug 26 13:10:17.187543: | PARENT_I2: category: open IKE SA flags: 0:
Aug 26 13:10:17.187545: | -> PARENT_I2 EVENT_NULL (Initiator: process INVALID_SYNTAX AUTH notification)
Aug 26 13:10:17.187547: | -> PARENT_I2 EVENT_NULL (Initiator: process AUTHENTICATION_FAILED AUTH notification)
Aug 26 13:10:17.187549: | -> PARENT_I2 EVENT_NULL (Initiator: process UNSUPPORTED_CRITICAL_PAYLOAD AUTH notification)
Aug 26 13:10:17.187550: | -> V2_IPSEC_I EVENT_SA_REPLACE (Initiator: process IKE_AUTH response)
Aug 26 13:10:17.187552: | -> PARENT_I2 EVENT_NULL (IKE SA: process IKE_AUTH response containing unknown notification)
Aug 26 13:10:17.187554: | PARENT_I3: category: established IKE SA flags: 0:
Aug 26 13:10:17.187556: | -> PARENT_I3 EVENT_RETAIN (I3: Informational Request)
Aug 26 13:10:17.187557: | -> PARENT_I3 EVENT_RETAIN (I3: Informational Response)
Aug 26 13:10:17.187559: | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Request)
Aug 26 13:10:17.187560: | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Response)
Aug 26 13:10:17.187562: | PARENT_R0: category: half-open IKE SA flags: 0:
Aug 26 13:10:17.187564: | -> PARENT_R1 EVENT_SO_DISCARD send-request (Respond to IKE_SA_INIT)
Aug 26 13:10:17.187566: | PARENT_R1: category: half-open IKE SA flags: 0:
Aug 26 13:10:17.187567: | -> PARENT_R1 EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request (no SKEYSEED))
Aug 26 13:10:17.187569: | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request)
Aug 26 13:10:17.187571: | PARENT_R2: category: established IKE SA flags: 0:
Aug 26 13:10:17.187573: | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Request)
Aug 26 13:10:17.187577: | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Response)
Aug 26 13:10:17.187579: | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Request)
Aug 26 13:10:17.187581: | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Response)
Aug 26 13:10:17.187583: | V2_CREATE_I0: category: established IKE SA flags: 0:
Aug 26 13:10:17.187584: | -> V2_CREATE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec SA)
Aug 26 13:10:17.187586: | V2_CREATE_I: category: established IKE SA flags: 0:
Aug 26 13:10:17.187588: | -> V2_IPSEC_I EVENT_SA_REPLACE (Process CREATE_CHILD_SA IPsec SA Response)
Aug 26 13:10:17.187590: | V2_REKEY_IKE_I0: category: established IKE SA flags: 0:
Aug 26 13:10:17.187591: | -> V2_REKEY_IKE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IKE Rekey)
Aug 26 13:10:17.187593: | V2_REKEY_IKE_I: category: established IKE SA flags: 0:
Aug 26 13:10:17.187595: | -> PARENT_I3 EVENT_SA_REPLACE (Process CREATE_CHILD_SA IKE Rekey Response)
Aug 26 13:10:17.187597: | V2_REKEY_CHILD_I0: category: established IKE SA flags: 0:
Aug 26 13:10:17.187599: | -> V2_REKEY_CHILD_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec Rekey SA)
Aug 26 13:10:17.187600: | V2_REKEY_CHILD_I: category: established IKE SA flags: 0:
Aug 26 13:10:17.187602: | V2_CREATE_R: category: established IKE SA flags: 0:
Aug 26 13:10:17.187604: | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IPsec SA Request)
Aug 26 13:10:17.187606: | V2_REKEY_IKE_R: category: established IKE SA flags: 0:
Aug 26 13:10:17.187607: | -> PARENT_R2 EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IKE Rekey)
Aug 26 13:10:17.187609: | V2_REKEY_CHILD_R: category: established IKE SA flags: 0:
Aug 26 13:10:17.187611: | V2_IPSEC_I: category: established CHILD SA flags: 0:
Aug 26 13:10:17.187613: | V2_IPSEC_R: category: established CHILD SA flags: 0:
Aug 26 13:10:17.187615: | IKESA_DEL: category: established IKE SA flags: 0:
Aug 26 13:10:17.187616: | -> IKESA_DEL EVENT_RETAIN (IKE_SA_DEL: process INFORMATIONAL)
Aug 26 13:10:17.187618: | CHILDSA_DEL: category: informational flags: 0:
Aug 26 13:10:17.187645: Using Linux XFRM/NETKEY IPsec interface code on 5.1.18-200.fc29.x86_64
Aug 26 13:10:17.187887: | Hard-wiring algorithms
Aug 26 13:10:17.187890: | adding AES_CCM_16 to kernel algorithm db
Aug 26 13:10:17.187893: | adding AES_CCM_12 to kernel algorithm db
Aug 26 13:10:17.187895: | adding AES_CCM_8 to kernel algorithm db
Aug 26 13:10:17.187897: | adding 3DES_CBC to kernel algorithm db
Aug 26 13:10:17.187898: | adding CAMELLIA_CBC to kernel algorithm db
Aug 26 13:10:17.187900: | adding AES_GCM_16 to kernel algorithm db
Aug 26 13:10:17.187901: | adding AES_GCM_12 to kernel algorithm db
Aug 26 13:10:17.187903: | adding AES_GCM_8 to kernel algorithm db
Aug 26 13:10:17.187905: | adding AES_CTR to kernel algorithm db
Aug 26 13:10:17.187906: | adding AES_CBC to kernel algorithm db
Aug 26 13:10:17.187908: | adding SERPENT_CBC to kernel algorithm db
Aug 26 13:10:17.187909: | adding TWOFISH_CBC to kernel algorithm db
Aug 26 13:10:17.187911: | adding NULL_AUTH_AES_GMAC to kernel algorithm db
Aug 26 13:10:17.187913: | adding NULL to kernel algorithm db
Aug 26 13:10:17.187914: | adding CHACHA20_POLY1305 to kernel algorithm db
Aug 26 13:10:17.187916: | adding HMAC_MD5_96 to kernel algorithm db
Aug 26 13:10:17.187918: | adding HMAC_SHA1_96 to kernel algorithm db
Aug 26 13:10:17.187919: | adding HMAC_SHA2_512_256 to kernel algorithm db
Aug 26 13:10:17.187921: | adding HMAC_SHA2_384_192 to kernel algorithm db
Aug 26 13:10:17.187922: | adding HMAC_SHA2_256_128 to kernel algorithm db
Aug 26 13:10:17.187924: | adding HMAC_SHA2_256_TRUNCBUG to kernel algorithm db
Aug 26 13:10:17.187925: | adding AES_XCBC_96 to kernel algorithm db
Aug 26 13:10:17.187927: | adding AES_CMAC_96 to kernel algorithm db
Aug 26 13:10:17.187929: | adding NONE to kernel algorithm db
Aug 26 13:10:17.187945: | net.ipv6.conf.all.disable_ipv6=1 ignore ipv6 holes
Aug 26 13:10:17.187949: | global periodic timer EVENT_SHUNT_SCAN enabled with interval of 20 seconds
Aug 26 13:10:17.187951: | setup kernel fd callback
Aug 26 13:10:17.187953: | add_fd_read_event_handler: new KERNEL_XRM_FD-pe@0x55abb310c128
Aug 26 13:10:17.187956: | libevent_malloc: new ptr-libevent@0x55abb30efb28 size 128
Aug 26 13:10:17.187958: | libevent_malloc: new ptr-libevent@0x55abb310b688 size 16
Aug 26 13:10:17.187962: | add_fd_read_event_handler: new KERNEL_ROUTE_FD-pe@0x55abb310b578
Aug 26 13:10:17.187965: | libevent_malloc: new ptr-libevent@0x55abb30b5f88 size 128
Aug 26 13:10:17.187967: | libevent_malloc: new ptr-libevent@0x55abb310c078 size 16
Aug 26 13:10:17.188107: | global one-shot timer EVENT_CHECK_CRLS initialized
Aug 26 13:10:17.188113: selinux support is enabled.
Aug 26 13:10:17.188590: | unbound context created - setting debug level to 5
Aug 26 13:10:17.188613: | /etc/hosts lookups activated
Aug 26 13:10:17.188639: | /etc/resolv.conf usage activated
Aug 26 13:10:17.188688: | outgoing-port-avoid set 0-65535
Aug 26 13:10:17.188705: | outgoing-port-permit set 32768-60999
Aug 26 13:10:17.188707: | Loading dnssec root key from:/var/lib/unbound/root.key
Aug 26 13:10:17.188709: | No additional dnssec trust anchors defined via dnssec-trusted= option
Aug 26 13:10:17.188712: | Setting up events, loop start
Aug 26 13:10:17.188714: | add_fd_read_event_handler: new PLUTO_CTL_FD-pe@0x55abb310c0b8
Aug 26 13:10:17.188716: | libevent_malloc: new ptr-libevent@0x55abb3118378 size 128
Aug 26 13:10:17.188718: | libevent_malloc: new ptr-libevent@0x55abb3123688 size 16
Aug 26 13:10:17.188722: | libevent_realloc: new ptr-libevent@0x55abb31236c8 size 256
Aug 26 13:10:17.188724: | libevent_malloc: new ptr-libevent@0x55abb31237f8 size 8
Aug 26 13:10:17.188726: | libevent_realloc: new ptr-libevent@0x55abb30b32d8 size 144
Aug 26 13:10:17.188728: | libevent_malloc: new ptr-libevent@0x55abb30b7408 size 152
Aug 26 13:10:17.188731: | libevent_malloc: new ptr-libevent@0x55abb3123838 size 16
Aug 26 13:10:17.188733: | signal event handler PLUTO_SIGCHLD installed
Aug 26 13:10:17.188735: | libevent_malloc: new ptr-libevent@0x55abb3123878 size 8
Aug 26 13:10:17.188737: | libevent_malloc: new ptr-libevent@0x55abb31238b8 size 152
Aug 26 13:10:17.188739: | signal event handler PLUTO_SIGTERM installed
Aug 26 13:10:17.188741: | libevent_malloc: new ptr-libevent@0x55abb3123988 size 8
Aug 26 13:10:17.188742: | libevent_malloc: new ptr-libevent@0x55abb31239c8 size 152
Aug 26 13:10:17.188744: | signal event handler PLUTO_SIGHUP installed
Aug 26 13:10:17.188746: | libevent_malloc: new ptr-libevent@0x55abb3123a98 size 8
Aug 26 13:10:17.188748: | libevent_realloc: release ptr-libevent@0x55abb30b32d8
Aug 26 13:10:17.188750: | libevent_realloc: new ptr-libevent@0x55abb3123ad8 size 256
Aug 26 13:10:17.188752: | libevent_malloc: new ptr-libevent@0x55abb3123c08 size 152
Aug 26 13:10:17.188754: | signal event handler PLUTO_SIGSYS installed
Aug 26 13:10:17.189020: | created addconn helper (pid:26399) using fork+execve
Aug 26 13:10:17.189035: | forked child 26399
Aug 26 13:10:17.189111: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
Aug 26 13:10:17.189338: listening for IKE messages
Aug 26 13:10:17.189627: | Inspecting interface lo
Aug 26 13:10:17.189633: | found lo with address 127.0.0.1
Aug 26 13:10:17.189635: | Inspecting interface eth0
Aug 26 13:10:17.189638: | found eth0 with address 192.0.2.254
Aug 26 13:10:17.189640: | Inspecting interface eth1
Aug 26 13:10:17.189643: | found eth1 with address 192.1.2.23
Aug 26 13:10:17.189739: Kernel supports NIC esp-hw-offload
Aug 26 13:10:17.189748: adding interface eth1/eth1 (esp-hw-offload not supported by kernel) 192.1.2.23:500
Aug 26 13:10:17.189809: | NAT-Traversal: Trying sockopt style NAT-T
Aug 26 13:10:17.189813: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4
Aug 26 13:10:17.189816: adding interface eth1/eth1 192.1.2.23:4500
Aug 26 13:10:17.189854: adding interface eth0/eth0 (esp-hw-offload not supported by kernel) 192.0.2.254:500
Aug 26 13:10:17.189870: | NAT-Traversal: Trying sockopt style NAT-T
Aug 26 13:10:17.189873: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4
Aug 26 13:10:17.189876: adding interface eth0/eth0 192.0.2.254:4500
Aug 26 13:10:17.189906: adding interface lo/lo (esp-hw-offload not supported by kernel) 127.0.0.1:500
Aug 26 13:10:17.189933: | NAT-Traversal: Trying sockopt style NAT-T
Aug 26 13:10:17.189935: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4
Aug 26 13:10:17.189938: adding interface lo/lo 127.0.0.1:4500
Aug 26 13:10:17.190024: | no interfaces to sort
Aug 26 13:10:17.190028: | FOR_EACH_UNORIENTED_CONNECTION_... in check_orientations
Aug 26 13:10:17.190033: | add_fd_read_event_handler: new ethX-pe@0x55abb3124158
Aug 26 13:10:17.190036: | libevent_malloc: new ptr-libevent@0x55abb31182c8 size 128
Aug 26 13:10:17.190038: | libevent_malloc: new ptr-libevent@0x55abb31241c8 size 16
Aug 26 13:10:17.190042: | setup callback for interface lo 127.0.0.1:4500 fd 22
Aug 26 13:10:17.190044: | add_fd_read_event_handler: new ethX-pe@0x55abb3124208
Aug 26 13:10:17.190047: | libevent_malloc: new ptr-libevent@0x55abb30b41e8 size 128
Aug 26 13:10:17.190049: | libevent_malloc: new ptr-libevent@0x55abb3124278 size 16
Aug 26 13:10:17.190052: | setup callback for interface lo 127.0.0.1:500 fd 21
Aug 26 13:10:17.190054: | add_fd_read_event_handler: new ethX-pe@0x55abb31242b8
Aug 26 13:10:17.190056: | libevent_malloc: new ptr-libevent@0x55abb30b6088 size 128
Aug 26 13:10:17.190058: | libevent_malloc: new ptr-libevent@0x55abb3124328 size 16
Aug 26 13:10:17.190061: | setup callback for interface eth0 192.0.2.254:4500 fd 20
Aug 26 13:10:17.190063: | add_fd_read_event_handler: new ethX-pe@0x55abb3124368
Aug 26 13:10:17.190065: | libevent_malloc: new ptr-libevent@0x55abb30b31d8 size 128
Aug 26 13:10:17.190067: | libevent_malloc: new ptr-libevent@0x55abb31243d8 size 16
Aug 26 13:10:17.190070: | setup callback for interface eth0 192.0.2.254:500 fd 19
Aug 26 13:10:17.190072: | add_fd_read_event_handler: new ethX-pe@0x55abb3124418
Aug 26 13:10:17.190075: | libevent_malloc: new ptr-libevent@0x55abb30844e8 size 128
Aug 26 13:10:17.190076: | libevent_malloc: new ptr-libevent@0x55abb3124488 size 16
Aug 26 13:10:17.190079: | setup callback for interface eth1 192.1.2.23:4500 fd 18
Aug 26 13:10:17.190081: | add_fd_read_event_handler: new ethX-pe@0x55abb31244c8
Aug 26 13:10:17.190083: | libevent_malloc: new ptr-libevent@0x55abb30841d8 size 128
Aug 26 13:10:17.190085: | libevent_malloc: new ptr-libevent@0x55abb3124538 size 16
Aug 26 13:10:17.190088: | setup callback for interface eth1 192.1.2.23:500 fd 17
Aug 26 13:10:17.190091: | certs and keys locked by 'free_preshared_secrets'
Aug 26 13:10:17.190093: | certs and keys unlocked by 'free_preshared_secrets'
Aug 26 13:10:17.190108: loading secrets from "/etc/ipsec.secrets"
Aug 26 13:10:17.190117: | id type added to secret(0x55abb307fc48) PKK_PSK: @east
Aug 26 13:10:17.190120: | id type added to secret(0x55abb307fc48) PKK_PSK: @north
Aug 26 13:10:17.190123: | Processing PSK at line 1: passed
Aug 26 13:10:17.190125: | certs and keys locked by 'process_secret'
Aug 26 13:10:17.190127: | certs and keys unlocked by 'process_secret'
Aug 26 13:10:17.190134: | close_any(fd@16) (in whack_process() at rcv_whack.c:700)
Aug 26 13:10:17.190140: | spent 1.03 milliseconds in whack
Aug 26 13:10:17.206814: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
Aug 26 13:10:17.206835: listening for IKE messages
Aug 26 13:10:17.206881: | Inspecting interface lo
Aug 26 13:10:17.206900: | found lo with address 127.0.0.1
Aug 26 13:10:17.206902: | Inspecting interface eth0
Aug 26 13:10:17.206905: | found eth0 with address 192.0.2.254
Aug 26 13:10:17.206907: | Inspecting interface eth1
Aug 26 13:10:17.206909: | found eth1 with address 192.1.2.23
Aug 26 13:10:17.206958: | no interfaces to sort
Aug 26 13:10:17.206969: | libevent_free: release ptr-libevent@0x55abb31182c8
Aug 26 13:10:17.206972: | free_event_entry: release EVENT_NULL-pe@0x55abb3124158
Aug 26 13:10:17.206974: | add_fd_read_event_handler: new ethX-pe@0x55abb3124158
Aug 26 13:10:17.206976: | libevent_malloc: new ptr-libevent@0x55abb31182c8 size 128
Aug 26 13:10:17.206981: | setup callback for interface lo 127.0.0.1:4500 fd 22
Aug 26 13:10:17.206984: | libevent_free: release ptr-libevent@0x55abb30b41e8
Aug 26 13:10:17.206986: | free_event_entry: release EVENT_NULL-pe@0x55abb3124208
Aug 26 13:10:17.206987: | add_fd_read_event_handler: new ethX-pe@0x55abb3124208
Aug 26 13:10:17.206989: | libevent_malloc: new ptr-libevent@0x55abb30b41e8 size 128
Aug 26 13:10:17.206992: | setup callback for interface lo 127.0.0.1:500 fd 21
Aug 26 13:10:17.206994: | libevent_free: release ptr-libevent@0x55abb30b6088
Aug 26 13:10:17.206996: | free_event_entry: release EVENT_NULL-pe@0x55abb31242b8
Aug 26 13:10:17.206998: | add_fd_read_event_handler: new ethX-pe@0x55abb31242b8
Aug 26 13:10:17.207000: | libevent_malloc: new ptr-libevent@0x55abb30b6088 size 128
Aug 26 13:10:17.207003: | setup callback for interface eth0 192.0.2.254:4500 fd 20
Aug 26 13:10:17.207005: | libevent_free: release ptr-libevent@0x55abb30b31d8
Aug 26 13:10:17.207007: | free_event_entry: release EVENT_NULL-pe@0x55abb3124368
Aug 26 13:10:17.207009: | add_fd_read_event_handler: new ethX-pe@0x55abb3124368
Aug 26 13:10:17.207010: | libevent_malloc: new ptr-libevent@0x55abb30b31d8 size 128
Aug 26 13:10:17.207013: | setup callback for interface eth0 192.0.2.254:500 fd 19
Aug 26 13:10:17.207016: | libevent_free: release ptr-libevent@0x55abb30844e8
Aug 26 13:10:17.207017: | free_event_entry: release EVENT_NULL-pe@0x55abb3124418
Aug 26 13:10:17.207019: | add_fd_read_event_handler: new ethX-pe@0x55abb3124418
Aug 26 13:10:17.207021: | libevent_malloc: new ptr-libevent@0x55abb30844e8 size 128
Aug 26 13:10:17.207024: | setup callback for interface eth1 192.1.2.23:4500 fd 18
Aug 26 13:10:17.207026: | libevent_free: release ptr-libevent@0x55abb30841d8
Aug 26 13:10:17.207028: | free_event_entry: release EVENT_NULL-pe@0x55abb31244c8
Aug 26 13:10:17.207029: | add_fd_read_event_handler: new ethX-pe@0x55abb31244c8
Aug 26 13:10:17.207031: | libevent_malloc: new ptr-libevent@0x55abb30841d8 size 128
Aug 26 13:10:17.207034: | setup callback for interface eth1 192.1.2.23:500 fd 17
Aug 26 13:10:17.207036: | certs and keys locked by 'free_preshared_secrets'
Aug 26 13:10:17.207038: forgetting secrets
Aug 26 13:10:17.207043: | certs and keys unlocked by 'free_preshared_secrets'
Aug 26 13:10:17.207067: loading secrets from "/etc/ipsec.secrets"
Aug 26 13:10:17.207074: | id type added to secret(0x55abb307fc48) PKK_PSK: @east
Aug 26 13:10:17.207077: | id type added to secret(0x55abb307fc48) PKK_PSK: @north
Aug 26 13:10:17.207080: | Processing PSK at line 1: passed
Aug 26 13:10:17.207082: | certs and keys locked by 'process_secret'
Aug 26 13:10:17.207083: | certs and keys unlocked by 'process_secret'
Aug 26 13:10:17.207090: | close_any(fd@16) (in whack_process() at rcv_whack.c:700)
Aug 26 13:10:17.207096: | spent 0.302 milliseconds in whack
Aug 26 13:10:17.207456: | processing signal PLUTO_SIGCHLD
Aug 26 13:10:17.207471: | waitpid returned pid 26399 (exited with status 0)
Aug 26 13:10:17.207474: | reaped addconn helper child (status 0)
Aug 26 13:10:17.207478: | waitpid returned ECHILD (no child processes left)
Aug 26 13:10:17.207481: | spent 0.0138 milliseconds in signal handler PLUTO_SIGCHLD
Aug 26 13:10:17.264763: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
Aug 26 13:10:17.264791: | FOR_EACH_CONNECTION_... in conn_by_name
Aug 26 13:10:17.264795: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias
Aug 26 13:10:17.264797: | FOR_EACH_CONNECTION_... in conn_by_name
Aug 26 13:10:17.264799: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias
Aug 26 13:10:17.264803: | FOR_EACH_CONNECTION_... in conn_by_name
Aug 26 13:10:17.264809: | Added new connection northnet-eastnet/0x1 with policy PSK+ENCRYPT+TUNNEL+PFS+OVERLAPIP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO
Aug 26 13:10:17.264858: | ike (phase1) algorithm values: AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31
Aug 26 13:10:17.264862: | from whack: got --esp=
Aug 26 13:10:17.264887: | ESP/AH string values: AES_GCM_16_256-NONE, AES_GCM_16_128-NONE, AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128, AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128
Aug 26 13:10:17.264891: | counting wild cards for @north is 0
Aug 26 13:10:17.264893: | counting wild cards for @east is 0
Aug 26 13:10:17.264901: | connect_to_host_pair: 192.1.2.23:500 192.1.3.33:500 -> hp@(nil): none
Aug 26 13:10:17.264903: | new hp@0x55abb31268a8
Aug 26 13:10:17.264907: added connection description "northnet-eastnet/0x1"
Aug 26 13:10:17.264917: | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: PSK+ENCRYPT+TUNNEL+PFS+OVERLAPIP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO
Aug 26 13:10:17.264929: | 192.0.2.0/24===192.1.2.23<192.1.2.23>[@east]...192.1.3.33<192.1.3.33>[@north]===192.0.3.0/24
Aug 26 13:10:17.264938: | close_any(fd@16) (in whack_process() at rcv_whack.c:700)
Aug 26 13:10:17.264946: | spent 0.192 milliseconds in whack
Aug 26 13:10:17.264979: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
Aug 26 13:10:17.264988: | FOR_EACH_CONNECTION_... in conn_by_name
Aug 26 13:10:17.264991: | FOR_EACH_CONNECTION_...
