Aug 26 13:23:41.584429: FIPS Product: YES
Aug 26 13:23:41.584508: FIPS Kernel: NO
Aug 26 13:23:41.584510: FIPS Mode: NO
Aug 26 13:23:41.584512: NSS DB directory: sql:/etc/ipsec.d
Aug 26 13:23:41.584658: Initializing NSS
Aug 26 13:23:41.584663: Opening NSS database "sql:/etc/ipsec.d" read-only
Aug 26 13:23:41.613213: NSS initialized
Aug 26 13:23:41.613229: NSS crypto library initialized
Aug 26 13:23:41.613231: FIPS HMAC integrity support [enabled]
Aug 26 13:23:41.613233: FIPS mode disabled for pluto daemon
Aug 26 13:23:41.640063: FIPS HMAC integrity verification self-test FAILED
Aug 26 13:23:41.640402: libcap-ng support [enabled]
Aug 26 13:23:41.640411: Linux audit support [enabled]
Aug 26 13:23:41.640643: Linux audit activated
Aug 26 13:23:41.640652: Starting Pluto (Libreswan Version v3.28-685-gbfd5aef521-master-s2 XFRM(netkey) esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) DNSSEC FIPS_CHECK LABELED_IPSEC SECCOMP LIBCAP_NG LINUX_AUDIT XAUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:16754
Aug 26 13:23:41.640654: core dump dir: /tmp
Aug 26 13:23:41.640656: secrets file: /etc/ipsec.secrets
Aug 26 13:23:41.640658: leak-detective enabled
Aug 26 13:23:41.640659: NSS crypto [enabled]
Aug 26 13:23:41.640661: XAUTH PAM support [enabled]
Aug 26 13:23:41.640718: | libevent is using pluto's memory allocator
Aug 26 13:23:41.640723: Initializing libevent in pthreads mode: headers: 2.1.8-stable (2010800); library: 2.1.8-stable (2010800)
Aug 26 13:23:41.640738: | libevent_malloc: new ptr-libevent@0x5637616c7158 size 40
Aug 26 13:23:41.640741: | libevent_malloc: new ptr-libevent@0x5637616c1cd8 size 40
Aug 26 13:23:41.640743: | libevent_malloc: new ptr-libevent@0x5637616c1dd8 size 40
Aug 26 13:23:41.640745: | creating event base
Aug 26 13:23:41.640747: | libevent_malloc: new ptr-libevent@0x563761746558 size 56
Aug 26 13:23:41.640750: | libevent_malloc: new ptr-libevent@0x5637616ea628 size 664
Aug 26 13:23:41.640758: | libevent_malloc: new ptr-libevent@0x5637617465c8 size 24
Aug 26 13:23:41.640760: | libevent_malloc: new ptr-libevent@0x563761746618 size 384
Aug 26 13:23:41.640768: | libevent_malloc: new ptr-libevent@0x563761746518 size 16
Aug 26 13:23:41.640770: | libevent_malloc: new ptr-libevent@0x5637616c1908 size 40
Aug 26 13:23:41.640772: | libevent_malloc: new ptr-libevent@0x5637616c1d38 size 48
Aug 26 13:23:41.640776: | libevent_realloc: new ptr-libevent@0x5637616ecee8 size 256
Aug 26 13:23:41.640778: | libevent_malloc: new ptr-libevent@0x5637617467c8 size 16
Aug 26 13:23:41.640782: | libevent_free: release ptr-libevent@0x563761746558
Aug 26 13:23:41.640785: | libevent initialized
Aug 26 13:23:41.640788: | libevent_realloc: new ptr-libevent@0x563761746558 size 64
Aug 26 13:23:41.640792: | global periodic timer EVENT_RESET_LOG_RATE_LIMIT enabled with interval of 3600 seconds
Aug 26 13:23:41.640803: | init_nat_traversal() initialized with keep_alive=0s
Aug 26 13:23:41.640805: NAT-Traversal support [enabled]
Aug 26 13:23:41.640807: | global one-shot timer EVENT_NAT_T_KEEPALIVE initialized
Aug 26 13:23:41.640812: | global one-shot timer EVENT_FREE_ROOT_CERTS initialized
Aug 26 13:23:41.640814: | global periodic timer EVENT_REINIT_SECRET enabled with interval of 3600 seconds
Aug 26 13:23:41.640841: | global one-shot timer EVENT_REVIVE_CONNS initialized
Aug 26 13:23:41.640843: | global periodic timer EVENT_PENDING_DDNS enabled with interval of 60 seconds
Aug 26 13:23:41.640846: | global periodic timer EVENT_PENDING_PHASE2 enabled with interval of 120 seconds
Aug 26 13:23:41.640884: Encryption algorithms:
Aug 26 13:23:41.640894: AES_CCM_16 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm, aes_ccm_c
Aug 26 13:23:41.640899: AES_CCM_12 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_b
Aug 26 13:23:41.640903: AES_CCM_8 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_a
Aug 26 13:23:41.640908: 3DES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS [*192] 3des
Aug 26 13:23:41.640911: CAMELLIA_CTR IKEv1: ESP IKEv2: ESP {256,192,*128}
Aug 26 13:23:41.640921: CAMELLIA_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} camellia
Aug 26 13:23:41.640926: AES_GCM_16 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm, aes_gcm_c
Aug 26 13:23:41.640930: AES_GCM_12 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_b
Aug 26 13:23:41.640934: AES_GCM_8 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_a
Aug 26 13:23:41.640938: AES_CTR IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aesctr
Aug 26 13:23:41.640942: AES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aes
Aug 26 13:23:41.640946: SERPENT_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} serpent
Aug 26 13:23:41.640950: TWOFISH_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} twofish
Aug 26 13:23:41.640954: TWOFISH_SSH IKEv1: IKE IKEv2: IKE ESP {256,192,*128} twofish_cbc_ssh
Aug 26 13:23:41.640958: NULL_AUTH_AES_GMAC IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_gmac
Aug 26 13:23:41.640961: NULL IKEv1: ESP IKEv2: ESP []
Aug 26 13:23:41.640965: CHACHA20_POLY1305 IKEv1: IKEv2: IKE ESP [*256] chacha20poly1305
Aug 26 13:23:41.640972: Hash algorithms:
Aug 26 13:23:41.640975: MD5 IKEv1: IKE IKEv2:
Aug 26 13:23:41.640979: SHA1 IKEv1: IKE IKEv2: FIPS sha
Aug 26 13:23:41.640982: SHA2_256 IKEv1: IKE IKEv2: FIPS sha2, sha256
Aug 26 13:23:41.640986: SHA2_384 IKEv1: IKE IKEv2: FIPS sha384
Aug 26 13:23:41.640989: SHA2_512 IKEv1: IKE IKEv2: FIPS sha512
Aug 26 13:23:41.641002: PRF algorithms:
Aug 26 13:23:41.641006: HMAC_MD5 IKEv1: IKE IKEv2: IKE md5
Aug 26 13:23:41.641008: HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS sha, sha1
Aug 26 13:23:41.641010: HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS sha2, sha256, sha2_256
Aug 26 13:23:41.641012: HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS sha384, sha2_384
Aug 26 13:23:41.641014: HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS sha512, sha2_512
Aug 26 13:23:41.641016: AES_XCBC IKEv1: IKEv2: IKE aes128_xcbc
Aug 26 13:23:41.641033: Integrity algorithms:
Aug 26 13:23:41.641036: HMAC_MD5_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH md5, hmac_md5
Aug 26 13:23:41.641038: HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha, sha1, sha1_96, hmac_sha1
Aug 26 13:23:41.641041: HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha512, sha2_512, sha2_512_256, hmac_sha2_512
Aug 26 13:23:41.641043: HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha384, sha2_384, sha2_384_192, hmac_sha2_384
Aug 26 13:23:41.641046: HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256
Aug 26 13:23:41.641048: HMAC_SHA2_256_TRUNCBUG IKEv1: ESP AH IKEv2: AH
Aug 26 13:23:41.641050: AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP AH aes_xcbc, aes128_xcbc, aes128_xcbc_96
Aug 26 13:23:41.641052: AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS aes_cmac
Aug 26 13:23:41.641054: NONE IKEv1: ESP IKEv2: IKE ESP FIPS null
Aug 26 13:23:41.641062: DH algorithms:
Aug 26 13:23:41.641064: NONE IKEv1: IKEv2: IKE ESP AH FIPS null, dh0
Aug 26 13:23:41.641066: MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH dh5
Aug 26 13:23:41.641068: MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh14
Aug 26 13:23:41.641072: MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh15
Aug 26 13:23:41.641075: MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh16
Aug 26 13:23:41.641077: MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh17
Aug 26 13:23:41.641079: MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh18
Aug 26 13:23:41.641081: DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_256, ecp256
Aug 26 13:23:41.641083: DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_384, ecp384
Aug 26 13:23:41.641085: DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_521, ecp521
Aug 26 13:23:41.641087: DH31 IKEv1: IKE IKEv2: IKE ESP AH curve25519
Aug 26 13:23:41.641089: testing CAMELLIA_CBC:
Aug 26 13:23:41.641091: Camellia: 16 bytes with 128-bit key
Aug 26 13:23:41.641185: Camellia: 16 bytes with 128-bit key
Aug 26 13:23:41.641204: Camellia: 16 bytes with 256-bit key
Aug 26 13:23:41.641223: Camellia: 16 bytes with 256-bit key
Aug 26 13:23:41.641242: testing AES_GCM_16:
Aug 26 13:23:41.641244: empty string
Aug 26 13:23:41.641265: one block
Aug 26 13:23:41.641282: two blocks
Aug 26 13:23:41.641304: two blocks with associated data
Aug 26 13:23:41.641324: testing AES_CTR:
Aug 26 13:23:41.641326: Encrypting 16 octets using AES-CTR with 128-bit key
Aug 26 13:23:41.641343: Encrypting 32 octets using AES-CTR with 128-bit key
Aug 26 13:23:41.641360: Encrypting 36 octets using AES-CTR with 128-bit key
Aug 26 13:23:41.641378: Encrypting 16 octets using AES-CTR with 192-bit key
Aug 26 13:23:41.641395: Encrypting 32 octets using AES-CTR with 192-bit key
Aug 26 13:23:41.641412: Encrypting 36 octets using AES-CTR with 192-bit key
Aug 26 13:23:41.641429: Encrypting 16 octets using AES-CTR with 256-bit key
Aug 26 13:23:41.641445: Encrypting 32 octets using AES-CTR with 256-bit key
Aug 26 13:23:41.641464: Encrypting 36 octets using AES-CTR with 256-bit key
Aug 26 13:23:41.641481: testing AES_CBC:
Aug 26 13:23:41.641483: Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key
Aug 26 13:23:41.641500: Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key
Aug 26 13:23:41.641518: Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key
Aug 26 13:23:41.641535: Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key
Aug 26 13:23:41.641556: testing AES_XCBC:
Aug 26 13:23:41.641558: RFC 3566 Test Case #1: AES-XCBC-MAC-96 with 0-byte input
Aug 26 13:23:41.641632: RFC 3566 Test Case #2: AES-XCBC-MAC-96 with 3-byte input
Aug 26 13:23:41.641714: RFC 3566 Test Case #3: AES-XCBC-MAC-96 with 16-byte input
Aug 26 13:23:41.641789: RFC 3566 Test Case #4: AES-XCBC-MAC-96 with 20-byte input
Aug 26 13:23:41.641865: RFC 3566 Test Case #5: AES-XCBC-MAC-96 with 32-byte input
Aug 26 13:23:41.641942: RFC 3566 Test Case #6: AES-XCBC-MAC-96 with 34-byte input
Aug 26 13:23:41.642020: RFC 3566 Test Case #7: AES-XCBC-MAC-96 with 1000-byte input
Aug 26 13:23:41.642192: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 16)
Aug 26 13:23:41.642270: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10)
Aug 26 13:23:41.642411: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18)
Aug 26 13:23:41.642674: testing HMAC_MD5:
Aug 26 13:23:41.642680: RFC 2104: MD5_HMAC test 1
Aug 26 13:23:41.642862: RFC 2104: MD5_HMAC test 2
Aug 26 13:23:41.643024: RFC 2104: MD5_HMAC test 3
Aug 26 13:23:41.643277: 8 CPU cores online
Aug 26 13:23:41.643283: starting up 7 crypto helpers
Aug 26 13:23:41.643318: started thread for crypto helper 0
Aug 26 13:23:41.643335: | starting up helper thread 0
Aug 26 13:23:41.643348: | starting up helper thread 1
Aug 26 13:23:41.643341: started thread for crypto helper 1
Aug 26 13:23:41.643388: started thread for crypto helper 2
Aug 26 13:23:41.643407: started thread for crypto helper 3
Aug 26 13:23:41.643358: | status value returned by setting the priority of this thread (crypto helper 0) 22
Aug 26 13:23:41.643422: | crypto helper 0 waiting (nothing to do)
Aug 26 13:23:41.643427: started thread for crypto helper 4
Aug 26 13:23:41.643430: | starting up helper thread 3
Aug 26 13:23:41.643430: | starting up helper thread 2
Aug 26 13:23:41.643449: | status value returned by setting the priority of this thread (crypto helper 3) 22
Aug 26 13:23:41.643363: | status value returned by setting the priority of this thread (crypto helper 1) 22
Aug 26 13:23:41.643441: started thread for crypto helper 5
Aug 26 13:23:41.643452: | status value returned by setting the priority of this thread (crypto helper 2) 22
Aug 26 13:23:41.643491: started thread for crypto helper 6
Aug 26 13:23:41.643500: | checking IKEv1 state table
Aug 26 13:23:41.643435: | starting up helper thread 4