in foreach_connection_by_alias Aug 26 13:10:17.264993: | FOR_EACH_CONNECTION_... in conn_by_name Aug 26 13:10:17.264995: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias Aug 26 13:10:17.264997: | FOR_EACH_CONNECTION_... in conn_by_name Aug 26 13:10:17.265001: | Added new connection northnet-eastnet/0x2 with policy PSK+ENCRYPT+TUNNEL+PFS+OVERLAPIP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO Aug 26 13:10:17.265034: | ike (phase1) algorithm values: AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 Aug 26 13:10:17.265037: | from whack: got --esp= Aug 26 13:10:17.265064: | ESP/AH string values: AES_GCM_16_256-NONE, AES_GCM_16_128-NONE, AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128, AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128 Aug 26 13:10:17.265067: | counting wild cards for @north is 0 Aug 26 13:10:17.265069: | counting wild cards for @east is 0 Aug 26 13:10:17.265074: | find_host_pair: comparing 192.1.2.23:500 to 192.1.3.33:500 but ignoring ports Aug 26 13:10:17.265078: | connect_to_host_pair: 192.1.2.23:500 192.1.3.33:500 -> hp@0x55abb31268a8: northnet-eastnet/0x1 Aug 26 13:10:17.265080: added connection description "northnet-eastnet/0x2" Aug 26 13:10:17.265088: | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: PSK+ENCRYPT+TUNNEL+PFS+OVERLAPIP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO Aug 26 13:10:17.265097: | 192.0.2.0/24===192.1.2.23<192.1.2.23>[@east]...192.1.3.33<192.1.3.33>[@north]===192.0.3.0/24 Aug 26 13:10:17.265104: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 13:10:17.265109: | spent 0.135 milliseconds in whack 
Aug 26 13:10:17.328661: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 13:10:17.329016: | FOR_EACH_CONNECTION_... in show_connections_status Aug 26 13:10:17.329033: | FOR_EACH_CONNECTION_... in show_connections_status Aug 26 13:10:17.329197: | FOR_EACH_STATE_... in show_states_status (sort_states) Aug 26 13:10:17.329216: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 13:10:17.329228: | spent 0.577 milliseconds in whack Aug 26 13:10:17.387118: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 13:10:17.387154: | old debugging base+cpu-usage + none Aug 26 13:10:17.387160: | base debugging = base+cpu-usage Aug 26 13:10:17.387165: | old impairing none + suppress-retransmits Aug 26 13:10:17.387168: | base impairing = suppress-retransmits Aug 26 13:10:17.387178: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 13:10:17.387188: | spent 0.0817 milliseconds in whack Aug 26 13:10:18.737966: | spent 0.00284 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Aug 26 13:10:18.737992: | *received 828 bytes from 192.1.3.33:500 on eth1 (192.1.2.23:500) Aug 26 13:10:18.738092: | start processing: from 192.1.3.33:500 (in process_md() at demux.c:378) Aug 26 13:10:18.738094: | **parse ISAKMP Message: Aug 26 13:10:18.738096: | initiator cookie: Aug 26 13:10:18.738098: | 5f 02 0c cf 0e 18 8a 0e Aug 26 13:10:18.738100: | responder cookie: Aug 26 13:10:18.738101: | 00 00 00 00 00 00 00 00 Aug 26 13:10:18.738103: | next payload type: ISAKMP_NEXT_v2SA (0x21) Aug 26 13:10:18.738105: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:10:18.738107: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) Aug 26 13:10:18.738108: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Aug 26 13:10:18.738110: | Message ID: 0 (0x0) Aug 26 13:10:18.738112: | length: 828 (0x33c) Aug 26 13:10:18.738114: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_SA_INIT (34) Aug 26 13:10:18.738116: | I am the IKE SA Original Responder receiving an IKEv2 
IKE_SA_INIT request Aug 26 13:10:18.738119: | State DB: IKEv2 state not found (find_v2_ike_sa_by_initiator_spi) Aug 26 13:10:18.738121: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Aug 26 13:10:18.738123: | ***parse IKEv2 Security Association Payload: Aug 26 13:10:18.738125: | next payload type: ISAKMP_NEXT_v2KE (0x22) Aug 26 13:10:18.738127: | flags: none (0x0) Aug 26 13:10:18.738128: | length: 436 (0x1b4) Aug 26 13:10:18.738130: | processing payload: ISAKMP_NEXT_v2SA (len=432) Aug 26 13:10:18.738132: | Now let's proceed with payload (ISAKMP_NEXT_v2KE) Aug 26 13:10:18.738134: | ***parse IKEv2 Key Exchange Payload: Aug 26 13:10:18.738135: | next payload type: ISAKMP_NEXT_v2Ni (0x28) Aug 26 13:10:18.738137: | flags: none (0x0) Aug 26 13:10:18.738138: | length: 264 (0x108) Aug 26 13:10:18.738140: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:10:18.738142: | processing payload: ISAKMP_NEXT_v2KE (len=256) Aug 26 13:10:18.738143: | Now let's proceed with payload (ISAKMP_NEXT_v2Ni) Aug 26 13:10:18.738145: | ***parse IKEv2 Nonce Payload: Aug 26 13:10:18.738147: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 13:10:18.738148: | flags: none (0x0) Aug 26 13:10:18.738150: | length: 36 (0x24) Aug 26 13:10:18.738152: | processing payload: ISAKMP_NEXT_v2Ni (len=32) Aug 26 13:10:18.738153: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Aug 26 13:10:18.738155: | ***parse IKEv2 Notify Payload: Aug 26 13:10:18.738157: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 13:10:18.738158: | flags: none (0x0) Aug 26 13:10:18.738160: | length: 8 (0x8) Aug 26 13:10:18.738162: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:10:18.738163: | SPI size: 0 (0x0) Aug 26 13:10:18.738165: | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) Aug 26 13:10:18.738167: | processing payload: ISAKMP_NEXT_v2N (len=0) Aug 26 13:10:18.738168: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Aug 26 13:10:18.738170: | ***parse IKEv2 Notify Payload: Aug 26 13:10:18.738172: | 
next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 13:10:18.738173: | flags: none (0x0) Aug 26 13:10:18.738177: | length: 28 (0x1c) Aug 26 13:10:18.738178: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:10:18.738180: | SPI size: 0 (0x0) Aug 26 13:10:18.738182: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Aug 26 13:10:18.738183: | processing payload: ISAKMP_NEXT_v2N (len=20) Aug 26 13:10:18.738185: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Aug 26 13:10:18.738187: | ***parse IKEv2 Notify Payload: Aug 26 13:10:18.738188: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:18.738190: | flags: none (0x0) Aug 26 13:10:18.738191: | length: 28 (0x1c) Aug 26 13:10:18.738193: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:10:18.738195: | SPI size: 0 (0x0) Aug 26 13:10:18.738196: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Aug 26 13:10:18.738198: | processing payload: ISAKMP_NEXT_v2N (len=20) Aug 26 13:10:18.738200: | DDOS disabled and no cookie sent, continuing Aug 26 13:10:18.738203: | find_host_connection local=192.1.2.23:500 remote=192.1.3.33:500 policy=ECDSA+IKEV2_ALLOW but ignoring ports Aug 26 13:10:18.738207: | find_host_pair: comparing 192.1.2.23:500 to 192.1.3.33:500 but ignoring ports Aug 26 13:10:18.738209: | find_next_host_connection policy=ECDSA+IKEV2_ALLOW Aug 26 13:10:18.738212: | found policy = PSK+ENCRYPT+TUNNEL+PFS+OVERLAPIP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (northnet-eastnet/0x2) Aug 26 13:10:18.738214: | found policy = PSK+ENCRYPT+TUNNEL+PFS+OVERLAPIP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (northnet-eastnet/0x1) Aug 26 13:10:18.738216: | find_next_host_connection returns empty Aug 26 13:10:18.738218: | find_host_connection local=192.1.2.23:500 remote= policy=ECDSA+IKEV2_ALLOW but ignoring ports Aug 26 13:10:18.738220: | find_next_host_connection policy=ECDSA+IKEV2_ALLOW Aug 26 13:10:18.738222: | find_next_host_connection returns empty Aug 26 13:10:18.738224: | initial parent SA 
message received on 192.1.2.23:500 but no connection has been authorized with policy ECDSA+IKEV2_ALLOW Aug 26 13:10:18.738227: | find_host_connection local=192.1.2.23:500 remote=192.1.3.33:500 policy=RSASIG+IKEV2_ALLOW but ignoring ports Aug 26 13:10:18.738230: | find_host_pair: comparing 192.1.2.23:500 to 192.1.3.33:500 but ignoring ports Aug 26 13:10:18.738232: | find_next_host_connection policy=RSASIG+IKEV2_ALLOW Aug 26 13:10:18.738234: | found policy = PSK+ENCRYPT+TUNNEL+PFS+OVERLAPIP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (northnet-eastnet/0x2) Aug 26 13:10:18.738236: | found policy = PSK+ENCRYPT+TUNNEL+PFS+OVERLAPIP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (northnet-eastnet/0x1) Aug 26 13:10:18.738237: | find_next_host_connection returns empty Aug 26 13:10:18.738240: | find_host_connection local=192.1.2.23:500 remote= policy=RSASIG+IKEV2_ALLOW but ignoring ports Aug 26 13:10:18.738242: | find_next_host_connection policy=RSASIG+IKEV2_ALLOW Aug 26 13:10:18.738243: | find_next_host_connection returns empty Aug 26 13:10:18.738245: | initial parent SA message received on 192.1.2.23:500 but no connection has been authorized with policy RSASIG+IKEV2_ALLOW Aug 26 13:10:18.738248: | find_host_connection local=192.1.2.23:500 remote=192.1.3.33:500 policy=PSK+IKEV2_ALLOW but ignoring ports Aug 26 13:10:18.738251: | find_host_pair: comparing 192.1.2.23:500 to 192.1.3.33:500 but ignoring ports Aug 26 13:10:18.738253: | find_next_host_connection policy=PSK+IKEV2_ALLOW Aug 26 13:10:18.738255: | found policy = PSK+ENCRYPT+TUNNEL+PFS+OVERLAPIP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (northnet-eastnet/0x2) Aug 26 13:10:18.738256: | find_next_host_connection returns northnet-eastnet/0x2 Aug 26 13:10:18.738258: | find_next_host_connection policy=PSK+IKEV2_ALLOW Aug 26 13:10:18.738260: | found policy = PSK+ENCRYPT+TUNNEL+PFS+OVERLAPIP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (northnet-eastnet/0x1) Aug 26 13:10:18.738262: | find_next_host_connection returns 
northnet-eastnet/0x1 Aug 26 13:10:18.738263: | find_next_host_connection policy=PSK+IKEV2_ALLOW Aug 26 13:10:18.738265: | find_next_host_connection returns empty Aug 26 13:10:18.738268: | found connection: northnet-eastnet/0x2 with policy PSK+IKEV2_ALLOW Aug 26 13:10:18.738287: | creating state object #1 at 0x55abb312a408 Aug 26 13:10:18.738297: | State DB: adding IKEv2 state #1 in UNDEFINED Aug 26 13:10:18.738305: | pstats #1 ikev2.ike started Aug 26 13:10:18.738308: | Message ID: init #1: msgid=0 lastack=4294967295 nextuse=0 lastrecv=4294967295 lastreplied=0 Aug 26 13:10:18.738310: | parent state #1: UNDEFINED(ignore) => PARENT_R0(half-open IKE SA) Aug 26 13:10:18.738314: | Message ID: init_ike #1; ike: initiator.sent=0->-1 initiator.recv=0->-1 responder.sent=0->-1 responder.recv=0->-1 wip.initiator=0->-1 wip.responder=0->-1 Aug 26 13:10:18.738320: | start processing: state #1 connection "northnet-eastnet/0x2" from 192.1.3.33 (in ikev2_process_packet() at ikev2.c:2016) Aug 26 13:10:18.738322: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Aug 26 13:10:18.738325: | [RE]START processing: state #1 connection "northnet-eastnet/0x2" from 192.1.3.33 (in ike_process_packet() at ikev2.c:2064) Aug 26 13:10:18.738327: | #1 st.st_msgid_lastrecv -1 md.hdr.isa_msgid 00000000 Aug 26 13:10:18.738330: | Message ID: #1 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1 Aug 26 13:10:18.738333: | Message ID: start-responder #1 request 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1 wip.initiator=-1 wip.responder=-1->0 Aug 26 13:10:18.738335: | #1 in state PARENT_R0: processing SA_INIT request Aug 26 13:10:18.738337: | selected state microcode Respond to IKE_SA_INIT Aug 26 13:10:18.738339: | Now let's proceed with state specific processing Aug 26 13:10:18.738340: | calling processor Respond to IKE_SA_INIT Aug 26 13:10:18.738348: | #1 updating local interface from 192.1.2.23:500 to 
192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2669) Aug 26 13:10:18.738350: | constructing local IKE proposals for northnet-eastnet/0x2 (IKE SA responder matching remote proposals) Aug 26 13:10:18.738360: | converting ike_info AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Aug 26 13:10:18.738366: | ... ikev2_proposal: 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Aug 26 13:10:18.738368: | converting ike_info AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Aug 26 13:10:18.738372: | ... ikev2_proposal: 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Aug 26 13:10:18.738374: | converting ike_info AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Aug 26 13:10:18.738378: | ... ikev2_proposal: 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Aug 26 13:10:18.738380: | converting ike_info AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Aug 26 13:10:18.738383: | ... 
ikev2_proposal: 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Aug 26 13:10:18.738389: "northnet-eastnet/0x2": constructed local IKE proposals for northnet-eastnet/0x2 (IKE SA responder matching remote proposals): 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Aug 26 13:10:18.738394: | Comparing remote proposals against IKE responder 4 local proposals Aug 26 13:10:18.738398: | local proposal 1 type ENCR has 1 transforms Aug 26 13:10:18.738400: | local proposal 1 type PRF has 2 transforms Aug 26 13:10:18.738402: | local proposal 1 type INTEG has 1 transforms Aug 26 13:10:18.738403: | local proposal 1 type DH has 8 transforms Aug 26 13:10:18.738405: | local proposal 1 type ESN has 0 transforms Aug 26 13:10:18.738407: | local proposal 1 transforms: required: ENCR+PRF+DH; optional: INTEG Aug 26 13:10:18.738409: | local proposal 2 type ENCR has 1 transforms Aug 26 13:10:18.738411: | local proposal 2 type PRF has 2 transforms Aug 26 13:10:18.738412: | local proposal 2 type INTEG has 1 transforms Aug 26 13:10:18.738414: | local proposal 2 type DH has 8 transforms Aug 26 13:10:18.738415: | local proposal 2 type ESN has 0 transforms Aug 26 13:10:18.738417: | local proposal 2 transforms: required: ENCR+PRF+DH; optional: INTEG Aug 26 13:10:18.738419: | local proposal 3 type ENCR has 1 
transforms Aug 26 13:10:18.738421: | local proposal 3 type PRF has 2 transforms Aug 26 13:10:18.738422: | local proposal 3 type INTEG has 2 transforms Aug 26 13:10:18.738424: | local proposal 3 type DH has 8 transforms Aug 26 13:10:18.738425: | local proposal 3 type ESN has 0 transforms Aug 26 13:10:18.738427: | local proposal 3 transforms: required: ENCR+PRF+INTEG+DH; optional: none Aug 26 13:10:18.738429: | local proposal 4 type ENCR has 1 transforms Aug 26 13:10:18.738431: | local proposal 4 type PRF has 2 transforms Aug 26 13:10:18.738432: | local proposal 4 type INTEG has 2 transforms Aug 26 13:10:18.738434: | local proposal 4 type DH has 8 transforms Aug 26 13:10:18.738436: | local proposal 4 type ESN has 0 transforms Aug 26 13:10:18.738437: | local proposal 4 transforms: required: ENCR+PRF+INTEG+DH; optional: none Aug 26 13:10:18.738440: | ****parse IKEv2 Proposal Substructure Payload: Aug 26 13:10:18.738441: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 13:10:18.738443: | length: 100 (0x64) Aug 26 13:10:18.738445: | prop #: 1 (0x1) Aug 26 13:10:18.738447: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 13:10:18.738448: | spi size: 0 (0x0) Aug 26 13:10:18.738450: | # transforms: 11 (0xb) Aug 26 13:10:18.738452: | Comparing remote proposal 1 containing 11 transforms against local proposal [1..4] of 4 local proposals Aug 26 13:10:18.738455: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:18.738456: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:18.738458: | length: 12 (0xc) Aug 26 13:10:18.738460: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:10:18.738461: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 13:10:18.738463: | ******parse IKEv2 Attribute Substructure Payload: Aug 26 13:10:18.738465: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:10:18.738467: | length/value: 256 (0x100) Aug 26 13:10:18.738469: | remote proposal 1 transform 0 (ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) transform 0 Aug 26 
13:10:18.738471: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:18.738473: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:18.738475: | length: 8 (0x8) Aug 26 13:10:18.738476: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:10:18.738478: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Aug 26 13:10:18.738480: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 1 type 2 (PRF) transform 0 Aug 26 13:10:18.738482: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 2 type 2 (PRF) transform 0 Aug 26 13:10:18.738484: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 3 type 2 (PRF) transform 0 Aug 26 13:10:18.738486: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 4 type 2 (PRF) transform 0 Aug 26 13:10:18.738489: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:18.738491: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:18.738493: | length: 8 (0x8) Aug 26 13:10:18.738494: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:10:18.738496: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Aug 26 13:10:18.738498: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:18.738499: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:18.738501: | length: 8 (0x8) Aug 26 13:10:18.738503: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:18.738504: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:10:18.738507: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 1 type 4 (DH) transform 0 Aug 26 13:10:18.738509: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 2 type 4 (DH) transform 0 Aug 26 13:10:18.738511: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 3 type 4 (DH) transform 0 Aug 26 13:10:18.738513: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 4 type 4 (DH) transform 0 Aug 26 13:10:18.738514: | *****parse IKEv2 
Transform Substructure Payload: Aug 26 13:10:18.738516: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:18.738517: | length: 8 (0x8) Aug 26 13:10:18.738519: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:18.738521: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Aug 26 13:10:18.738522: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:18.738524: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:18.738526: | length: 8 (0x8) Aug 26 13:10:18.738527: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:18.738529: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Aug 26 13:10:18.738531: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:18.738532: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:18.738534: | length: 8 (0x8) Aug 26 13:10:18.738535: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:18.738537: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Aug 26 13:10:18.738539: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:18.738540: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:18.738542: | length: 8 (0x8) Aug 26 13:10:18.738543: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:18.738545: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Aug 26 13:10:18.738547: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:18.738548: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:18.738550: | length: 8 (0x8) Aug 26 13:10:18.738552: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:18.738553: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Aug 26 13:10:18.738555: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:18.738557: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:18.738558: | length: 8 (0x8) Aug 26 13:10:18.738560: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:18.738561: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Aug 26 13:10:18.738563: | *****parse IKEv2 Transform Substructure 
Payload: Aug 26 13:10:18.738565: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:10:18.738566: | length: 8 (0x8) Aug 26 13:10:18.738568: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:18.738570: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Aug 26 13:10:18.738572: | remote proposal 1 proposed transforms: ENCR+PRF+DH; matched: ENCR+PRF+DH; unmatched: none Aug 26 13:10:18.738575: | comparing remote proposal 1 containing ENCR+PRF+DH transforms to local proposal 1; required: ENCR+PRF+DH; optional: INTEG; matched: ENCR+PRF+DH Aug 26 13:10:18.738577: | remote proposal 1 matches local proposal 1 Aug 26 13:10:18.738579: | ****parse IKEv2 Proposal Substructure Payload: Aug 26 13:10:18.738580: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 13:10:18.738582: | length: 100 (0x64) Aug 26 13:10:18.738583: | prop #: 2 (0x2) Aug 26 13:10:18.738589: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 13:10:18.738591: | spi size: 0 (0x0) Aug 26 13:10:18.738592: | # transforms: 11 (0xb) Aug 26 13:10:18.738594: | Comparing remote proposal 2 containing 11 transforms against local proposal [1..0] of 4 local proposals Aug 26 13:10:18.738596: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:18.738598: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:18.738599: | length: 12 (0xc) Aug 26 13:10:18.738601: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:10:18.738603: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 13:10:18.738604: | ******parse IKEv2 Attribute Substructure Payload: Aug 26 13:10:18.738606: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:10:18.738608: | length/value: 128 (0x80) Aug 26 13:10:18.738609: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:18.738611: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:18.738613: | length: 8 (0x8) Aug 26 13:10:18.738614: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:10:18.738616: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Aug 26 13:10:18.738618: | 
*****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:18.738619: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:18.738621: | length: 8 (0x8) Aug 26 13:10:18.738622: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:10:18.738624: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Aug 26 13:10:18.738626: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:18.738627: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:18.738629: | length: 8 (0x8) Aug 26 13:10:18.738631: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:18.738632: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:10:18.738634: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:18.738636: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:18.738637: | length: 8 (0x8) Aug 26 13:10:18.738639: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:18.738640: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Aug 26 13:10:18.738642: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:18.738644: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:18.738645: | length: 8 (0x8) Aug 26 13:10:18.738647: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:18.738648: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Aug 26 13:10:18.738650: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:18.738652: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:18.738653: | length: 8 (0x8) Aug 26 13:10:18.738655: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:18.738656: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Aug 26 13:10:18.738658: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:18.738660: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:18.738661: | length: 8 (0x8) Aug 26 13:10:18.738663: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:18.738665: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Aug 26 13:10:18.738666: | *****parse IKEv2 Transform 
Substructure Payload: Aug 26 13:10:18.738668: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:18.738669: | length: 8 (0x8) Aug 26 13:10:18.738671: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:18.738673: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Aug 26 13:10:18.738674: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:18.738676: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:18.738678: | length: 8 (0x8) Aug 26 13:10:18.738679: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:18.738681: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Aug 26 13:10:18.738682: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:18.738684: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:10:18.738686: | length: 8 (0x8) Aug 26 13:10:18.738688: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:18.738690: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Aug 26 13:10:18.738692: | remote proposal 2 proposed transforms: ENCR+PRF+DH; matched: none; unmatched: ENCR+PRF+DH Aug 26 13:10:18.738694: | remote proposal 2 does not match; unmatched remote transforms: ENCR+PRF+DH Aug 26 13:10:18.738696: | ****parse IKEv2 Proposal Substructure Payload: Aug 26 13:10:18.738697: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 13:10:18.738699: | length: 116 (0x74) Aug 26 13:10:18.738701: | prop #: 3 (0x3) Aug 26 13:10:18.738702: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 13:10:18.738704: | spi size: 0 (0x0) Aug 26 13:10:18.738705: | # transforms: 13 (0xd) Aug 26 13:10:18.738707: | Comparing remote proposal 3 containing 13 transforms against local proposal [1..0] of 4 local proposals Aug 26 13:10:18.738709: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:18.738711: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:18.738712: | length: 12 (0xc) Aug 26 13:10:18.738714: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:10:18.738715: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 
13:10:18.738717: | ******parse IKEv2 Attribute Substructure Payload: Aug 26 13:10:18.738719: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:10:18.738720: | length/value: 256 (0x100) Aug 26 13:10:18.738722: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:18.738724: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:18.738725: | length: 8 (0x8) Aug 26 13:10:18.738727: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:10:18.738728: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Aug 26 13:10:18.738730: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:18.738732: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:18.738733: | length: 8 (0x8) Aug 26 13:10:18.738735: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:10:18.738737: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Aug 26 13:10:18.738738: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:18.738740: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:18.738741: | length: 8 (0x8) Aug 26 13:10:18.738743: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:10:18.738745: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Aug 26 13:10:18.738746: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:18.738748: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:18.738750: | length: 8 (0x8) Aug 26 13:10:18.738751: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:10:18.738753: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Aug 26 13:10:18.738755: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:18.738756: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:18.738758: | length: 8 (0x8) Aug 26 13:10:18.738759: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:18.738761: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:10:18.738763: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:18.738764: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 
13:10:18.738766: | length: 8 (0x8) Aug 26 13:10:18.738767: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:18.738769: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Aug 26 13:10:18.738771: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:18.738772: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:18.738774: | length: 8 (0x8) Aug 26 13:10:18.738775: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:18.738777: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Aug 26 13:10:18.738779: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:18.738780: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:18.738782: | length: 8 (0x8) Aug 26 13:10:18.738783: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:18.738786: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Aug 26 13:10:18.738788: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:18.738789: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:18.738791: | length: 8 (0x8) Aug 26 13:10:18.738792: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:18.738794: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Aug 26 13:10:18.738796: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:18.738797: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:18.738799: | length: 8 (0x8) Aug 26 13:10:18.738801: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:18.738802: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Aug 26 13:10:18.738804: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:18.738806: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:18.738807: | length: 8 (0x8) Aug 26 13:10:18.738809: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:18.738810: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Aug 26 13:10:18.738812: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:18.738814: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:10:18.738815: | length: 
8 (0x8) Aug 26 13:10:18.738817: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:18.738818: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Aug 26 13:10:18.738821: | remote proposal 3 proposed transforms: ENCR+PRF+INTEG+DH; matched: none; unmatched: ENCR+PRF+INTEG+DH Aug 26 13:10:18.738823: | remote proposal 3 does not match; unmatched remote transforms: ENCR+PRF+INTEG+DH Aug 26 13:10:18.738824: | ****parse IKEv2 Proposal Substructure Payload: Aug 26 13:10:18.738826: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 13:10:18.738828: | length: 116 (0x74) Aug 26 13:10:18.738829: | prop #: 4 (0x4) Aug 26 13:10:18.738831: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 13:10:18.738832: | spi size: 0 (0x0) Aug 26 13:10:18.738834: | # transforms: 13 (0xd) Aug 26 13:10:18.738836: | Comparing remote proposal 4 containing 13 transforms against local proposal [1..0] of 4 local proposals Aug 26 13:10:18.738838: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:18.738839: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:18.738841: | length: 12 (0xc) Aug 26 13:10:18.738842: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:10:18.738844: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 13:10:18.738845: | ******parse IKEv2 Attribute Substructure Payload: Aug 26 13:10:18.738847: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:10:18.738849: | length/value: 128 (0x80) Aug 26 13:10:18.738851: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:18.738852: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:18.738854: | length: 8 (0x8) Aug 26 13:10:18.738855: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:10:18.738857: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Aug 26 13:10:18.738859: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:18.738860: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:18.738862: | length: 8 (0x8) Aug 26 13:10:18.738863: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 
13:10:18.738865: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Aug 26 13:10:18.738867: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:18.738868: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:18.738870: | length: 8 (0x8) Aug 26 13:10:18.738871: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:10:18.738873: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Aug 26 13:10:18.738875: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:18.738876: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:18.738878: | length: 8 (0x8) Aug 26 13:10:18.738880: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:10:18.738881: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Aug 26 13:10:18.738884: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:18.738885: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:18.738887: | length: 8 (0x8) Aug 26 13:10:18.738889: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:18.738890: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:10:18.738892: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:18.738894: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:18.738895: | length: 8 (0x8) Aug 26 13:10:18.738897: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:18.738898: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Aug 26 13:10:18.738900: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:18.738902: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:18.738903: | length: 8 (0x8) Aug 26 13:10:18.738905: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:18.738906: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Aug 26 13:10:18.738908: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:18.738910: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:18.738911: | length: 8 (0x8) Aug 26 13:10:18.738913: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:18.738914: | 
IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Aug 26 13:10:18.738916: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:18.738918: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:18.738919: | length: 8 (0x8) Aug 26 13:10:18.738921: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:18.738923: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Aug 26 13:10:18.738924: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:18.738926: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:18.738927: | length: 8 (0x8) Aug 26 13:10:18.738929: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:18.738931: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Aug 26 13:10:18.738932: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:18.738934: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:18.738935: | length: 8 (0x8) Aug 26 13:10:18.738937: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:18.738939: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Aug 26 13:10:18.738940: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:18.738942: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:10:18.738944: | length: 8 (0x8) Aug 26 13:10:18.738945: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:18.738947: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Aug 26 13:10:18.738949: | remote proposal 4 proposed transforms: ENCR+PRF+INTEG+DH; matched: none; unmatched: ENCR+PRF+INTEG+DH Aug 26 13:10:18.738951: | remote proposal 4 does not match; unmatched remote transforms: ENCR+PRF+INTEG+DH Aug 26 13:10:18.738954: "northnet-eastnet/0x2" #1: proposal 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519[first-match] 
2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 Aug 26 13:10:18.738957: | accepted IKE proposal ikev2_proposal: 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048 Aug 26 13:10:18.738959: | converting proposal to internal trans attrs Aug 26 13:10:18.738961: | natd_hash: rcookie is zero Aug 26 13:10:18.738971: | natd_hash: hasher=0x55abb2198800(20) Aug 26 13:10:18.738974: | natd_hash: icookie= 5f 02 0c cf 0e 18 8a 0e Aug 26 13:10:18.738976: | natd_hash: rcookie= 00 00 00 00 00 00 00 00 Aug 26 13:10:18.738977: | natd_hash: ip= c0 01 02 17 Aug 26 13:10:18.738979: | natd_hash: port=500 Aug 26 13:10:18.738981: | natd_hash: hash= c4 4a 09 21 74 d8 d6 7b 2c c1 62 78 ca d0 17 a2 Aug 26 13:10:18.738982: | natd_hash: hash= 11 bd 0e 44 Aug 26 13:10:18.738984: | natd_hash: rcookie is zero Aug 26 13:10:18.738988: | natd_hash: hasher=0x55abb2198800(20) Aug 26 13:10:18.738990: | natd_hash: icookie= 5f 02 0c cf 0e 18 8a 0e Aug 26 13:10:18.738992: | natd_hash: rcookie= 00 00 00 00 00 00 00 00 Aug 26 13:10:18.738993: | natd_hash: ip= c0 01 03 21 Aug 26 13:10:18.738995: | natd_hash: port=500 Aug 26 13:10:18.738996: | natd_hash: hash= 6e 06 7b 1a fd ce a4 43 db 6c 0b f1 90 20 8d 9c Aug 26 13:10:18.738998: | natd_hash: hash= 4c 92 2a 16 Aug 26 13:10:18.739000: | NAT_TRAVERSAL encaps using auto-detect Aug 26 13:10:18.739001: | NAT_TRAVERSAL this end is NOT behind NAT Aug 26 13:10:18.739003: | NAT_TRAVERSAL that end is NOT behind NAT Aug 26 13:10:18.739005: | NAT_TRAVERSAL 
nat-keepalive enabled 192.1.3.33 Aug 26 13:10:18.739008: | adding ikev2_inI1outR1 KE work-order 1 for state #1 Aug 26 13:10:18.739010: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55abb3129fe8 Aug 26 13:10:18.739013: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 Aug 26 13:10:18.739015: | libevent_malloc: new ptr-libevent@0x55abb312c768 size 128 Aug 26 13:10:18.739024: | #1 spent 0.68 milliseconds in processing: Respond to IKE_SA_INIT in ikev2_process_state_packet() Aug 26 13:10:18.739029: | [RE]START processing: state #1 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:10:18.739031: | #1 complete_v2_state_transition() PARENT_R0->PARENT_R1 with status STF_SUSPEND Aug 26 13:10:18.739033: | suspending state #1 and saving MD Aug 26 13:10:18.739035: | #1 is busy; has a suspended MD Aug 26 13:10:18.739038: | [RE]START processing: state #1 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in log_stf_suspend() at ikev2.c:3269) Aug 26 13:10:18.739040: | "northnet-eastnet/0x2" #1 complete v2 state STATE_PARENT_R0 transition with STF_SUSPEND suspended from complete_v2_state_transition:3451 Aug 26 13:10:18.739043: | stop processing: state #1 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2018) Aug 26 13:10:18.739046: | #1 spent 1.06 milliseconds in ikev2_process_packet() Aug 26 13:10:18.739049: | stop processing: from 192.1.3.33:500 (in process_md() at demux.c:380) Aug 26 13:10:18.739051: | processing: STOP state #0 (in process_md() at demux.c:382) Aug 26 13:10:18.739053: | processing: STOP connection NULL (in process_md() at demux.c:383) Aug 26 13:10:18.739055: | spent 1.07 milliseconds in comm_handle_cb() reading and processing packet Aug 26 13:10:18.739057: | crypto helper 1 resuming Aug 26 13:10:18.739068: | crypto helper 1 starting work-order 1 for state #1 Aug 26 13:10:18.739072: | crypto helper 1 doing build KE and nonce 
(ikev2_inI1outR1 KE); request ID 1 Aug 26 13:10:18.739662: | crypto helper 1 finished build KE and nonce (ikev2_inI1outR1 KE); request ID 1 time elapsed 0.00059 seconds Aug 26 13:10:18.739672: | (#1) spent 0.596 milliseconds in crypto helper computing work-order 1: ikev2_inI1outR1 KE (pcr) Aug 26 13:10:18.739674: | crypto helper 1 sending results from work-order 1 for state #1 to event queue Aug 26 13:10:18.739676: | scheduling resume sending helper answer for #1 Aug 26 13:10:18.739679: | libevent_malloc: new ptr-libevent@0x7fd260002888 size 128 Aug 26 13:10:18.739685: | crypto helper 1 waiting (nothing to do) Aug 26 13:10:18.739722: | processing resume sending helper answer for #1 Aug 26 13:10:18.739732: | start processing: state #1 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in resume_handler() at server.c:797) Aug 26 13:10:18.739735: | crypto helper 1 replies to request ID 1 Aug 26 13:10:18.739737: | calling continuation function 0x55abb20c3b50 Aug 26 13:10:18.739741: | ikev2_parent_inI1outR1_continue for #1: calculated ke+nonce, sending R1 Aug 26 13:10:18.739767: | **emit ISAKMP Message: Aug 26 13:10:18.739770: | initiator cookie: Aug 26 13:10:18.739771: | 5f 02 0c cf 0e 18 8a 0e Aug 26 13:10:18.739773: | responder cookie: Aug 26 13:10:18.739774: | bb a7 63 3c fd 04 52 89 Aug 26 13:10:18.739776: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 13:10:18.739778: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:10:18.739780: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) Aug 26 13:10:18.739782: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Aug 26 13:10:18.739784: | Message ID: 0 (0x0) Aug 26 13:10:18.739786: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 13:10:18.739788: | Emitting ikev2_proposal ... 