Aug 26 13:23:41.643508: | MAIN_R0: category: half-open IKE SA flags: 0:
Aug 26 13:23:41.643511: | -> MAIN_R1 EVENT_SO_DISCARD
Aug 26 13:23:41.643513: | status value returned by setting the priority of this thread (crypto helper 4) 22
Aug 26 13:23:41.643515: | MAIN_I1: category: half-open IKE SA flags: 0:
Aug 26 13:23:41.643524: | -> MAIN_I2 EVENT_RETRANSMIT
Aug 26 13:23:41.643527: | MAIN_R1: category: open IKE SA flags: 200:
Aug 26 13:23:41.643530: | -> MAIN_R2 EVENT_RETRANSMIT
Aug 26 13:23:41.643533: | -> UNDEFINED EVENT_RETRANSMIT
Aug 26 13:23:41.643535: | -> UNDEFINED EVENT_RETRANSMIT
Aug 26 13:23:41.643455: | starting up helper thread 5
Aug 26 13:23:41.643453: | crypto helper 3 waiting (nothing to do)
Aug 26 13:23:41.643540: | starting up helper thread 6
Aug 26 13:23:41.643548: | status value returned by setting the priority of this thread (crypto helper 5) 22
Aug 26 13:23:41.643563: | status value returned by setting the priority of this thread (crypto helper 6) 22
Aug 26 13:23:41.643563: | crypto helper 1 waiting (nothing to do)
Aug 26 13:23:41.643541: | MAIN_I2: category: open IKE SA flags: 0:
Aug 26 13:23:41.643607: | -> MAIN_I3 EVENT_RETRANSMIT
Aug 26 13:23:41.643609: | -> UNDEFINED EVENT_RETRANSMIT
Aug 26 13:23:41.643611: | -> UNDEFINED EVENT_RETRANSMIT
Aug 26 13:23:41.643613: | MAIN_R2: category: open IKE SA flags: 0:
Aug 26 13:23:41.643615: | -> MAIN_R3 EVENT_SA_REPLACE
Aug 26 13:23:41.643617: | -> MAIN_R3 EVENT_SA_REPLACE
Aug 26 13:23:41.643618: | -> UNDEFINED EVENT_SA_REPLACE
Aug 26 13:23:41.643620: | MAIN_I3: category: open IKE SA flags: 0:
Aug 26 13:23:41.643622: | -> MAIN_I4 EVENT_SA_REPLACE
Aug 26 13:23:41.643624: | -> MAIN_I4 EVENT_SA_REPLACE
Aug 26 13:23:41.643624: | crypto helper 2 waiting (nothing to do)
Aug 26 13:23:41.643625: | -> UNDEFINED EVENT_SA_REPLACE
Aug 26 13:23:41.643633: | MAIN_R3: category: established IKE SA flags: 200:
Aug 26 13:23:41.643634: | -> UNDEFINED EVENT_NULL
Aug 26 13:23:41.643636: | MAIN_I4: category: established IKE SA flags: 0:
Aug 26 13:23:41.643638: | -> UNDEFINED EVENT_NULL
Aug 26 13:23:41.643640: | AGGR_R0: category: half-open IKE SA flags: 0:
Aug 26 13:23:41.643641: | -> AGGR_R1 EVENT_SO_DISCARD
Aug 26 13:23:41.643643: | AGGR_I1: category: half-open IKE SA flags: 0:
Aug 26 13:23:41.643645: | -> AGGR_I2 EVENT_SA_REPLACE
Aug 26 13:23:41.643647: | -> AGGR_I2 EVENT_SA_REPLACE
Aug 26 13:23:41.643648: | AGGR_R1: category: open IKE SA flags: 200:
Aug 26 13:23:41.643650: | -> AGGR_R2 EVENT_SA_REPLACE
Aug 26 13:23:41.643652: | -> AGGR_R2 EVENT_SA_REPLACE
Aug 26 13:23:41.643653: | AGGR_I2: category: established IKE SA flags: 200:
Aug 26 13:23:41.643655: | -> UNDEFINED EVENT_NULL
Aug 26 13:23:41.643657: | AGGR_R2: category: established IKE SA flags: 0:
Aug 26 13:23:41.643658: | -> UNDEFINED EVENT_NULL
Aug 26 13:23:41.643660: | QUICK_R0: category: established CHILD SA flags: 0:
Aug 26 13:23:41.643662: | -> QUICK_R1 EVENT_RETRANSMIT
Aug 26 13:23:41.643664: | QUICK_I1: category: established CHILD SA flags: 0:
Aug 26 13:23:41.643665: | -> QUICK_I2 EVENT_SA_REPLACE
Aug 26 13:23:41.643667: | QUICK_R1: category: established CHILD SA flags: 0:
Aug 26 13:23:41.643675: | -> QUICK_R2 EVENT_SA_REPLACE
Aug 26 13:23:41.643678: | QUICK_I2: category: established CHILD SA flags: 200:
Aug 26 13:23:41.643666: | crypto helper 4 waiting (nothing to do)
Aug 26 13:23:41.643691: | crypto helper 5 waiting (nothing to do)
Aug 26 13:23:41.643703: | crypto helper 6 waiting (nothing to do)
Aug 26 13:23:41.643679: | -> UNDEFINED EVENT_NULL
Aug 26 13:23:41.643734: | QUICK_R2: category: established CHILD SA flags: 0:
Aug 26 13:23:41.643738: | -> UNDEFINED EVENT_NULL
Aug 26 13:23:41.643740: | INFO: category: informational flags: 0:
Aug 26 13:23:41.643742: | -> UNDEFINED EVENT_NULL
Aug 26 13:23:41.643744: | INFO_PROTECTED: category: informational flags: 0:
Aug 26 13:23:41.643746: | -> UNDEFINED EVENT_NULL
Aug 26 13:23:41.643748: | XAUTH_R0: category: established IKE SA flags: 0:
Aug 26 13:23:41.643749: | -> XAUTH_R1 EVENT_NULL
Aug 26 13:23:41.643751: | XAUTH_R1: category: established IKE SA flags: 0:
Aug 26 13:23:41.643753: | -> MAIN_R3 EVENT_SA_REPLACE
Aug 26 13:23:41.643755: | MODE_CFG_R0: category: informational flags: 0:
Aug 26 13:23:41.643756: | -> MODE_CFG_R1 EVENT_SA_REPLACE
Aug 26 13:23:41.643758: | MODE_CFG_R1: category: established IKE SA flags: 0:
Aug 26 13:23:41.643760: | -> MODE_CFG_R2 EVENT_SA_REPLACE
Aug 26 13:23:41.643762: | MODE_CFG_R2: category: established IKE SA flags: 0:
Aug 26 13:23:41.643764: | -> UNDEFINED EVENT_NULL
Aug 26 13:23:41.643765: | MODE_CFG_I1: category: established IKE SA flags: 0:
Aug 26 13:23:41.643767: | -> MAIN_I4 EVENT_SA_REPLACE
Aug 26 13:23:41.643769: | XAUTH_I0: category: established IKE SA flags: 0:
Aug 26 13:23:41.643771: | -> XAUTH_I1 EVENT_RETRANSMIT
Aug 26 13:23:41.643773: | XAUTH_I1: category: established IKE SA flags: 0:
Aug 26 13:23:41.643774: | -> MAIN_I4 EVENT_RETRANSMIT
Aug 26 13:23:41.643780: | checking IKEv2 state table
Aug 26 13:23:41.643784: | PARENT_I0: category: ignore flags: 0:
Aug 26 13:23:41.643786: | -> PARENT_I1 EVENT_RETRANSMIT send-request (initiate IKE_SA_INIT)
Aug 26 13:23:41.643789: | PARENT_I1: category: half-open IKE SA flags: 0:
Aug 26 13:23:41.643791: | -> PARENT_I1 EVENT_RETAIN send-request (Initiator: process SA_INIT reply notification)
Aug 26 13:23:41.643793: | -> PARENT_I2 EVENT_RETRANSMIT send-request (Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH)
Aug 26 13:23:41.643795: | PARENT_I2: category: open IKE SA flags: 0:
Aug 26 13:23:41.643797: | -> PARENT_I2 EVENT_NULL (Initiator: process INVALID_SYNTAX AUTH notification)
Aug 26 13:23:41.643799: | -> PARENT_I2 EVENT_NULL (Initiator: process AUTHENTICATION_FAILED AUTH notification)
Aug 26 13:23:41.643801: | -> PARENT_I2 EVENT_NULL (Initiator: process UNSUPPORTED_CRITICAL_PAYLOAD AUTH notification)
Aug 26 13:23:41.643803: | -> V2_IPSEC_I EVENT_SA_REPLACE (Initiator: process IKE_AUTH response)
Aug 26 13:23:41.643805: | -> PARENT_I2 EVENT_NULL (IKE SA: process IKE_AUTH response containing unknown notification)
Aug 26 13:23:41.643807: | PARENT_I3: category: established IKE SA flags: 0:
Aug 26 13:23:41.643808: | -> PARENT_I3 EVENT_RETAIN (I3: Informational Request)
Aug 26 13:23:41.643810: | -> PARENT_I3 EVENT_RETAIN (I3: Informational Response)
Aug 26 13:23:41.643812: | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Request)
Aug 26 13:23:41.643814: | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Response)
Aug 26 13:23:41.643816: | PARENT_R0: category: half-open IKE SA flags: 0:
Aug 26 13:23:41.643817: | -> PARENT_R1 EVENT_SO_DISCARD send-request (Respond to IKE_SA_INIT)
Aug 26 13:23:41.643819: | PARENT_R1: category: half-open IKE SA flags: 0:
Aug 26 13:23:41.643821: | -> PARENT_R1 EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request (no SKEYSEED))
Aug 26 13:23:41.643823: | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request)
Aug 26 13:23:41.643825: | PARENT_R2: category: established IKE SA flags: 0:
Aug 26 13:23:41.643827: | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Request)
Aug 26 13:23:41.643832: | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Response)
Aug 26 13:23:41.643834: | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Request)
Aug 26 13:23:41.643835: | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Response)
Aug 26 13:23:41.643837: | V2_CREATE_I0: category: established IKE SA flags: 0:
Aug 26 13:23:41.643839: | -> V2_CREATE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec SA)
Aug 26 13:23:41.643841: | V2_CREATE_I: category: established IKE SA flags: 0:
Aug 26 13:23:41.643843: | -> V2_IPSEC_I EVENT_SA_REPLACE (Process CREATE_CHILD_SA IPsec SA Response)
Aug 26 13:23:41.643845: | V2_REKEY_IKE_I0: category: established IKE SA flags: 0:
Aug 26 13:23:41.643847: | -> V2_REKEY_IKE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IKE Rekey)
Aug 26 13:23:41.643849: | V2_REKEY_IKE_I: category: established IKE SA flags: 0:
Aug 26 13:23:41.643851: | -> PARENT_I3 EVENT_SA_REPLACE (Process CREATE_CHILD_SA IKE Rekey Response)
Aug 26 13:23:41.643853: | V2_REKEY_CHILD_I0: category: established IKE SA flags: 0:
Aug 26 13:23:41.643855: | -> V2_REKEY_CHILD_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec Rekey SA)
Aug 26 13:23:41.643857: | V2_REKEY_CHILD_I: category: established IKE SA flags: 0:
Aug 26 13:23:41.643859: | V2_CREATE_R: category: established IKE SA flags: 0:
Aug 26 13:23:41.643861: | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IPsec SA Request)
Aug 26 13:23:41.643863: | V2_REKEY_IKE_R: category: established IKE SA flags: 0:
Aug 26 13:23:41.643865: | -> PARENT_R2 EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IKE Rekey)
Aug 26 13:23:41.643867: | V2_REKEY_CHILD_R: category: established IKE SA flags: 0:
Aug 26 13:23:41.643869: | V2_IPSEC_I: category: established CHILD SA flags: 0:
Aug 26 13:23:41.643871: | V2_IPSEC_R: category: established CHILD SA flags: 0:
Aug 26 13:23:41.643873: | IKESA_DEL: category: established IKE SA flags: 0:
Aug 26 13:23:41.643875: | -> IKESA_DEL EVENT_RETAIN (IKE_SA_DEL: process INFORMATIONAL)
Aug 26 13:23:41.643876: | CHILDSA_DEL: category: informational flags: 0:
Aug 26 13:23:41.643887: Using Linux XFRM/NETKEY IPsec interface code on 5.1.18-200.fc29.x86_64
Aug 26 13:23:41.644401: | Hard-wiring algorithms
Aug 26 13:23:41.644409: | adding AES_CCM_16 to kernel algorithm db
Aug 26 13:23:41.644414: | adding AES_CCM_12 to kernel algorithm db
Aug 26 13:23:41.644417: | adding AES_CCM_8 to kernel algorithm db
Aug 26 13:23:41.644420: | adding 3DES_CBC to kernel algorithm db
Aug 26 13:23:41.644422: | adding CAMELLIA_CBC to kernel algorithm db
Aug 26 13:23:41.644425: | adding AES_GCM_16 to kernel algorithm db
Aug 26 13:23:41.644428: | adding AES_GCM_12 to kernel algorithm db
Aug 26 13:23:41.644430: | adding AES_GCM_8 to kernel algorithm db
Aug 26 13:23:41.644433: | adding AES_CTR to kernel algorithm db
Aug 26 13:23:41.644435: | adding AES_CBC to kernel algorithm db
Aug 26 13:23:41.644438: | adding SERPENT_CBC to kernel algorithm db
Aug 26 13:23:41.644440: | adding TWOFISH_CBC to kernel algorithm db
Aug 26 13:23:41.644443: | adding NULL_AUTH_AES_GMAC to kernel algorithm db
Aug 26 13:23:41.644445: | adding NULL to kernel algorithm db
Aug 26 13:23:41.644448: | adding CHACHA20_POLY1305 to kernel algorithm db
Aug 26 13:23:41.644451: | adding HMAC_MD5_96 to kernel algorithm db
Aug 26 13:23:41.644453: | adding HMAC_SHA1_96 to kernel algorithm db
Aug 26 13:23:41.644456: | adding HMAC_SHA2_512_256 to kernel algorithm db
Aug 26 13:23:41.644459: | adding HMAC_SHA2_384_192 to kernel algorithm db
Aug 26 13:23:41.644461: | adding HMAC_SHA2_256_128 to kernel algorithm db
Aug 26 13:23:41.644464: | adding HMAC_SHA2_256_TRUNCBUG to kernel algorithm db
Aug 26 13:23:41.644467: | adding AES_XCBC_96 to kernel algorithm db
Aug 26 13:23:41.644469: | adding AES_CMAC_96 to kernel algorithm db
Aug 26 13:23:41.644472: | adding NONE to kernel algorithm db
Aug 26 13:23:41.644498: | net.ipv6.conf.all.disable_ipv6=1 ignore ipv6 holes
Aug 26 13:23:41.644505: | global periodic timer EVENT_SHUNT_SCAN enabled with interval of 20 seconds
Aug 26 13:23:41.644508: | setup kernel fd callback
Aug 26 13:23:41.644511: | add_fd_read_event_handler: new KERNEL_XRM_FD-pe@0x56376174b228
Aug 26 13:23:41.644515: | libevent_malloc: new ptr-libevent@0x56376172f688 size 128
Aug 26 13:23:41.644519: | libevent_malloc: new ptr-libevent@0x56376174b338 size 16
Aug 26 13:23:41.644525: | add_fd_read_event_handler: new KERNEL_ROUTE_FD-pe@0x56376174bd68
Aug 26 13:23:41.644529: | libevent_malloc: new ptr-libevent@0x5637616ed578 size 128
Aug 26 13:23:41.644532: | libevent_malloc: new ptr-libevent@0x56376174bd28 size 16
Aug 26 13:23:41.644752: | global one-shot timer EVENT_CHECK_CRLS initialized
Aug 26 13:23:41.644761: selinux support is enabled.