Aug 26 13:10:18.739790: | ***emit IKEv2 Security Association Payload: Aug 26 13:10:18.739792: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:18.739793: | flags: none (0x0) Aug 26 13:10:18.739795: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Aug 26 13:10:18.739797: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Aug 26 13:10:18.739799: | ****emit IKEv2 Proposal Substructure Payload: Aug 26 13:10:18.739801: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 13:10:18.739803: | prop #: 1 (0x1) Aug 26 13:10:18.739805: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 13:10:18.739807: | spi size: 0 (0x0) Aug 26 13:10:18.739808: | # transforms: 3 (0x3) Aug 26 13:10:18.739810: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Aug 26 13:10:18.739812: | *****emit IKEv2 Transform Substructure Payload: Aug 26 13:10:18.739814: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:18.739816: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:10:18.739817: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 13:10:18.739819: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:10:18.739821: | ******emit IKEv2 Attribute Substructure Payload: Aug 26 13:10:18.739823: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:10:18.739825: | length/value: 256 (0x100) Aug 26 13:10:18.739827: | emitting length of IKEv2 Transform Substructure Payload: 12 Aug 26 13:10:18.739829: | *****emit IKEv2 Transform Substructure Payload: Aug 26 13:10:18.739830: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:18.739832: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:10:18.739834: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Aug 26 13:10:18.739836: | last 
substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:18.739838: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:10:18.739840: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:10:18.739842: | *****emit IKEv2 Transform Substructure Payload: Aug 26 13:10:18.739843: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:10:18.739845: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:18.739847: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:10:18.739849: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:18.739850: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:10:18.739852: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:10:18.739854: | emitting length of IKEv2 Proposal Substructure Payload: 36 Aug 26 13:10:18.739857: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Aug 26 13:10:18.739859: | emitting length of IKEv2 Security Association Payload: 40 Aug 26 13:10:18.739861: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Aug 26 13:10:18.739863: | ***emit IKEv2 Key Exchange Payload: Aug 26 13:10:18.739865: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:18.739866: | flags: none (0x0) Aug 26 13:10:18.739868: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:10:18.739870: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Key Exchange Payload (34:ISAKMP_NEXT_v2KE) Aug 26 
13:10:18.739872: | next payload chain: saving location 'IKEv2 Key Exchange Payload'.'next payload type' in 'reply packet' Aug 26 13:10:18.739875: | emitting 256 raw bytes of ikev2 g^x into IKEv2 Key Exchange Payload Aug 26 13:10:18.739902: | emitting length of IKEv2 Key Exchange Payload: 264 Aug 26 13:10:18.739904: | ***emit IKEv2 Nonce Payload: Aug 26 13:10:18.739905: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 13:10:18.739907: | flags: none (0x0) Aug 26 13:10:18.739909: | next payload chain: ignoring supplied 'IKEv2 Nonce Payload'.'next payload type' value 41:ISAKMP_NEXT_v2N Aug 26 13:10:18.739911: | next payload chain: setting previous
'IKEv2 Key Exchange Payload'.'next payload type' to current IKEv2 Nonce Payload (40:ISAKMP_NEXT_v2Ni) Aug 26 13:10:18.739913: | next payload chain: saving location 'IKEv2 Nonce Payload'.'next payload type' in 'reply packet' Aug 26 13:10:18.739915: | emitting 32 raw bytes of IKEv2 nonce into IKEv2 Nonce Payload Aug 26 13:10:18.739917: | IKEv2 nonce 8f 55 bc 44 39 f4 57 af e9 b1 53 dd cb 25 a2 63 Aug 26 13:10:18.739918: | IKEv2 nonce bc d9 5a d5 46 90 6d ab f3 ca 31 54 ee a4 cc 14 Aug 26 13:10:18.739920: | emitting length of IKEv2 Nonce Payload: 36 Aug 26 13:10:18.739922: | Adding a v2N Payload Aug 26 13:10:18.739923: | ***emit IKEv2 Notify Payload: Aug 26 13:10:18.739925: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:18.739927: | flags: none (0x0) Aug 26 13:10:18.739928: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:10:18.739930: | SPI size: 0 (0x0) Aug 26 13:10:18.739932: | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) Aug 26 13:10:18.739934: | next payload chain: setting previous 'IKEv2 Nonce Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Aug 26 13:10:18.739936: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Aug 26 13:10:18.739939: | emitting length of IKEv2 Notify Payload: 8 Aug 26 13:10:18.739941: | NAT-Traversal support [enabled] add v2N payloads. 
Aug 26 13:10:18.739948: | natd_hash: hasher=0x55abb2198800(20) Aug 26 13:10:18.739950: | natd_hash: icookie= 5f 02 0c cf 0e 18 8a 0e Aug 26 13:10:18.739952: | natd_hash: rcookie= bb a7 63 3c fd 04 52 89 Aug 26 13:10:18.739954: | natd_hash: ip= c0 01 02 17 Aug 26 13:10:18.739955: | natd_hash: port=500 Aug 26 13:10:18.739957: | natd_hash: hash= a6 28 89 1c 57 be d1 9f 3d d1 03 b6 c7 ee 83 d4 Aug 26 13:10:18.739959: | natd_hash: hash= 14 f5 3e 1b Aug 26 13:10:18.739960: | Adding a v2N Payload Aug 26 13:10:18.739962: | ***emit IKEv2 Notify Payload: Aug 26 13:10:18.739963: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:18.739965: | flags: none (0x0) Aug 26 13:10:18.739967: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:10:18.739968: | SPI size: 0 (0x0) Aug 26 13:10:18.739970: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Aug 26 13:10:18.739972: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Aug 26 13:10:18.739974: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Aug 26 13:10:18.739976: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Aug 26 13:10:18.739978: | Notify data a6 28 89 1c 57 be d1 9f 3d d1 03 b6 c7 ee 83 d4 Aug 26 13:10:18.739979: | Notify data 14 f5 3e 1b Aug 26 13:10:18.739981: | emitting length of IKEv2 Notify Payload: 28 Aug 26 13:10:18.739985: | natd_hash: hasher=0x55abb2198800(20) Aug 26 13:10:18.739987: | natd_hash: icookie= 5f 02 0c cf 0e 18 8a 0e Aug 26 13:10:18.739988: | natd_hash: rcookie= bb a7 63 3c fd 04 52 89 Aug 26 13:10:18.739990: | natd_hash: ip= c0 01 03 21 Aug 26 13:10:18.739991: | natd_hash: port=500 Aug 26 13:10:18.739993: | natd_hash: hash= 70 16 3c 43 7b 92 c1 cd 2b 22 11 3b 8d 38 ca 72 Aug 26 13:10:18.739995: | natd_hash: hash= ca 04 cf 0f Aug 26 13:10:18.739996: | Adding a v2N Payload Aug 26 13:10:18.739998: | ***emit IKEv2 Notify Payload: Aug 26 
13:10:18.739999: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:18.740001: | flags: none (0x0) Aug 26 13:10:18.740003: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:10:18.740004: | SPI size: 0 (0x0) Aug 26 13:10:18.740006: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Aug 26 13:10:18.740008: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Aug 26 13:10:18.740010: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Aug 26 13:10:18.740012: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Aug 26 13:10:18.740013: | Notify data 70 16 3c 43 7b 92 c1 cd 2b 22 11 3b 8d 38 ca 72 Aug 26 13:10:18.740015: | Notify data ca 04 cf 0f Aug 26 13:10:18.740017: | emitting length of IKEv2 Notify Payload: 28 Aug 26 13:10:18.740018: | emitting length of ISAKMP Message: 432 Aug 26 13:10:18.740023: | [RE]START processing: state #1 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:10:18.740026: | #1 complete_v2_state_transition() PARENT_R0->PARENT_R1 with status STF_OK Aug 26 13:10:18.740027: | IKEv2: transition from state STATE_PARENT_R0 to state STATE_PARENT_R1 Aug 26 13:10:18.740030: | parent state #1: PARENT_R0(half-open IKE SA) => PARENT_R1(half-open IKE SA) Aug 26 13:10:18.740032: | Message ID: updating counters for #1 to 0 after switching state Aug 26 13:10:18.740035: | Message ID: recv #1 request 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1->0 wip.initiator=-1 wip.responder=0->-1 Aug 26 13:10:18.740038: | Message ID: sent #1 response 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1->0 responder.recv=0 wip.initiator=-1 wip.responder=-1 Aug 26 13:10:18.740042: "northnet-eastnet/0x2" #1: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 
group=MODP2048} Aug 26 13:10:18.740046: | sending V2 new request packet to 192.1.3.33:500 (from 192.1.2.23:500) Aug 26 13:10:18.740049: | sending 432 bytes for STATE_PARENT_R0 through eth1 from 192.1.2.23:500 to 192.1.3.33:500 (using #1) Aug 26 13:10:18.740120: | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted Aug 26 13:10:18.740125: | libevent_free: release ptr-libevent@0x55abb312c768 Aug 26 13:10:18.740129: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55abb3129fe8 Aug 26 13:10:18.740132: | event_schedule: new EVENT_SO_DISCARD-pe@0x55abb3129fe8 Aug 26 13:10:18.740136: | inserting event EVENT_SO_DISCARD, timeout in 200 seconds for #1 Aug 26 13:10:18.740139: | libevent_malloc: new ptr-libevent@0x55abb312d878 size 128 Aug 26 13:10:18.740144: | resume sending helper answer for #1 suppresed complete_v2_state_transition() Aug 26 13:10:18.740150: | #1 spent 0.398 milliseconds in resume sending helper answer Aug 26 13:10:18.740155: | stop processing: state #1 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in resume_handler() at server.c:833) Aug 26 13:10:18.740159: | libevent_free: release ptr-libevent@0x7fd260002888 Aug 26 13:10:18.742568: | spent 0.00236 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Aug 26 13:10:18.742585: | *received 366 bytes from 192.1.3.33:500 on eth1 (192.1.2.23:500)
Aug 26 13:10:18.742636: | start processing: from 192.1.3.33:500 (in process_md() at demux.c:378) Aug 26 13:10:18.742639: | **parse ISAKMP Message: Aug 26 13:10:18.742640: | initiator cookie: Aug 26 13:10:18.742642: | 5f 02 0c cf 0e 18 8a 0e Aug 26 13:10:18.742644: | responder cookie: Aug 26 13:10:18.742645: | bb a7 63 3c fd 04 52 89 Aug 26 13:10:18.742647: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Aug 26 13:10:18.742649: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:10:18.742651: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Aug 26 13:10:18.742652: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Aug 26 13:10:18.742654: | Message ID: 1 (0x1) Aug 26 13:10:18.742656: | length: 366 (0x16e) Aug 26 13:10:18.742658: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) Aug 26 13:10:18.742660: | I am the IKE SA Original Responder receiving an IKEv2 IKE_AUTH request Aug 26 13:10:18.742663: | State DB: found
IKEv2 state #1 in PARENT_R1 (find_v2_ike_sa) Aug 26 13:10:18.742667: | start processing: state #1 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2016) Aug 26 13:10:18.742669: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Aug 26 13:10:18.742672: | [RE]START processing: state #1 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in ike_process_packet() at ikev2.c:2064) Aug 26 13:10:18.742674: | #1 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001 Aug 26 13:10:18.742677: | Message ID: #1 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 Aug 26 13:10:18.742679: | unpacking clear payload Aug 26 13:10:18.742680: | Now let's proceed with payload (ISAKMP_NEXT_v2SK) Aug 26 13:10:18.742682: | ***parse IKEv2 Encryption Payload: Aug 26 13:10:18.742684: | next payload type: ISAKMP_NEXT_v2IDi (0x23) Aug 26 13:10:18.742686: | flags: none (0x0) Aug 26 13:10:18.742687: | length: 338 (0x152) Aug 26 13:10:18.742689: | processing payload: ISAKMP_NEXT_v2SK (len=334) Aug 26 13:10:18.742692: | Message ID: start-responder #1 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=-1->1 Aug 26 13:10:18.742694: | #1 in state PARENT_R1: received v2I1, sent v2R1 Aug 26 13:10:18.742696: | selected state microcode Responder: process IKE_AUTH request (no SKEYSEED) Aug 26 13:10:18.742698: | Now let's proceed with state specific processing Aug 26 13:10:18.742699: | calling processor Responder: process IKE_AUTH request (no SKEYSEED) Aug 26 13:10:18.742702: | ikev2 parent inI2outR2: calculating g^{xy} in order to decrypt I2 Aug 26 13:10:18.742707: | offloading IKEv2 SKEYSEED using prf=HMAC_SHA2_512 integ=NONE cipherkey=AES_GCM_16 Aug 26 13:10:18.742709: | adding ikev2_inI2outR2 KE work-order 2 for state #1 Aug 26 13:10:18.742711: | state #1 requesting EVENT_SO_DISCARD to be deleted Aug 26 13:10:18.742714: | libevent_free: 
release ptr-libevent@0x55abb312d878 Aug 26 13:10:18.742716: | free_event_entry: release EVENT_SO_DISCARD-pe@0x55abb3129fe8 Aug 26 13:10:18.742718: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55abb3129fe8 Aug 26 13:10:18.742720: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 Aug 26 13:10:18.742722: | libevent_malloc: new ptr-libevent@0x7fd260002888 size 128 Aug 26 13:10:18.742730: | #1 spent 0.0269 milliseconds in processing: Responder: process IKE_AUTH request (no SKEYSEED) in ikev2_process_state_packet() Aug 26 13:10:18.742735: | crypto helper 0 resuming Aug 26 13:10:18.742736: | [RE]START processing: state #1 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:10:18.742744: | crypto helper 0 starting work-order 2 for state #1 Aug 26 13:10:18.742749: | #1 complete_v2_state_transition() PARENT_R1->PARENT_R1 with status STF_SUSPEND Aug 26 13:10:18.742753: | crypto helper 0 doing compute dh (V2) (ikev2_inI2outR2 KE); request ID 2 Aug 26 13:10:18.742755: | suspending state #1 and saving MD Aug 26 13:10:18.742758: | #1 is busy; has a suspended MD Aug 26 13:10:18.742762: | [RE]START processing: state #1 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in log_stf_suspend() at ikev2.c:3269) Aug 26 13:10:18.742766: | "northnet-eastnet/0x2" #1 complete v2 state STATE_PARENT_R1 transition with STF_SUSPEND suspended from complete_v2_state_transition:3451 Aug 26 13:10:18.742771: | stop processing: state #1 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2018) Aug 26 13:10:18.742775: | #1 spent 0.195 milliseconds in ikev2_process_packet() Aug 26 13:10:18.742780: | stop processing: from 192.1.3.33:500 (in process_md() at demux.c:380) Aug 26 13:10:18.742783: | processing: STOP state #0 (in process_md() at demux.c:382) Aug 26 13:10:18.742786: | processing: STOP connection NULL (in process_md() at demux.c:383) Aug 26 13:10:18.742790: | spent 
0.21 milliseconds in comm_handle_cb() reading and processing packet Aug 26 13:10:18.743308: | calculating skeyseed using prf=sha2_512 integ=none cipherkey-size=32 salt-size=4 Aug 26 13:10:18.743578: | crypto helper 0 finished compute dh (V2) (ikev2_inI2outR2 KE); request ID 2 time elapsed 0.000825 seconds Aug 26 13:10:18.743584: | (#1) spent 0.823 milliseconds in crypto helper computing work-order 2: ikev2_inI2outR2 KE (pcr) Aug 26 13:10:18.743586: | crypto helper 0 sending results from work-order 2 for state #1 to event queue Aug 26 13:10:18.743588: | scheduling resume sending helper answer for #1 Aug 26 13:10:18.743590: | libevent_malloc: new ptr-libevent@0x7fd258000f48 size 128 Aug 26 13:10:18.743597: | crypto helper 0 waiting (nothing to do) Aug 26 13:10:18.743602: | processing resume sending helper answer for #1 Aug 26 13:10:18.743608: | start processing: state #1 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in resume_handler() at server.c:797) Aug 26 13:10:18.743611: | crypto helper 0 replies to request ID 2 Aug 26 13:10:18.743613: | calling continuation function 0x55abb20c3b50 Aug 26 13:10:18.743615: | ikev2_parent_inI2outR2_continue for #1: calculating g^{xy}, sending R2 Aug 26 13:10:18.743617: | #1 in state PARENT_R1: received v2I1, sent v2R1 Aug 26 13:10:18.743626: | #1 ikev2 ISAKMP_v2_IKE_AUTH decrypt success Aug 26 13:10:18.743628: | Now let's proceed with payload (ISAKMP_NEXT_v2IDi) Aug 26 13:10:18.743631: | **parse IKEv2 Identification - Initiator - Payload: Aug 26 13:10:18.743633: | next payload type: ISAKMP_NEXT_v2IDr (0x24) Aug 26 13:10:18.743635: | flags: none (0x0) Aug 26 13:10:18.743636: | length: 13 (0xd) Aug 26 13:10:18.743638: | ID type: ID_FQDN (0x2) Aug 26 13:10:18.743640: | processing payload: ISAKMP_NEXT_v2IDi (len=5) Aug 26 13:10:18.743643: | Now let's proceed with payload (ISAKMP_NEXT_v2IDr) Aug 26 13:10:18.743645: | **parse IKEv2 Identification - Responder - Payload: Aug 26 13:10:18.743647: | next payload type: 
ISAKMP_NEXT_v2AUTH (0x27) Aug 26 13:10:18.743649: | flags: none (0x0) Aug 26 13:10:18.743650: | length: 12 (0xc) Aug 26 13:10:18.743652: | ID type: ID_FQDN (0x2) Aug 26 13:10:18.743653: | processing payload: ISAKMP_NEXT_v2IDr (len=4) Aug 26 13:10:18.743655: | Now let's proceed with payload (ISAKMP_NEXT_v2AUTH) Aug 26 13:10:18.743657: | **parse IKEv2 Authentication Payload: Aug 26 13:10:18.743658: | next payload type: ISAKMP_NEXT_v2SA (0x21) Aug 26 13:10:18.743660: | flags: none (0x0) Aug 26 13:10:18.743662: | length: 72 (0x48) Aug 26 13:10:18.743663: | auth method: IKEv2_AUTH_SHARED (0x2) Aug 26 13:10:18.743665: | processing payload: ISAKMP_NEXT_v2AUTH (len=64) Aug 26 13:10:18.743667: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Aug 26 13:10:18.743668: | **parse IKEv2 Security Association Payload: Aug 26 13:10:18.743670: | next payload type: ISAKMP_NEXT_v2TSi (0x2c) Aug 26 13:10:18.743671: | flags: none (0x0) Aug 26 13:10:18.743673: | length: 164 (0xa4) Aug 26 13:10:18.743675: | processing payload: ISAKMP_NEXT_v2SA (len=160) Aug 26 13:10:18.743676: | Now let's proceed with payload (ISAKMP_NEXT_v2TSi) Aug 26 13:10:18.743678: | **parse IKEv2 Traffic Selector - Initiator - Payload: Aug 26 13:10:18.743680: | next payload type: ISAKMP_NEXT_v2TSr (0x2d) Aug 26 13:10:18.743681: | flags: none (0x0) Aug 26 13:10:18.743683: | length: 24 (0x18) Aug 26 13:10:18.743684: | number of TS: 1 (0x1) Aug 26 13:10:18.743686: | processing payload: ISAKMP_NEXT_v2TSi (len=16) Aug 26 13:10:18.743688: | Now let's proceed with payload (ISAKMP_NEXT_v2TSr) Aug 26 13:10:18.743689: | **parse IKEv2 Traffic Selector - Responder - Payload: Aug 26 13:10:18.743691: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:18.743692: | flags: none (0x0) Aug 26 13:10:18.743694: | length: 24 (0x18) Aug 26 13:10:18.743695: | number of TS: 1 (0x1) Aug 26 13:10:18.743697: | processing payload: ISAKMP_NEXT_v2TSr (len=16) Aug 26 13:10:18.743699: | selected state microcode Responder: process IKE_AUTH 
request Aug 26 13:10:18.743701: | Now let's proceed with state specific processing Aug 26 13:10:18.743702: | calling processor Responder: process IKE_AUTH request Aug 26 13:10:18.743706: "northnet-eastnet/0x2" #1: processing decrypted IKE_AUTH request: SK{IDi,IDr,AUTH,SA,TSi,TSr} Aug 26 13:10:18.743710: | #1 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2669) Aug 26 13:10:18.743712: | received IDr payload - extracting our alleged ID Aug 26 13:10:18.743715: | refine_host_connection for IKEv2: starting with "northnet-eastnet/0x2" Aug 26 13:10:18.743718: | match_id a=@north Aug 26 13:10:18.743720: | b=@north Aug 26 13:10:18.743721: | results matched Aug 26 13:10:18.743724: | refine_host_connection: checking "northnet-eastnet/0x2" against "northnet-eastnet/0x2", best=(none) with match=1(id=1(0)/ca=1(0)/reqca=1(0)) Aug 26 13:10:18.743726: | Warning: not switching back to template of current instance Aug 26 13:10:18.743728: | Peer expects us to be @east (ID_FQDN) according to its IDr payload Aug 26 13:10:18.743729: | This connection's local id is @east (ID_FQDN) Aug 26 13:10:18.743732: | refine_host_connection: checked northnet-eastnet/0x2 against northnet-eastnet/0x2, now for see if best Aug 26 13:10:18.743734: | started looking for secret for @east->@north of kind PKK_PSK Aug 26 13:10:18.743736: | actually looking for secret for @east->@north of kind PKK_PSK Aug 26 13:10:18.743738: | line 1: key type PKK_PSK(@east) to type PKK_PSK Aug 26 13:10:18.743741: | 1: compared key @north to @east / @north -> 004 Aug 26 13:10:18.743743: | 2: compared key @east to @east / @north -> 014 Aug 26 13:10:18.743744: | line 1: match=014 Aug 26 13:10:18.743747: | match 014 beats previous best_match 000 match=0x55abb307fc48 (line=1) Aug 26 13:10:18.743749: | concluding with best_match=014 best=0x55abb307fc48 (lineno=1) Aug 26 13:10:18.743751: | returning because exact peer id match Aug 26 13:10:18.743753: | offered CA: 
'%none' Aug 26 13:10:18.743755: "northnet-eastnet/0x2" #1: IKEv2 mode peer ID is ID_FQDN: '@north' Aug 26 13:10:18.743769: | verifying AUTH payload Aug 26 13:10:18.743773: | ikev2_calculate_psk_sighash() called from STATE_PARENT_R1 to verify PSK with authby=secret Aug 26 13:10:18.743775: | started looking for secret for @east->@north of kind PKK_PSK Aug 26 13:10:18.743776: | actually looking for secret for @east->@north of kind PKK_PSK Aug 26 13:10:18.743778: | line 1: key type PKK_PSK(@east) to type PKK_PSK Aug 26 13:10:18.743780: | 1: compared key @north to @east / @north -> 004 Aug 26 13:10:18.743782: | 2: compared key @east to @east / @north -> 014 Aug 26 13:10:18.743784: | line 1: match=014 Aug 26 13:10:18.743786: | match 014 beats previous best_match 000 match=0x55abb307fc48 (line=1) Aug 26 13:10:18.743788: | concluding with best_match=014 best=0x55abb307fc48 (lineno=1) Aug 26 13:10:18.743823: "northnet-eastnet/0x2" #1: Authenticated using authby=secret Aug 26 13:10:18.743827: | parent state #1: PARENT_R1(half-open IKE SA) => PARENT_R2(established IKE SA) Aug 26 13:10:18.743830: | #1 will start re-keying in 3330 seconds with margin of 270 seconds (attempting re-key) Aug 26 13:10:18.743832: | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted Aug 26 13:10:18.743834: | libevent_free: release ptr-libevent@0x7fd260002888 Aug 26 13:10:18.743836: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55abb3129fe8 Aug 26 13:10:18.743838: | event_schedule: new EVENT_SA_REKEY-pe@0x55abb3129fe8 Aug 26 13:10:18.743840: | inserting event EVENT_SA_REKEY, timeout in 3330 seconds for #1 Aug 26 13:10:18.743842: | libevent_malloc: new ptr-libevent@0x55abb312d878 size 128 Aug 26 13:10:18.743922: | pstats #1 ikev2.ike established Aug 26 13:10:18.743927: | **emit ISAKMP Message: Aug 26 13:10:18.743929: | initiator cookie: Aug 26 13:10:18.743931: | 5f 02 0c cf 0e 18 8a 0e Aug 26 13:10:18.743933: | responder cookie: Aug 26 13:10:18.743934: | bb a7 63 3c fd 04 52 89 Aug 26 
13:10:18.743936: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 13:10:18.743938: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:10:18.743939: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Aug 26 13:10:18.743941: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Aug 26 13:10:18.743943: | Message ID: 1 (0x1) Aug 26 13:10:18.743945: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 13:10:18.743947: | IKEv2 CERT: send a certificate? Aug 26 13:10:18.743949: | IKEv2 CERT: policy does not have RSASIG or ECDSA: PSK Aug 26 13:10:18.743951: | ***emit IKEv2 Encryption Payload: Aug 26 13:10:18.743953: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:18.743954: | flags: none (0x0) Aug 26 13:10:18.743958: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Aug 26 13:10:18.743965: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'reply packet' Aug 26 13:10:18.743969: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Aug 26 13:10:18.743976: | Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED Aug 26 13:10:18.743989: | ****emit IKEv2 Identification - Responder - Payload: Aug 26 13:10:18.743994: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:18.743997: | flags: none (0x0) Aug 26 13:10:18.744000: | ID type: ID_FQDN (0x2) Aug 26 13:10:18.744005: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Identification - Responder - Payload (36:ISAKMP_NEXT_v2IDr) Aug 26 13:10:18.744009: | next payload chain: saving location 'IKEv2 Identification - Responder - Payload'.'next payload type' in 'reply packet' Aug 26 13:10:18.744014: | emitting 4 raw bytes of my identity into IKEv2 Identification - Responder - Payload Aug 26 13:10:18.744019: | my identity 65 61 73 74 Aug 26 13:10:18.744023: | emitting length of IKEv2 
Identification - Responder - Payload: 12 Aug 26 13:10:18.744029: | assembled IDr payload Aug 26 13:10:18.744031: | CHILD SA proposals received Aug 26 13:10:18.744032: | going to assemble AUTH payload Aug 26 13:10:18.744034: | ****emit IKEv2 Authentication Payload: Aug 26 13:10:18.744036: | next payload type: ISAKMP_NEXT_v2SA (0x21) Aug 26 13:10:18.744038: | flags: none (0x0) Aug 26 13:10:18.744039: | auth method: IKEv2_AUTH_SHARED (0x2) Aug 26 13:10:18.744041: | next payload chain: ignoring supplied 'IKEv2 Authentication Payload'.'next payload type' value 33:ISAKMP_NEXT_v2SA Aug 26 13:10:18.744044: | next payload chain: setting previous 'IKEv2 Identification - Responder - Payload'.'next payload type' to current IKEv2 Authentication Payload (39:ISAKMP_NEXT_v2AUTH) Aug 26 13:10:18.744046: | next payload chain: saving location 'IKEv2 Authentication Payload'.'next payload type' in 'reply packet' Aug 26 13:10:18.744048: | ikev2_calculate_psk_sighash() called from STATE_PARENT_R2 to create PSK with authby=secret Aug 26 13:10:18.744050: | started looking for secret for @east->@north of kind PKK_PSK Aug 26 13:10:18.744052: | actually looking for secret for @east->@north of kind PKK_PSK Aug 26 13:10:18.744054: | line 1: key type PKK_PSK(@east) to type PKK_PSK Aug 26 13:10:18.744057: | 1: compared key @north to @east / @north -> 004 Aug 26 13:10:18.744059: | 2: compared key @east to @east / @north -> 014 Aug 26 13:10:18.744060: | line 1: match=014 Aug 26 13:10:18.744062: | match 014 beats previous best_match 000 match=0x55abb307fc48 (line=1) Aug 26 13:10:18.744064: | concluding with best_match=014 best=0x55abb307fc48 (lineno=1) Aug 26 13:10:18.744098: | emitting 64 raw bytes of PSK auth into IKEv2 Authentication Payload Aug 26 13:10:18.744101: | PSK auth ed 01 00 d7 76 31 37 66 bf e8 d8 c5 41 26 a5 ba Aug 26 13:10:18.744103: | PSK auth ff ad 83 3b ff 09 d6 b7 b2 3a 76 ca 94 e5 11 33 Aug 26 13:10:18.744104: | PSK auth 0b 5b 3b b9 d8 cc e3 2f 58 63 61 8a 8b e2 75 a7 Aug 26 
13:10:18.744106: | PSK auth 8b 1f 7f 9f 81 48 04 95 6f 10 ca 00 35 61 b6 af Aug 26 13:10:18.744108: | emitting length of IKEv2 Authentication Payload: 72 Aug 26 13:10:18.744111: | creating state object #2 at 0x55abb312e3d8 Aug 26 13:10:18.744113: | State DB: adding IKEv2 state #2 in UNDEFINED Aug 26 13:10:18.744115: | pstats #2 ikev2.child started Aug 26 13:10:18.744117: | duplicating state object #1 "northnet-eastnet/0x2" as #2 for IPSEC SA Aug 26 13:10:18.744121: | #2 setting local endpoint to 192.1.2.23:500 from #1.st_localport (in duplicate_state() at state.c:1484) Aug 26 13:10:18.744125: | Message ID: init_child #1.#2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0; child: wip.initiator=0->-1 wip.responder=0->-1 Aug 26 13:10:18.744128: | Message ID: switch-from #1 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=1->-1 Aug 26 13:10:18.744131: | Message ID: switch-to #1.#2 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0; child: wip.initiator=-1 wip.responder=-1->1 Aug 26 13:10:18.744133: | Child SA TS Request has ike->sa == md->st; so using parent connection Aug 26 13:10:18.744134: | TSi: parsing 1 traffic selectors Aug 26 13:10:18.744137: | ***parse IKEv2 Traffic Selector: Aug 26 13:10:18.744138: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 13:10:18.744140: | IP Protocol ID: 0 (0x0) Aug 26 13:10:18.744142: | length: 16 (0x10) Aug 26 13:10:18.744143: | start port: 0 (0x0) Aug 26 13:10:18.744145: | end port: 65535 (0xffff) Aug 26 13:10:18.744147: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Aug 26 13:10:18.744149: | TS low c0 00 03 00 Aug 26 13:10:18.744150: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Aug 26 13:10:18.744152: | TS high c0 00 03 ff Aug 26 13:10:18.744154: | TSi: parsed 1 traffic selectors Aug 26 13:10:18.744155: | TSr: parsing 1 traffic selectors Aug 26 13:10:18.744158: | ***parse 
IKEv2 Traffic Selector: Aug 26 13:10:18.744160: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 13:10:18.744162: | IP Protocol ID: 0 (0x0) Aug 26 13:10:18.744163: | length: 16 (0x10) Aug 26 13:10:18.744165: | start port: 0 (0x0) Aug 26 13:10:18.744166: | end port: 65535 (0xffff) Aug 26 13:10:18.744168: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Aug 26 13:10:18.744170: | TS low c0 00 02 00 Aug 26 13:10:18.744171: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Aug 26 13:10:18.744173: | TS high c0 00 02 ff Aug 26 13:10:18.744174: | TSr: parsed 1 traffic selectors Aug 26 13:10:18.744176: | looking for best SPD in current connection Aug 26 13:10:18.744180: | evaluating our conn="northnet-eastnet/0x2" I=192.0.3.0/24:0/0 R=192.0.2.0/24:0/0 to their: Aug 26 13:10:18.744183: | TSi[0] .net=192.0.3.0-192.0.3.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 13:10:18.744187: | match address end->client=192.0.3.0/24 == TSi[0]net=192.0.3.0-192.0.3.255: YES fitness 32 Aug 26 13:10:18.744189: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Aug 26 13:10:18.744191: | TSi[0] port match: YES fitness 65536 Aug 26 13:10:18.744193: | narrow protocol end=*0 == TSi[0]=*0: 0 Aug 26 13:10:18.744195: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Aug 26 13:10:18.744198: | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 13:10:18.744201: | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 Aug 26 13:10:18.744203: | narrow port end=0..65535 == TSr[0]=0..65535: 0 Aug 26 13:10:18.744204: | TSr[0] port match: YES fitness 65536 Aug 26 13:10:18.744206: | narrow protocol end=*0 == TSr[0]=*0: 0 Aug 26 13:10:18.744208: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Aug 26 13:10:18.744210: | best fit so far: TSi[0] TSr[0] Aug 26 13:10:18.744212: | found better spd route for TSi[0],TSr[0] Aug 26 13:10:18.744213: | looking for better host pair Aug 26 13:10:18.744216: | 
find_host_pair: comparing 192.1.2.23:500 to 192.1.3.33:500 but ignoring ports Aug 26 13:10:18.744219: | checking hostpair 192.0.2.0/24 -> 192.0.3.0/24 is found Aug 26 13:10:18.744221: | investigating connection "northnet-eastnet/0x2" as a better match Aug 26 13:10:18.744223: | match_id a=@north Aug 26 13:10:18.744224: | b=@north Aug 26 13:10:18.744226: | results matched Aug 26 13:10:18.744229: | evaluating our conn="northnet-eastnet/0x2" I=192.0.3.0/24:0/0 R=192.0.2.0/24:0/0 to their: Aug 26 13:10:18.744232: | TSi[0] .net=192.0.3.0-192.0.3.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 13:10:18.744235: | match address end->client=192.0.3.0/24 == TSi[0]net=192.0.3.0-192.0.3.255: YES fitness 32 Aug 26 13:10:18.744237: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Aug 26 13:10:18.744238: | TSi[0] port match: YES fitness 65536 Aug 26 13:10:18.744240: | narrow protocol end=*0 == TSi[0]=*0: 0 Aug 26 13:10:18.744242: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Aug 26 13:10:18.744245: | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 13:10:18.744248: | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 Aug 26 13:10:18.744250: | narrow port end=0..65535 == TSr[0]=0..65535: 0 Aug 26 13:10:18.744251: | TSr[0] port match: YES fitness 65536 Aug 26 13:10:18.744253: | narrow protocol end=*0 == TSr[0]=*0: 0 Aug 26 13:10:18.744255: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Aug 26 13:10:18.744256: | best fit so far: TSi[0] TSr[0] Aug 26 13:10:18.744258: | investigating connection "northnet-eastnet/0x1" as a better match Aug 26 13:10:18.744260: | match_id a=@north Aug 26 13:10:18.744262: | b=@north Aug 26 13:10:18.744263: | results matched Aug 26 13:10:18.744266: | evaluating our conn="northnet-eastnet/0x1" I=192.0.3.0/24:0/0 R=192.0.2.0/24:0/0 to their: Aug 26 13:10:18.744270: | TSi[0] .net=192.0.3.0-192.0.3.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 
13:10:18.744273: | match address end->client=192.0.3.0/24 == TSi[0]net=192.0.3.0-192.0.3.255: YES fitness 32 Aug 26 13:10:18.744275: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Aug 26 13:10:18.744277: | TSi[0] port match: YES fitness 65536 Aug 26 13:10:18.744278: | narrow protocol end=*0 == TSi[0]=*0: 0 Aug 26 13:10:18.744280: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Aug 26 13:10:18.744283: | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 13:10:18.744286: | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 Aug 26 13:10:18.744292: | narrow port end=0..65535 == TSr[0]=0..65535: 0 Aug 26 13:10:18.744297: | TSr[0] port match: YES fitness 65536 Aug 26 13:10:18.744300: | narrow protocol end=*0 == TSr[0]=*0: 0 Aug 26 13:10:18.744302: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Aug 26 13:10:18.744304: | best fit so far: TSi[0] TSr[0] Aug 26 13:10:18.744306: | did not find a better connection using host pair Aug 26 13:10:18.744307: | printing contents struct traffic_selector Aug 26 13:10:18.744309: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Aug 26 13:10:18.744310: | ipprotoid: 0 Aug 26 13:10:18.744312: | port range: 0-65535 Aug 26 13:10:18.744314: | ip range: 192.0.2.0-192.0.2.255 Aug 26 13:10:18.744316: | printing contents struct traffic_selector Aug 26 13:10:18.744318: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Aug 26 13:10:18.744319: | ipprotoid: 0 Aug 26 13:10:18.744321: | port range: 0-65535 Aug 26 13:10:18.744323: | ip range: 192.0.3.0-192.0.3.255 Aug 26 13:10:18.744326: | constructing ESP/AH proposals with all DH removed for northnet-eastnet/0x2 (IKE_AUTH responder matching remote ESP/AH proposals) Aug 26 13:10:18.744330: | converting proposal AES_GCM_16_256-NONE to ikev2 ... Aug 26 13:10:18.744334: | ... ikev2_proposal: 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;DH=NONE;ESN=DISABLED Aug 26 13:10:18.744336: | converting proposal AES_GCM_16_128-NONE to ikev2 ... 
Aug 26 13:10:18.744339: | ... ikev2_proposal: 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;DH=NONE;ESN=DISABLED Aug 26 13:10:18.744341: | converting proposal AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128 to ikev2 ... Aug 26 13:10:18.744344: | ... ikev2_proposal: 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED Aug 26 13:10:18.744346: | converting proposal AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128 to ikev2 ... Aug 26 13:10:18.744348: | ... ikev2_proposal: 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED Aug 26 13:10:18.744353: "northnet-eastnet/0x2": constructed local ESP/AH proposals for northnet-eastnet/0x2 (IKE_AUTH responder matching remote ESP/AH proposals): 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;DH=NONE;ESN=DISABLED 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;DH=NONE;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED Aug 26 13:10:18.744355: | Comparing remote proposals against IKE_AUTH responder matching remote ESP/AH proposals 4 local proposals Aug 26 13:10:18.744359: | local proposal 1 type ENCR has 1 transforms Aug 26 13:10:18.744361: | local proposal 1 type PRF has 0 transforms Aug 26 13:10:18.744362: | local proposal 1 type INTEG has 1 transforms Aug 26 13:10:18.744364: | local proposal 1 type DH has 1 transforms Aug 26 13:10:18.744365: | local proposal 1 type ESN has 1 transforms Aug 26 13:10:18.744368: | local proposal 1 transforms: required: ENCR+ESN; optional: INTEG+DH Aug 26 13:10:18.744369: | local proposal 2 type ENCR has 1 transforms Aug 26 13:10:18.744371: | local proposal 2 type PRF has 0 transforms Aug 26 13:10:18.744373: | local proposal 2 type INTEG has 1 transforms Aug 26 13:10:18.744376: | local proposal 2 type DH has 1 transforms Aug 26 13:10:18.744377: | local proposal 2 type ESN has 1 transforms Aug 26 13:10:18.744379: | local proposal 2 
transforms: required: ENCR+ESN; optional: INTEG+DH Aug 26 13:10:18.744381: | local proposal 3 type ENCR has 1 transforms Aug 26 13:10:18.744382: | local proposal 3 type PRF has 0 transforms Aug 26 13:10:18.744384: | local proposal 3 type INTEG has 2 transforms Aug 26 13:10:18.744386: | local proposal 3 type DH has 1 transforms Aug 26 13:10:18.744387: | local proposal 3 type ESN has 1 transforms Aug 26 13:10:18.744389: | local proposal 3 transforms: required: ENCR+INTEG+ESN; optional: DH Aug 26 13:10:18.744391: | local proposal 4 type ENCR has 1 transforms Aug 26 13:10:18.744393: | local proposal 4 type PRF has 0 transforms Aug 26 13:10:18.744394: | local proposal 4 type INTEG has 2 transforms Aug 26 13:10:18.744396: | local proposal 4 type DH has 1 transforms Aug 26 13:10:18.744397: | local proposal 4 type ESN has 1 transforms Aug 26 13:10:18.744399: | local proposal 4 transforms: required: ENCR+INTEG+ESN; optional: DH Aug 26 13:10:18.744401: | ***parse IKEv2 Proposal Substructure Payload: Aug 26 13:10:18.744403: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 13:10:18.744405: | length: 32 (0x20) Aug 26 13:10:18.744406: | prop #: 1 (0x1) Aug 26 13:10:18.744408: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 13:10:18.744410: | spi size: 4 (0x4) Aug 26 13:10:18.744411: | # transforms: 2 (0x2) Aug 26 13:10:18.744413: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Aug 26 13:10:18.744415: | remote SPI 7b a4 53 88 Aug 26 13:10:18.744417: | Comparing remote proposal 1 containing 2 transforms against local proposal [1..4] of 4 local proposals Aug 26 13:10:18.744419: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:18.744421: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:18.744422: | length: 12 (0xc) Aug 26 13:10:18.744424: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:10:18.744426: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 13:10:18.744428: | *****parse IKEv2 Attribute Substructure Payload: Aug 26 
13:10:18.744429: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:10:18.744431: | length/value: 256 (0x100) Aug 26 13:10:18.744434: | remote proposal 1 transform 0 (ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) transform 0 Aug 26 13:10:18.744436: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:18.744437: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:10:18.744439: | length: 8 (0x8) Aug 26 13:10:18.744441: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 13:10:18.744442: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 13:10:18.744445: | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 1 type 5 (ESN) transform 0 Aug 26 13:10:18.744447: | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 2 type 5 (ESN) transform 0 Aug 26 13:10:18.744449: | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 3 type 5 (ESN) transform 0 Aug 26 13:10:18.744451: | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 4 type 5 (ESN) transform 0 Aug 26 13:10:18.744453: | remote proposal 1 proposed transforms: ENCR+ESN; matched: ENCR+ESN; unmatched: none Aug 26 13:10:18.744456: | comparing remote proposal 1 containing ENCR+ESN transforms to local proposal 1; required: ENCR+ESN; optional: INTEG+DH; matched: ENCR+ESN Aug 26 13:10:18.744457: | remote proposal 1 matches local proposal 1 Aug 26 13:10:18.744459: | ***parse IKEv2 Proposal Substructure Payload: Aug 26 13:10:18.744461: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 13:10:18.744463: | length: 32 (0x20) Aug 26 13:10:18.744464: | prop #: 2 (0x2) Aug 26 13:10:18.744466: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 13:10:18.744467: | spi size: 4 (0x4) Aug 26 13:10:18.744469: | # transforms: 2 (0x2) Aug 26 13:10:18.744471: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Aug 26 13:10:18.744473: | remote SPI 7b a4 53 88 Aug 26 13:10:18.744475: | Comparing remote proposal 2 containing 2 transforms against 
local proposal [1..0] of 4 local proposals Aug 26 13:10:18.744477: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:18.744479: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:18.744480: | length: 12 (0xc) Aug 26 13:10:18.744482: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:10:18.744484: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 13:10:18.744485: | *****parse IKEv2 Attribute Substructure Payload: Aug 26 13:10:18.744487: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:10:18.744489: | length/value: 128 (0x80) Aug 26 13:10:18.744490: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:18.744492: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:10:18.744494: | length: 8 (0x8) Aug 26 13:10:18.744495: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 13:10:18.744497: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 13:10:18.744499: | remote proposal 2 proposed transforms: ENCR+ESN; matched: none; unmatched: ENCR+ESN Aug 26 13:10:18.744501: | remote proposal 2 does not match; unmatched remote transforms: ENCR+ESN Aug 26 13:10:18.744503: | ***parse IKEv2 Proposal Substructure Payload: Aug 26 13:10:18.744504: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 13:10:18.744506: | length: 48 (0x30) Aug 26 13:10:18.744507: | prop #: 3 (0x3) Aug 26 13:10:18.744509: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 13:10:18.744510: | spi size: 4 (0x4) Aug 26 13:10:18.744512: | # transforms: 4 (0x4) Aug 26 13:10:18.744514: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Aug 26 13:10:18.744515: | remote SPI 7b a4 53 88 Aug 26 13:10:18.744517: | Comparing remote proposal 3 containing 4 transforms against local proposal [1..0] of 4 local proposals Aug 26 13:10:18.744519: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:18.744521: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:18.744522: | length: 12 (0xc) Aug 26 13:10:18.744524: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 
13:10:18.744525: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 13:10:18.744527: | *****parse IKEv2 Attribute Substructure Payload: Aug 26 13:10:18.744529: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:10:18.744530: | length/value: 256 (0x100) Aug 26 13:10:18.744532: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:18.744534: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:18.744535: | length: 8 (0x8) Aug 26 13:10:18.744537: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:10:18.744539: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Aug 26 13:10:18.744540: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:18.744542: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:18.744544: | length: 8 (0x8) Aug 26 13:10:18.744545: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:10:18.744547: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Aug 26 13:10:18.744549: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:18.744550: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:10:18.744552: | length: 8 (0x8) Aug 26 13:10:18.744553: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 13:10:18.744555: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 13:10:18.744557: | remote proposal 3 proposed transforms: ENCR+INTEG+ESN; matched: none; unmatched: ENCR+INTEG+ESN Aug 26 13:10:18.744559: | remote proposal 3 does not match; unmatched remote transforms: ENCR+INTEG+ESN Aug 26 13:10:18.744561: | ***parse IKEv2 Proposal Substructure Payload: Aug 26 13:10:18.744563: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 13:10:18.744564: | length: 48 (0x30) Aug 26 13:10:18.744566: | prop #: 4 (0x4) Aug 26 13:10:18.744567: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 13:10:18.744569: | spi size: 4 (0x4) Aug 26 13:10:18.744570: | # transforms: 4 (0x4) Aug 26 13:10:18.744574: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Aug 26 13:10:18.744576: | remote SPI 7b a4 53 88 Aug 26 13:10:18.744578: 
| Comparing remote proposal 4 containing 4 transforms against local proposal [1..0] of 4 local proposals Aug 26 13:10:18.744579: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:18.744581: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:18.744582: | length: 12 (0xc) Aug 26 13:10:18.744584: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:10:18.744586: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 13:10:18.744587: | *****parse IKEv2 Attribute Substructure Payload: Aug 26 13:10:18.744589: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:10:18.744590: | length/value: 128 (0x80) Aug 26 13:10:18.744592: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:18.744594: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:18.744595: | length: 8 (0x8) Aug 26 13:10:18.744597: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:10:18.744599: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Aug 26 13:10:18.744600: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:18.744602: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:18.744604: | length: 8 (0x8) Aug 26 13:10:18.744605: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:10:18.744607: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Aug 26 13:10:18.744609: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:18.744610: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:10:18.744612: | length: 8 (0x8) Aug 26 13:10:18.744613: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 13:10:18.744615: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 13:10:18.744617: | remote proposal 4 proposed transforms: ENCR+INTEG+ESN; matched: none; unmatched: ENCR+INTEG+ESN Aug 26 13:10:18.744619: | remote proposal 4 does not match; unmatched remote transforms: ENCR+INTEG+ESN Aug 26 13:10:18.744622: "northnet-eastnet/0x2" #1: proposal 1:ESP:SPI=7ba45388;ENCR=AES_GCM_C_256;ESN=DISABLED chosen from remote proposals 
1:ESP:ENCR=AES_GCM_C_256;ESN=DISABLED[first-match] 2:ESP:ENCR=AES_GCM_C_128;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED Aug 26 13:10:18.744625: | IKE_AUTH responder matching remote ESP/AH proposals ikev2_proposal: 1:ESP:SPI=7ba45388;ENCR=AES_GCM_C_256;ESN=DISABLED Aug 26 13:10:18.744627: | converting proposal to internal trans attrs Aug 26 13:10:18.744641: | netlink_get_spi: allocated 0xd62559e for esp.0@192.1.2.23 Aug 26 13:10:18.744643: | Emitting ikev2_proposal ... Aug 26 13:10:18.744645: | ****emit IKEv2 Security Association Payload: Aug 26 13:10:18.744646: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:18.744648: | flags: none (0x0) Aug 26 13:10:18.744650: | next payload chain: setting previous 'IKEv2 Authentication Payload'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Aug 26 13:10:18.744652: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Aug 26 13:10:18.744654: | *****emit IKEv2 Proposal Substructure Payload: Aug 26 13:10:18.744656: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 13:10:18.744658: | prop #: 1 (0x1) Aug 26 13:10:18.744659: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 13:10:18.744661: | spi size: 4 (0x4) Aug 26 13:10:18.744662: | # transforms: 2 (0x2) Aug 26 13:10:18.744664: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Aug 26 13:10:18.744667: | emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload Aug 26 13:10:18.744668: | our spi 0d 62 55 9e Aug 26 13:10:18.744670: | ******emit IKEv2 Transform Substructure Payload: Aug 26 13:10:18.744672: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:18.744675: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:10:18.744676: | IKEv2 
transform ID: AES_GCM_C (0x14) Aug 26 13:10:18.744678: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:10:18.744680: | *******emit IKEv2 Attribute Substructure Payload: Aug 26 13:10:18.744682: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:10:18.744684: | length/value: 256 (0x100) Aug 26 13:10:18.744686: | emitting length of IKEv2 Transform Substructure Payload: 12 Aug 26 13:10:18.744687: | ******emit IKEv2 Transform Substructure Payload: Aug 26 13:10:18.744689: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:10:18.744690: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 13:10:18.744692: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 13:10:18.744694: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:18.744696: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:10:18.744698: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:10:18.744700: | emitting length of IKEv2 Proposal Substructure Payload: 32 Aug 26 13:10:18.744702: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Aug 26 13:10:18.744703: | emitting length of IKEv2 Security Association Payload: 36 Aug 26 13:10:18.744705: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Aug 26 13:10:18.744707: | ****emit IKEv2 Traffic Selector - Initiator - Payload: Aug 26 13:10:18.744709: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:18.744710: | flags: none (0x0) Aug 26 13:10:18.744712: | number of TS: 1 (0x1) Aug 26 13:10:18.744714: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to 