Aug 26 13:23:41.645489: | unbound context created - setting debug level to 5 Aug 26 13:23:41.645521: | /etc/hosts lookups activated Aug 26 13:23:41.645538: | /etc/resolv.conf usage activated Aug 26 13:23:41.645577: | outgoing-port-avoid set 0-65535 Aug 26 13:23:41.645595: | outgoing-port-permit set 32768-60999 Aug 26 13:23:41.645597: | Loading dnssec root key from:/var/lib/unbound/root.key Aug 26 13:23:41.645600: | No additional dnssec trust anchors defined via dnssec-trusted= option Aug 26 13:23:41.645602: | Setting up events, loop start Aug 26 13:23:41.645605: | add_fd_read_event_handler: new PLUTO_CTL_FD-pe@0x56376174bdd8 Aug 26 13:23:41.645607: | libevent_malloc: new ptr-libevent@0x563761757f68 size 128 Aug 26 13:23:41.645610: | libevent_malloc: new ptr-libevent@0x5637617631b8 size 16 Aug 26 13:23:41.645616: | libevent_realloc: new ptr-libevent@0x5637616ea2b8 size 256 Aug 26 13:23:41.645618: | libevent_malloc: new ptr-libevent@0x5637617631f8 size 8 Aug 26 13:23:41.645620: | libevent_realloc: new ptr-libevent@0x5637616bd918 size 144 Aug 26 13:23:41.645622: | libevent_malloc: new ptr-libevent@0x5637616eb188 size 152 Aug 26 13:23:41.645625: | libevent_malloc: new ptr-libevent@0x563761763238 size 16 Aug 26 13:23:41.645627: | signal event handler PLUTO_SIGCHLD installed Aug 26 13:23:41.645629: | libevent_malloc: new ptr-libevent@0x563761763278 size 8 Aug 26 13:23:41.645633: | libevent_malloc: new ptr-libevent@0x5637616eef38 size 152 Aug 26 13:23:41.645635: | signal event handler PLUTO_SIGTERM installed Aug 26 13:23:41.645637: | libevent_malloc: new ptr-libevent@0x5637617632b8 size 8 Aug 26 13:23:41.645639: | libevent_malloc: new ptr-libevent@0x5637617632f8 size 152 Aug 26 13:23:41.645641: | signal event handler PLUTO_SIGHUP installed Aug 26 13:23:41.645643: | libevent_malloc: new ptr-libevent@0x5637617633c8 size 8 Aug 26 13:23:41.645645: | libevent_realloc: release ptr-libevent@0x5637616bd918 Aug 26 13:23:41.645647: | libevent_realloc: new 
ptr-libevent@0x563761763408 size 256 Aug 26 13:23:41.645648: | libevent_malloc: new ptr-libevent@0x563761763538 size 152 Aug 26 13:23:41.645651: | signal event handler PLUTO_SIGSYS installed Aug 26 13:23:41.645903: | created addconn helper (pid:16885) using fork+execve Aug 26 13:23:41.645919: | forked child 16885 Aug 26 13:23:41.645965: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 13:23:41.646321: listening for IKE messages Aug 26 13:23:41.646727: | Inspecting interface lo Aug 26 13:23:41.646737: | found lo with address 127.0.0.1 Aug 26 13:23:41.646743: | Inspecting interface eth0 Aug 26 13:23:41.646749: | found eth0 with address 192.0.2.254 Aug 26 13:23:41.646753: | Inspecting interface eth1 Aug 26 13:23:41.646757: | found eth1 with address 192.1.2.23 Aug 26 13:23:41.646831: Kernel supports NIC esp-hw-offload Aug 26 13:23:41.646844: adding interface eth1/eth1 (esp-hw-offload not supported by kernel) 192.1.2.23:500 Aug 26 13:23:41.646892: | NAT-Traversal: Trying sockopt style NAT-T Aug 26 13:23:41.646898: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 Aug 26 13:23:41.646902: adding interface eth1/eth1 192.1.2.23:4500 Aug 26 13:23:41.646934: adding interface eth0/eth0 (esp-hw-offload not supported by kernel) 192.0.2.254:500 Aug 26 13:23:41.646955: | NAT-Traversal: Trying sockopt style NAT-T Aug 26 13:23:41.646960: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 Aug 26 13:23:41.646963: adding interface eth0/eth0 192.0.2.254:4500 Aug 26 13:23:41.646988: adding interface lo/lo (esp-hw-offload not supported by kernel) 127.0.0.1:500 Aug 26 13:23:41.647010: | NAT-Traversal: Trying sockopt style NAT-T Aug 26 13:23:41.647015: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 Aug 26 13:23:41.647019: adding interface lo/lo 127.0.0.1:4500 Aug 26 13:23:41.647098: | no interfaces to sort Aug 26 
13:23:41.647103: | FOR_EACH_UNORIENTED_CONNECTION_... in check_orientations Aug 26 13:23:41.647112: | add_fd_read_event_handler: new ethX-pe@0x563761763a98 Aug 26 13:23:41.647115: | libevent_malloc: new ptr-libevent@0x563761757eb8 size 128 Aug 26 13:23:41.647119: | libevent_malloc: new ptr-libevent@0x563761763b08 size 16 Aug 26 13:23:41.647127: | setup callback for interface lo 127.0.0.1:4500 fd 22 Aug 26 13:23:41.647130: | add_fd_read_event_handler: new ethX-pe@0x563761763b48 Aug 26 13:23:41.647133: | libevent_malloc: new ptr-libevent@0x5637616ece08 size 128 Aug 26 13:23:41.647136: | libevent_malloc: new ptr-libevent@0x563761763bb8 size 16 Aug 26 13:23:41.647141: | setup callback for interface lo 127.0.0.1:500 fd 21 Aug 26 13:23:41.647144: | add_fd_read_event_handler: new ethX-pe@0x563761763bf8 Aug 26 13:23:41.647147: | libevent_malloc: new ptr-libevent@0x5637616edea8 size 128 Aug 26 13:23:41.647150: | libevent_malloc: new ptr-libevent@0x563761763c68 size 16 Aug 26 13:23:41.647155: | setup callback for interface eth0 192.0.2.254:4500 fd 20 Aug 26 13:23:41.647158: | add_fd_read_event_handler: new ethX-pe@0x563761763ca8 Aug 26 13:23:41.647162: | libevent_malloc: new ptr-libevent@0x5637616eeaa8 size 128 Aug 26 13:23:41.647165: | libevent_malloc: new ptr-libevent@0x563761763d18 size 16 Aug 26 13:23:41.647170: | setup callback for interface eth0 192.0.2.254:500 fd 19 Aug 26 13:23:41.647174: | add_fd_read_event_handler: new ethX-pe@0x563761763d58 Aug 26 13:23:41.647178: | libevent_malloc: new ptr-libevent@0x5637616c7b78 size 128 Aug 26 13:23:41.647181: | libevent_malloc: new ptr-libevent@0x563761763dc8 size 16 Aug 26 13:23:41.647186: | setup callback for interface eth1 192.1.2.23:4500 fd 18 Aug 26 13:23:41.647190: | add_fd_read_event_handler: new ethX-pe@0x563761763e08 Aug 26 13:23:41.647194: | libevent_malloc: new ptr-libevent@0x5637616c21d8 size 128 Aug 26 13:23:41.647197: | libevent_malloc: new ptr-libevent@0x563761763e78 size 16 Aug 26 13:23:41.647203: | setup 
callback for interface eth1 192.1.2.23:500 fd 17 Aug 26 13:23:41.647208: | certs and keys locked by 'free_preshared_secrets' Aug 26 13:23:41.647211: | certs and keys unlocked by 'free_preshared_secrets' Aug 26 13:23:41.647233: loading secrets from "/etc/ipsec.secrets" Aug 26 13:23:41.647245: | id type added to secret(0x5637616bdb58) PKK_PSK: @west Aug 26 13:23:41.647249: | id type added to secret(0x5637616bdb58) PKK_PSK: @east Aug 26 13:23:41.647254: | Processing PSK at line 1: passed Aug 26 13:23:41.647257: | certs and keys locked by 'process_secret' Aug 26 13:23:41.647262: | certs and keys unlocked by 'process_secret' Aug 26 13:23:41.647273: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 13:23:41.647281: | spent 1.31 milliseconds in whack Aug 26 13:23:41.664767: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 13:23:41.664790: listening for IKE messages Aug 26 13:23:41.664818: | Inspecting interface lo Aug 26 13:23:41.664824: | found lo with address 127.0.0.1 Aug 26 13:23:41.664826: | Inspecting interface eth0 Aug 26 13:23:41.664829: | found eth0 with address 192.0.2.254 Aug 26 13:23:41.664831: | Inspecting interface eth1 Aug 26 13:23:41.664833: | found eth1 with address 192.1.2.23 Aug 26 13:23:41.664882: | no interfaces to sort Aug 26 13:23:41.664895: | libevent_free: release ptr-libevent@0x563761757eb8 Aug 26 13:23:41.664900: | free_event_entry: release EVENT_NULL-pe@0x563761763a98 Aug 26 13:23:41.664904: | add_fd_read_event_handler: new ethX-pe@0x563761763a98 Aug 26 13:23:41.664907: | libevent_malloc: new ptr-libevent@0x563761757eb8 size 128 Aug 26 13:23:41.664915: | setup callback for interface lo 127.0.0.1:4500 fd 22 Aug 26 13:23:41.664919: | libevent_free: release ptr-libevent@0x5637616ece08 Aug 26 13:23:41.664922: | free_event_entry: release EVENT_NULL-pe@0x563761763b48 Aug 26 13:23:41.664925: | add_fd_read_event_handler: new ethX-pe@0x563761763b48 Aug 26 
13:23:41.664929: | libevent_malloc: new ptr-libevent@0x5637616ece08 size 128 Aug 26 13:23:41.664934: | setup callback for interface lo 127.0.0.1:500 fd 21 Aug 26 13:23:41.664938: | libevent_free: release ptr-libevent@0x5637616edea8 Aug 26 13:23:41.664941: | free_event_entry: release EVENT_NULL-pe@0x563761763bf8 Aug 26 13:23:41.664944: | add_fd_read_event_handler: new ethX-pe@0x563761763bf8 Aug 26 13:23:41.664947: | libevent_malloc: new ptr-libevent@0x5637616edea8 size 128 Aug 26 13:23:41.664952: | setup callback for interface eth0 192.0.2.254:4500 fd 20 Aug 26 13:23:41.664956: | libevent_free: release ptr-libevent@0x5637616eeaa8 Aug 26 13:23:41.664959: | free_event_entry: release EVENT_NULL-pe@0x563761763ca8 Aug 26 13:23:41.664962: | add_fd_read_event_handler: new ethX-pe@0x563761763ca8 Aug 26 13:23:41.664965: | libevent_malloc: new ptr-libevent@0x5637616eeaa8 size 128 Aug 26 13:23:41.664970: | setup callback for interface eth0 192.0.2.254:500 fd 19 Aug 26 13:23:41.664974: | libevent_free: release ptr-libevent@0x5637616c7b78 Aug 26 13:23:41.664977: | free_event_entry: release EVENT_NULL-pe@0x563761763d58 Aug 26 13:23:41.664980: | add_fd_read_event_handler: new ethX-pe@0x563761763d58 Aug 26 13:23:41.664983: | libevent_malloc: new ptr-libevent@0x5637616c7b78 size 128 Aug 26 13:23:41.664988: | setup callback for interface eth1 192.1.2.23:4500 fd 18 Aug 26 13:23:41.664993: | libevent_free: release ptr-libevent@0x5637616c21d8 Aug 26 13:23:41.664996: | free_event_entry: release EVENT_NULL-pe@0x563761763e08 Aug 26 13:23:41.664999: | add_fd_read_event_handler: new ethX-pe@0x563761763e08 Aug 26 13:23:41.665002: | libevent_malloc: new ptr-libevent@0x5637616c21d8 size 128 Aug 26 13:23:41.665008: | setup callback for interface eth1 192.1.2.23:500 fd 17 Aug 26 13:23:41.665012: | certs and keys locked by 'free_preshared_secrets' Aug 26 13:23:41.665015: forgetting secrets Aug 26 13:23:41.665023: | certs and keys unlocked by 'free_preshared_secrets' Aug 26 13:23:41.665037: loading 
secrets from "/etc/ipsec.secrets" Aug 26 13:23:41.665045: | id type added to secret(0x5637616bdb58) PKK_PSK: @west Aug 26 13:23:41.665048: | id type added to secret(0x5637616bdb58) PKK_PSK: @east Aug 26 13:23:41.665053: | Processing PSK at line 1: passed Aug 26 13:23:41.665056: | certs and keys locked by 'process_secret' Aug 26 13:23:41.665059: | certs and keys unlocked by 'process_secret' Aug 26 13:23:41.665068: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 13:23:41.665076: | spent 0.315 milliseconds in whack Aug 26 13:23:41.665479: | processing signal PLUTO_SIGCHLD Aug 26 13:23:41.665493: | waitpid returned pid 16885 (exited with status 0) Aug 26 13:23:41.665498: | reaped addconn helper child (status 0) Aug 26 13:23:41.665503: | waitpid returned ECHILD (no child processes left) Aug 26 13:23:41.665508: | spent 0.0172 milliseconds in signal handler PLUTO_SIGCHLD Aug 26 13:23:41.723090: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 13:23:41.723108: | FOR_EACH_CONNECTION_... in conn_by_name Aug 26 13:23:41.723124: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias Aug 26 13:23:41.723126: | FOR_EACH_CONNECTION_... in conn_by_name Aug 26 13:23:41.723128: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias Aug 26 13:23:41.723131: | FOR_EACH_CONNECTION_... 
in conn_by_name Aug 26 13:23:41.723137: | Added new connection east with policy PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO Aug 26 13:23:41.723177: | ike (phase1) algorithm values: AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 Aug 26 13:23:41.723180: | from whack: got --esp= Aug 26 13:23:41.723202: | ESP/AH string values: AES_GCM_16_256-NONE, AES_GCM_16_128-NONE, AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128, AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128 Aug 26 13:23:41.723209: | counting wild cards for @west is 0 Aug 26 13:23:41.723211: | counting wild cards for @east is 0 Aug 26 13:23:41.723219: | connect_to_host_pair: 192.1.2.23:500 192.1.2.45:500 -> hp@(nil): none Aug 26 13:23:41.723221: | new hp@0x563761766188 Aug 26 13:23:41.723224: added connection description "east" Aug 26 13:23:41.723231: | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO Aug 26 13:23:41.723240: | 192.0.2.0/24===192.1.2.23<192.1.2.23>[@east]...192.1.2.45<192.1.2.45>[@west]===192.0.1.0/24 Aug 26 13:23:41.723250: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 13:23:41.723256: | spent 0.187 milliseconds in whack Aug 26 13:23:41.723303: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 13:23:41.723312: add keyid @west
Aug 26 13:23:41.723374: | computed rsa CKAID b4 9f 1a ac 9e 45 6e 79 29 c8 81 97 3a 0c 6a d3 Aug 26 13:23:41.723376: | computed rsa CKAID 7f 0f 03 50 Aug 26 13:23:41.723385: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 13:23:41.723389: | spent 0.0883 milliseconds in whack Aug 26 13:23:41.723465: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 13:23:41.723477: add keyid @east
Aug 26 13:23:41.723522: | computed rsa CKAID 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1 Aug 26 13:23:41.723524: | computed rsa CKAID 8a 82 25 f1 Aug 26 13:23:41.723532: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 13:23:41.723536: | spent 0.0762 milliseconds in whack Aug 26 13:23:42.964848: | spent 0.00261 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Aug 26 13:23:42.964873: | *received 828 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500)
Aug 26 13:23:42.964965: | start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) Aug 26 13:23:42.964968: | **parse ISAKMP Message: Aug 26 13:23:42.964970: | initiator cookie: Aug 26 13:23:42.964971: | be 09 7a a2 43 c3 23 61 Aug 26 13:23:42.964973: | responder cookie: Aug 26 13:23:42.964975: | 00 00 00 00 00 00 00 00 Aug 26 13:23:42.964977: | next payload type:
ISAKMP_NEXT_v2SA (0x21) Aug 26 13:23:42.964979: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:23:42.964980: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) Aug 26 13:23:42.964982: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Aug 26 13:23:42.964984: | Message ID: 0 (0x0) Aug 26 13:23:42.964986: | length: 828 (0x33c) Aug 26 13:23:42.964988: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_SA_INIT (34) Aug 26 13:23:42.964990: | I am the IKE SA Original Responder receiving an IKEv2 IKE_SA_INIT request Aug 26 13:23:42.964993: | State DB: IKEv2 state not found (find_v2_ike_sa_by_initiator_spi) Aug 26 13:23:42.964995: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Aug 26 13:23:42.964997: | ***parse IKEv2 Security Association Payload: Aug 26 13:23:42.964999: | next payload type: ISAKMP_NEXT_v2KE (0x22) Aug 26 13:23:42.965001: | flags: none (0x0) Aug 26 13:23:42.965003: | length: 436 (0x1b4) Aug 26 13:23:42.965004: | processing payload: ISAKMP_NEXT_v2SA (len=432) Aug 26 13:23:42.965006: | Now let's proceed with payload (ISAKMP_NEXT_v2KE) Aug 26 13:23:42.965008: | ***parse IKEv2 Key Exchange Payload: Aug 26 13:23:42.965010: | next payload type: ISAKMP_NEXT_v2Ni (0x28) Aug 26 13:23:42.965012: | flags: none (0x0) Aug 26 13:23:42.965013: | length: 264 (0x108) Aug 26 13:23:42.965015: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:23:42.965017: | processing payload: ISAKMP_NEXT_v2KE (len=256) Aug 26 13:23:42.965018: | Now let's proceed with payload (ISAKMP_NEXT_v2Ni) Aug 26 13:23:42.965020: | ***parse IKEv2 Nonce Payload: Aug 26 13:23:42.965022: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 13:23:42.965023: | flags: none (0x0) Aug 26 13:23:42.965025: | length: 36 (0x24) Aug 26 13:23:42.965027: | processing payload: ISAKMP_NEXT_v2Ni (len=32) Aug 26 13:23:42.965028: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Aug 26 13:23:42.965030: | ***parse IKEv2 Notify Payload: Aug 26 13:23:42.965033: | next payload type: ISAKMP_NEXT_v2N 
(0x29) Aug 26 13:23:42.965035: | flags: none (0x0) Aug 26 13:23:42.965037: | length: 8 (0x8) Aug 26 13:23:42.965038: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:23:42.965040: | SPI size: 0 (0x0) Aug 26 13:23:42.965042: | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) Aug 26 13:23:42.965044: | processing payload: ISAKMP_NEXT_v2N (len=0) Aug 26 13:23:42.965045: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Aug 26 13:23:42.965047: | ***parse IKEv2 Notify Payload: Aug 26 13:23:42.965049: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 13:23:42.965050: | flags: none (0x0) Aug 26 13:23:42.965052: | length: 28 (0x1c) Aug 26 13:23:42.965053: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:23:42.965055: | SPI size: 0 (0x0) Aug 26 13:23:42.965057: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Aug 26 13:23:42.965058: | processing payload: ISAKMP_NEXT_v2N (len=20) Aug 26 13:23:42.965060: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Aug 26 13:23:42.965062: | ***parse IKEv2 Notify Payload: Aug 26 13:23:42.965063: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:23:42.965065: | flags: none (0x0) Aug 26 13:23:42.965066: | length: 28 (0x1c) Aug 26 13:23:42.965068: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:23:42.965070: | SPI size: 0 (0x0) Aug 26 13:23:42.965071: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Aug 26 13:23:42.965073: | processing payload: ISAKMP_NEXT_v2N (len=20) Aug 26 13:23:42.965075: | DDOS disabled and no cookie sent, continuing Aug 26 13:23:42.965079: | find_host_connection local=192.1.2.23:500 remote=192.1.2.45:500 policy=ECDSA+IKEV2_ALLOW but ignoring ports Aug 26 13:23:42.965082: | find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500 but ignoring ports Aug 26 13:23:42.965084: | find_next_host_connection policy=ECDSA+IKEV2_ALLOW Aug 26 13:23:42.965087: | found policy = PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (east) Aug 26 13:23:42.965089: | 
find_next_host_connection returns empty Aug 26 13:23:42.965092: | find_host_connection local=192.1.2.23:500 remote= policy=ECDSA+IKEV2_ALLOW but ignoring ports Aug 26 13:23:42.965094: | find_next_host_connection policy=ECDSA+IKEV2_ALLOW Aug 26 13:23:42.965095: | find_next_host_connection returns empty Aug 26 13:23:42.965098: | initial parent SA message received on 192.1.2.23:500 but no connection has been authorized with policy ECDSA+IKEV2_ALLOW Aug 26 13:23:42.965101: | find_host_connection local=192.1.2.23:500 remote=192.1.2.45:500 policy=RSASIG+IKEV2_ALLOW but ignoring ports Aug 26 13:23:42.965104: | find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500 but ignoring ports Aug 26 13:23:42.965105: | find_next_host_connection policy=RSASIG+IKEV2_ALLOW Aug 26 13:23:42.965107: | found policy = PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (east) Aug 26 13:23:42.965109: | find_next_host_connection returns empty Aug 26 13:23:42.965112: | find_host_connection local=192.1.2.23:500 remote= policy=RSASIG+IKEV2_ALLOW but ignoring ports Aug 26 13:23:42.965113: | find_next_host_connection policy=RSASIG+IKEV2_ALLOW Aug 26 13:23:42.965115: | find_next_host_connection returns empty Aug 26 13:23:42.965117: | initial parent SA message received on 192.1.2.23:500 but no connection has been authorized with policy RSASIG+IKEV2_ALLOW Aug 26 13:23:42.965120: | find_host_connection local=192.1.2.23:500 remote=192.1.2.45:500 policy=PSK+IKEV2_ALLOW but ignoring ports Aug 26 13:23:42.965123: | find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500 but ignoring ports Aug 26 13:23:42.965125: | find_next_host_connection policy=PSK+IKEV2_ALLOW Aug 26 13:23:42.965127: | found policy = PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (east) Aug 26 13:23:42.965128: | find_next_host_connection returns east Aug 26 13:23:42.965130: | find_next_host_connection policy=PSK+IKEV2_ALLOW Aug 26 13:23:42.965133: | find_next_host_connection returns empty 
Aug 26 13:23:42.965135: | found connection: east with policy PSK+IKEV2_ALLOW Aug 26 13:23:42.965150: | creating state object #1 at 0x5637617683c8 Aug 26 13:23:42.965152: | State DB: adding IKEv2 state #1 in UNDEFINED Aug 26 13:23:42.965158: | pstats #1 ikev2.ike started Aug 26 13:23:42.965160: | Message ID: init #1: msgid=0 lastack=4294967295 nextuse=0 lastrecv=4294967295 lastreplied=0 Aug 26 13:23:42.965162: | parent state #1: UNDEFINED(ignore) => PARENT_R0(half-open IKE SA) Aug 26 13:23:42.965166: | Message ID: init_ike #1; ike: initiator.sent=0->-1 initiator.recv=0->-1 responder.sent=0->-1 responder.recv=0->-1 wip.initiator=0->-1 wip.responder=0->-1 Aug 26 13:23:42.965172: | start processing: state #1 connection "east" from 192.1.2.45 (in ikev2_process_packet() at ikev2.c:2016) Aug 26 13:23:42.965174: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Aug 26 13:23:42.965177: | [RE]START processing: state #1 connection "east" from 192.1.2.45 (in ike_process_packet() at ikev2.c:2064) Aug 26 13:23:42.965179: | #1 st.st_msgid_lastrecv -1 md.hdr.isa_msgid 00000000 Aug 26 13:23:42.965182: | Message ID: #1 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1 Aug 26 13:23:42.965185: | Message ID: start-responder #1 request 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1 wip.initiator=-1 wip.responder=-1->0 Aug 26 13:23:42.965187: | #1 in state PARENT_R0: processing SA_INIT request Aug 26 13:23:42.965190: | selected state microcode Respond to IKE_SA_INIT Aug 26 13:23:42.965192: | Now let's proceed with state specific processing Aug 26 13:23:42.965193: | calling processor Respond to IKE_SA_INIT Aug 26 13:23:42.965197: | #1 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2669) Aug 26 13:23:42.965199: | constructing local IKE proposals for east (IKE SA responder matching remote proposals) Aug 26 
13:23:42.965205: | converting ike_info AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Aug 26 13:23:42.965210: | ... ikev2_proposal: 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Aug 26 13:23:42.965213: | converting ike_info AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Aug 26 13:23:42.965216: | ... ikev2_proposal: 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Aug 26 13:23:42.965219: | converting ike_info AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Aug 26 13:23:42.965222: | ... ikev2_proposal: 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Aug 26 13:23:42.965225: | converting ike_info AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Aug 26 13:23:42.965228: | ... 
ikev2_proposal: 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Aug 26 13:23:42.965234: "east": constructed local IKE proposals for east (IKE SA responder matching remote proposals): 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Aug 26 13:23:42.965238: | Comparing remote proposals against IKE responder 4 local proposals Aug 26 13:23:42.965241: | local proposal 1 type ENCR has 1 transforms Aug 26 13:23:42.965243: | local proposal 1 type PRF has 2 transforms Aug 26 13:23:42.965245: | local proposal 1 type INTEG has 1 transforms Aug 26 13:23:42.965247: | local proposal 1 type DH has 8 transforms Aug 26 13:23:42.965248: | local proposal 1 type ESN has 0 transforms Aug 26 13:23:42.965251: | local proposal 1 transforms: required: ENCR+PRF+DH; optional: INTEG Aug 26 13:23:42.965252: | local proposal 2 type ENCR has 1 transforms Aug 26 13:23:42.965254: | local proposal 2 type PRF has 2 transforms Aug 26 13:23:42.965256: | local proposal 2 type INTEG has 1 transforms Aug 26 13:23:42.965257: | local proposal 2 type DH has 8 transforms Aug 26 13:23:42.965259: | local proposal 2 type ESN has 0 transforms Aug 26 13:23:42.965261: | local proposal 2 transforms: required: ENCR+PRF+DH; optional: INTEG Aug 26 13:23:42.965263: | local proposal 3 type ENCR has 1 transforms Aug 26 
13:23:42.965264: | local proposal 3 type PRF has 2 transforms Aug 26 13:23:42.965266: | local proposal 3 type INTEG has 2 transforms Aug 26 13:23:42.965267: | local proposal 3 type DH has 8 transforms Aug 26 13:23:42.965269: | local proposal 3 type ESN has 0 transforms Aug 26 13:23:42.965271: | local proposal 3 transforms: required: ENCR+PRF+INTEG+DH; optional: none Aug 26 13:23:42.965273: | local proposal 4 type ENCR has 1 transforms Aug 26 13:23:42.965274: | local proposal 4 type PRF has 2 transforms Aug 26 13:23:42.965276: | local proposal 4 type INTEG has 2 transforms Aug 26 13:23:42.965278: | local proposal 4 type DH has 8 transforms Aug 26 13:23:42.965279: | local proposal 4 type ESN has 0 transforms Aug 26 13:23:42.965281: | local proposal 4 transforms: required: ENCR+PRF+INTEG+DH; optional: none Aug 26 13:23:42.965283: | ****parse IKEv2 Proposal Substructure Payload: Aug 26 13:23:42.965285: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 13:23:42.965287: | length: 100 (0x64) Aug 26 13:23:42.965295: | prop #: 1 (0x1) Aug 26 13:23:42.965297: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 13:23:42.965299: | spi size: 0 (0x0) Aug 26 13:23:42.965300: | # transforms: 11 (0xb) Aug 26 13:23:42.965303: | Comparing remote proposal 1 containing 11 transforms against local proposal [1..4] of 4 local proposals Aug 26 13:23:42.965305: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:42.965307: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:42.965329: | length: 12 (0xc) Aug 26 13:23:42.965330: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:23:42.965332: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 13:23:42.965334: | ******parse IKEv2 Attribute Substructure Payload: Aug 26 13:23:42.965336: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:23:42.965338: | length/value: 256 (0x100) Aug 26 13:23:42.965341: | remote proposal 1 transform 0 (ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) transform 0 Aug 26 13:23:42.965343: | 
*****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:42.965344: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:42.965346: | length: 8 (0x8) Aug 26 13:23:42.965348: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:23:42.965364: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Aug 26 13:23:42.965367: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 1 type 2 (PRF) transform 0 Aug 26 13:23:42.965369: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 2 type 2 (PRF) transform 0 Aug 26 13:23:42.965371: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 3 type 2 (PRF) transform 0 Aug 26 13:23:42.965397: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 4 type 2 (PRF) transform 0 Aug 26 13:23:42.965399: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:42.965403: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:42.965406: | length: 8 (0x8) Aug 26 13:23:42.965422: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:23:42.965424: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Aug 26 13:23:42.965426: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:42.965427: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:42.965429: | length: 8 (0x8) Aug 26 13:23:42.965445: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:42.965447: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:23:42.965451: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 1 type 4 (DH) transform 0 Aug 26 13:23:42.965467: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 2 type 4 (DH) transform 0 Aug 26 13:23:42.965469: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 3 type 4 (DH) transform 0 Aug 26 13:23:42.965471: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 4 type 4 (DH) transform 0 Aug 26 13:23:42.965473: | *****parse IKEv2 Transform 
Substructure Payload: Aug 26 13:23:42.965474: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:42.965491: | length: 8 (0x8) Aug 26 13:23:42.965492: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:42.965497: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Aug 26 13:23:42.965512: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:42.965514: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:42.965515: | length: 8 (0x8) Aug 26 13:23:42.965517: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:42.965519: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Aug 26 13:23:42.965535: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:42.965537: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:42.965540: | length: 8 (0x8) Aug 26 13:23:42.965543: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:42.965557: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Aug 26 13:23:42.965559: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:42.965561: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:42.965562: | length: 8 (0x8) Aug 26 13:23:42.965564: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:42.965581: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Aug 26 13:23:42.965582: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:42.965586: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:42.965588: | length: 8 (0x8) Aug 26 13:23:42.965603: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:42.965604: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Aug 26 13:23:42.965606: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:42.965608: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:42.965609: | length: 8 (0x8) Aug 26 13:23:42.965626: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:42.965627: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Aug 26 13:23:42.965631: | *****parse IKEv2 Transform Substructure Payload: 
Aug 26 13:23:42.965634: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:23:42.965636: | length: 8 (0x8) Aug 26 13:23:42.965641: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:42.965646: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Aug 26 13:23:42.965653: | remote proposal 1 proposed transforms: ENCR+PRF+DH; matched: ENCR+PRF+DH; unmatched: none Aug 26 13:23:42.965661: | comparing remote proposal 1 containing ENCR+PRF+DH transforms to local proposal 1; required: ENCR+PRF+DH; optional: INTEG; matched: ENCR+PRF+DH Aug 26 13:23:42.965663: | remote proposal 1 matches local proposal 1 Aug 26 13:23:42.965666: | ****parse IKEv2 Proposal Substructure Payload: Aug 26 13:23:42.965668: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 13:23:42.965670: | length: 100 (0x64) Aug 26 13:23:42.965672: | prop #: 2 (0x2) Aug 26 13:23:42.965675: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 13:23:42.965679: | spi size: 0 (0x0) Aug 26 13:23:42.965681: | # transforms: 11 (0xb) Aug 26 13:23:42.965684: | Comparing remote proposal 2 containing 11 transforms against local proposal [1..0] of 4 local proposals Aug 26 13:23:42.965686: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:42.965689: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:42.965691: | length: 12 (0xc) Aug 26 13:23:42.965693: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:23:42.965695: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 13:23:42.965697: | ******parse IKEv2 Attribute Substructure Payload: Aug 26 13:23:42.965700: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:23:42.965702: | length/value: 128 (0x80) Aug 26 13:23:42.965704: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:42.965707: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:42.965709: | length: 8 (0x8) Aug 26 13:23:42.965711: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:23:42.965713: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Aug 26 13:23:42.965715: | *****parse 
IKEv2 Transform Substructure Payload: Aug 26 13:23:42.965718: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:42.965720: | length: 8 (0x8) Aug 26 13:23:42.965722: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:23:42.965724: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Aug 26 13:23:42.965726: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:42.965728: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:42.965731: | length: 8 (0x8) Aug 26 13:23:42.965732: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:42.965734: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:23:42.965749: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:42.965751: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:42.965752: | length: 8 (0x8) Aug 26 13:23:42.965754: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:42.965755: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Aug 26 13:23:42.965757: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:42.965759: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:42.965760: | length: 8 (0x8) Aug 26 13:23:42.965762: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:42.965764: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Aug 26 13:23:42.965765: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:42.965767: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:42.965769: | length: 8 (0x8) Aug 26 13:23:42.965770: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:42.965772: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Aug 26 13:23:42.965774: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:42.965775: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:42.965777: | length: 8 (0x8) Aug 26 13:23:42.965778: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:42.965780: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Aug 26 13:23:42.965782: | *****parse IKEv2 Transform 
Substructure Payload: Aug 26 13:23:42.965783: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:42.965785: | length: 8 (0x8) Aug 26 13:23:42.965787: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:42.965788: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Aug 26 13:23:42.965790: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:42.965792: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:42.965793: | length: 8 (0x8) Aug 26 13:23:42.965795: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:42.965796: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Aug 26 13:23:42.965798: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:42.965800: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:23:42.965801: | length: 8 (0x8) Aug 26 13:23:42.965803: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:42.965806: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Aug 26 13:23:42.965808: | remote proposal 2 proposed transforms: ENCR+PRF+DH; matched: none; unmatched: ENCR+PRF+DH Aug 26 13:23:42.965810: | remote proposal 2 does not match; unmatched remote transforms: ENCR+PRF+DH Aug 26 13:23:42.965812: | ****parse IKEv2 Proposal Substructure Payload: Aug 26 13:23:42.965813: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 13:23:42.965815: | length: 116 (0x74) Aug 26 13:23:42.965817: | prop #: 3 (0x3) Aug 26 13:23:42.965818: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 13:23:42.965820: | spi size: 0 (0x0) Aug 26 13:23:42.965821: | # transforms: 13 (0xd) Aug 26 13:23:42.965823: | Comparing remote proposal 3 containing 13 transforms against local proposal [1..0] of 4 local proposals Aug 26 13:23:42.965825: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:42.965827: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:42.965828: | length: 12 (0xc) Aug 26 13:23:42.965830: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:23:42.965832: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 
13:23:42.965833: | ******parse IKEv2 Attribute Substructure Payload: Aug 26 13:23:42.965835: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:23:42.965837: | length/value: 256 (0x100) Aug 26 13:23:42.965839: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:42.965840: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:42.965842: | length: 8 (0x8) Aug 26 13:23:42.965843: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:23:42.965845: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Aug 26 13:23:42.965847: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:42.965848: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:42.965850: | length: 8 (0x8) Aug 26 13:23:42.965852: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:23:42.965853: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Aug 26 13:23:42.965855: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:42.965857: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:42.965858: | length: 8 (0x8) Aug 26 13:23:42.965860: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:23:42.965861: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Aug 26 13:23:42.965863: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:42.965865: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:42.965866: | length: 8 (0x8) Aug 26 13:23:42.965868: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:23:42.965870: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Aug 26 13:23:42.965871: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:42.965873: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:42.965875: | length: 8 (0x8) Aug 26 13:23:42.965876: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:42.965878: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:23:42.965880: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:42.965881: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 
13:23:42.965883: | length: 8 (0x8) Aug 26 13:23:42.965884: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:42.965886: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Aug 26 13:23:42.965888: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:42.965889: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:42.965891: | length: 8 (0x8) Aug 26 13:23:42.965893: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:42.965894: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Aug 26 13:23:42.965896: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:42.965898: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:42.965899: | length: 8 (0x8) Aug 26 13:23:42.965901: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:42.965902: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Aug 26 13:23:42.965905: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:42.965907: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:42.965908: | length: 8 (0x8) Aug 26 13:23:42.965910: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:42.965911: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Aug 26 13:23:42.965913: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:42.965915: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:42.965916: | length: 8 (0x8) Aug 26 13:23:42.965918: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:42.965920: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Aug 26 13:23:42.965921: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:42.965923: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:42.965925: | length: 8 (0x8) Aug 26 13:23:42.965926: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:42.965928: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Aug 26 13:23:42.965930: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:42.965931: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:23:42.965933: | length: 