current IKEv2 Traffic Selector - Initiator - Payload (44:ISAKMP_NEXT_v2TSi) Aug 26 13:10:18.744716: | next payload chain: saving location 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' in 'reply packet' Aug 26 13:10:18.744718: | *****emit IKEv2 Traffic Selector: Aug 26 13:10:18.744719: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 13:10:18.744721: | IP Protocol ID: 0 (0x0) Aug 26 13:10:18.744723: | start port: 0 (0x0) Aug 26 13:10:18.744724: | end port: 65535 (0xffff) Aug 26 13:10:18.744726: | emitting 4 raw bytes of ipv4 start into IKEv2 Traffic Selector Aug 26 13:10:18.744728: | ipv4 start c0 00 03 00 Aug 26 13:10:18.744730: | emitting 4 raw bytes of ipv4 end into IKEv2 Traffic Selector Aug 26 13:10:18.744731: | ipv4 end c0 00 03 ff Aug 26 13:10:18.744733: | emitting length of IKEv2 Traffic Selector: 16 Aug 26 13:10:18.744735: | emitting length of IKEv2 Traffic Selector - Initiator - Payload: 24 Aug 26 13:10:18.744736: | ****emit IKEv2 Traffic Selector - Responder - Payload: Aug 26 13:10:18.744738: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:18.744740: | flags: none (0x0) Aug 26 13:10:18.744741: | number of TS: 1 (0x1) Aug 26 13:10:18.744743: | next payload chain: setting previous 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' to current IKEv2 Traffic Selector - Responder - Payload (45:ISAKMP_NEXT_v2TSr) Aug 26 13:10:18.744745: | next payload chain: saving location 'IKEv2 Traffic Selector - Responder - Payload'.'next payload type' in 'reply packet' Aug 26 13:10:18.744747: | *****emit IKEv2 Traffic Selector: Aug 26 13:10:18.744748: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 13:10:18.744750: | IP Protocol ID: 0 (0x0) Aug 26 13:10:18.744752: | start port: 0 (0x0) Aug 26 13:10:18.744753: | end port: 65535 (0xffff) Aug 26 13:10:18.744755: | emitting 4 raw bytes of ipv4 start into IKEv2 Traffic Selector Aug 26 13:10:18.744757: | ipv4 start c0 00 02 00 Aug 26 13:10:18.744759: | emitting 4 raw bytes of ipv4 
end into IKEv2 Traffic Selector Aug 26 13:10:18.744761: | ipv4 end c0 00 02 ff Aug 26 13:10:18.744762: | emitting length of IKEv2 Traffic Selector: 16 Aug 26 13:10:18.744764: | emitting length of IKEv2 Traffic Selector - Responder - Payload: 24 Aug 26 13:10:18.744766: | Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED Aug 26 13:10:18.744768: | integ=none: .key_size=0 encrypt=aes_gcm_16: .key_size=32 .salt_size=4 keymat_len=36 Aug 26 13:10:18.744863: | FOR_EACH_CONNECTION_... in ISAKMP_SA_established Aug 26 13:10:18.744869: | #1 spent 1.16 milliseconds Aug 26 13:10:18.744871: | install_ipsec_sa() for #2: inbound and outbound Aug 26 13:10:18.744873: | could_route called for northnet-eastnet/0x2 (kind=CK_PERMANENT) Aug 26 13:10:18.744875: | FOR_EACH_CONNECTION_... in route_owner Aug 26 13:10:18.744877: | conn northnet-eastnet/0x2 mark 0/00000000, 0/00000000 vs Aug 26 13:10:18.744879: | conn northnet-eastnet/0x2 mark 0/00000000, 0/00000000 Aug 26 13:10:18.744881: | conn northnet-eastnet/0x2 mark 0/00000000, 0/00000000 vs Aug 26 13:10:18.744883: | conn northnet-eastnet/0x1 mark 0/00000000, 0/00000000 Aug 26 13:10:18.744885: | route owner of "northnet-eastnet/0x2" unrouted: NULL; eroute owner: NULL Aug 26 13:10:18.744888: | looking for alg with encrypt: AES_GCM_16 keylen: 256 integ: NONE Aug 26 13:10:18.744890: | encrypt AES_GCM_16 keylen=256 transid=20, key_size=32, encryptalg=20 Aug 26 13:10:18.744892: | AES_GCM_16 requires 4 salt bytes Aug 26 13:10:18.744894: | st->st_esp.keymat_len=36 is encrypt_keymat_size=36 + integ_keymat_size=0 Aug 26 13:10:18.744897: | setting IPsec SA replay-window to 32 Aug 26 13:10:18.744899: | NIC esp-hw-offload not for connection 'northnet-eastnet/0x2' not available on interface eth1 Aug 26 13:10:18.744901: | netlink: enabling tunnel mode Aug 26 13:10:18.744903: | netlink: setting IPsec SA replay-window to 32 using old-style req Aug 26 13:10:18.744905: | netlink: esp-hw-offload not set for IPsec SA Aug 26 
13:10:18.744962: | netlink response for Add SA esp.7ba45388@192.1.3.33 included non-error error Aug 26 13:10:18.744965: | set up outgoing SA, ref=0/0 Aug 26 13:10:18.744967: | looking for alg with encrypt: AES_GCM_16 keylen: 256 integ: NONE Aug 26 13:10:18.744969: | encrypt AES_GCM_16 keylen=256 transid=20, key_size=32, encryptalg=20 Aug 26 13:10:18.744971: | AES_GCM_16 requires 4 salt bytes Aug 26 13:10:18.744973: | st->st_esp.keymat_len=36 is encrypt_keymat_size=36 + integ_keymat_size=0 Aug 26 13:10:18.744975: | setting IPsec SA replay-window to 32 Aug 26 13:10:18.744977: | NIC esp-hw-offload not for connection 'northnet-eastnet/0x2' not available on interface eth1 Aug 26 13:10:18.744979: | netlink: enabling tunnel mode Aug 26 13:10:18.744980: | netlink: setting IPsec SA replay-window to 32 using old-style req Aug 26 13:10:18.744982: | netlink: esp-hw-offload not set for IPsec SA Aug 26 13:10:18.745011: | netlink response for Add SA esp.d62559e@192.1.2.23 included non-error error Aug 26 13:10:18.745017: | priority calculation of connection "northnet-eastnet/0x2" is 0xfe7e7 Aug 26 13:10:18.745025: | add inbound eroute 192.0.3.0/24:0 --0-> 192.0.2.0/24:0 => tun.10000@192.1.2.23 (raw_eroute) Aug 26 13:10:18.745029: | IPsec Sa SPD priority set to 1042407 Aug 26 13:10:18.745046: | raw_eroute result=success Aug 26 13:10:18.745049: | set up incoming SA, ref=0/0 Aug 26 13:10:18.745050: | sr for #2: unrouted Aug 26 13:10:18.745053: | route_and_eroute() for proto 0, and source port 0 dest port 0 Aug 26 13:10:18.745056: | FOR_EACH_CONNECTION_... 
in route_owner Aug 26 13:10:18.745060: | conn northnet-eastnet/0x2 mark 0/00000000, 0/00000000 vs Aug 26 13:10:18.745063: | conn northnet-eastnet/0x2 mark 0/00000000, 0/00000000 Aug 26 13:10:18.745067: | conn northnet-eastnet/0x2 mark 0/00000000, 0/00000000 vs Aug 26 13:10:18.745071: | conn northnet-eastnet/0x1 mark 0/00000000, 0/00000000 Aug 26 13:10:18.745075: | route owner of "northnet-eastnet/0x2" unrouted: NULL; eroute owner: NULL Aug 26 13:10:18.745083: | route_and_eroute with c: northnet-eastnet/0x2 (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: #2 Aug 26 13:10:18.745087: | priority calculation of connection "northnet-eastnet/0x2" is 0xfe7e7 Aug 26 13:10:18.745096: | eroute_connection add eroute 192.0.2.0/24:0 --0-> 192.0.3.0/24:0 => tun.0@192.1.3.33 (raw_eroute) Aug 26 13:10:18.745100: | IPsec Sa SPD priority set to 1042407 Aug 26 13:10:18.745115: | raw_eroute result=success Aug 26 13:10:18.745119: | running updown command "ipsec _updown" for verb up Aug 26 13:10:18.745121: | command executing up-client Aug 26 13:10:18.745146: | executing up-client: PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='northnet-eastnet/0x2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='@north' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+OVERLAPIP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' 
PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_ Aug 26 13:10:18.745149: | popen cmd is 1046 chars long Aug 26 13:10:18.745151: | cmd( 0):PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='northnet-eastnet/0x: Aug 26 13:10:18.745153: | cmd( 80):2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUT: Aug 26 13:10:18.745155: | cmd( 160):O_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' P: Aug 26 13:10:18.745157: | cmd( 240):LUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUT: Aug 26 13:10:18.745159: | cmd( 320):O_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='@n: Aug 26 13:10:18.745160: | cmd( 400):orth' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_P: Aug 26 13:10:18.745162: | cmd( 480):EER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUT: Aug 26 13:10:18.745164: | cmd( 560):O_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRY: Aug 26 13:10:18.745166: | cmd( 640):PT+TUNNEL+PFS+OVERLAPIP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CON: Aug 26 13:10:18.745167: | cmd( 720):N_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_: Aug 26 13:10:18.745169: | cmd( 800):CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' : Aug 26 13:10:18.745171: | cmd( 880):PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' V: Aug 26 13:10:18.745172: | cmd( 960):TI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x7ba45388 SPI_OUT=0xd62559e ipsec _updow: Aug 26 13:10:18.745174: | cmd(1040):n 2>&1: Aug 26 13:10:18.754057: | route_and_eroute: firewall_notified: true Aug 26 13:10:18.754074: | running updown command "ipsec _updown" for verb prepare Aug 26 13:10:18.754078: | command executing prepare-client Aug 26 13:10:18.754108: | executing prepare-client: 
PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='northnet-eastnet/0x2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='@north' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+OVERLAPIP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED Aug 26 13:10:18.754118: | popen cmd is 1051 chars long Aug 26 13:10:18.754122: | cmd( 0):PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='northnet-eastn: Aug 26 13:10:18.754124: | cmd( 80):et/0x2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23': Aug 26 13:10:18.754127: | cmd( 160): PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2: Aug 26 13:10:18.754129: | cmd( 240):.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0': Aug 26 13:10:18.754132: | cmd( 320): PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_I: Aug 26 13:10:18.754134: | cmd( 400):D='@north' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PL: Aug 26 13:10:18.754136: | cmd( 480):UTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0': Aug 26 13:10:18.754139: | cmd( 560): PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+: Aug 26 
13:10:18.754141: | cmd( 640):ENCRYPT+TUNNEL+PFS+OVERLAPIP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUT: Aug 26 13:10:18.754144: | cmd( 720):O_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_: Aug 26 13:10:18.754147: | cmd( 800):PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNE: Aug 26 13:10:18.754149: | cmd( 880):R='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE: Aug 26 13:10:18.754152: | cmd( 960):='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x7ba45388 SPI_OUT=0xd62559e ipsec _: Aug 26 13:10:18.754155: | cmd(1040):updown 2>&1: Aug 26 13:10:18.762386: | running updown command "ipsec _updown" for verb route Aug 26 13:10:18.762405: | command executing route-client Aug 26 13:10:18.762427: | executing route-client: PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='northnet-eastnet/0x2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='@north' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+OVERLAPIP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no Aug 26 13:10:18.762431: | popen cmd is 1049 chars long Aug 26 13:10:18.762433: | cmd( 0):PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='northnet-eastnet: Aug 26 
13:10:18.762435: | cmd( 80):/0x2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' P: Aug 26 13:10:18.762437: | cmd( 160):LUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0: Aug 26 13:10:18.762439: | cmd( 240):' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' P: Aug 26 13:10:18.762440: | cmd( 320):LUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID=: Aug 26 13:10:18.762442: | cmd( 400):'@north' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUT: Aug 26 13:10:18.762444: | cmd( 480):O_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' P: Aug 26 13:10:18.762448: | cmd( 560):LUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+EN: Aug 26 13:10:18.762450: | cmd( 640):CRYPT+TUNNEL+PFS+OVERLAPIP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_: Aug 26 13:10:18.762452: | cmd( 720):CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PE: Aug 26 13:10:18.762453: | cmd( 800):ER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER=: Aug 26 13:10:18.762455: | cmd( 880):'' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE=': Aug 26 13:10:18.762457: | cmd( 960):' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x7ba45388 SPI_OUT=0xd62559e ipsec _up: Aug 26 13:10:18.762458: | cmd(1040):down 2>&1: Aug 26 13:10:18.775843: | route_and_eroute: instance "northnet-eastnet/0x2", setting eroute_owner {spd=0x55abb3126ad8,sr=0x55abb3126ad8} to #2 (was #0) (newest_ipsec_sa=#0) Aug 26 13:10:18.776156: | #1 spent 2.22 milliseconds in install_ipsec_sa() Aug 26 13:10:18.776163: | ISAKMP_v2_IKE_AUTH: instance northnet-eastnet/0x2[0], setting IKEv2 newest_ipsec_sa to #2 (was #0) (spd.eroute=#2) cloned from #1 Aug 26 13:10:18.776166: | adding 1 bytes of padding (including 1 byte padding-length) Aug 26 13:10:18.776168: | emitting 1 0x00 repeated 
bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:10:18.776172: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Aug 26 13:10:18.776174: | emitting length of IKEv2 Encryption Payload: 197 Aug 26 13:10:18.776176: | emitting length of ISAKMP Message: 225 Aug 26 13:10:18.776206: | ikev2_parent_inI2outR2_continue_tail returned STF_OK Aug 26 13:10:18.776211: | #1 spent 3.43 milliseconds in processing: Responder: process IKE_AUTH request in ikev2_process_state_packet() Aug 26 13:10:18.776217: | suspend processing: state #1 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:10:18.776221: | start processing: state #2 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:10:18.776224: | #2 complete_v2_state_transition() md.from_state=PARENT_R1 md.svm.state[from]=PARENT_R1 UNDEFINED->V2_IPSEC_R with status STF_OK Aug 26 13:10:18.776227: | IKEv2: transition from state STATE_PARENT_R1 to state STATE_V2_IPSEC_R Aug 26 13:10:18.776229: | child state #2: UNDEFINED(ignore) => V2_IPSEC_R(established CHILD SA) Aug 26 13:10:18.776232: | Message ID: updating counters for #2 to 1 after switching state Aug 26 13:10:18.776236: | Message ID: recv #1.#2 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0->1; child: wip.initiator=-1 wip.responder=1->-1 Aug 26 13:10:18.776239: | Message ID: sent #1.#2 response 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0->1 responder.recv=1; child: wip.initiator=-1 wip.responder=-1 Aug 26 13:10:18.776241: | pstats #2 ikev2.child established Aug 26 13:10:18.776247: "northnet-eastnet/0x2" #2: negotiated connection [192.0.2.0-192.0.2.255:0-65535 0] -> [192.0.3.0-192.0.3.255:0-65535 0] Aug 26 13:10:18.776250: | NAT-T: encaps is 'auto' Aug 26 13:10:18.776253: "northnet-eastnet/0x2" #2: STATE_V2_IPSEC_R: IPsec SA established tunnel 
mode {ESP=>0x7ba45388 <0x0d62559e xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive} Aug 26 13:10:18.776257: | sending V2 new request packet to 192.1.3.33:500 (from 192.1.2.23:500) Aug 26 13:10:18.776262: | sending 225 bytes for STATE_PARENT_R1 through eth1 from 192.1.2.23:500 to 192.1.3.33:500 (using #1) Aug 26 13:10:18.776355: | releasing whack for #2 (sock=fd@-1) Aug 26 13:10:18.776360: | releasing whack and unpending for parent #1 Aug 26 13:10:18.776362: | unpending state #1 connection "northnet-eastnet/0x2" Aug 26 13:10:18.776367: | #2 will start re-keying in 28530 seconds with margin of 270 seconds (attempting re-key) Aug 26 13:10:18.776371: | event_schedule: new EVENT_SA_REKEY-pe@0x7fd260002b78 Aug 26 13:10:18.776374: | inserting event EVENT_SA_REKEY, timeout in 28530 seconds for #2 Aug 26 13:10:18.776378: | libevent_malloc: new ptr-libevent@0x55abb312e328 size 128 Aug 26 13:10:18.776394: | resume sending
helper answer for #1 suppresed complete_v2_state_transition() Aug 26 13:10:18.776400: | #1 spent 3.67 milliseconds in resume sending helper answer Aug 26 13:10:18.776406: | stop processing: state #2 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in resume_handler() at server.c:833) Aug 26 13:10:18.776412: | libevent_free: release ptr-libevent@0x7fd258000f48 Aug 26 13:10:18.776428: | processing signal PLUTO_SIGCHLD Aug 26 13:10:18.776433: | waitpid returned ECHILD (no child processes left) Aug 26 13:10:18.776438: | spent 0.00552 milliseconds in signal handler PLUTO_SIGCHLD Aug 26 13:10:18.776441: | processing signal PLUTO_SIGCHLD Aug 26 13:10:18.776445: | waitpid returned ECHILD (no child processes left) Aug 26 13:10:18.776449: | spent 0.00377 milliseconds in signal handler PLUTO_SIGCHLD Aug 26 13:10:18.776452: | processing signal PLUTO_SIGCHLD Aug 26 13:10:18.776456: | waitpid returned ECHILD (no child processes left) Aug 26 13:10:18.776460: | spent 0.00387 milliseconds in signal handler PLUTO_SIGCHLD Aug 26 13:10:18.810640: | spent 0.0027 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Aug 26 13:10:18.810665: | *received 601 bytes from 192.1.3.33:500 on eth1 (192.1.2.23:500)
Aug 26 13:10:18.810743: | start processing: from 192.1.3.33:500 (in process_md() at demux.c:378) Aug 26 13:10:18.810745: | **parse ISAKMP Message: Aug 26 13:10:18.810747: | initiator cookie: Aug 26 13:10:18.810749: | 5f 02 0c cf 0e 18 8a 0e Aug 26 13:10:18.810750: | responder cookie: Aug 26 13:10:18.810752: | bb a7 63 3c fd 04 52 89 Aug 26 13:10:18.810754: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Aug 26 13:10:18.810756: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:10:18.810757: | exchange type: ISAKMP_v2_CREATE_CHILD_SA (0x24) Aug 26 13:10:18.810761: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Aug 26 13:10:18.810763: | Message ID: 2 (0x2) Aug 26 13:10:18.810764: | length: 601 (0x259) Aug 26 13:10:18.810766: | processing version=2.0 packet with exchange type=ISAKMP_v2_CREATE_CHILD_SA (36) Aug 26 13:10:18.810769: | I am the IKE SA Original Responder receiving an IKEv2 CREATE_CHILD_SA request Aug 26 13:10:18.810772: | State DB: found IKEv2 state #1 in PARENT_R2 (find_v2_ike_sa) Aug 26 13:10:18.810776: | start processing: state #1 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2016) Aug 26 13:10:18.810778: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Aug 26 13:10:18.810781: | [RE]START processing: state #1 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in ike_process_packet() at ikev2.c:2064) Aug 26 13:10:18.810783: | #1 st.st_msgid_lastrecv 1 md.hdr.isa_msgid 00000002 Aug 26 13:10:18.810786: | Message ID: #1 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1 Aug 26 13:10:18.810788: | unpacking clear payload Aug 26 13:10:18.810790: | Now let's proceed with payload (ISAKMP_NEXT_v2SK) Aug 26 13:10:18.810792: | ***parse IKEv2 Encryption Payload: Aug 26 13:10:18.810793: | next payload type: ISAKMP_NEXT_v2SA (0x21) Aug 26 13:10:18.810795: | flags: none (0x0) Aug 26 13:10:18.810797: | length: 573 (0x23d)
Aug 26 13:10:18.810799: | processing payload: ISAKMP_NEXT_v2SK (len=569) Aug 26 13:10:18.810802: | Message ID: start-responder #1 request 2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1 wip.initiator=-1 wip.responder=-1->2 Aug 26 13:10:18.810804: | #1 in state PARENT_R2: received v2I2, PARENT SA established Aug 26 13:10:18.810818: | #1 ikev2 ISAKMP_v2_CREATE_CHILD_SA decrypt success Aug 26 13:10:18.810820: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Aug 26 13:10:18.810822: | **parse IKEv2 Security Association Payload: Aug 26 13:10:18.810824: | next payload type: ISAKMP_NEXT_v2Ni (0x28) Aug 26 13:10:18.810827: | flags: none (0x0) Aug 26 13:10:18.810829: | length: 196 (0xc4) Aug 26 13:10:18.810830: | processing payload: ISAKMP_NEXT_v2SA (len=192) Aug 26 13:10:18.810832: | Now let's proceed with payload (ISAKMP_NEXT_v2Ni) Aug 26 13:10:18.810834: | **parse IKEv2 Nonce Payload: Aug 26 13:10:18.810835: | next payload type: ISAKMP_NEXT_v2KE (0x22) Aug 26 13:10:18.810837: | flags: none (0x0) Aug 26 13:10:18.810838: | length: 36 (0x24) Aug 26 13:10:18.810840: | processing payload: ISAKMP_NEXT_v2Ni (len=32) Aug 26 13:10:18.810842: | Now let's proceed with payload (ISAKMP_NEXT_v2KE) Aug 26 13:10:18.810843: | **parse IKEv2 Key Exchange Payload: Aug 26 13:10:18.810845: | next payload type: ISAKMP_NEXT_v2TSi (0x2c) Aug 26 13:10:18.810847: | flags: none (0x0) Aug 26 13:10:18.810848: | length: 264 (0x108) Aug 26 13:10:18.810850: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:10:18.810852: | processing payload: ISAKMP_NEXT_v2KE (len=256) Aug 26 13:10:18.810853: | Now let's proceed with payload (ISAKMP_NEXT_v2TSi) Aug 26 13:10:18.810855: | **parse IKEv2 Traffic Selector - Initiator - Payload: Aug 26 13:10:18.810857: | next payload type: ISAKMP_NEXT_v2TSr (0x2d) Aug 26 13:10:18.810858: | flags: none (0x0) Aug 26 13:10:18.810860: | length: 24 (0x18) Aug 26 13:10:18.810861: | number of TS: 1 (0x1) Aug 26 13:10:18.810863: | processing payload: 
ISAKMP_NEXT_v2TSi (len=16) Aug 26 13:10:18.810865: | Now let's proceed with payload (ISAKMP_NEXT_v2TSr) Aug 26 13:10:18.810866: | **parse IKEv2 Traffic Selector - Responder - Payload: Aug 26 13:10:18.810868: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:18.810869: | flags: none (0x0) Aug 26 13:10:18.810871: | length: 24 (0x18) Aug 26 13:10:18.810873: | number of TS: 1 (0x1) Aug 26 13:10:18.810874: | processing payload: ISAKMP_NEXT_v2TSr (len=16) Aug 26 13:10:18.810877: | state #1 forced to match CREATE_CHILD_SA from V2_CREATE_R->V2_IPSEC_R by ignoring from state Aug 26 13:10:18.810878: | selected state microcode Respond to CREATE_CHILD_SA IPsec SA Request Aug 26 13:10:18.810882: | #1 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2669) Aug 26 13:10:18.810885: | creating state object #3 at 0x55abb3133928 Aug 26 13:10:18.810887: | State DB: adding IKEv2 state #3 in UNDEFINED Aug 26 13:10:18.810894: | pstats #3 ikev2.child started Aug 26 13:10:18.810896: | duplicating state object #1 "northnet-eastnet/0x2" as #3 for IPSEC SA Aug 26 13:10:18.810900: | #3 setting local endpoint to 192.1.2.23:500 from #1.st_localport (in duplicate_state() at state.c:1484) Aug 26 13:10:18.810908: | Message ID: init_child #1.#3; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1; child: wip.initiator=0->-1 wip.responder=0->-1 Aug 26 13:10:18.810911: | child state #3: UNDEFINED(ignore) => V2_CREATE_R(established IKE SA) Aug 26 13:10:18.810914: | "northnet-eastnet/0x2" #1 received Child SA Request CREATE_CHILD_SA from 192.1.3.33:500 Child "northnet-eastnet/0x2" #3 in STATE_V2_CREATE_R will process it further Aug 26 13:10:18.810917: | Message ID: switch-from #1 request 2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1 wip.initiator=-1 wip.responder=2->-1 Aug 26 13:10:18.810920: | Message ID: switch-to #1.#3 request 2; ike: initiator.sent=-1 initiator.recv=-1 
responder.sent=1 responder.recv=1; child: wip.initiator=-1 wip.responder=-1->2 Aug 26 13:10:18.810922: | forcing ST #1 to CHILD #1.#3 in FSM processor Aug 26 13:10:18.810923: | Now let's proceed with state specific processing Aug 26 13:10:18.810925: | calling processor Respond to CREATE_CHILD_SA IPsec SA Request Aug 26 13:10:18.810928: | create child proposal's DH changed from no-PFS to MODP2048, flushing Aug 26 13:10:18.810931: | constructing ESP/AH proposals with default DH MODP2048 for northnet-eastnet/0x2 (CREATE_CHILD_SA responder matching remote ESP/AH proposals) Aug 26 13:10:18.810936: | converting proposal AES_GCM_16_256-NONE to ikev2 ... Aug 26 13:10:18.810940: | ... ikev2_proposal: 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;DH=MODP2048;ESN=DISABLED Aug 26 13:10:18.810943: | converting proposal AES_GCM_16_128-NONE to ikev2 ... Aug 26 13:10:18.810946: | ... ikev2_proposal: 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;DH=MODP2048;ESN=DISABLED Aug 26 13:10:18.810948: | converting proposal AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128 to ikev2 ... Aug 26 13:10:18.810951: | ... ikev2_proposal: 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048;ESN=DISABLED Aug 26 13:10:18.810953: | converting proposal AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128 to ikev2 ... Aug 26 13:10:18.810955: | ... 