8 (0x8) Aug 26 13:23:42.965934: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:42.965936: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Aug 26 13:23:42.965939: | remote proposal 3 proposed transforms: ENCR+PRF+INTEG+DH; matched: none; unmatched: ENCR+PRF+INTEG+DH Aug 26 13:23:42.965941: | remote proposal 3 does not match; unmatched remote transforms: ENCR+PRF+INTEG+DH Aug 26 13:23:42.965942: | ****parse IKEv2 Proposal Substructure Payload: Aug 26 13:23:42.965944: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 13:23:42.965946: | length: 116 (0x74) Aug 26 13:23:42.965947: | prop #: 4 (0x4) Aug 26 13:23:42.965949: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 13:23:42.965950: | spi size: 0 (0x0) Aug 26 13:23:42.965952: | # transforms: 13 (0xd) Aug 26 13:23:42.965954: | Comparing remote proposal 4 containing 13 transforms against local proposal [1..0] of 4 local proposals Aug 26 13:23:42.965956: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:42.965957: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:42.965959: | length: 12 (0xc) Aug 26 13:23:42.965960: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:23:42.965962: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 13:23:42.965964: | ******parse IKEv2 Attribute Substructure Payload: Aug 26 13:23:42.965965: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:23:42.965967: | length/value: 128 (0x80) Aug 26 13:23:42.965969: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:42.965970: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:42.965972: | length: 8 (0x8) Aug 26 13:23:42.965974: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:23:42.965975: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Aug 26 13:23:42.965977: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:42.965979: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:42.965980: | length: 8 (0x8) Aug 26 13:23:42.965982: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 
13:23:42.965984: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Aug 26 13:23:42.965985: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:42.965987: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:42.965988: | length: 8 (0x8) Aug 26 13:23:42.965990: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:23:42.965992: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Aug 26 13:23:42.965994: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:42.965995: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:42.965997: | length: 8 (0x8) Aug 26 13:23:42.965998: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:23:42.966000: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Aug 26 13:23:42.966002: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:42.966005: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:42.966007: | length: 8 (0x8) Aug 26 13:23:42.966009: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:42.966010: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:23:42.966012: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:42.966014: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:42.966015: | length: 8 (0x8) Aug 26 13:23:42.966017: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:42.966018: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Aug 26 13:23:42.966020: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:42.966022: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:42.966023: | length: 8 (0x8) Aug 26 13:23:42.966025: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:42.966027: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Aug 26 13:23:42.966028: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:42.966030: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:42.966032: | length: 8 (0x8) Aug 26 13:23:42.966033: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:42.966035: | 
IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Aug 26 13:23:42.966037: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:42.966038: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:42.966040: | length: 8 (0x8) Aug 26 13:23:42.966041: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:42.966043: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Aug 26 13:23:42.966045: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:42.966046: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:42.966048: | length: 8 (0x8) Aug 26 13:23:42.966050: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:42.966051: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Aug 26 13:23:42.966053: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:42.966055: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:42.966057: | length: 8 (0x8) Aug 26 13:23:42.966058: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:42.966060: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Aug 26 13:23:42.966062: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:42.966063: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:23:42.966065: | length: 8 (0x8) Aug 26 13:23:42.966067: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:42.966068: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Aug 26 13:23:42.966071: | remote proposal 4 proposed transforms: ENCR+PRF+INTEG+DH; matched: none; unmatched: ENCR+PRF+INTEG+DH Aug 26 13:23:42.966072: | remote proposal 4 does not match; unmatched remote transforms: ENCR+PRF+INTEG+DH Aug 26 13:23:42.966076: "east" #1: proposal 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519[first-match] 
2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 Aug 26 13:23:42.966079: | accepted IKE proposal ikev2_proposal: 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048 Aug 26 13:23:42.966080: | converting proposal to internal trans attrs Aug 26 13:23:42.966084: | natd_hash: rcookie is zero Aug 26 13:23:42.966091: | natd_hash: hasher=0x56375fba7800(20) Aug 26 13:23:42.966093: | natd_hash: icookie= be 09 7a a2 43 c3 23 61 Aug 26 13:23:42.966095: | natd_hash: rcookie= 00 00 00 00 00 00 00 00 Aug 26 13:23:42.966097: | natd_hash: ip= c0 01 02 17 Aug 26 13:23:42.966099: | natd_hash: port=500 Aug 26 13:23:42.966100: | natd_hash: hash= 26 57 18 19 a7 f0 36 af 17 d7 a3 a7 aa a7 90 fd Aug 26 13:23:42.966102: | natd_hash: hash= a9 6a 2e 98 Aug 26 13:23:42.966104: | natd_hash: rcookie is zero Aug 26 13:23:42.966107: | natd_hash: hasher=0x56375fba7800(20) Aug 26 13:23:42.966109: | natd_hash: icookie= be 09 7a a2 43 c3 23 61 Aug 26 13:23:42.966111: | natd_hash: rcookie= 00 00 00 00 00 00 00 00 Aug 26 13:23:42.966112: | natd_hash: ip= c0 01 02 2d Aug 26 13:23:42.966114: | natd_hash: port=500 Aug 26 13:23:42.966115: | natd_hash: hash= 33 76 f9 fa df fd 10 a9 81 a5 b4 09 dc 28 c3 b4 Aug 26 13:23:42.966117: | natd_hash: hash= 2c a5 a9 07 Aug 26 13:23:42.966119: | NAT_TRAVERSAL encaps using auto-detect Aug 26 13:23:42.966120: | NAT_TRAVERSAL this end is NOT behind NAT Aug 26 13:23:42.966122: | NAT_TRAVERSAL that end is NOT behind NAT Aug 26 13:23:42.966124: | NAT_TRAVERSAL 
nat-keepalive enabled 192.1.2.45 Aug 26 13:23:42.966128: | adding ikev2_inI1outR1 KE work-order 1 for state #1 Aug 26 13:23:42.966130: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x563761766268 Aug 26 13:23:42.966133: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 Aug 26 13:23:42.966135: | libevent_malloc: new ptr-libevent@0x56376176a4c8 size 128 Aug 26 13:23:42.966144: | #1 spent 0.925 milliseconds in processing: Respond to IKE_SA_INIT in ikev2_process_state_packet() Aug 26 13:23:42.966148: | crypto helper 0 resuming Aug 26 13:23:42.966149: | [RE]START processing: state #1 connection "east" from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:23:42.966162: | crypto helper 0 starting work-order 1 for state #1 Aug 26 13:23:42.966163: | #1 complete_v2_state_transition() PARENT_R0->PARENT_R1 with status STF_SUSPEND Aug 26 13:23:42.966167: | crypto helper 0 doing build KE and nonce (ikev2_inI1outR1 KE); request ID 1 Aug 26 13:23:42.966168: | suspending state #1 and saving MD Aug 26 13:23:42.966171: | #1 is busy; has a suspended MD Aug 26 13:23:42.966174: | [RE]START processing: state #1 connection "east" from 192.1.2.45:500 (in log_stf_suspend() at ikev2.c:3269) Aug 26 13:23:42.966177: | "east" #1 complete v2 state STATE_PARENT_R0 transition with STF_SUSPEND suspended from complete_v2_state_transition:3451 Aug 26 13:23:42.966180: | stop processing: state #1 connection "east" from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:2018) Aug 26 13:23:42.966183: | #1 spent 1.3 milliseconds in ikev2_process_packet() Aug 26 13:23:42.966186: | stop processing: from 192.1.2.45:500 (in process_md() at demux.c:380) Aug 26 13:23:42.966188: | processing: STOP state #0 (in process_md() at demux.c:382) Aug 26 13:23:42.966190: | processing: STOP connection NULL (in process_md() at demux.c:383) Aug 26 13:23:42.966192: | spent 1.31 milliseconds in comm_handle_cb() reading and processing packet Aug 26 13:23:42.967039: | crypto 
helper 0 finished build KE and nonce (ikev2_inI1outR1 KE); request ID 1 time elapsed 0.00087 seconds Aug 26 13:23:42.967056: | (#1) spent 0.883 milliseconds in crypto helper computing work-order 1: ikev2_inI1outR1 KE (pcr) Aug 26 13:23:42.967061: | crypto helper 0 sending results from work-order 1 for state #1 to event queue Aug 26 13:23:42.967065: | scheduling resume sending helper answer for #1 Aug 26 13:23:42.967068: | libevent_malloc: new ptr-libevent@0x7f6a18002888 size 128 Aug 26 13:23:42.967078: | crypto helper 0 waiting (nothing to do) Aug 26 13:23:42.967088: | processing resume sending helper answer for #1 Aug 26 13:23:42.967102: | start processing: state #1 connection "east" from 192.1.2.45:500 (in resume_handler() at server.c:797) Aug 26 13:23:42.967109: | crypto helper 0 replies to request ID 1 Aug 26 13:23:42.967113: | calling continuation function 0x56375fad2b50 Aug 26 13:23:42.967117: | ikev2_parent_inI1outR1_continue for #1: calculated ke+nonce, sending R1 Aug 26 13:23:42.967151: | **emit ISAKMP Message: Aug 26 13:23:42.967156: | initiator cookie: Aug 26 13:23:42.967159: | be 09 7a a2 43 c3 23 61 Aug 26 13:23:42.967162: | responder cookie: Aug 26 13:23:42.967165: | 1a 03 8f 34 26 a1 74 69 Aug 26 13:23:42.967170: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 13:23:42.967174: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:23:42.967178: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) Aug 26 13:23:42.967182: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Aug 26 13:23:42.967185: | Message ID: 0 (0x0) Aug 26 13:23:42.967190: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 13:23:42.967194: | Emitting ikev2_proposal ... 
Aug 26 13:23:42.967197: | ***emit IKEv2 Security Association Payload: Aug 26 13:23:42.967201: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:23:42.967205: | flags: none (0x0) Aug 26 13:23:42.967210: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Aug 26 13:23:42.967215: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Aug 26 13:23:42.967219: | ****emit IKEv2 Proposal Substructure Payload: Aug 26 13:23:42.967223: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 13:23:42.967226: | prop #: 1 (0x1) Aug 26 13:23:42.967230: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 13:23:42.967233: | spi size: 0 (0x0) Aug 26 13:23:42.967237: | # transforms: 3 (0x3) Aug 26 13:23:42.967242: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Aug 26 13:23:42.967246: | *****emit IKEv2 Transform Substructure Payload: Aug 26 13:23:42.967249: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:42.967253: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:23:42.967256: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 13:23:42.967260: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:23:42.967264: | ******emit IKEv2 Attribute Substructure Payload: Aug 26 13:23:42.967267: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:23:42.967270: | length/value: 256 (0x100) Aug 26 13:23:42.967274: | emitting length of IKEv2 Transform Substructure Payload: 12 Aug 26 13:23:42.967277: | *****emit IKEv2 Transform Substructure Payload: Aug 26 13:23:42.967280: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:42.967283: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:23:42.967287: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Aug 26 13:23:42.967300: | last 
substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:42.967304: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:23:42.967308: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:23:42.967311: | *****emit IKEv2 Transform Substructure Payload: Aug 26 13:23:42.967315: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:23:42.967318: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:42.967321: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:23:42.967325: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:42.967329: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:23:42.967333: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:23:42.967336: | emitting length of IKEv2 Proposal Substructure Payload: 36 Aug 26 13:23:42.967340: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Aug 26 13:23:42.967346: | emitting length of IKEv2 Security Association Payload: 40 Aug 26 13:23:42.967350: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Aug 26 13:23:42.967357: | ***emit IKEv2 Key Exchange Payload: Aug 26 13:23:42.967363: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:23:42.967366: | flags: none (0x0) Aug 26 13:23:42.967370: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:23:42.967376: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Key Exchange Payload (34:ISAKMP_NEXT_v2KE) Aug 26 
13:23:42.967381: | next payload chain: saving location 'IKEv2 Key Exchange Payload'.'next payload type' in 'reply packet' Aug 26 13:23:42.967386: | emitting 256 raw bytes of ikev2 g^x into IKEv2 Key Exchange Payload Aug 26 13:23:42.967451: | emitting length of IKEv2 Key Exchange Payload: 264 Aug 26 13:23:42.967455: | ***emit IKEv2 Nonce Payload: Aug 26 13:23:42.967459: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 13:23:42.967462: | flags: none (0x0) Aug 26 13:23:42.967467: | next payload chain: ignoring supplied 'IKEv2 Nonce Payload'.'next payload type' value 41:ISAKMP_NEXT_v2N Aug 26 13:23:42.967472: | next payload chain: setting previous
'IKEv2 Key Exchange Payload'.'next payload type' to current IKEv2 Nonce Payload (40:ISAKMP_NEXT_v2Ni) Aug 26 13:23:42.967477: | next payload chain: saving location 'IKEv2 Nonce Payload'.'next payload type' in 'reply packet' Aug 26 13:23:42.967481: | emitting 32 raw bytes of IKEv2 nonce into IKEv2 Nonce Payload Aug 26 13:23:42.967485: | IKEv2 nonce e9 a9 b4 cb 52 81 02 db 94 14 72 ed 46 75 88 7d Aug 26 13:23:42.967488: | IKEv2 nonce e5 d9 a2 d9 e9 7c 8d d7 92 a0 6e 4d 41 c0 09 c2 Aug 26 13:23:42.967492: | emitting length of IKEv2 Nonce Payload: 36 Aug 26 13:23:42.967495: | Adding a v2N Payload Aug 26 13:23:42.967499: | ***emit IKEv2 Notify Payload: Aug 26 13:23:42.967502: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:23:42.967506: | flags: none (0x0) Aug 26 13:23:42.967509: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:23:42.967512: | SPI size: 0 (0x0) Aug 26 13:23:42.967516: | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) Aug 26 13:23:42.967520: | next payload chain: setting previous 'IKEv2 Nonce Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Aug 26 13:23:42.967524: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Aug 26 13:23:42.967527: | emitting length of IKEv2 Notify Payload: 8 Aug 26 13:23:42.967533: | NAT-Traversal support [enabled] add v2N payloads. 
Aug 26 13:23:42.967545: | natd_hash: hasher=0x56375fba7800(20) Aug 26 13:23:42.967549: | natd_hash: icookie= be 09 7a a2 43 c3 23 61 Aug 26 13:23:42.967552: | natd_hash: rcookie= 1a 03 8f 34 26 a1 74 69 Aug 26 13:23:42.967555: | natd_hash: ip= c0 01 02 17 Aug 26 13:23:42.967558: | natd_hash: port=500 Aug 26 13:23:42.967561: | natd_hash: hash= 96 d5 d3 0c fc 3b 1f 76 7b a5 cc a2 04 19 09 07 Aug 26 13:23:42.967564: | natd_hash: hash= 84 86 36 c0 Aug 26 13:23:42.967567: | Adding a v2N Payload Aug 26 13:23:42.967569: | ***emit IKEv2 Notify Payload: Aug 26 13:23:42.967573: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:23:42.967576: | flags: none (0x0) Aug 26 13:23:42.967579: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:23:42.967582: | SPI size: 0 (0x0) Aug 26 13:23:42.967585: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Aug 26 13:23:42.967590: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Aug 26 13:23:42.967594: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Aug 26 13:23:42.967598: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Aug 26 13:23:42.967601: | Notify data 96 d5 d3 0c fc 3b 1f 76 7b a5 cc a2 04 19 09 07 Aug 26 13:23:42.967604: | Notify data 84 86 36 c0 Aug 26 13:23:42.967607: | emitting length of IKEv2 Notify Payload: 28 Aug 26 13:23:42.967615: | natd_hash: hasher=0x56375fba7800(20) Aug 26 13:23:42.967618: | natd_hash: icookie= be 09 7a a2 43 c3 23 61 Aug 26 13:23:42.967621: | natd_hash: rcookie= 1a 03 8f 34 26 a1 74 69 Aug 26 13:23:42.967624: | natd_hash: ip= c0 01 02 2d Aug 26 13:23:42.967626: | natd_hash: port=500 Aug 26 13:23:42.967630: | natd_hash: hash= b8 74 c9 f7 02 35 91 00 1e 42 27 ea f5 ab 9f 1f Aug 26 13:23:42.967632: | natd_hash: hash= 30 a4 34 94 Aug 26 13:23:42.967635: | Adding a v2N Payload Aug 26 13:23:42.967638: | ***emit IKEv2 Notify Payload: Aug 26 
13:23:42.967642: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:23:42.967644: | flags: none (0x0) Aug 26 13:23:42.967648: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:23:42.967651: | SPI size: 0 (0x0) Aug 26 13:23:42.967654: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Aug 26 13:23:42.967659: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Aug 26 13:23:42.967663: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Aug 26 13:23:42.967667: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Aug 26 13:23:42.967670: | Notify data b8 74 c9 f7 02 35 91 00 1e 42 27 ea f5 ab 9f 1f Aug 26 13:23:42.967674: | Notify data 30 a4 34 94 Aug 26 13:23:42.967677: | emitting length of IKEv2 Notify Payload: 28 Aug 26 13:23:42.967680: | emitting length of ISAKMP Message: 432 Aug 26 13:23:42.967689: | [RE]START processing: state #1 connection "east" from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:23:42.967694: | #1 complete_v2_state_transition() PARENT_R0->PARENT_R1 with status STF_OK Aug 26 13:23:42.967698: | IKEv2: transition from state STATE_PARENT_R0 to state STATE_PARENT_R1 Aug 26 13:23:42.967703: | parent state #1: PARENT_R0(half-open IKE SA) => PARENT_R1(half-open IKE SA) Aug 26 13:23:42.967707: | Message ID: updating counters for #1 to 0 after switching state Aug 26 13:23:42.967712: | Message ID: recv #1 request 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1->0 wip.initiator=-1 wip.responder=0->-1 Aug 26 13:23:42.967716: | Message ID: sent #1 response 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1->0 responder.recv=0 wip.initiator=-1 wip.responder=-1 Aug 26 13:23:42.967720: "east" #1: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048} Aug 26 
13:23:42.967725: | sending V2 new request packet to 192.1.2.45:500 (from 192.1.2.23:500) Aug 26 13:23:42.967733: | sending 432 bytes for STATE_PARENT_R0 through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #1) Aug 26 13:23:42.967813: | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted Aug 26 13:23:42.967821: | libevent_free: release ptr-libevent@0x56376176a4c8 Aug 26 13:23:42.967825: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x563761766268 Aug 26 13:23:42.967829: | event_schedule: new EVENT_SO_DISCARD-pe@0x563761766268 Aug 26 13:23:42.967832: | inserting event EVENT_SO_DISCARD, timeout in 200 seconds for #1 Aug 26 13:23:42.967835: | libevent_malloc: new ptr-libevent@0x56376176b5b8 size 128 Aug 26 13:23:42.967840: | resume sending helper answer for #1 suppresed complete_v2_state_transition() Aug 26 13:23:42.967847: | #1 spent 0.718 milliseconds in resume sending helper answer Aug 26 13:23:42.967853: | stop processing: state #1 connection "east" from 192.1.2.45:500 (in resume_handler() at server.c:833) Aug 26 13:23:42.967857: | libevent_free: release ptr-libevent@0x7f6a18002888 Aug 26 13:23:42.970129: | spent 0.00274 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Aug 26 13:23:42.970153: | *received 365 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500) Aug 26 13:23:42.970227: | start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) Aug 26 13:23:42.970231: | **parse ISAKMP Message: Aug 26 13:23:42.970234: | initiator cookie: Aug 26 13:23:42.970236: | be 09 7a a2 43 c3 23 61 Aug 26 13:23:42.970239: | responder cookie: Aug 26 13:23:42.970242: | 1a 03 8f 34 26 a1 74 69 Aug 26 13:23:42.970245: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Aug 26 13:23:42.970248: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:23:42.970251: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Aug 26 13:23:42.970254: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Aug 26 13:23:42.970257: | Message ID: 1 (0x1) Aug 26 13:23:42.970260: | length: 365 (0x16d) Aug 26 13:23:42.970263: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) Aug 26 13:23:42.970266: | I am the IKE SA Original Responder receiving an IKEv2 IKE_AUTH request Aug 26 13:23:42.970269: | State DB: found IKEv2 state #1 in PARENT_R1
(find_v2_ike_sa) Aug 26 13:23:42.970274: | start processing: state #1 connection "east" from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:2016) Aug 26 13:23:42.970276: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Aug 26 13:23:42.970279: | [RE]START processing: state #1 connection "east" from 192.1.2.45:500 (in ike_process_packet() at ikev2.c:2064) Aug 26 13:23:42.970281: | #1 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001 Aug 26 13:23:42.970284: | Message ID: #1 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 Aug 26 13:23:42.970286: | unpacking clear payload Aug 26 13:23:42.970295: | Now let's proceed with payload (ISAKMP_NEXT_v2SK) Aug 26 13:23:42.970300: | ***parse IKEv2 Encryption Payload: Aug 26 13:23:42.970302: | next payload type: ISAKMP_NEXT_v2IDi (0x23) Aug 26 13:23:42.970304: | flags: none (0x0) Aug 26 13:23:42.970306: | length: 337 (0x151) Aug 26 13:23:42.970308: | processing payload: ISAKMP_NEXT_v2SK (len=333) Aug 26 13:23:42.970311: | Message ID: start-responder #1 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=-1->1 Aug 26 13:23:42.970313: | #1 in state PARENT_R1: received v2I1, sent v2R1 Aug 26 13:23:42.970315: | selected state microcode Responder: process IKE_AUTH request (no SKEYSEED) Aug 26 13:23:42.970317: | Now let's proceed with state specific processing Aug 26 13:23:42.970319: | calling processor Responder: process IKE_AUTH request (no SKEYSEED) Aug 26 13:23:42.970321: | ikev2 parent inI2outR2: calculating g^{xy} in order to decrypt I2 Aug 26 13:23:42.970324: | offloading IKEv2 SKEYSEED using prf=HMAC_SHA2_512 integ=NONE cipherkey=AES_GCM_16 Aug 26 13:23:42.970327: | adding ikev2_inI2outR2 KE work-order 2 for state #1 Aug 26 13:23:42.970329: | state #1 requesting EVENT_SO_DISCARD to be deleted Aug 26 13:23:42.970333: | libevent_free: release ptr-libevent@0x56376176b5b8 Aug 26 13:23:42.970335: 
| free_event_entry: release EVENT_SO_DISCARD-pe@0x563761766268 Aug 26 13:23:42.970337: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x563761766268 Aug 26 13:23:42.970340: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 Aug 26 13:23:42.970342: | libevent_malloc: new ptr-libevent@0x7f6a18002888 size 128 Aug 26 13:23:42.970350: | #1 spent 0.0276 milliseconds in processing: Responder: process IKE_AUTH request (no SKEYSEED) in ikev2_process_state_packet() Aug 26 13:23:42.970354: | [RE]START processing: state #1 connection "east" from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:23:42.970357: | #1 complete_v2_state_transition() PARENT_R1->PARENT_R1 with status STF_SUSPEND Aug 26 13:23:42.970359: | suspending state #1 and saving MD Aug 26 13:23:42.970360: | #1 is busy; has a suspended MD Aug 26 13:23:42.970363: | [RE]START processing: state #1 connection "east" from 192.1.2.45:500 (in log_stf_suspend() at ikev2.c:3269) Aug 26 13:23:42.970366: | "east" #1 complete v2 state STATE_PARENT_R1 transition with STF_SUSPEND suspended from complete_v2_state_transition:3451 Aug 26 13:23:42.970369: | stop processing: state #1 connection "east" from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:2018) Aug 26 13:23:42.970372: | #1 spent 0.222 milliseconds in ikev2_process_packet() Aug 26 13:23:42.970374: | stop processing: from 192.1.2.45:500 (in process_md() at demux.c:380) Aug 26 13:23:42.970376: | processing: STOP state #0 (in process_md() at demux.c:382) Aug 26 13:23:42.970378: | processing: STOP connection NULL (in process_md() at demux.c:383) Aug 26 13:23:42.970381: | spent 0.232 milliseconds in comm_handle_cb() reading and processing packet Aug 26 13:23:42.970387: | crypto helper 3 resuming Aug 26 13:23:42.970397: | crypto helper 3 starting work-order 2 for state #1 Aug 26 13:23:42.970400: | crypto helper 3 doing compute dh (V2) (ikev2_inI2outR2 KE); request ID 2 Aug 26 13:23:42.970936: | calculating skeyseed using 
prf=sha2_512 integ=none cipherkey-size=32 salt-size=4 Aug 26 13:23:42.971202: | crypto helper 3 finished compute dh (V2) (ikev2_inI2outR2 KE); request ID 2 time elapsed 0.000802 seconds Aug 26 13:23:42.971208: | (#1) spent 0.807 milliseconds in crypto helper computing work-order 2: ikev2_inI2outR2 KE (pcr) Aug 26 13:23:42.971210: | crypto helper 3 sending results from work-order 2 for state #1 to event queue Aug 26 13:23:42.971212: | scheduling resume sending helper answer for #1 Aug 26 13:23:42.971215: | libevent_malloc: new ptr-libevent@0x7f6a10000f48 size 128 Aug 26 13:23:42.971221: | crypto helper 3 waiting (nothing to do) Aug 26 13:23:42.971228: | processing resume sending helper answer for #1 Aug 26 13:23:42.971236: | start processing: state #1 connection "east" from 192.1.2.45:500 (in resume_handler() at server.c:797) Aug 26 13:23:42.971240: | crypto helper 3 replies to request ID 2 Aug 26 13:23:42.971243: | calling continuation function 0x56375fad2b50 Aug 26 13:23:42.971245: | ikev2_parent_inI2outR2_continue for #1: calculating g^{xy}, sending R2 Aug 26 13:23:42.971248: | #1 in state PARENT_R1: received v2I1, sent v2R1 Aug 26 13:23:42.971258: | #1 ikev2 ISAKMP_v2_IKE_AUTH decrypt success Aug 26 13:23:42.971261: | Now let's proceed with payload (ISAKMP_NEXT_v2IDi) Aug 26 13:23:42.971264: | **parse IKEv2 Identification - Initiator - Payload: Aug 26 13:23:42.971267: | next payload type: ISAKMP_NEXT_v2IDr (0x24) Aug 26 13:23:42.971270: | flags: none (0x0) Aug 26 13:23:42.971273: | length: 12 (0xc) Aug 26 13:23:42.971275: | ID type: ID_FQDN (0x2) Aug 26 13:23:42.971278: | processing payload: ISAKMP_NEXT_v2IDi (len=4) Aug 26 13:23:42.971281: | Now let's proceed with payload (ISAKMP_NEXT_v2IDr) Aug 26 13:23:42.971283: | **parse IKEv2 Identification - Responder - Payload: Aug 26 13:23:42.971286: | next payload type: ISAKMP_NEXT_v2AUTH (0x27) Aug 26 13:23:42.971291: | flags: none (0x0) Aug 26 13:23:42.971296: | length: 12 (0xc) Aug 26 13:23:42.971300: | ID type: 
ID_FQDN (0x2) Aug 26 13:23:42.971303: | processing payload: ISAKMP_NEXT_v2IDr (len=4) Aug 26 13:23:42.971305: | Now let's proceed with payload (ISAKMP_NEXT_v2AUTH) Aug 26 13:23:42.971308: | **parse IKEv2 Authentication Payload: Aug 26 13:23:42.971311: | next payload type: ISAKMP_NEXT_v2SA (0x21) Aug 26 13:23:42.971313: | flags: none (0x0) Aug 26 13:23:42.971316: | length: 72 (0x48) Aug 26 13:23:42.971319: | auth method: IKEv2_AUTH_SHARED (0x2) Aug 26 13:23:42.971322: | processing payload: ISAKMP_NEXT_v2AUTH (len=64) Aug 26 13:23:42.971325: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Aug 26 13:23:42.971328: | **parse IKEv2 Security Association Payload: Aug 26 13:23:42.971331: | next payload type: ISAKMP_NEXT_v2TSi (0x2c) Aug 26 13:23:42.971333: | flags: none (0x0) Aug 26 13:23:42.971336: | length: 164 (0xa4) Aug 26 13:23:42.971339: | processing payload: ISAKMP_NEXT_v2SA (len=160) Aug 26 13:23:42.971342: | Now let's proceed with payload (ISAKMP_NEXT_v2TSi) Aug 26 13:23:42.971345: | **parse IKEv2 Traffic Selector - Initiator - Payload: Aug 26 13:23:42.971348: | next payload type: ISAKMP_NEXT_v2TSr (0x2d) Aug 26 13:23:42.971350: | flags: none (0x0) Aug 26 13:23:42.971353: | length: 24 (0x18) Aug 26 13:23:42.971356: | number of TS: 1 (0x1) Aug 26 13:23:42.971358: | processing payload: ISAKMP_NEXT_v2TSi (len=16) Aug 26 13:23:42.971361: | Now let's proceed with payload (ISAKMP_NEXT_v2TSr) Aug 26 13:23:42.971364: | **parse IKEv2 Traffic Selector - Responder - Payload: Aug 26 13:23:42.971367: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:23:42.971370: | flags: none (0x0) Aug 26 13:23:42.971372: | length: 24 (0x18) Aug 26 13:23:42.971375: | number of TS: 1 (0x1) Aug 26 13:23:42.971378: | processing payload: ISAKMP_NEXT_v2TSr (len=16) Aug 26 13:23:42.971381: | selected state microcode Responder: process IKE_AUTH request Aug 26 13:23:42.971384: | Now let's proceed with state specific processing Aug 26 13:23:42.971386: | calling processor Responder: process 
IKE_AUTH request Aug 26 13:23:42.971393: "east" #1: processing decrypted IKE_AUTH request: SK{IDi,IDr,AUTH,SA,TSi,TSr} Aug 26 13:23:42.971399: | #1 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2669) Aug 26 13:23:42.971403: | received IDr payload - extracting our alleged ID Aug 26 13:23:42.971407: | refine_host_connection for IKEv2: starting with "east" Aug 26 13:23:42.971411: | match_id a=@west Aug 26 13:23:42.971414: | b=@west Aug 26 13:23:42.971417: | results matched Aug 26 13:23:42.971421: | refine_host_connection: checking "east" against "east", best=(none) with match=1(id=1(0)/ca=1(0)/reqca=1(0)) Aug 26 13:23:42.971424: | Warning: not switching back to template of current instance Aug 26 13:23:42.971427: | Peer expects us to be @east (ID_FQDN) according to its IDr payload Aug 26 13:23:42.971430: | This connection's local id is @east (ID_FQDN) Aug 26 13:23:42.971434: | refine_host_connection: checked east against east, now for see if best Aug 26 13:23:42.971438: | started looking for secret for @east->@west of kind PKK_PSK Aug 26 13:23:42.971441: | actually looking for secret for @east->@west of kind PKK_PSK Aug 26 13:23:42.971444: | line 1: key type PKK_PSK(@east) to type PKK_PSK Aug 26 13:23:42.971448: | 1: compared key @east to @east / @west -> 010 Aug 26 13:23:42.971451: | 2: compared key @west to @east / @west -> 014 Aug 26 13:23:42.971454: | line 1: match=014 Aug 26 13:23:42.971458: | match 014 beats previous best_match 000 match=0x5637616bdb58 (line=1) Aug 26 13:23:42.971461: | concluding with best_match=014 best=0x5637616bdb58 (lineno=1) Aug 26 13:23:42.971464: | returning because exact peer id match Aug 26 13:23:42.971467: | offered CA: '%none' Aug 26 13:23:42.971471: "east" #1: IKEv2 mode peer ID is ID_FQDN: '@west' Aug 26 13:23:42.971494: | verifying AUTH payload Aug 26 13:23:42.971499: | ikev2_calculate_psk_sighash() called from STATE_PARENT_R1 to verify PSK with authby=secret 
Aug 26 13:23:42.971505: | started looking for secret for @east->@west of kind PKK_PSK Aug 26 13:23:42.971508: | actually looking for secret for @east->@west of kind PKK_PSK Aug 26 13:23:42.971511: | line 1: key type PKK_PSK(@east) to type PKK_PSK Aug 26 13:23:42.971514: | 1: compared key @east to @east / @west -> 010 Aug 26 13:23:42.971517: | 2: compared key @west to @east / @west -> 014 Aug 26 13:23:42.971520: | line 1: match=014 Aug 26 13:23:42.971523: | match 014 beats previous best_match 000 match=0x5637616bdb58 (line=1) Aug 26 13:23:42.971527: | concluding with best_match=014 best=0x5637616bdb58 (lineno=1) Aug 26 13:23:42.971589: "east" #1: Authenticated using authby=secret Aug 26 13:23:42.971595: | parent state #1: PARENT_R1(half-open IKE SA) => PARENT_R2(established IKE SA) Aug 26 13:23:42.971600: | #1 will start re-keying in 3330 seconds with margin of 270 seconds (attempting re-key) Aug 26 13:23:42.971603: | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted Aug 26 13:23:42.971606: | libevent_free: release ptr-libevent@0x7f6a18002888 Aug 26 13:23:42.971608: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x563761766268 Aug 26 13:23:42.971611: | event_schedule: new EVENT_SA_REKEY-pe@0x563761766268 Aug 26 13:23:42.971614: | inserting event EVENT_SA_REKEY, timeout in 3330 seconds for #1 Aug 26 13:23:42.971617: | libevent_malloc: new ptr-libevent@0x56376176b5b8 size 128 Aug 26 13:23:42.971702: | pstats #1 ikev2.ike established Aug 26 13:23:42.971710: | **emit ISAKMP Message: Aug 26 13:23:42.971712: | initiator cookie: Aug 26 13:23:42.971714: | be 09 7a a2 43 c3 23 61 Aug 26 13:23:42.971716: | responder cookie: Aug 26 13:23:42.971717: | 1a 03 8f 34 26 a1 74 69 Aug 26 13:23:42.971719: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 13:23:42.971721: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:23:42.971723: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Aug 26 13:23:42.971725: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Aug 26 