ikev2_proposal: 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048;ESN=DISABLED Aug 26 13:10:18.810960: "northnet-eastnet/0x2": constructed local ESP/AH proposals for northnet-eastnet/0x2 (CREATE_CHILD_SA responder matching remote ESP/AH proposals): 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;DH=MODP2048;ESN=DISABLED 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;DH=MODP2048;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048;ESN=DISABLED Aug 26 13:10:18.810963: | Comparing remote proposals against CREATE_CHILD_SA responder matching remote ESP/AH proposals 4 local proposals Aug 26 13:10:18.810966: | local proposal 1 type ENCR has 1 transforms Aug 26 13:10:18.810968: | local proposal 1 type PRF has 0 transforms Aug 26 13:10:18.810969: | local proposal 1 type INTEG has 1 transforms Aug 26 13:10:18.810971: | local proposal 1 type DH has 1 transforms Aug 26 13:10:18.810973: | local proposal 1 type ESN has 1 transforms Aug 26 13:10:18.810975: | local proposal 1 transforms: required: ENCR+DH+ESN; optional: INTEG Aug 26 13:10:18.810977: | local proposal 2 type ENCR has 1 transforms Aug 26 13:10:18.810978: | local proposal 2 type PRF has 0 transforms Aug 26 13:10:18.810980: | local proposal 2 type INTEG has 1 transforms Aug 26 13:10:18.810981: | local proposal 2 type DH has 1 transforms Aug 26 13:10:18.810983: | local proposal 2 type ESN has 1 transforms Aug 26 13:10:18.810985: | local proposal 2 transforms: required: ENCR+DH+ESN; optional: INTEG Aug 26 13:10:18.810987: | local proposal 3 type ENCR has 1 transforms Aug 26 13:10:18.810988: | local proposal 3 type PRF has 0 transforms Aug 26 13:10:18.810990: | local proposal 3 type INTEG has 2 transforms Aug 26 13:10:18.810992: | local proposal 3 type DH has 1 transforms Aug 26 13:10:18.810993: | local proposal 3 type ESN has 1 transforms Aug 26 13:10:18.810995: | local proposal 3 transforms: 
required: ENCR+INTEG+DH+ESN; optional: none Aug 26 13:10:18.810997: | local proposal 4 type ENCR has 1 transforms Aug 26 13:10:18.810998: | local proposal 4 type PRF has 0 transforms Aug 26 13:10:18.811000: | local proposal 4 type INTEG has 2 transforms Aug 26 13:10:18.811002: | local proposal 4 type DH has 1 transforms Aug 26 13:10:18.811003: | local proposal 4 type ESN has 1 transforms Aug 26 13:10:18.811005: | local proposal 4 transforms: required: ENCR+INTEG+DH+ESN; optional: none Aug 26 13:10:18.811007: | ***parse IKEv2 Proposal Substructure Payload: Aug 26 13:10:18.811009: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 13:10:18.811011: | length: 40 (0x28) Aug 26 13:10:18.811012: | prop #: 1 (0x1) Aug 26 13:10:18.811014: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 13:10:18.811015: | spi size: 4 (0x4) Aug 26 13:10:18.811017: | # transforms: 3 (0x3) Aug 26 13:10:18.811019: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Aug 26 13:10:18.811021: | remote SPI a0 5a c6 4b Aug 26 13:10:18.811023: | Comparing remote proposal 1 containing 3 transforms against local proposal [1..4] of 4 local proposals Aug 26 13:10:18.811025: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:18.811027: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:18.811028: | length: 12 (0xc) Aug 26 13:10:18.811030: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:10:18.811032: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 13:10:18.811034: | *****parse IKEv2 Attribute Substructure Payload: Aug 26 13:10:18.811036: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:10:18.811038: | length/value: 256 (0x100) Aug 26 13:10:18.811041: | remote proposal 1 transform 0 (ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) transform 0 Aug 26 13:10:18.811043: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:18.811044: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:18.811046: | length: 8 (0x8) Aug 26 13:10:18.811048: | 
IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:18.811049: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:10:18.811051: | remote proposal 1 transform 1 (DH=MODP2048) matches local proposal 1 type 4 (DH) transform 0 Aug 26 13:10:18.811053: | remote proposal 1 transform 1 (DH=MODP2048) matches local proposal 2 type 4 (DH) transform 0 Aug 26 13:10:18.811055: | remote proposal 1 transform 1 (DH=MODP2048) matches local proposal 3 type 4 (DH) transform 0 Aug 26 13:10:18.811057: | remote proposal 1 transform 1 (DH=MODP2048) matches local proposal 4 type 4 (DH) transform 0 Aug 26 13:10:18.811059: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:18.811061: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:10:18.811062: | length: 8 (0x8) Aug 26 13:10:18.811064: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 13:10:18.811066: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 13:10:18.811068: | remote proposal 1 transform 2 (ESN=DISABLED) matches local proposal 1 type 5 (ESN) transform 0 Aug 26 13:10:18.811070: | remote proposal 1 transform 2 (ESN=DISABLED) matches local proposal 2 type 5 (ESN) transform 0 Aug 26 13:10:18.811072: | remote proposal 1 transform 2 (ESN=DISABLED) matches local proposal 3 type 5 (ESN) transform 0 Aug 26 13:10:18.811074: | remote proposal 1 transform 2 (ESN=DISABLED) matches local proposal 4 type 5 (ESN) transform 0 Aug 26 13:10:18.811076: | remote proposal 1 proposed transforms: ENCR+DH+ESN; matched: ENCR+DH+ESN; unmatched: none Aug 26 13:10:18.811079: | comparing remote proposal 1 containing ENCR+DH+ESN transforms to local proposal 1; required: ENCR+DH+ESN; optional: INTEG; matched: ENCR+DH+ESN Aug 26 13:10:18.811081: | remote proposal 1 matches local proposal 1 Aug 26 13:10:18.811083: | ***parse IKEv2 Proposal Substructure Payload: Aug 26 13:10:18.811084: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 13:10:18.811086: | length: 40 (0x28) Aug 26 13:10:18.811087: | prop #: 2 (0x2) Aug 26 13:10:18.811089: | 
proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 13:10:18.811091: | spi size: 4 (0x4) Aug 26 13:10:18.811092: | # transforms: 3 (0x3) Aug 26 13:10:18.811094: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Aug 26 13:10:18.811096: | remote SPI a0 5a c6 4b Aug 26 13:10:18.811098: | Comparing remote proposal 2 containing 3 transforms against local proposal [1..0] of 4 local proposals Aug 26 13:10:18.811099: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:18.811101: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:18.811102: | length: 12 (0xc) Aug 26 13:10:18.811104: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:10:18.811106: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 13:10:18.811107: | *****parse IKEv2 Attribute Substructure Payload: Aug 26 13:10:18.811109: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:10:18.811111: | length/value: 128 (0x80) Aug 26 13:10:18.811113: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:18.811114: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:18.811116: | length: 8 (0x8) Aug 26 13:10:18.811117: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:18.811119: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:10:18.811121: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:18.811122: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:10:18.811124: | length: 8 (0x8) Aug 26 13:10:18.811126: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 13:10:18.811128: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 13:10:18.811130: | remote proposal 2 proposed transforms: ENCR+DH+ESN; matched: none; unmatched: ENCR+DH+ESN Aug 26 13:10:18.811132: | remote proposal 2 does not match; unmatched remote transforms: ENCR+DH+ESN Aug 26 13:10:18.811134: | ***parse IKEv2 Proposal Substructure Payload: Aug 26 13:10:18.811136: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 13:10:18.811137: | length: 56 (0x38) Aug 26 13:10:18.811139: | prop #: 3 
(0x3) Aug 26 13:10:18.811140: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 13:10:18.811142: | spi size: 4 (0x4) Aug 26 13:10:18.811143: | # transforms: 5 (0x5) Aug 26 13:10:18.811145: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Aug 26 13:10:18.811147: | remote SPI a0 5a c6 4b Aug 26 13:10:18.811149: | Comparing remote proposal 3 containing 5 transforms against local proposal [1..0] of 4 local proposals Aug 26 13:10:18.811151: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:18.811152: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:18.811154: | length: 12 (0xc) Aug 26 13:10:18.811155: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:10:18.811157: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 13:10:18.811159: | *****parse IKEv2 Attribute Substructure Payload: Aug 26 13:10:18.811160: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:10:18.811162: | length/value: 256 (0x100) Aug 26 13:10:18.811164: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:18.811165: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:18.811167: | length: 8 (0x8) Aug 26 13:10:18.811168: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:10:18.811170: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Aug 26 13:10:18.811172: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:18.811173: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:18.811175: | length: 8 (0x8) Aug 26 13:10:18.811177: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:10:18.811178: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Aug 26 13:10:18.811180: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:18.811182: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:18.811183: | length: 8 (0x8) Aug 26 13:10:18.811185: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:18.811186: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:10:18.811188: | ****parse IKEv2 Transform 
Substructure Payload: Aug 26 13:10:18.811190: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:10:18.811191: | length: 8 (0x8) Aug 26 13:10:18.811193: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 13:10:18.811194: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 13:10:18.811197: | remote proposal 3 proposed transforms: ENCR+INTEG+DH+ESN; matched: none; unmatched: ENCR+INTEG+DH+ESN Aug 26 13:10:18.811199: | remote proposal 3 does not match; unmatched remote transforms: ENCR+INTEG+DH+ESN Aug 26 13:10:18.811200: | ***parse IKEv2 Proposal Substructure Payload: Aug 26 13:10:18.811202: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 13:10:18.811204: | length: 56 (0x38) Aug 26 13:10:18.811205: | prop #: 4 (0x4) Aug 26 13:10:18.811207: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 13:10:18.811208: | spi size: 4 (0x4) Aug 26 13:10:18.811210: | # transforms: 5 (0x5) Aug 26 13:10:18.811212: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Aug 26 13:10:18.811213: | remote SPI a0 5a c6 4b Aug 26 13:10:18.811215: | Comparing remote proposal 4 containing 5 transforms against local proposal [1..0] of 4 local proposals Aug 26 13:10:18.811217: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:18.811218: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:18.811220: | length: 12 (0xc) Aug 26 13:10:18.811221: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:10:18.811223: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 13:10:18.811225: | *****parse IKEv2 Attribute Substructure Payload: Aug 26 13:10:18.811227: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:10:18.811229: | length/value: 128 (0x80) Aug 26 13:10:18.811231: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:18.811232: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:18.811234: | length: 8 (0x8) Aug 26 13:10:18.811235: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:10:18.811237: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Aug 26 
13:10:18.811239: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:18.811240: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:18.811242: | length: 8 (0x8) Aug 26 13:10:18.811243: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:10:18.811245: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Aug 26 13:10:18.811247: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:18.811248: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:18.811250: | length: 8 (0x8) Aug 26 13:10:18.811252: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:18.811253: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:10:18.811255: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:10:18.811257: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:10:18.811258: | length: 8 (0x8) Aug 26 13:10:18.811260: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 13:10:18.811261: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 13:10:18.811264: | remote proposal 4 proposed transforms: ENCR+INTEG+DH+ESN; matched: none; unmatched: ENCR+INTEG+DH+ESN Aug 26 13:10:18.811266: | remote proposal 4 does not match; unmatched remote transforms: ENCR+INTEG+DH+ESN Aug 26 13:10:18.811269: "northnet-eastnet/0x2" #1: proposal 1:ESP:SPI=a05ac64b;ENCR=AES_GCM_C_256;DH=MODP2048;ESN=DISABLED chosen from remote proposals 1:ESP:ENCR=AES_GCM_C_256;DH=MODP2048;ESN=DISABLED[first-match] 2:ESP:ENCR=AES_GCM_C_128;DH=MODP2048;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;ESN=DISABLED Aug 26 13:10:18.811272: | CREATE_CHILD_SA responder matching remote ESP/AH proposals ikev2_proposal: 1:ESP:SPI=a05ac64b;ENCR=AES_GCM_C_256;DH=MODP2048;ESN=DISABLED Aug 26 13:10:18.811274: | converting proposal to internal trans attrs Aug 26 13:10:18.811277: | updating #3's .st_oakley with preserved PRF, but why update? 
Aug 26 13:10:18.811279: | Child SA TS Request has child->sa == md->st; so using child connection Aug 26 13:10:18.811281: | TSi: parsing 1 traffic selectors Aug 26 13:10:18.811283: | ***parse IKEv2 Traffic Selector: Aug 26 13:10:18.811284: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 13:10:18.811286: | IP Protocol ID: 0 (0x0) Aug 26 13:10:18.811298: | length: 16 (0x10) Aug 26 13:10:18.811302: | start port: 0 (0x0) Aug 26 13:10:18.811303: | end port: 65535 (0xffff) Aug 26 13:10:18.811305: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Aug 26 13:10:18.811307: | TS low c0 00 03 00 Aug 26 13:10:18.811309: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Aug 26 13:10:18.811310: | TS high c0 00 03 ff Aug 26 13:10:18.811312: | TSi: parsed 1 traffic selectors Aug 26 13:10:18.811314: | TSr: parsing 1 traffic selectors Aug 26 13:10:18.811315: | ***parse IKEv2 Traffic Selector: Aug 26 13:10:18.811317: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 13:10:18.811319: | IP Protocol ID: 0 (0x0) Aug 26 13:10:18.811320: | length: 16 (0x10) Aug 26 13:10:18.811322: | start port: 0 (0x0) Aug 26 13:10:18.811323: | end port: 65535 (0xffff) Aug 26 13:10:18.811325: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Aug 26 13:10:18.811326: | TS low c0 00 02 00 Aug 26 13:10:18.811328: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Aug 26 13:10:18.811329: | TS high c0 00 02 ff Aug 26 13:10:18.811331: | TSr: parsed 1 traffic selectors Aug 26 13:10:18.811334: | looking for best SPD in current connection Aug 26 13:10:18.811338: | evaluating our conn="northnet-eastnet/0x2" I=192.0.3.0/24:0/0 R=192.0.2.0/24:0/0 to their: Aug 26 13:10:18.811341: | TSi[0] .net=192.0.3.0-192.0.3.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 13:10:18.811345: | match address end->client=192.0.3.0/24 == TSi[0]net=192.0.3.0-192.0.3.255: YES fitness 32 Aug 26 13:10:18.811348: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Aug 26 13:10:18.811349: | TSi[0] port 
match: YES fitness 65536 Aug 26 13:10:18.811351: | narrow protocol end=*0 == TSi[0]=*0: 0 Aug 26 13:10:18.811353: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Aug 26 13:10:18.811356: | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 13:10:18.811359: | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 Aug 26 13:10:18.811361: | narrow port end=0..65535 == TSr[0]=0..65535: 0 Aug 26 13:10:18.811363: | TSr[0] port match: YES fitness 65536 Aug 26 13:10:18.811365: | narrow protocol end=*0 == TSr[0]=*0: 0 Aug 26 13:10:18.811367: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Aug 26 13:10:18.811368: | best fit so far: TSi[0] TSr[0] Aug 26 13:10:18.811370: | found better spd route for TSi[0],TSr[0] Aug 26 13:10:18.811372: | looking for better host pair Aug 26 13:10:18.811375: | find_host_pair: comparing 192.1.2.23:500 to 192.1.3.33:500 but ignoring ports Aug 26 13:10:18.811378: | checking hostpair 192.0.2.0/24 -> 192.0.3.0/24 is found Aug 26 13:10:18.811380: | investigating connection "northnet-eastnet/0x2" as a better match Aug 26 13:10:18.811383: | match_id a=@north Aug 26 13:10:18.811384: | b=@north Aug 26 13:10:18.811386: | results matched Aug 26 13:10:18.811389: | evaluating our conn="northnet-eastnet/0x2" I=192.0.3.0/24:0/0 R=192.0.2.0/24:0/0 to their: Aug 26 13:10:18.811391: | TSi[0] .net=192.0.3.0-192.0.3.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 13:10:18.811395: | match address end->client=192.0.3.0/24 == TSi[0]net=192.0.3.0-192.0.3.255: YES fitness 32 Aug 26 13:10:18.811397: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Aug 26 13:10:18.811398: | TSi[0] port match: YES fitness 65536 Aug 26 13:10:18.811400: | narrow protocol end=*0 == TSi[0]=*0: 0 Aug 26 13:10:18.811402: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Aug 26 13:10:18.811404: | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 
13:10:18.811408: | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 Aug 26 13:10:18.811409: | narrow port end=0..65535 == TSr[0]=0..65535: 0 Aug 26 13:10:18.811411: | TSr[0] port match: YES fitness 65536 Aug 26 13:10:18.811413: | narrow protocol end=*0 == TSr[0]=*0: 0 Aug 26 13:10:18.811415: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Aug 26 13:10:18.811416: | best fit so far: TSi[0] TSr[0] Aug 26 13:10:18.811418: | investigating connection "northnet-eastnet/0x1" as a better match Aug 26 13:10:18.811420: | match_id a=@north Aug 26 13:10:18.811421: | b=@north Aug 26 13:10:18.811423: | results matched Aug 26 13:10:18.811426: | evaluating our conn="northnet-eastnet/0x1" I=192.0.3.0/24:0/0 R=192.0.2.0/24:0/0 to their: Aug 26 13:10:18.811428: | TSi[0] .net=192.0.3.0-192.0.3.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 13:10:18.811432: | match address end->client=192.0.3.0/24 == TSi[0]net=192.0.3.0-192.0.3.255: YES fitness 32 Aug 26 13:10:18.811433: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Aug 26 13:10:18.811435: | TSi[0] port match: YES fitness 65536 Aug 26 13:10:18.811437: | narrow protocol end=*0 == TSi[0]=*0: 0 Aug 26 13:10:18.811439: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Aug 26 13:10:18.811443: | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 13:10:18.811447: | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 Aug 26 13:10:18.811449: | narrow port end=0..65535 == TSr[0]=0..65535: 0 Aug 26 13:10:18.811450: | TSr[0] port match: YES fitness 65536 Aug 26 13:10:18.811452: | narrow protocol end=*0 == TSr[0]=*0: 0 Aug 26 13:10:18.811454: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Aug 26 13:10:18.811455: | best fit so far: TSi[0] TSr[0] Aug 26 13:10:18.811457: | did not find a better connection using host pair Aug 26 13:10:18.811459: | printing contents struct traffic_selector Aug 
26 13:10:18.811460: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Aug 26 13:10:18.811462: | ipprotoid: 0 Aug 26 13:10:18.811463: | port range: 0-65535 Aug 26 13:10:18.811466: | ip range: 192.0.2.0-192.0.2.255 Aug 26 13:10:18.811467: | printing contents struct traffic_selector Aug 26 13:10:18.811469: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Aug 26 13:10:18.811470: | ipprotoid: 0 Aug 26 13:10:18.811472: | port range: 0-65535 Aug 26 13:10:18.811474: | ip range: 192.0.3.0-192.0.3.255 Aug 26 13:10:18.811477: | adding Child Responder KE and nonce nr work-order 3 for state #3 Aug 26 13:10:18.811479: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55abb3131de8 Aug 26 13:10:18.811481: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #3 Aug 26 13:10:18.811484: | libevent_malloc: new ptr-libevent@0x7fd258000f48 size 128 Aug 26 13:10:18.811492: | #3 spent 0.555 milliseconds in processing: Respond to CREATE_CHILD_SA IPsec SA Request in ikev2_process_state_packet() Aug 26 13:10:18.811496: | suspend processing: state #1 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:10:18.811498: | crypto helper 2 resuming Aug 26 13:10:18.811499: | start processing: state #3 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:10:18.811511: | crypto helper 2 starting work-order 3 for state #3 Aug 26 13:10:18.811523: | crypto helper 2 doing build KE and nonce (Child Responder KE and nonce nr); request ID 3 Aug 26 13:10:18.811517: | #3 complete_v2_state_transition() V2_CREATE_R->V2_IPSEC_R with status STF_SUSPEND Aug 26 13:10:18.811530: | suspending state #3 and saving MD Aug 26 13:10:18.811532: | #3 is busy; has a suspended MD Aug 26 13:10:18.811536: | [RE]START processing: state #3 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in log_stf_suspend() at ikev2.c:3269) Aug 26 13:10:18.811538: | "northnet-eastnet/0x2" #3 complete v2 state STATE_V2_CREATE_R 
transition with STF_SUSPEND suspended from complete_v2_state_transition:3451 Aug 26 13:10:18.811541: | stop processing: state #3 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2018) Aug 26 13:10:18.811544: | #1 spent 0.877 milliseconds in ikev2_process_packet() Aug 26 13:10:18.811547: | stop processing: from 192.1.3.33:500 (in process_md() at demux.c:380) Aug 26 13:10:18.811549: | processing: STOP state #0 (in process_md() at demux.c:382) Aug 26 13:10:18.811551: | processing: STOP connection NULL (in process_md() at demux.c:383) Aug 26 13:10:18.811554: | spent 0.887 milliseconds in comm_handle_cb() reading and processing packet Aug 26 13:10:18.812126: | crypto helper 2 finished build KE and nonce (Child Responder KE and nonce nr); request ID 3 time elapsed 0.000602 seconds Aug 26 13:10:18.812133: | (#3) spent 0.609 milliseconds in crypto helper computing work-order 3: Child Responder KE and nonce nr (pcr) Aug 26 13:10:18.812136: | crypto helper 2 sending results from work-order 3 for state #3 to event queue Aug 26 13:10:18.812138: | scheduling resume sending helper answer for #3 Aug 26 13:10:18.812140: | libevent_malloc: new ptr-libevent@0x7fd25c002888 size 128 Aug 26 13:10:18.812143: | libevent_realloc: release ptr-libevent@0x55abb31068a8 Aug 26 13:10:18.812145: | libevent_realloc: new ptr-libevent@0x7fd25c0027d8 size 128 Aug 26 13:10:18.812153: | crypto helper 2 waiting (nothing to do) Aug 26 13:10:18.812165: | processing resume sending helper answer for #3 Aug 26 13:10:18.812176: | start processing: state #3 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in resume_handler() at server.c:797) Aug 26 13:10:18.812181: | crypto helper 2 replies to request ID 3 Aug 26 13:10:18.812185: | calling continuation function 0x55abb20c3b50 Aug 26 13:10:18.812189: | ikev2_child_inIoutR_continue for #3 STATE_V2_CREATE_R Aug 26 13:10:18.812197: | adding DHv2 for child sa work-order 4 for state #3 Aug 26 13:10:18.812202: | state 
#3 requesting EVENT_CRYPTO_TIMEOUT to be deleted Aug 26 13:10:18.812206: | libevent_free: release ptr-libevent@0x7fd258000f48 Aug 26 13:10:18.812211: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55abb3131de8 Aug 26 13:10:18.812215: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55abb3131de8 Aug 26 13:10:18.812220: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #3 Aug 26 13:10:18.812224: | libevent_malloc: new ptr-libevent@0x7fd258000f48 size 128 Aug 26 13:10:18.812235: | [RE]START processing: state #3 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:10:18.812236: | crypto helper 3 resuming Aug 26 13:10:18.812244: | #3 complete_v2_state_transition() V2_CREATE_R->V2_IPSEC_R with status STF_SUSPEND Aug 26 13:10:18.812246: | crypto helper 3 starting work-order 4 for state #3 Aug 26 13:10:18.812250: | suspending state #3 and saving MD Aug 26 13:10:18.812252: | crypto helper 3 doing crypto (DHv2 for child sa); request ID 4 Aug 26 13:10:18.812254: | #3 is busy; has a suspended MD Aug 26 13:10:18.812258: | [RE]START processing: state #3 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in log_stf_suspend() at ikev2.c:3269) Aug 26 13:10:18.812261: | "northnet-eastnet/0x2" #3 complete v2 state STATE_V2_CREATE_R transition with STF_SUSPEND suspended from complete_v2_state_transition:3451 Aug 26 13:10:18.812264: | resume sending helper answer for #3 suppresed complete_v2_state_transition() and stole MD Aug 26 13:10:18.812267: | #3 spent 0.0857 milliseconds in resume sending helper answer Aug 26 13:10:18.812270: | stop processing: state #3 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in resume_handler() at server.c:833) Aug 26 13:10:18.812272: | libevent_free: release ptr-libevent@0x7fd25c002888 Aug 26 13:10:18.812810: | crypto helper 3 finished crypto (DHv2 for child sa); request ID 4 time elapsed 0.000557 seconds Aug 26 13:10:18.812819: | (#3) spent 0.563 