13:23:42.971727: | Message ID: 1 (0x1) Aug 26 13:23:42.971729: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 13:23:42.971731: | IKEv2 CERT: send a certificate? Aug 26 13:23:42.971733: | IKEv2 CERT: policy does not have RSASIG or ECDSA: PSK Aug 26 13:23:42.971735: | ***emit IKEv2 Encryption Payload: Aug 26 13:23:42.971737: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:23:42.971738: | flags: none (0x0) Aug 26 13:23:42.971741: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Aug 26 13:23:42.971743: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'reply packet' Aug 26 13:23:42.971745: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Aug 26 13:23:42.971750: | Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED Aug 26 13:23:42.971759: | ****emit IKEv2 Identification - Responder - Payload: Aug 26 13:23:42.971762: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:23:42.971763: | flags: none (0x0) Aug 26 13:23:42.971765: | ID type: ID_FQDN (0x2) Aug 26 13:23:42.971767: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Identification - Responder - Payload (36:ISAKMP_NEXT_v2IDr) Aug 26 13:23:42.971770: | next payload chain: saving location 'IKEv2 Identification - Responder - Payload'.'next payload type' in 'reply packet' Aug 26 13:23:42.971772: | emitting 4 raw bytes of my identity into IKEv2 Identification - Responder - Payload Aug 26 13:23:42.971774: | my identity 65 61 73 74 Aug 26 13:23:42.971776: | emitting length of IKEv2 Identification - Responder - Payload: 12 Aug 26 13:23:42.971781: | assembled IDr payload Aug 26 13:23:42.971782: | CHILD SA proposals received Aug 26 13:23:42.971784: | going to assemble AUTH payload Aug 26 13:23:42.971786: | ****emit IKEv2 Authentication Payload: Aug 26 13:23:42.971788: 
| next payload type: ISAKMP_NEXT_v2SA (0x21) Aug 26 13:23:42.971791: | flags: none (0x0) Aug 26 13:23:42.971793: | auth method: IKEv2_AUTH_SHARED (0x2) Aug 26 13:23:42.971795: | next payload chain: ignoring supplied 'IKEv2 Authentication Payload'.'next payload type' value 33:ISAKMP_NEXT_v2SA Aug 26 13:23:42.971797: | next payload chain: setting previous 'IKEv2 Identification - Responder - Payload'.'next payload type' to current IKEv2 Authentication Payload (39:ISAKMP_NEXT_v2AUTH) Aug 26 13:23:42.971799: | next payload chain: saving location 'IKEv2 Authentication Payload'.'next payload type' in 'reply packet' Aug 26 13:23:42.971802: | ikev2_calculate_psk_sighash() called from STATE_PARENT_R2 to create PSK with authby=secret Aug 26 13:23:42.971804: | started looking for secret for @east->@west of kind PKK_PSK Aug 26 13:23:42.971806: | actually looking for secret for @east->@west of kind PKK_PSK Aug 26 13:23:42.971808: | line 1: key type PKK_PSK(@east) to type PKK_PSK Aug 26 13:23:42.971810: | 1: compared key @east to @east / @west -> 010 Aug 26 13:23:42.971812: | 2: compared key @west to @east / @west -> 014 Aug 26 13:23:42.971814: | line 1: match=014 Aug 26 13:23:42.971816: | match 014 beats previous best_match 000 match=0x5637616bdb58 (line=1) Aug 26 13:23:42.971818: | concluding with best_match=014 best=0x5637616bdb58 (lineno=1) Aug 26 13:23:42.971852: | emitting 64 raw bytes of PSK auth into IKEv2 Authentication Payload Aug 26 13:23:42.971855: | PSK auth 33 79 7f 28 49 92 40 87 64 51 7f 32 7e a2 ed 91 Aug 26 13:23:42.971856: | PSK auth 68 e1 c5 10 24 1a 3a c0 b3 c1 94 e2 f7 bb cd c7 Aug 26 13:23:42.971858: | PSK auth a2 85 12 ff 99 e1 57 52 f6 0a c0 f4 04 7a 75 39 Aug 26 13:23:42.971860: | PSK auth ae 17 2e 36 c9 e7 0d e5 1f 3f e6 8c 4b aa 1b 4c Aug 26 13:23:42.971862: | emitting length of IKEv2 Authentication Payload: 72 Aug 26 13:23:42.971865: | creating state object #2 at 0x56376176c2d8 Aug 26 13:23:42.971867: | State DB: adding IKEv2 state #2 in UNDEFINED Aug 
26 13:23:42.971869: | pstats #2 ikev2.child started Aug 26 13:23:42.971871: | duplicating state object #1 "east" as #2 for IPSEC SA Aug 26 13:23:42.971875: | #2 setting local endpoint to 192.1.2.23:500 from #1.st_localport (in duplicate_state() at state.c:1484) Aug 26 13:23:42.971879: | Message ID: init_child #1.#2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0; child: wip.initiator=0->-1 wip.responder=0->-1 Aug 26 13:23:42.971882: | Message ID: switch-from #1 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=1->-1 Aug 26 13:23:42.971885: | Message ID: switch-to #1.#2 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0; child: wip.initiator=-1 wip.responder=-1->1 Aug 26 13:23:42.971887: | Child SA TS Request has ike->sa == md->st; so using parent connection Aug 26 13:23:42.971889: | TSi: parsing 1 traffic selectors Aug 26 13:23:42.971891: | ***parse IKEv2 Traffic Selector: Aug 26 13:23:42.971893: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 13:23:42.971895: | IP Protocol ID: 0 (0x0) Aug 26 13:23:42.971896: | length: 16 (0x10) Aug 26 13:23:42.971898: | start port: 0 (0x0) Aug 26 13:23:42.971900: | end port: 65535 (0xffff) Aug 26 13:23:42.971902: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Aug 26 13:23:42.971904: | TS low c0 00 01 00 Aug 26 13:23:42.971905: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Aug 26 13:23:42.971907: | TS high c0 00 01 ff Aug 26 13:23:42.971909: | TSi: parsed 1 traffic selectors Aug 26 13:23:42.971911: | TSr: parsing 1 traffic selectors Aug 26 13:23:42.971912: | ***parse IKEv2 Traffic Selector: Aug 26 13:23:42.971914: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 13:23:42.971916: | IP Protocol ID: 0 (0x0) Aug 26 13:23:42.971917: | length: 16 (0x10) Aug 26 13:23:42.971919: | start port: 0 (0x0) Aug 26 13:23:42.971921: | end port: 65535 (0xffff) Aug 26 13:23:42.971922: | parsing 
4 raw bytes of IKEv2 Traffic Selector into TS low Aug 26 13:23:42.971924: | TS low c0 00 02 00 Aug 26 13:23:42.971927: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Aug 26 13:23:42.971929: | TS high c0 00 02 ff Aug 26 13:23:42.971930: | TSr: parsed 1 traffic selectors Aug 26 13:23:42.971932: | looking for best SPD in current connection Aug 26 13:23:42.971936: | evaluating our conn="east" I=192.0.1.0/24:0/0 R=192.0.2.0/24:0/0 to their: Aug 26 13:23:42.971939: | TSi[0] .net=192.0.1.0-192.0.1.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 13:23:42.971943: | match address end->client=192.0.1.0/24 == TSi[0]net=192.0.1.0-192.0.1.255: YES fitness 32 Aug 26 13:23:42.971946: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Aug 26 13:23:42.971947: | TSi[0] port match: YES fitness 65536 Aug 26 13:23:42.971949: | narrow protocol end=*0 == TSi[0]=*0: 0 Aug 26 13:23:42.971951: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Aug 26 13:23:42.971954: | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 13:23:42.971958: | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 Aug 26 13:23:42.971960: | narrow port end=0..65535 == TSr[0]=0..65535: 0 Aug 26 13:23:42.971961: | TSr[0] port match: YES fitness 65536 Aug 26 13:23:42.971963: | narrow protocol end=*0 == TSr[0]=*0: 0 Aug 26 13:23:42.971965: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Aug 26 13:23:42.971967: | best fit so far: TSi[0] TSr[0] Aug 26 13:23:42.971969: | found better spd route for TSi[0],TSr[0] Aug 26 13:23:42.971970: | looking for better host pair Aug 26 13:23:42.971974: | find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500 but ignoring ports Aug 26 13:23:42.971977: | checking hostpair 192.0.2.0/24 -> 192.0.1.0/24 is found Aug 26 13:23:42.971979: | investigating connection "east" as a better match Aug 26 13:23:42.971981: | match_id a=@west Aug 26 13:23:42.971982: | b=@west Aug 26 
13:23:42.971984: | results matched Aug 26 13:23:42.971987: | evaluating our conn="east" I=192.0.1.0/24:0/0 R=192.0.2.0/24:0/0 to their: Aug 26 13:23:42.971990: | TSi[0] .net=192.0.1.0-192.0.1.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 13:23:42.971993: | match address end->client=192.0.1.0/24 == TSi[0]net=192.0.1.0-192.0.1.255: YES fitness 32 Aug 26 13:23:42.971995: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Aug 26 13:23:42.971997: | TSi[0] port match: YES fitness 65536 Aug 26 13:23:42.971999: | narrow protocol end=*0 == TSi[0]=*0: 0 Aug 26 13:23:42.972001: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Aug 26 13:23:42.972003: | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 13:23:42.972006: | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 Aug 26 13:23:42.972008: | narrow port end=0..65535 == TSr[0]=0..65535: 0 Aug 26 13:23:42.972010: | TSr[0] port match: YES fitness 65536 Aug 26 13:23:42.972012: | narrow protocol end=*0 == TSr[0]=*0: 0 Aug 26 13:23:42.972014: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Aug 26 13:23:42.972015: | best fit so far: TSi[0] TSr[0] Aug 26 13:23:42.972017: | did not find a better connection using host pair Aug 26 13:23:42.972019: | printing contents struct traffic_selector Aug 26 13:23:42.972021: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Aug 26 13:23:42.972022: | ipprotoid: 0 Aug 26 13:23:42.972024: | port range: 0-65535 Aug 26 13:23:42.972027: | ip range: 192.0.2.0-192.0.2.255 Aug 26 13:23:42.972028: | printing contents struct traffic_selector Aug 26 13:23:42.972030: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Aug 26 13:23:42.972031: | ipprotoid: 0 Aug 26 13:23:42.972033: | port range: 0-65535 Aug 26 13:23:42.972035: | ip range: 192.0.1.0-192.0.1.255 Aug 26 13:23:42.972038: | constructing ESP/AH proposals with all DH removed for east (IKE_AUTH responder matching remote ESP/AH proposals) Aug 26 13:23:42.972044: | converting 
proposal AES_GCM_16_256-NONE to ikev2 ... Aug 26 13:23:42.972048: | ... ikev2_proposal: 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;DH=NONE;ESN=DISABLED Aug 26 13:23:42.972050: | converting proposal AES_GCM_16_128-NONE to ikev2 ... Aug 26 13:23:42.972053: | ... ikev2_proposal: 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;DH=NONE;ESN=DISABLED Aug 26 13:23:42.972055: | converting proposal AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128 to ikev2 ... Aug 26 13:23:42.972058: | ... ikev2_proposal: 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED Aug 26 13:23:42.972060: | converting proposal AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128 to ikev2 ... Aug 26 13:23:42.972063: | ... ikev2_proposal: 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED Aug 26 13:23:42.972067: "east": constructed local ESP/AH proposals for east (IKE_AUTH responder matching remote ESP/AH proposals): 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;DH=NONE;ESN=DISABLED 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;DH=NONE;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED Aug 26 13:23:42.972070: | Comparing remote proposals against IKE_AUTH responder matching remote ESP/AH proposals 4 local proposals Aug 26 13:23:42.972074: | local proposal 1 type ENCR has 1 transforms Aug 26 13:23:42.972075: | local proposal 1 type PRF has 0 transforms Aug 26 13:23:42.972077: | local proposal 1 type INTEG has 1 transforms Aug 26 13:23:42.972079: | local proposal 1 type DH has 1 transforms Aug 26 13:23:42.972081: | local proposal 1 type ESN has 1 transforms Aug 26 13:23:42.972083: | local proposal 1 transforms: required: ENCR+ESN; optional: INTEG+DH Aug 26 13:23:42.972085: | local proposal 2 type ENCR has 1 transforms Aug 26 13:23:42.972086: | local proposal 2 type PRF has 0 transforms Aug 26 13:23:42.972088: | local proposal 2 type INTEG has 1 
transforms Aug 26 13:23:42.972090: | local proposal 2 type DH has 1 transforms Aug 26 13:23:42.972091: | local proposal 2 type ESN has 1 transforms Aug 26 13:23:42.972093: | local proposal 2 transforms: required: ENCR+ESN; optional: INTEG+DH Aug 26 13:23:42.972095: | local proposal 3 type ENCR has 1 transforms Aug 26 13:23:42.972097: | local proposal 3 type PRF has 0 transforms Aug 26 13:23:42.972098: | local proposal 3 type INTEG has 2 transforms Aug 26 13:23:42.972100: | local proposal 3 type DH has 1 transforms Aug 26 13:23:42.972102: | local proposal 3 type ESN has 1 transforms Aug 26 13:23:42.972104: | local proposal 3 transforms: required: ENCR+INTEG+ESN; optional: DH Aug 26 13:23:42.972105: | local proposal 4 type ENCR has 1 transforms Aug 26 13:23:42.972107: | local proposal 4 type PRF has 0 transforms Aug 26 13:23:42.972109: | local proposal 4 type INTEG has 2 transforms Aug 26 13:23:42.972110: | local proposal 4 type DH has 1 transforms Aug 26 13:23:42.972112: | local proposal 4 type ESN has 1 transforms Aug 26 13:23:42.972114: | local proposal 4 transforms: required: ENCR+INTEG+ESN; optional: DH Aug 26 13:23:42.972116: | ***parse IKEv2 Proposal Substructure Payload: Aug 26 13:23:42.972118: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 13:23:42.972120: | length: 32 (0x20) Aug 26 13:23:42.972122: | prop #: 1 (0x1) Aug 26 13:23:42.972123: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 13:23:42.972125: | spi size: 4 (0x4) Aug 26 13:23:42.972127: | # transforms: 2 (0x2) Aug 26 13:23:42.972129: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Aug 26 13:23:42.972130: | remote SPI ba ca 5f 96 Aug 26 13:23:42.972133: | Comparing remote proposal 1 containing 2 transforms against local proposal [1..4] of 4 local proposals Aug 26 13:23:42.972135: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:42.972137: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:42.972138: | length: 12 (0xc) Aug 26 13:23:42.972140: | 
IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:23:42.972143: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 13:23:42.972145: | *****parse IKEv2 Attribute Substructure Payload: Aug 26 13:23:42.972147: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:23:42.972148: | length/value: 256 (0x100) Aug 26 13:23:42.972151: | remote proposal 1 transform 0 (ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) transform 0 Aug 26 13:23:42.972153: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:42.972155: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:23:42.972157: | length: 8 (0x8) Aug 26 13:23:42.972158: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 13:23:42.972160: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 13:23:42.972162: | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 1 type 5 (ESN) transform 0 Aug 26 13:23:42.972164: | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 2 type 5 (ESN) transform 0 Aug 26 13:23:42.972166: | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 3 type 5 (ESN) transform 0 Aug 26 13:23:42.972168: | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 4 type 5 (ESN) transform 0 Aug 26 13:23:42.972171: | remote proposal 1 proposed transforms: ENCR+ESN; matched: ENCR+ESN; unmatched: none Aug 26 13:23:42.972174: | comparing remote proposal 1 containing ENCR+ESN transforms to local proposal 1; required: ENCR+ESN; optional: INTEG+DH; matched: ENCR+ESN Aug 26 13:23:42.972175: | remote proposal 1 matches local proposal 1 Aug 26 13:23:42.972177: | ***parse IKEv2 Proposal Substructure Payload: Aug 26 13:23:42.972179: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 13:23:42.972181: | length: 32 (0x20) Aug 26 13:23:42.972182: | prop #: 2 (0x2) Aug 26 13:23:42.972184: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 13:23:42.972186: | spi size: 4 (0x4) Aug 26 13:23:42.972187: | # transforms: 2 (0x2) Aug 26 13:23:42.972189: | parsing 4 raw bytes of 
IKEv2 Proposal Substructure Payload into remote SPI Aug 26 13:23:42.972191: | remote SPI ba ca 5f 96 Aug 26 13:23:42.972193: | Comparing remote proposal 2 containing 2 transforms against local proposal [1..0] of 4 local proposals Aug 26 13:23:42.972195: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:42.972196: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:42.972198: | length: 12 (0xc) Aug 26 13:23:42.972200: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:23:42.972201: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 13:23:42.972203: | *****parse IKEv2 Attribute Substructure Payload: Aug 26 13:23:42.972205: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:23:42.972207: | length/value: 128 (0x80) Aug 26 13:23:42.972208: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:42.972210: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:23:42.972212: | length: 8 (0x8) Aug 26 13:23:42.972214: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 13:23:42.972215: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 13:23:42.972217: | remote proposal 2 proposed transforms: ENCR+ESN; matched: none; unmatched: ENCR+ESN Aug 26 13:23:42.972219: | remote proposal 2 does not match; unmatched remote transforms: ENCR+ESN Aug 26 13:23:42.972221: | ***parse IKEv2 Proposal Substructure Payload: Aug 26 13:23:42.972223: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 13:23:42.972224: | length: 48 (0x30) Aug 26 13:23:42.972226: | prop #: 3 (0x3) Aug 26 13:23:42.972228: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 13:23:42.972229: | spi size: 4 (0x4) Aug 26 13:23:42.972231: | # transforms: 4 (0x4) Aug 26 13:23:42.972233: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Aug 26 13:23:42.972234: | remote SPI ba ca 5f 96 Aug 26 13:23:42.972236: | Comparing remote proposal 3 containing 4 transforms against local proposal [1..0] of 4 local proposals Aug 26 13:23:42.972238: | ****parse IKEv2 Transform Substructure Payload: 