milliseconds in crypto helper computing work-order 4: DHv2 for child sa (dh) Aug 26 13:10:18.812821: | crypto helper 3 sending results from work-order 4 for state #3 to event queue Aug 26 13:10:18.812823: | scheduling resume sending helper answer for #3 Aug 26 13:10:18.812825: | libevent_malloc: new ptr-libevent@0x7fd250001f78 size 128 Aug 26 13:10:18.812830: | crypto helper 3 waiting (nothing to do) Aug 26 13:10:18.812837: | processing resume sending helper answer for #3 Aug 26 13:10:18.812845: | start processing: state #3 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in resume_handler() at server.c:797) Aug 26 13:10:18.812848: | crypto helper 3 replies to request ID 4 Aug 26 13:10:18.812850: | calling continuation function 0x55abb20c49d0 Aug 26 13:10:18.812852: | ikev2_child_inIoutR_continue_continue for #3 STATE_V2_CREATE_R Aug 26 13:10:18.812872: | **emit ISAKMP Message: Aug 26 13:10:18.812874: | initiator cookie: Aug 26 13:10:18.812876: | 5f 02 0c cf 0e 18 8a 0e Aug 26 13:10:18.812877: | responder cookie: Aug 26 13:10:18.812879: | bb a7 63 3c fd 04 52 89 Aug 26 13:10:18.812881: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 13:10:18.812883: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:10:18.812885: | exchange type: ISAKMP_v2_CREATE_CHILD_SA (0x24) Aug 26 13:10:18.812887: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Aug 26 13:10:18.812888: | Message ID: 2 (0x2) Aug 26 13:10:18.812892: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 13:10:18.812895: | ***emit IKEv2 Encryption Payload: Aug 26 13:10:18.812897: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:18.812898: | flags: none (0x0) Aug 26 13:10:18.812900: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Aug 26 13:10:18.812902: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'reply packet' Aug 26 
13:10:18.812905: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Aug 26 13:10:18.812921: | netlink_get_spi: allocated 0xd0dec185 for esp.0@192.1.2.23 Aug 26 13:10:18.812924: | Emitting ikev2_proposal ... Aug 26 13:10:18.812926: | ****emit IKEv2 Security Association Payload: Aug 26 13:10:18.812928: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:18.812929: | flags: none (0x0) Aug 26 13:10:18.812932: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Aug 26 13:10:18.812934: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Aug 26 13:10:18.812936: | *****emit IKEv2 Proposal Substructure Payload: Aug 26 13:10:18.812937: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 13:10:18.812939: | prop #: 1 (0x1) Aug 26 13:10:18.812941: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 13:10:18.812942: | spi size: 4 (0x4) Aug 26 13:10:18.812944: | # transforms: 3 (0x3) Aug 26 13:10:18.812946: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Aug 26 13:10:18.812948: | emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload Aug 26 13:10:18.812950: | our spi d0 de c1 85 Aug 26 13:10:18.812952: | ******emit IKEv2 Transform Substructure Payload: Aug 26 13:10:18.812953: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:18.812955: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:10:18.812957: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 13:10:18.812959: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:10:18.812961: | *******emit IKEv2 Attribute Substructure Payload: Aug 26 13:10:18.812963: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:10:18.812965: | length/value: 256 (0x100) Aug 26 13:10:18.812967: | 
emitting length of IKEv2 Transform Substructure Payload: 12 Aug 26 13:10:18.812969: | ******emit IKEv2 Transform Substructure Payload: Aug 26 13:10:18.812970: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:18.812972: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:10:18.812974: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:10:18.812976: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:18.812978: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:10:18.812980: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:10:18.812982: | ******emit IKEv2 Transform Substructure Payload: Aug 26 13:10:18.812983: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:10:18.812985: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 13:10:18.812986: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 13:10:18.812988: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:10:18.812990: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:10:18.812992: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:10:18.812995: | emitting length of IKEv2 Proposal Substructure Payload: 40 Aug 26 13:10:18.812997: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Aug 26 13:10:18.812999: | emitting length of IKEv2 Security Association Payload: 44 Aug 26 13:10:18.813001: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Aug 26 13:10:18.813003: | ****emit IKEv2 Nonce Payload: Aug 26 
13:10:18.813004: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:18.813006: | flags: none (0x0) Aug 26 13:10:18.813008: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Nonce Payload (40:ISAKMP_NEXT_v2Ni) Aug 26 13:10:18.813010: | next payload chain: saving location 'IKEv2 Nonce Payload'.'next payload type' in 'reply packet' Aug 26 13:10:18.813012: | emitting 32 raw bytes of IKEv2 nonce into IKEv2 Nonce Payload Aug 26 13:10:18.813014: | IKEv2 nonce 96 81 8e a6 2b 81 ef 43 06 1d a1 da e1 21 f8 29 Aug 26 13:10:18.813016: | IKEv2 nonce 80 87 b0 ba 37 78 f5 85 e7 1c 51 49 90 12 87 b4 Aug 26 13:10:18.813017: | emitting length of IKEv2 Nonce Payload: 36 Aug 26 13:10:18.813019: | ****emit IKEv2 Key Exchange Payload: Aug 26 13:10:18.813021: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:18.813022: | flags: none (0x0) Aug 26 13:10:18.813024: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:10:18.813026: | next payload chain: setting previous 'IKEv2 Nonce Payload'.'next payload type' to current IKEv2 Key Exchange Payload (34:ISAKMP_NEXT_v2KE) Aug 26 13:10:18.813028: | next payload chain: saving location 'IKEv2 Key Exchange Payload'.'next payload type' in 'reply packet' Aug 26 13:10:18.813030: | emitting 256 raw bytes of ikev2 g^x into IKEv2 Key Exchange Payload Aug 26 
13:10:18.813057: | emitting length of IKEv2 Key Exchange Payload: 264 Aug 26 13:10:18.813059: | ****emit IKEv2 Traffic Selector - Initiator - Payload: Aug 26 13:10:18.813061: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:18.813062: | flags: none (0x0) Aug 26 13:10:18.813064: | number of TS: 1 (0x1) Aug 26 13:10:18.813066: | next payload chain: setting previous 'IKEv2 Key Exchange Payload'.'next payload type' to current IKEv2 Traffic Selector - Initiator - Payload (44:ISAKMP_NEXT_v2TSi) Aug 26 13:10:18.813068: | next payload chain: saving location 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' in 'reply packet' Aug 26 13:10:18.813070: | *****emit IKEv2 Traffic Selector: Aug 26 13:10:18.813072: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 13:10:18.813075: | IP Protocol ID: 0 (0x0) Aug 26 13:10:18.813076: | start port: 0 (0x0) Aug 26 13:10:18.813078: | end port: 65535 (0xffff) Aug 26 13:10:18.813080: | emitting 4 raw bytes of ipv4 start into IKEv2 Traffic Selector Aug 26 13:10:18.813082: | ipv4 start c0 00 03 00 Aug 26 13:10:18.813084: | emitting 4 raw bytes of ipv4 end into IKEv2 Traffic Selector Aug 26 13:10:18.813085: | ipv4 end c0 00 03 ff Aug 26 13:10:18.813087: | emitting length of IKEv2 Traffic Selector: 16 Aug 26 
13:10:18.813089: | emitting length of IKEv2 Traffic Selector - Initiator - Payload: 24 Aug 26 13:10:18.813090: | ****emit IKEv2 Traffic Selector - Responder - Payload: Aug 26 13:10:18.813092: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:18.813094: | flags: none (0x0) Aug 26 13:10:18.813095: | number of TS: 1 (0x1) Aug 26 13:10:18.813097: | next payload chain: setting previous 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' to current IKEv2 Traffic Selector - Responder - Payload (45:ISAKMP_NEXT_v2TSr) Aug 26 13:10:18.813099: | next payload chain: saving location 'IKEv2 Traffic Selector - Responder - Payload'.'next payload type' in 'reply packet' Aug 26 13:10:18.813101: | *****emit IKEv2 Traffic Selector: Aug 26 13:10:18.813103: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 13:10:18.813104: | IP Protocol ID: 0 (0x0) Aug 26 13:10:18.813106: | start port: 0 (0x0) Aug 26 13:10:18.813107: | end port: 65535 (0xffff) Aug 26 13:10:18.813109: | emitting 4 raw bytes of ipv4 start into IKEv2 Traffic Selector Aug 26 13:10:18.813111: | ipv4 start c0 00 02 00 Aug 26 13:10:18.813113: | emitting 4 raw bytes of ipv4 end into IKEv2 Traffic Selector Aug 26 13:10:18.813114: | ipv4 end c0 00 02 ff Aug 26 13:10:18.813116: | emitting length of IKEv2 Traffic Selector: 16 Aug 26 13:10:18.813117: | emitting length of IKEv2 Traffic Selector - Responder - Payload: 24 Aug 26 13:10:18.813119: | Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED Aug 26 13:10:18.813122: | integ=none: .key_size=0 encrypt=aes_gcm_16: .key_size=32 .salt_size=4 keymat_len=36 Aug 26 13:10:18.813258: | install_ipsec_sa() for #3: inbound and outbound Aug 26 13:10:18.813263: | could_route called for northnet-eastnet/0x2 (kind=CK_PERMANENT) Aug 26 13:10:18.813265: | FOR_EACH_CONNECTION_... 
in route_owner Aug 26 13:10:18.813267: | conn northnet-eastnet/0x2 mark 0/00000000, 0/00000000 vs Aug 26 13:10:18.813269: | conn northnet-eastnet/0x2 mark 0/00000000, 0/00000000 Aug 26 13:10:18.813271: | conn northnet-eastnet/0x2 mark 0/00000000, 0/00000000 vs Aug 26 13:10:18.813273: | conn northnet-eastnet/0x1 mark 0/00000000, 0/00000000 Aug 26 13:10:18.813276: | route owner of "northnet-eastnet/0x2" erouted: self; eroute owner: self Aug 26 13:10:18.813280: | looking for alg with encrypt: AES_GCM_16 keylen: 256 integ: NONE Aug 26 13:10:18.813283: | encrypt AES_GCM_16 keylen=256 transid=20, key_size=32, encryptalg=20 Aug 26 13:10:18.813285: | AES_GCM_16 requires 4 salt bytes Aug 26 13:10:18.813287: | st->st_esp.keymat_len=36 is encrypt_keymat_size=36 + integ_keymat_size=0 Aug 26 13:10:18.813305: | setting IPsec SA replay-window to 32 Aug 26 13:10:18.813308: | NIC esp-hw-offload not for connection 'northnet-eastnet/0x2' not available on interface eth1 Aug 26 13:10:18.813310: | netlink: enabling tunnel mode Aug 26 13:10:18.813312: | netlink: setting IPsec SA replay-window to 32 using old-style req Aug 26 13:10:18.813314: | netlink: esp-hw-offload not set for IPsec SA Aug 26 13:10:18.813372: | netlink response for Add SA esp.a05ac64b@192.1.3.33 included non-error error Aug 26 13:10:18.813376: | set up outgoing SA, ref=0/0 Aug 26 13:10:18.813379: | looking for alg with encrypt: AES_GCM_16 keylen: 256 integ: NONE Aug 26 13:10:18.813381: | encrypt AES_GCM_16 keylen=256 transid=20, key_size=32, encryptalg=20 Aug 26 13:10:18.813383: | AES_GCM_16 requires 4 salt bytes Aug 26 13:10:18.813385: | st->st_esp.keymat_len=36 is encrypt_keymat_size=36 + integ_keymat_size=0 Aug 26 13:10:18.813389: | setting IPsec SA replay-window to 32 Aug 26 13:10:18.813391: | NIC esp-hw-offload not for connection 'northnet-eastnet/0x2' not available on interface eth1 Aug 26 13:10:18.813393: | netlink: enabling tunnel mode Aug 26 13:10:18.813395: | netlink: setting IPsec SA replay-window to 32 
using old-style req Aug 26 13:10:18.813396: | netlink: esp-hw-offload not set for IPsec SA Aug 26 13:10:18.813423: | netlink response for Add SA esp.d0dec185@192.1.2.23 included non-error error Aug 26 13:10:18.813427: | set up incoming SA, ref=0/0 Aug 26 13:10:18.813429: | sr for #3: erouted Aug 26 13:10:18.813431: | route_and_eroute() for proto 0, and source port 0 dest port 0 Aug 26 13:10:18.813433: | FOR_EACH_CONNECTION_... in route_owner Aug 26 13:10:18.813435: | conn northnet-eastnet/0x2 mark 0/00000000, 0/00000000 vs Aug 26 13:10:18.813437: | conn northnet-eastnet/0x2 mark 0/00000000, 0/00000000 Aug 26 13:10:18.813439: | conn northnet-eastnet/0x2 mark 0/00000000, 0/00000000 vs Aug 26 13:10:18.813440: | conn northnet-eastnet/0x1 mark 0/00000000, 0/00000000 Aug 26 13:10:18.813443: | route owner of "northnet-eastnet/0x2" erouted: self; eroute owner: self Aug 26 13:10:18.813445: | route_and_eroute with c: northnet-eastnet/0x2 (next: none) ero:northnet-eastnet/0x2 esr:{(nil)} ro:northnet-eastnet/0x2 rosr:{(nil)} and state: #3 Aug 26 13:10:18.813447: | priority calculation of connection "northnet-eastnet/0x2" is 0xfe7e7 Aug 26 13:10:18.813453: | eroute_connection replace eroute 192.0.2.0/24:0 --0-> 192.0.3.0/24:0 => tun.0@192.1.3.33>tun.0@192.1.3.33 (raw_eroute) Aug 26 13:10:18.813456: | IPsec Sa SPD priority set to 1042407 Aug 26 13:10:18.813469: | raw_eroute result=success Aug 26 13:10:18.813472: | route_and_eroute: firewall_notified: true Aug 26 13:10:18.813475: | route_and_eroute: instance "northnet-eastnet/0x2", setting eroute_owner {spd=0x55abb3126ad8,sr=0x55abb3126ad8} to #3 (was #2) (newest_ipsec_sa=#2) Aug 26 13:10:18.813521: | #1 spent 0.252 milliseconds in install_ipsec_sa() Aug 26 13:10:18.813525: | ISAKMP_v2_CREATE_CHILD_SA: instance northnet-eastnet/0x2[0], setting IKEv2 newest_ipsec_sa to #3 (was #2) (spd.eroute=#3) cloned from #1 Aug 26 13:10:18.813528: | adding 1 bytes of padding (including 1 byte padding-length) Aug 26 13:10:18.813530: | emitting 
1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:10:18.813532: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Aug 26 13:10:18.813534: | emitting length of IKEv2 Encryption Payload: 421 Aug 26 13:10:18.813536: | emitting length of ISAKMP Message: 449 Aug 26 13:10:18.813547: "northnet-eastnet/0x2" #3: negotiated new IPsec SA [192.0.2.0-192.0.2.255:0-65535 0] -> [192.0.3.0-192.0.3.255:0-65535 0] Aug 26 13:10:18.813552: | [RE]START processing: state #3 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:10:18.813555: | #3 complete_v2_state_transition() V2_CREATE_R->V2_IPSEC_R with status STF_OK Aug 26 13:10:18.813557: | IKEv2: transition from state STATE_V2_CREATE_R to state STATE_V2_IPSEC_R Aug 26 13:10:18.813560: | child state #3: V2_CREATE_R(established IKE SA) => V2_IPSEC_R(established CHILD SA) Aug 26 13:10:18.813562: | Message ID: updating counters for #3 to 2 after switching state Aug 26 13:10:18.813565: | Message ID: recv #1.#3 request 2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1->2; child: wip.initiator=-1 wip.responder=2->-1 Aug 26 13:10:18.813568: | Message ID: sent #1.#3 response 2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=1->2 responder.recv=2; child: wip.initiator=-1 wip.responder=-1 Aug 26 13:10:18.813571: | pstats #3 ikev2.child established Aug 26 13:10:18.813574: "northnet-eastnet/0x2" #3: negotiated connection [192.0.2.0-192.0.2.255:0-65535 0] -> [192.0.3.0-192.0.3.255:0-65535 0] Aug 26 13:10:18.813577: | NAT-T: encaps is 'auto' Aug 26 13:10:18.813580: "northnet-eastnet/0x2" #3: STATE_V2_IPSEC_R: IPsec SA established tunnel mode {ESP=>0xa05ac64b <0xd0dec185 xfrm=AES_GCM_16_256-NONE-MODP2048 NATOA=none NATD=none DPD=passive} Aug 26 13:10:18.813585: | sending V2 new request packet to 192.1.3.33:500 (from 192.1.2.23:500) Aug 26 13:10:18.813589: | sending 449 bytes for 
STATE_V2_CREATE_R through eth1 from 192.1.2.23:500 to 192.1.3.33:500 (using #1) Aug 26 13:10:18.813665: | releasing whack for #3 (sock=fd@-1) Aug 26 13:10:18.813668: | releasing whack and unpending for parent #1 Aug 26 13:10:18.813670: | unpending state #1 connection "northnet-eastnet/0x2" Aug 26 13:10:18.813673: | #3 will start re-keying in 28530 seconds with margin of 270 seconds (attempting re-key) Aug 26 13:10:18.813675: | state #3 requesting EVENT_CRYPTO_TIMEOUT to be deleted Aug 26 13:10:18.813678: | libevent_free: release ptr-libevent@0x7fd258000f48 Aug 26 13:10:18.813680: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55abb3131de8 Aug 26 13:10:18.813682: | event_schedule: new EVENT_SA_REKEY-pe@0x55abb3131de8 Aug 26 13:10:18.813684: | inserting event EVENT_SA_REKEY, timeout in 28530 seconds for #3 Aug 26 13:10:18.813686: | libevent_malloc: new ptr-libevent@0x7fd25c002888 size 128 Aug 26 13:10:18.813691: | #3 spent 0.813 milliseconds in resume sending helper answer Aug 26 13:10:18.813694: | stop processing: state #3 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in resume_handler() at server.c:833) Aug 26 13:10:18.813696: | libevent_free: release ptr-libevent@0x7fd250001f78 Aug 26 13:10:21.171826: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 13:10:21.171855: | FOR_EACH_STATE_... in show_traffic_status (sort_states) Aug 26 13:10:21.171861: | FOR_EACH_STATE_... 
in sort_states Aug 26 13:10:21.171870: | get_sa_info esp.d62559e@192.1.2.23 Aug 26 13:10:21.172125: | get_sa_info esp.7ba45388@192.1.3.33 Aug 26 13:10:21.172145: | get_sa_info esp.d0dec185@192.1.2.23 Aug 26 13:10:21.172157: | get_sa_info esp.a05ac64b@192.1.3.33 Aug 26 13:10:21.172172: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 13:10:21.172180: | spent 0.362 milliseconds in whack Aug 26 13:10:21.439428: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 13:10:21.439747: | FOR_EACH_CONNECTION_... in show_connections_status Aug 26 13:10:21.439752: | FOR_EACH_CONNECTION_... in show_connections_status Aug 26 13:10:21.439826: | FOR_EACH_STATE_... in show_states_status (sort_states) Aug 26 13:10:21.439828: | FOR_EACH_STATE_... in sort_states Aug 26 13:10:21.439838: | get_sa_info esp.d62559e@192.1.2.23 Aug 26 13:10:21.439853: | get_sa_info esp.7ba45388@192.1.3.33 Aug 26 13:10:21.439868: | get_sa_info esp.d0dec185@192.1.2.23 Aug 26 13:10:21.439876: | get_sa_info esp.a05ac64b@192.1.3.33 Aug 26 13:10:21.439892: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 13:10:21.439898: | spent 0.478 milliseconds in whack Aug 26 13:10:22.795066: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 13:10:22.795086: shutting down Aug 26 13:10:22.795097: | processing: RESET whack log_fd (was fd@16) (in exit_pluto() at plutomain.c:1825) Aug 26 13:10:22.795101: | certs and keys locked by 'free_preshared_secrets' Aug 26 13:10:22.795104: forgetting secrets Aug 26 13:10:22.795124: | certs and keys unlocked by 'free_preshared_secrets' Aug 26 13:10:22.795130: | start processing: connection "northnet-eastnet/0x2" (in delete_connection() at connections.c:189) Aug 26 13:10:22.795134: | Deleting states for connection - including all other IPsec SA's of this IKE SA Aug 26 13:10:22.795136: | pass 0 Aug 26 13:10:22.795140: | 
FOR_EACH_STATE_... in foreach_state_by_connection_func_delete Aug 26 13:10:22.795143: | state #3 Aug 26 13:10:22.795148: | suspend processing: connection "northnet-eastnet/0x2" (in foreach_state_by_connection_func_delete() at state.c:1310) Aug 26 13:10:22.795156: | start processing: state #3 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in foreach_state_by_connection_func_delete() at state.c:1310) Aug 26 13:10:22.795159: | pstats #3 ikev2.child deleted completed Aug 26 13:10:22.795165: | #3 spent 2.63 milliseconds in total Aug 26 13:10:22.795171: | [RE]START processing: state #3 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in delete_state() at state.c:879) Aug 26 13:10:22.795176: "northnet-eastnet/0x2" #3: deleting state (STATE_V2_IPSEC_R) aged 3.984s and sending notification Aug 26 13:10:22.795180: | child state #3: V2_IPSEC_R(established CHILD SA) => delete Aug 26 13:10:22.795186: | get_sa_info esp.a05ac64b@192.1.3.33 Aug 26 13:10:22.795202: | get_sa_info esp.d0dec185@192.1.2.23 Aug 26 13:10:22.795210: "northnet-eastnet/0x2" #3: ESP traffic information: in=336B out=336B Aug 26 13:10:22.795215: | #3 send IKEv2 delete notification for STATE_V2_IPSEC_R Aug 26 13:10:22.795219: | Opening output PBS informational exchange delete request Aug 26 13:10:22.795223: | **emit ISAKMP Message: Aug 26 13:10:22.795227: | initiator cookie: Aug 26 13:10:22.795230: | 5f 02 0c cf 0e 18 8a 0e Aug 26 13:10:22.795233: | responder cookie: Aug 26 13:10:22.795236: | bb a7 63 3c fd 04 52 89 Aug 26 13:10:22.795239: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 13:10:22.795243: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:10:22.795246: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Aug 26 13:10:22.795250: | flags: none (0x0) Aug 26 13:10:22.795253: | Message ID: 0 (0x0) Aug 26 13:10:22.795257: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 13:10:22.795261: | ***emit IKEv2 Encryption Payload: Aug 26 
13:10:22.795264: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:22.795267: | flags: none (0x0) Aug 26 13:10:22.795272: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Aug 26 13:10:22.795280: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'informational exchange delete request' Aug 26 13:10:22.795285: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Aug 26 13:10:22.795301: | ****emit IKEv2 Delete Payload: Aug 26 13:10:22.795307: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:22.795310: | flags: none (0x0) Aug 26 13:10:22.795314: | protocol ID: PROTO_v2_ESP (0x3) Aug 26 13:10:22.795329: | SPI size: 4 (0x4) Aug 26 13:10:22.795332: | number of SPIs: 1 (0x1) Aug 26 13:10:22.795337: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) Aug 26 13:10:22.795341: | next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'informational exchange delete request' Aug 26 13:10:22.795345: | emitting 4 raw bytes of local spis into IKEv2 Delete Payload Aug 26 13:10:22.795348: | local spis d0 de c1 85 Aug 26 13:10:22.795351: | emitting length of IKEv2 Delete Payload: 12 Aug 26 13:10:22.795355: | adding 1 bytes of padding (including 1 byte padding-length) Aug 26 13:10:22.795359: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:10:22.795363: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Aug 26 13:10:22.795367: | emitting length of IKEv2 Encryption Payload: 41 Aug 26 13:10:22.795370: | emitting length of ISAKMP Message: 69 Aug 26 13:10:22.795396: | sending 69 bytes for delete notification through eth1 from 192.1.2.23:500 to 192.1.3.33:500 (using #3) Aug 26 13:10:22.795400: | 5f 02 0c cf 0e 18 8a 0e bb a7 63 3c fd 04 52 89 Aug 26 
13:10:22.795403: | 2e 20 25 00 00 00 00 00 00 00 00 45 2a 00 00 29 Aug 26 13:10:22.795406: | 50 85 a3 3b 14 a7 b8 5c bd 52 9c 7c 71 27 27 da Aug 26 13:10:22.795409: | a1 bf 15 2b a7 38 a5 2d d7 16 a0 44 36 3e 16 8f Aug 26 13:10:22.795412: | 14 ef 93 13 b0 Aug 26 13:10:22.795479: | Message ID: IKE #1 sender #3 in send_delete record 'n' sending delete request so forcing IKE nextuse=0->1 and sender msgid=0->0 Aug 26 13:10:22.795484: | Message ID: IKE #1 sender #3 in send_delete hacking around record ' send Aug 26 13:10:22.795490: | Message ID: sent #1 request 0; ike: initiator.sent=-1->0 initiator.recv=-1 responder.sent=2 responder.recv=2 wip.initiator=-1->0 wip.responder=-1 Aug 26 13:10:22.795494: | state #3 requesting EVENT_SA_REKEY to be deleted Aug 26 13:10:22.795499: | libevent_free: release ptr-libevent@0x7fd25c002888 Aug 26 13:10:22.795503: | free_event_entry: release EVENT_SA_REKEY-pe@0x55abb3131de8 Aug 26 13:10:22.795925: | running updown command "ipsec _updown" for verb down Aug 26 13:10:22.795931: | command executing down-client Aug 26 13:10:22.795966: | executing down-client: PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='northnet-eastnet/0x2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='@north' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1566825018' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+OVERLAPIP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' 
PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHA Aug 26 13:10:22.795971: | popen cmd is 1058 chars long Aug 26 13:10:22.795975: | cmd( 0):PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='northnet-eastnet/: Aug 26 13:10:22.795979: | cmd( 80):0x2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PL: Aug 26 13:10:22.795985: | cmd( 160):UTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0': Aug 26 13:10:22.795989: | cmd( 240): PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PL: Aug 26 13:10:22.795993: | cmd( 320):UTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID=': Aug 26 13:10:22.795997: | cmd( 400):@north' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO: Aug 26 13:10:22.796000: | cmd( 480):_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PL: Aug 26 13:10:22.796004: | cmd( 560):UTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1566825018' PLUTO_CONN_POLICY: Aug 26 13:10:22.796008: | cmd( 640):='PSK+ENCRYPT+TUNNEL+PFS+OVERLAPIP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO: Aug 26 13:10:22.796011: | cmd( 720):' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLU: Aug 26 13:10:22.796015: | cmd( 800):TO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER: Aug 26 13:10:22.796019: | cmd( 880):_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI: Aug 26 13:10:22.796022: | cmd( 960):_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0xa05ac64b SPI_OUT=0xd0dec185 : Aug 26 13:10:22.796026: | cmd(1040):ipsec _updown 2>&1: Aug 26 13:10:22.808339: | shunt_eroute() called for connection 'northnet-eastnet/0x2' to 'replace with shunt' for rt_kind 'prospective erouted' using protoports 0--0->-0 Aug 26 13:10:22.808355: | netlink_shunt_eroute for proto 0, and source port 0 dest 
port 0 Aug 26 13:10:22.808359: | priority calculation of connection "northnet-eastnet/0x2" is 0xfe7e7 Aug 26 13:10:22.808365: | IPsec Sa SPD priority set to 1042407 Aug 26 13:10:22.808400: | delete esp.a05ac64b@192.1.3.33 Aug 26 13:10:22.808419: | netlink response for Del SA esp.a05ac64b@192.1.3.33 included non-error error Aug 26 13:10:22.808424: | priority calculation of connection "northnet-eastnet/0x2" is 0xfe7e7 Aug 26 13:10:22.808432: | delete inbound eroute 192.0.3.0/24:0 --0-> 192.0.2.0/24:0 => unk255.10000@192.1.2.23 (raw_eroute) Aug 26 13:10:22.808456: | raw_eroute result=success Aug 26 13:10:22.808461: | delete esp.d0dec185@192.1.2.23 Aug 26 13:10:22.808472: | netlink response for Del SA esp.d0dec185@192.1.2.23 included non-error error Aug 26 13:10:22.808486: | stop processing: connection "northnet-eastnet/0x2" (BACKGROUND) (in update_state_connection() at connections.c:4076) Aug 26 13:10:22.808491: | start processing: connection NULL (in update_state_connection() at connections.c:4077) Aug 26 13:10:22.808494: | in connection_discard for connection northnet-eastnet/0x2 Aug 26 13:10:22.808497: | State DB: deleting IKEv2 state #3 in V2_IPSEC_R Aug 26 13:10:22.808505: | child state #3: V2_IPSEC_R(established CHILD SA) => UNDEFINED(ignore) Aug 26 13:10:22.808552: | stop processing: state #3 from 192.1.3.33:500 (in delete_state() at state.c:1143) Aug 26 13:10:22.808577: | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312) Aug 26 13:10:22.808581: | state #2 Aug 26 13:10:22.808588: | start processing: state #2 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in foreach_state_by_connection_func_delete() at state.c:1310) Aug 26 13:10:22.808592: | pstats #2 ikev2.child deleted completed Aug 26 13:10:22.808599: | [RE]START processing: state #2 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in delete_state() at state.c:879) Aug 26 13:10:22.808604: "northnet-eastnet/0x2" #2: deleting state (STATE_V2_IPSEC_R) aged 
4.064s and sending notification Aug 26 13:10:22.808608: | child state #2: V2_IPSEC_R(established CHILD SA) => delete Aug 26 13:10:22.808613: | get_sa_info esp.7ba45388@192.1.3.33 Aug 26 13:10:22.808625: | get_sa_info esp.d62559e@192.1.2.23 Aug 26 13:10:22.808634: "northnet-eastnet/0x2" #2: ESP traffic information: in=0B out=0B Aug 26 13:10:22.808640: | #2 send IKEv2 delete notification for STATE_V2_IPSEC_R Aug 26 13:10:22.808647: | Opening output PBS informational exchange delete request Aug 26 13:10:22.808651: | **emit ISAKMP Message: Aug 26 13:10:22.808655: | initiator cookie: Aug 26 13:10:22.808658: | 5f 02 0c cf 0e 18 8a 0e Aug 26 13:10:22.808661: | responder cookie: Aug 26 13:10:22.808664: | bb a7 63 3c fd 04 52 89 Aug 26 13:10:22.808668: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 13:10:22.808671: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:10:22.808675: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Aug 26 13:10:22.808679: | flags: none (0x0) Aug 26 13:10:22.808683: | Message ID: 1 (0x1) Aug 26 13:10:22.808686: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 13:10:22.808690: | ***emit IKEv2 Encryption Payload: Aug 26 13:10:22.808694: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:22.808697: | flags: none (0x0) Aug 26 13:10:22.808701: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Aug 26 13:10:22.808705: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'informational exchange delete request' Aug 26 13:10:22.808709: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Aug 26 13:10:22.808722: | ****emit IKEv2 Delete Payload: Aug 26 13:10:22.808726: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:22.808729: | flags: none (0x0) Aug 26 13:10:22.808732: | protocol ID: PROTO_v2_ESP (0x3) Aug 26 13:10:22.808735: | SPI size: 4 (0x4) Aug 26 
13:10:22.808738: | number of SPIs: 1 (0x1) Aug 26 13:10:22.808743: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) Aug 26 13:10:22.808747: | next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'informational exchange delete request' Aug 26 13:10:22.808750: | emitting 4 raw bytes of local spis into IKEv2 Delete Payload Aug 26 13:10:22.808754: | local spis 0d 62 55 9e Aug 26 13:10:22.808757: | emitting length of IKEv2 Delete Payload: 12 Aug 26 13:10:22.808760: | adding 1 bytes of padding (including 1 byte padding-length) Aug 26 13:10:22.808764: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:10:22.808768: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Aug 26 13:10:22.808772: | emitting length of IKEv2 Encryption Payload: 41 Aug 26 13:10:22.808775: | emitting length of ISAKMP Message: 69 Aug 26 13:10:22.808805: | sending 69 bytes for delete notification through eth1 from 192.1.2.23:500 to 192.1.3.33:500 (using #2) Aug 26 13:10:22.808810: | 5f 02 0c cf 0e 18 8a 0e bb a7 63 3c fd 04 52 89 Aug 26 13:10:22.808813: | 2e 20 25 00 00 00 00 01 00 00 00 45 2a 00 00 29 Aug 26 13:10:22.808816: | 45 25 4b 58 45 20 84 39 c6 dc 33 12 0b bb ac 6c Aug 26 13:10:22.808819: | 8a 2f b9 0f 68 41 2b 82 3f 0f 1c fd d1 0f 1b d9 Aug 26 13:10:22.808822: | 66 ef 86 38 3f Aug 26 13:10:22.808876: | Message ID: IKE #1 sender #2 in send_delete record 'n' sending delete request so forcing IKE nextuse=1->2 and sender msgid=0->1 Aug 26 13:10:22.808881: | Message ID: IKE #1 sender #2 in send_delete hacking around record ' send Aug 26 13:10:22.808887: | Message ID: #1 XXX: expecting sender.wip.initiator 0 == -1 - suspect record'n'send out-of-order?); initiator.sent=1 initiator.recv=-1 responder.sent=2 responder.recv=2 wip.initiator=1 wip.responder=-1 Aug 26 13:10:22.808895: | Message ID: sent #1 
request 1; ike: initiator.sent=0->1 initiator.recv=-1 responder.sent=2 responder.recv=2 wip.initiator=0->1 wip.responder=-1 Aug 26 13:10:22.808899: | state #2 requesting EVENT_SA_REKEY to be deleted Aug 26 13:10:22.808906: | libevent_free: release ptr-libevent@0x55abb312e328 Aug 26 13:10:22.808911: | free_event_entry: release EVENT_SA_REKEY-pe@0x7fd260002b78 Aug 26 13:10:22.808984: | delete esp.7ba45388@192.1.3.33 Aug 26 13:10:22.809005: | netlink response for Del SA esp.7ba45388@192.1.3.33 included non-error error Aug 26 13:10:22.809010: | priority calculation of connection "northnet-eastnet/0x2" is 0xfe7e7 Aug 26 13:10:22.809018: | delete inbound eroute 192.0.3.0/24:0 --0-> 192.0.2.0/24:0 => unk255.10000@192.1.2.23 (raw_eroute) Aug 26 13:10:22.809029: | raw_eroute result=success Aug 26 13:10:22.809034: | delete esp.d62559e@192.1.2.23 Aug 26 13:10:22.809046: | netlink response for Del SA esp.d62559e@192.1.2.23 included non-error error Aug 26 13:10:22.809051: | in connection_discard for connection northnet-eastnet/0x2 Aug 26 13:10:22.809055: | State DB: deleting IKEv2 state #2 in V2_IPSEC_R Aug 26 13:10:22.809059: | child state #2: V2_IPSEC_R(established CHILD SA) => UNDEFINED(ignore) Aug 26 13:10:22.809067: | stop processing: state #2 from 192.1.3.33:500 (in delete_state() at state.c:1143) Aug 26 13:10:22.809074: | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312) Aug 26 13:10:22.809077: | state #1 Aug 26 13:10:22.809080: | pass 1 Aug 26 13:10:22.809084: | FOR_EACH_STATE_... 
in foreach_state_by_connection_func_delete Aug 26 13:10:22.809087: | state #1 Aug 26 13:10:22.809092: | start processing: state #1 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in foreach_state_by_connection_func_delete() at state.c:1310) Aug 26 13:10:22.809096: | pstats #1 ikev2.ike deleted completed Aug 26 13:10:22.809103: | #1 spent 7.88 milliseconds in total Aug 26 13:10:22.809108: | [RE]START processing: state #1 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in delete_state() at state.c:879) Aug 26 13:10:22.809113: "northnet-eastnet/0x2" #1: deleting state (STATE_PARENT_R2) aged 4.070s and sending notification Aug 26 13:10:22.809117: | parent state #1: PARENT_R2(established IKE SA) => delete Aug 26 13:10:22.809153: | #1 send IKEv2 delete notification for STATE_PARENT_R2 Aug 26 13:10:22.809159: | Opening output PBS informational exchange delete request Aug 26 13:10:22.809162: | **emit ISAKMP Message: Aug 26 13:10:22.809165: | initiator cookie: Aug 26 13:10:22.809168: | 5f 02 0c cf 0e 18 8a 0e Aug 26 13:10:22.809171: | responder cookie: Aug 26 13:10:22.809175: | bb a7 63 3c fd 04 52 89 Aug 26 13:10:22.809178: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 13:10:22.809181: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:10:22.809185: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Aug 26 13:10:22.809188: | flags: none (0x0) Aug 26 13:10:22.809191: | Message ID: 2 (0x2) Aug 26 13:10:22.809195: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 13:10:22.809198: | ***emit IKEv2 Encryption Payload: Aug 26 13:10:22.809201: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:22.809205: | flags: none (0x0) Aug 26 13:10:22.809209: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Aug 26 13:10:22.809213: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 
'informational exchange delete request' Aug 26 13:10:22.809216: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Aug 26 13:10:22.809222: | ****emit IKEv2 Delete Payload: Aug 26 13:10:22.809225: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:10:22.809228: | flags: none (0x0) Aug 26 13:10:22.809231: | protocol ID: PROTO_v2_IKE (0x1) Aug 26 13:10:22.809235: | SPI size: 0 (0x0) Aug 26 13:10:22.809238: | number of SPIs: 0 (0x0) Aug 26 13:10:22.809242: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) Aug 26 13:10:22.809245: | next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'informational exchange delete request' Aug 26 13:10:22.809249: | emitting length of IKEv2 Delete Payload: 8 Aug 26 13:10:22.809252: | adding 1 bytes of padding (including 1 byte padding-length) Aug 26 13:10:22.809256: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:10:22.809262: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Aug 26 13:10:22.809266: | emitting length of IKEv2 Encryption Payload: 37 Aug 26 13:10:22.809269: | emitting length of ISAKMP Message: 65 Aug 26 13:10:22.809284: | sending 65 bytes for delete notification through eth1 from 192.1.2.23:500 to 192.1.3.33:500 (using #1) Aug 26 13:10:22.809293: | 5f 02 0c cf 0e 18 8a 0e bb a7 63 3c fd 04 52 89 Aug 26 13:10:22.809299: | 2e 20 25 00 00 00 00 02 00 00 00 41 2a 00 00 25 Aug 26 13:10:22.809302: | f7 bd 63 6f 1b 74 98 df 35 f4 ca ae 47 88 1a 59 Aug 26 13:10:22.809305: | a9 41 12 06 83 86 63 92 54 d4 2e 71 65 56 2c a0 Aug 26 13:10:22.809308: | 5f Aug 26 13:10:22.809339: | Message ID: IKE #1 sender #1 in send_delete record 'n' sending delete request so forcing IKE nextuse=2->3 and sender msgid=1->2 Aug 26 13:10:22.809344: | Message ID: IKE #1 sender #1 in send_delete hacking around record ' send Aug 26 
13:10:22.809350: | Message ID: #1 XXX: expecting sender.wip.initiator 1 == -1 - suspect record'n'send out-of-order?); initiator.sent=2 initiator.recv=-1 responder.sent=2 responder.recv=2 wip.initiator=2 wip.responder=-1 Aug 26 13:10:22.809355: | Message ID: sent #1 request 2; ike: initiator.sent=1->2 initiator.recv=-1 responder.sent=2 responder.recv=2 wip.initiator=1->2 wip.responder=-1 Aug 26 13:10:22.809359: | state #1 requesting EVENT_SA_REKEY to be deleted Aug 26 13:10:22.809365: | libevent_free: release ptr-libevent@0x55abb312d878 Aug 26 13:10:22.809371: | free_event_entry: release EVENT_SA_REKEY-pe@0x55abb3129fe8 Aug 26 13:10:22.809377: | State DB: IKEv2 state not found (flush_incomplete_children) Aug 26 13:10:22.809380: | in connection_discard for connection northnet-eastnet/0x2 Aug 26 13:10:22.809384: | State DB: deleting IKEv2 state #1 in PARENT_R2 Aug 26 13:10:22.809388: | parent state #1: PARENT_R2(established IKE SA) => UNDEFINED(ignore) Aug 26 13:10:22.809411: | stop processing: state #1 from 192.1.3.33:500 (in delete_state() at state.c:1143) Aug 26 13:10:22.809444: | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312) Aug 26 13:10:22.809450: | shunt_eroute() called for connection 'northnet-eastnet/0x2' to 'delete' for rt_kind 'unrouted' using protoports 0--0->-0 Aug 26 13:10:22.809453: | netlink_shunt_eroute for proto 0, and source port 0 dest port 0 Aug 26 13:10:22.809457: | priority calculation of connection "northnet-eastnet/0x2" is 0xfe7e7 Aug 26 13:10:22.809477: | priority calculation of connection "northnet-eastnet/0x2" is 0xfe7e7 Aug 26 13:10:22.809489: | FOR_EACH_CONNECTION_... 
in route_owner Aug 26 13:10:22.809493: | conn northnet-eastnet/0x2 mark 0/00000000, 0/00000000 vs Aug 26 13:10:22.809497: | conn northnet-eastnet/0x2 mark 0/00000000, 0/00000000 Aug 26 13:10:22.809501: | conn northnet-eastnet/0x2 mark 0/00000000, 0/00000000 vs Aug 26 13:10:22.809504: | conn northnet-eastnet/0x1 mark 0/00000000, 0/00000000 Aug 26 13:10:22.809508: | route owner of "northnet-eastnet/0x2" unrouted: NULL Aug 26 13:10:22.809512: | running updown command "ipsec _updown" for verb unroute Aug 26 13:10:22.809516: | command executing unroute-client Aug 26 13:10:22.809546: | executing unroute-client: PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='northnet-eastnet/0x2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='@north' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+OVERLAPIP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARE Aug 26 13:10:22.809554: | popen cmd is 1039 chars long Aug 26 13:10:22.809558: | cmd( 0):PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='northnet-eastn: Aug 26 13:10:22.809561: | cmd( 80):et/0x2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23': Aug 26 13:10:22.809565: | cmd( 160): PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' 
PLUTO_MY_CLIENT_NET='192.0.2: Aug 26 13:10:22.809568: | cmd( 240):.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0': Aug 26 13:10:22.809572: | cmd( 320): PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.3.33' PLUTO_PEER_: Aug 26 13:10:22.809575: | cmd( 400):ID='@north' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' P: Aug 26 13:10:22.809578: | cmd( 480):LUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0: Aug 26 13:10:22.809581: | cmd( 560):' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK: Aug 26 13:10:22.809585: | cmd( 640):+ENCRYPT+TUNNEL+PFS+OVERLAPIP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLU: Aug 26 13:10:22.809589: | cmd( 720):TO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS: Aug 26 13:10:22.809591: | cmd( 800):_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANN: Aug 26 13:10:22.809594: | cmd( 880):ER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFAC: Aug 26 13:10:22.809597: | cmd( 960):E='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec _updown 2>&1: Aug 26 13:10:22.820906: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:22.820924: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:22.820926: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:22.820928: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:22.820989: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:22.820992: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:22.820994: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:22.820996: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:22.820999: unroute-client output: Error: Peer netns reference is invalid. 
Aug 26 13:10:22.821059: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:22.821062: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:22.821063: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:22.821066: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:22.821068: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:22.821077: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:22.821086: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:22.821097: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:22.821106: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:22.821298: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:22.821308: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:22.821317: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:22.821341: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:22.821351: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:22.821360: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:22.821369: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:22.821379: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:22.821389: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:22.821399: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:22.821409: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:22.821418: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:22.821427: unroute-client output: Error: Peer netns reference is invalid. 
Aug 26 13:10:22.821437: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:22.821446: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:22.821456: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:22.821465: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:22.821474: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:22.821485: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:22.821494: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:22.821504: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:22.821513: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:22.821522: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:22.821533: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:10:22.826027: | flush revival: connection 'northnet-eastnet/0x2' wasn't on the list Aug 26 13:10:22.826038: | processing: STOP connection NULL (in discard_connection() at connections.c:249) Aug 26 13:10:22.826055: | start processing: connection "northnet-eastnet/0x1" (in delete_connection() at connections.c:189) Aug 26 13:10:22.826058: | Deleting states for connection - including all other IPsec SA's of this IKE SA Aug 26 13:10:22.826059: | pass 0 Aug 26 13:10:22.826061: | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete Aug 26 13:10:22.826063: | pass 1 Aug 26 13:10:22.826064: | FOR_EACH_STATE_... 
in foreach_state_by_connection_func_delete Aug 26 13:10:22.826071: | free hp@0x55abb31268a8 Aug 26 13:10:22.826073: | flush revival: connection 'northnet-eastnet/0x1' wasn't on the list Aug 26 13:10:22.826075: | stop processing: connection "northnet-eastnet/0x1" (in discard_connection() at connections.c:249) Aug 26 13:10:22.826083: | crl fetch request list locked by 'free_crl_fetch' Aug 26 13:10:22.826085: | crl fetch request list unlocked by 'free_crl_fetch' Aug 26 13:10:22.826092: shutting down interface lo/lo 127.0.0.1:4500 Aug 26 13:10:22.826094: shutting down interface lo/lo 127.0.0.1:500 Aug 26 13:10:22.826096: shutting down interface eth0/eth0 192.0.2.254:4500 Aug 26 13:10:22.826098: shutting down interface eth0/eth0 192.0.2.254:500 Aug 26 13:10:22.826100: shutting down interface eth1/eth1 192.1.2.23:4500 Aug 26 13:10:22.826102: shutting down interface eth1/eth1 192.1.2.23:500 Aug 26 13:10:22.826105: | FOR_EACH_STATE_... in delete_states_dead_interfaces Aug 26 13:10:22.826113: | libevent_free: release ptr-libevent@0x55abb31182c8 Aug 26 13:10:22.826116: | free_event_entry: release EVENT_NULL-pe@0x55abb3124158 Aug 26 13:10:22.826125: | libevent_free: release ptr-libevent@0x55abb30b41e8 Aug 26 13:10:22.826127: | free_event_entry: release EVENT_NULL-pe@0x55abb3124208 Aug 26 13:10:22.826156: | libevent_free: release ptr-libevent@0x55abb30b6088 Aug 26 13:10:22.826158: | free_event_entry: release EVENT_NULL-pe@0x55abb31242b8 Aug 26 13:10:22.826163: | libevent_free: release ptr-libevent@0x55abb30b31d8 Aug 26 13:10:22.826165: | free_event_entry: release EVENT_NULL-pe@0x55abb3124368 Aug 26 13:10:22.826170: | libevent_free: release ptr-libevent@0x55abb30844e8 Aug 26 13:10:22.826172: | free_event_entry: release EVENT_NULL-pe@0x55abb3124418 Aug 26 13:10:22.826176: | libevent_free: release ptr-libevent@0x55abb30841d8 Aug 26 13:10:22.826178: | free_event_entry: release EVENT_NULL-pe@0x55abb31244c8 Aug 26 13:10:22.826182: | FOR_EACH_UNORIENTED_CONNECTION_... 
in check_orientations Aug 26 13:10:22.826627: | libevent_free: release ptr-libevent@0x55abb3118378 Aug 26 13:10:22.826652: | free_event_entry: release EVENT_NULL-pe@0x55abb310c0b8 Aug 26 13:10:22.826656: | libevent_free: release ptr-libevent@0x55abb30b5f88 Aug 26 13:10:22.826659: | free_event_entry: release EVENT_NULL-pe@0x55abb310b578 Aug 26 13:10:22.826663: | libevent_free: release ptr-libevent@0x55abb30efb28 Aug 26 13:10:22.826665: | free_event_entry: release EVENT_NULL-pe@0x55abb310c128 Aug 26 13:10:22.826668: | global timer EVENT_REINIT_SECRET uninitialized Aug 26 13:10:22.826670: | global timer EVENT_SHUNT_SCAN uninitialized Aug 26 13:10:22.826672: | global timer EVENT_PENDING_DDNS uninitialized Aug 26 13:10:22.826673: | global timer EVENT_PENDING_PHASE2 uninitialized Aug 26 13:10:22.826675: | global timer EVENT_CHECK_CRLS uninitialized Aug 26 13:10:22.826690: | global timer EVENT_REVIVE_CONNS uninitialized Aug 26 13:10:22.826691: | global timer EVENT_FREE_ROOT_CERTS uninitialized Aug 26 13:10:22.826693: | global timer EVENT_RESET_LOG_RATE_LIMIT uninitialized Aug 26 13:10:22.826694: | global timer EVENT_NAT_T_KEEPALIVE uninitialized Aug 26 13:10:22.826699: | libevent_free: release ptr-libevent@0x55abb30b7408 Aug 26 13:10:22.826700: | signal event handler PLUTO_SIGCHLD uninstalled Aug 26 13:10:22.826703: | libevent_free: release ptr-libevent@0x55abb31238b8 Aug 26 13:10:22.826704: | signal event handler PLUTO_SIGTERM uninstalled Aug 26 13:10:22.826706: | libevent_free: release ptr-libevent@0x55abb31239c8 Aug 26 13:10:22.826708: | signal event handler PLUTO_SIGHUP uninstalled Aug 26 13:10:22.826710: | libevent_free: release ptr-libevent@0x55abb3123c08 Aug 26 13:10:22.826712: | signal event handler PLUTO_SIGSYS uninstalled Aug 26 13:10:22.826713: | releasing event base Aug 26 13:10:22.826723: | libevent_free: release ptr-libevent@0x55abb3123ad8 Aug 26 13:10:22.826725: | libevent_free: release ptr-libevent@0x55abb3106968 Aug 26 13:10:22.826728: | libevent_free: 
release ptr-libevent@0x55abb3106918 Aug 26 13:10:22.826730: | libevent_free: release ptr-libevent@0x7fd25c0027d8 Aug 26 13:10:22.826733: | libevent_free: release ptr-libevent@0x55abb3106868 Aug 26 13:10:22.826735: | libevent_free: release ptr-libevent@0x55abb3123688 Aug 26 13:10:22.826736: | libevent_free: release ptr-libevent@0x55abb3123838 Aug 26 13:10:22.826738: | libevent_free: release ptr-libevent@0x55abb3106b18 Aug 26 13:10:22.826739: | libevent_free: release ptr-libevent@0x55abb310b688 Aug 26 13:10:22.826741: | libevent_free: release ptr-libevent@0x55abb310c078 Aug 26 13:10:22.826742: | libevent_free: release ptr-libevent@0x55abb3124538 Aug 26 13:10:22.826744: | libevent_free: release ptr-libevent@0x55abb3124488 Aug 26 13:10:22.826746: | libevent_free: release ptr-libevent@0x55abb31243d8 Aug 26 13:10:22.826747: | libevent_free: release ptr-libevent@0x55abb3124328 Aug 26 13:10:22.826749: | libevent_free: release ptr-libevent@0x55abb3124278 Aug 26 13:10:22.826750: | libevent_free: release ptr-libevent@0x55abb31241c8 Aug 26 13:10:22.826752: | libevent_free: release ptr-libevent@0x55abb30b2a28 Aug 26 13:10:22.826753: | libevent_free: release ptr-libevent@0x55abb3123988 Aug 26 13:10:22.826755: | libevent_free: release ptr-libevent@0x55abb3123878 Aug 26 13:10:22.826757: | libevent_free: release ptr-libevent@0x55abb31237f8 Aug 26 13:10:22.826758: | libevent_free: release ptr-libevent@0x55abb3123a98 Aug 26 13:10:22.826760: | libevent_free: release ptr-libevent@0x55abb31236c8 Aug 26 13:10:22.826762: | libevent_free: release ptr-libevent@0x55abb3083908 Aug 26 13:10:22.826763: | libevent_free: release ptr-libevent@0x55abb3083d38 Aug 26 13:10:22.826765: | libevent_free: release ptr-libevent@0x55abb30b2d98 Aug 26 13:10:22.826767: | releasing global libevent data Aug 26 13:10:22.826769: | libevent_free: release ptr-libevent@0x55abb30b45a8 Aug 26 13:10:22.826771: | libevent_free: release ptr-libevent@0x55abb3083cd8 Aug 26 13:10:22.826772: | libevent_free: release 
ptr-libevent@0x55abb3083dd8 Aug 26 13:10:22.826804: leak detective found no leaks