Aug 26 13:23:42.972240: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:42.972242: | length: 12 (0xc) Aug 26 13:23:42.972244: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:23:42.972246: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 13:23:42.972248: | *****parse IKEv2 Attribute Substructure Payload: Aug 26 13:23:42.972249: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:23:42.972251: | length/value: 256 (0x100) Aug 26 13:23:42.972253: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:42.972255: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:42.972256: | length: 8 (0x8) Aug 26 13:23:42.972258: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:23:42.972260: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Aug 26 13:23:42.972261: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:42.972263: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:42.972265: | length: 8 (0x8) Aug 26 13:23:42.972266: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:23:42.972268: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Aug 26 13:23:42.972270: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:42.972271: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:23:42.972273: | length: 8 (0x8) Aug 26 13:23:42.972275: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 13:23:42.972276: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 13:23:42.972279: | remote proposal 3 proposed transforms: ENCR+INTEG+ESN; matched: none; unmatched: ENCR+INTEG+ESN Aug 26 13:23:42.972281: | remote proposal 3 does not match; unmatched remote transforms: ENCR+INTEG+ESN Aug 26 13:23:42.972282: | ***parse IKEv2 Proposal Substructure Payload: Aug 26 13:23:42.972284: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 13:23:42.972286: | length: 48 (0x30) Aug 26 13:23:42.972287: | prop #: 4 (0x4) Aug 26 13:23:42.972294: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 13:23:42.972296: | spi size: 4 (0x4) Aug 26 13:23:42.972298: | # 
transforms: 4 (0x4) Aug 26 13:23:42.972300: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Aug 26 13:23:42.972301: | remote SPI ba ca 5f 96 Aug 26 13:23:42.972303: | Comparing remote proposal 4 containing 4 transforms against local proposal [1..0] of 4 local proposals Aug 26 13:23:42.972305: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:42.972307: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:42.972308: | length: 12 (0xc) Aug 26 13:23:42.972310: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:23:42.972312: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 13:23:42.972313: | *****parse IKEv2 Attribute Substructure Payload: Aug 26 13:23:42.972315: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:23:42.972317: | length/value: 128 (0x80) Aug 26 13:23:42.972319: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:42.972320: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:42.972322: | length: 8 (0x8) Aug 26 13:23:42.972324: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:23:42.972328: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Aug 26 13:23:42.972330: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:42.972331: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:42.972333: | length: 8 (0x8) Aug 26 13:23:42.972335: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:23:42.972336: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Aug 26 13:23:42.972338: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:42.972340: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:23:42.972341: | length: 8 (0x8) Aug 26 13:23:42.972343: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 13:23:42.972345: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 13:23:42.972347: | remote proposal 4 proposed transforms: ENCR+INTEG+ESN; matched: none; unmatched: ENCR+INTEG+ESN Aug 26 13:23:42.972349: | remote proposal 4 does not match; unmatched remote transforms: 
ENCR+INTEG+ESN Aug 26 13:23:42.972353: "east" #1: proposal 1:ESP:SPI=baca5f96;ENCR=AES_GCM_C_256;ESN=DISABLED chosen from remote proposals 1:ESP:ENCR=AES_GCM_C_256;ESN=DISABLED[first-match] 2:ESP:ENCR=AES_GCM_C_128;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED Aug 26 13:23:42.972357: | IKE_AUTH responder matching remote ESP/AH proposals ikev2_proposal: 1:ESP:SPI=baca5f96;ENCR=AES_GCM_C_256;ESN=DISABLED Aug 26 13:23:42.972358: | converting proposal to internal trans attrs Aug 26 13:23:42.972372: | netlink_get_spi: allocated 0x2fe6533b for esp.0@192.1.2.23 Aug 26 13:23:42.972374: | Emitting ikev2_proposal ... Aug 26 13:23:42.972376: | ****emit IKEv2 Security Association Payload: Aug 26 13:23:42.972378: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:23:42.972380: | flags: none (0x0) Aug 26 13:23:42.972382: | next payload chain: setting previous 'IKEv2 Authentication Payload'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Aug 26 13:23:42.972384: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Aug 26 13:23:42.972386: | *****emit IKEv2 Proposal Substructure Payload: Aug 26 13:23:42.972388: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 13:23:42.972389: | prop #: 1 (0x1) Aug 26 13:23:42.972391: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 13:23:42.972393: | spi size: 4 (0x4) Aug 26 13:23:42.972394: | # transforms: 2 (0x2) Aug 26 13:23:42.972396: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Aug 26 13:23:42.972399: | emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload Aug 26 13:23:42.972400: | our spi 2f e6 53 3b Aug 26 13:23:42.972402: | ******emit IKEv2 Transform Substructure Payload: Aug 26 13:23:42.972404: | last 
transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:42.972406: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:23:42.972407: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 13:23:42.972409: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:23:42.972411: | *******emit IKEv2 Attribute Substructure Payload: Aug 26 13:23:42.972413: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:23:42.972415: | length/value: 256 (0x100) Aug 26 13:23:42.972417: | emitting length of IKEv2 Transform Substructure Payload: 12 Aug 26 13:23:42.972418: | ******emit IKEv2 Transform Substructure Payload: Aug 26 13:23:42.972420: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:23:42.972422: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 13:23:42.972423: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 13:23:42.972425: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:42.972427: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:23:42.972429: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:23:42.972431: | emitting length of IKEv2 Proposal Substructure Payload: 32 Aug 26 13:23:42.972433: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Aug 26 13:23:42.972435: | emitting length of IKEv2 Security Association Payload: 36 Aug 26 13:23:42.972437: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Aug 26 13:23:42.972439: | ****emit IKEv2 Traffic Selector - Initiator - Payload: Aug 26 13:23:42.972440: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:23:42.972442: | flags: none (0x0) Aug 26 13:23:42.972444: | number 
of TS: 1 (0x1) Aug 26 13:23:42.972446: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Traffic Selector - Initiator - Payload (44:ISAKMP_NEXT_v2TSi) Aug 26 13:23:42.972449: | next payload chain: saving location 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' in 'reply packet' Aug 26 13:23:42.972451: | *****emit IKEv2 Traffic Selector: Aug 26 13:23:42.972453: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 13:23:42.972455: | IP Protocol ID: 0 (0x0) Aug 26 13:23:42.972457: | start port: 0 (0x0) Aug 26 13:23:42.972458: | end port: 65535 (0xffff) Aug 26 13:23:42.972460: | emitting 4 raw bytes of ipv4 start into IKEv2 Traffic Selector Aug 26 13:23:42.972462: | ipv4 start c0 00 01 00 Aug 26 13:23:42.972464: | emitting 4 raw bytes of ipv4 end into IKEv2 Traffic Selector Aug 26 13:23:42.972466: | ipv4 end c0 00 01 ff Aug 26 13:23:42.972467: | emitting length of IKEv2 Traffic Selector: 16 Aug 26 13:23:42.972469: | emitting length of IKEv2 Traffic Selector - Initiator - Payload: 24 Aug 26 13:23:42.972471: | ****emit IKEv2 Traffic Selector - Responder - Payload: Aug 26 13:23:42.972472: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:23:42.972474: | flags: none (0x0) Aug 26 13:23:42.972476: | number of TS: 1 (0x1) Aug 26 13:23:42.972478: | next payload chain: setting previous 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' to current IKEv2 Traffic Selector - Responder - Payload (45:ISAKMP_NEXT_v2TSr) Aug 26 13:23:42.972480: | next payload chain: saving location 'IKEv2 Traffic Selector - Responder - Payload'.'next payload type' in 'reply packet' Aug 26 13:23:42.972482: | *****emit IKEv2 Traffic Selector: Aug 26 13:23:42.972483: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 13:23:42.972485: | IP Protocol ID: 0 (0x0) Aug 26 13:23:42.972486: | start port: 0 (0x0) Aug 26 13:23:42.972488: | end port: 65535 (0xffff) Aug 26 13:23:42.972490: | emitting 4 raw bytes of ipv4 
start into IKEv2 Traffic Selector Aug 26 13:23:42.972492: | ipv4 start c0 00 02 00 Aug 26 13:23:42.972493: | emitting 4 raw bytes of ipv4 end into IKEv2 Traffic Selector Aug 26 13:23:42.972495: | ipv4 end c0 00 02 ff Aug 26 13:23:42.972497: | emitting length of IKEv2 Traffic Selector: 16 Aug 26 13:23:42.972498: | emitting length of IKEv2 Traffic Selector - Responder - Payload: 24 Aug 26 13:23:42.972500: | Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED Aug 26 13:23:42.972502: | integ=none: .key_size=0 encrypt=aes_gcm_16: .key_size=32 .salt_size=4 keymat_len=36 Aug 26 13:23:42.972597: | FOR_EACH_CONNECTION_... in ISAKMP_SA_established Aug 26 13:23:42.972602: | #1 spent 1.21 milliseconds Aug 26 13:23:42.972605: | install_ipsec_sa() for #2: inbound and outbound Aug 26 13:23:42.972607: | could_route called for east (kind=CK_PERMANENT) Aug 26 13:23:42.972609: | FOR_EACH_CONNECTION_... in route_owner Aug 26 13:23:42.972611: | conn east mark 0/00000000, 0/00000000 vs Aug 26 13:23:42.972613: | conn east mark 0/00000000, 0/00000000 Aug 26 13:23:42.972615: | route owner of "east" unrouted: NULL; eroute owner: NULL Aug 26 13:23:42.972618: | looking for alg with encrypt: AES_GCM_16 keylen: 256 integ: NONE Aug 26 13:23:42.972621: | encrypt AES_GCM_16 keylen=256 transid=20, key_size=32, encryptalg=20 Aug 26 13:23:42.972623: | AES_GCM_16 requires 4 salt bytes Aug 26 13:23:42.972625: | st->st_esp.keymat_len=36 is encrypt_keymat_size=36 + integ_keymat_size=0 Aug 26 13:23:42.972627: | setting IPsec SA replay-window to 32 Aug 26 13:23:42.972629: | NIC esp-hw-offload not for connection 'east' not available on interface eth1 Aug 26 13:23:42.972631: | netlink: enabling tunnel mode Aug 26 13:23:42.972634: | netlink: setting IPsec SA replay-window to 32 using old-style req Aug 26 13:23:42.972636: | netlink: esp-hw-offload not set for IPsec SA Aug 26 13:23:42.972687: | netlink response for Add SA esp.baca5f96@192.1.2.45 included non-error error Aug 26 
13:23:42.972691: | set up outgoing SA, ref=0/0 Aug 26 13:23:42.972693: | looking for alg with encrypt: AES_GCM_16 keylen: 256 integ: NONE Aug 26 13:23:42.972697: | encrypt AES_GCM_16 keylen=256 transid=20, key_size=32, encryptalg=20 Aug 26 13:23:42.972699: | AES_GCM_16 requires 4 salt bytes Aug 26 13:23:42.972701: | st->st_esp.keymat_len=36 is encrypt_keymat_size=36 + integ_keymat_size=0 Aug 26 13:23:42.972703: | setting IPsec SA replay-window to 32 Aug 26 13:23:42.972705: | NIC esp-hw-offload not for connection 'east' not available on interface eth1 Aug 26 13:23:42.972707: | netlink: enabling tunnel mode Aug 26 13:23:42.972709: | netlink: setting IPsec SA replay-window to 32 using old-style req Aug 26 13:23:42.972711: | netlink: esp-hw-offload not set for IPsec SA Aug 26 13:23:42.972734: | netlink response for Add SA esp.2fe6533b@192.1.2.23 included non-error error Aug 26 13:23:42.972737: | priority calculation of connection "east" is 0xfe7e7 Aug 26 13:23:42.972741: | add inbound eroute 192.0.1.0/24:0 --0-> 192.0.2.0/24:0 => tun.10000@192.1.2.23 (raw_eroute) Aug 26 13:23:42.972744: | IPsec Sa SPD priority set to 1042407 Aug 26 13:23:42.972759: | raw_eroute result=success Aug 26 13:23:42.972762: | set up incoming SA, ref=0/0 Aug 26 13:23:42.972764: | sr for #2: unrouted Aug 26 13:23:42.972766: | route_and_eroute() for proto 0, and source port 0 dest port 0 Aug 26 13:23:42.972768: | FOR_EACH_CONNECTION_... 
in route_owner Aug 26 13:23:42.972770: | conn east mark 0/00000000, 0/00000000 vs Aug 26 13:23:42.972771: | conn east mark 0/00000000, 0/00000000 Aug 26 13:23:42.972774: | route owner of "east" unrouted: NULL; eroute owner: NULL Aug 26 13:23:42.972776: | route_and_eroute with c: east (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: #2 Aug 26 13:23:42.972778: | priority calculation of connection "east" is 0xfe7e7 Aug 26 13:23:42.972783: | eroute_connection add eroute 192.0.2.0/24:0 --0-> 192.0.1.0/24:0 => tun.0@192.1.2.45 (raw_eroute) Aug 26 13:23:42.972785: | IPsec Sa SPD priority set to 1042407 Aug 26 13:23:42.972792: | raw_eroute result=success Aug 26 13:23:42.972795: | running updown command "ipsec _updown" for verb up Aug 26 13:23:42.972797: | command executing up-client Aug 26 13:23:42.972814: | executing up-client: PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='east' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='@west' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0xbaca5f96 SPI_OUT=0x2fe Aug 26 13:23:42.972816: | popen cmd is 1020 chars long Aug 26 13:23:42.972818: | cmd( 0):PLUTO_VERB='up-client' PLUTO_VERSION='2.0' 
PLUTO_CONNECTION='east' PLUTO_INTERFA: Aug 26 13:23:42.972820: | cmd( 80):CE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' : Aug 26 13:23:42.972822: | cmd( 160):PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_M: Aug 26 13:23:42.972824: | cmd( 240):ASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='1638: Aug 26 13:23:42.972825: | cmd( 320):8' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='@west' PLUTO_PEER_: Aug 26 13:23:42.972827: | cmd( 400):CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK=': Aug 26 13:23:42.972829: | cmd( 480):255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUT: Aug 26 13:23:42.972831: | cmd( 560):O_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKE: Aug 26 13:23:42.972834: | cmd( 640):V2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO: Aug 26 13:23:42.972836: | cmd( 720):_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_IN: Aug 26 13:23:42.972838: | cmd( 800):FO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_: Aug 26 13:23:42.972839: | cmd( 880):CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED=: Aug 26 13:23:42.972841: | cmd( 960):'no' SPI_IN=0xbaca5f96 SPI_OUT=0x2fe6533b ipsec _updown 2>&1: Aug 26 13:23:42.980061: | route_and_eroute: firewall_notified: true Aug 26 13:23:42.980076: | running updown command "ipsec _updown" for verb prepare Aug 26 13:23:42.980079: | command executing prepare-client Aug 26 13:23:42.980100: | executing prepare-client: PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='east' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' 
PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='@west' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0xbaca5f96 SPI Aug 26 13:23:42.980103: | popen cmd is 1025 chars long Aug 26 13:23:42.980105: | cmd( 0):PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='east' PLUTO_IN: Aug 26 13:23:42.980107: | cmd( 80):TERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@e: Aug 26 13:23:42.980109: | cmd( 160):ast' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLI: Aug 26 13:23:42.980111: | cmd( 240):ENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID=: Aug 26 13:23:42.980112: | cmd( 320):'16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='@west' PLUTO_: Aug 26 13:23:42.980114: | cmd( 400):PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_M: Aug 26 13:23:42.980116: | cmd( 480):ASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='': Aug 26 13:23:42.980118: | cmd( 560): PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PF: Aug 26 13:23:42.980119: | cmd( 640):S+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' : Aug 26 13:23:42.980121: | cmd( 720):PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_D: Aug 26 13:23:42.980123: | cmd( 800):NS_INFO='' PLUTO_PEER_DOMAIN_INFO='' 
PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' P: Aug 26 13:23:42.980125: | cmd( 880):LUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SH: Aug 26 13:23:42.980126: | cmd( 960):ARED='no' SPI_IN=0xbaca5f96 SPI_OUT=0x2fe6533b ipsec _updown 2>&1: Aug 26 13:23:42.987659: | running updown command "ipsec _updown" for verb route Aug 26 13:23:42.987677: | command executing route-client Aug 26 13:23:42.987715: | executing route-client: PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='east' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='@west' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0xbaca5f96 SPI_OUT Aug 26 13:23:42.987724: | popen cmd is 1023 chars long Aug 26 13:23:42.987728: | cmd( 0):PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='east' PLUTO_INTE: Aug 26 13:23:42.987731: | cmd( 80):RFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@eas: Aug 26 13:23:42.987734: | cmd( 160):t' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIEN: Aug 26 13:23:42.987737: | cmd( 240):T_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='1: Aug 26 13:23:42.987740: | 
cmd( 320):6388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='@west' PLUTO_PE: Aug 26 13:23:42.987743: | cmd( 400):ER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MAS: Aug 26 13:23:42.987746: | cmd( 480):K='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' P: Aug 26 13:23:42.987749: | cmd( 560):LUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+: Aug 26 13:23:42.987752: | cmd( 640):IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PL: Aug 26 13:23:42.987755: | cmd( 720):UTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS: Aug 26 13:23:42.987758: | cmd( 800):_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLU: Aug 26 13:23:42.987761: | cmd( 880):TO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHAR: Aug 26 13:23:42.987763: | cmd( 960):ED='no' SPI_IN=0xbaca5f96 SPI_OUT=0x2fe6533b ipsec _updown 2>&1: Aug 26 13:23:42.997518: | route_and_eroute: instance "east", setting eroute_owner {spd=0x563761764728,sr=0x563761764728} to #2 (was #0) (newest_ipsec_sa=#0) Aug 26 13:23:42.997591: | #1 spent 1.75 milliseconds in install_ipsec_sa() Aug 26 13:23:42.997597: | ISAKMP_v2_IKE_AUTH: instance east[0], setting IKEv2 newest_ipsec_sa to #2 (was #0) (spd.eroute=#2) cloned from #1 Aug 26 13:23:42.997601: | adding 1 bytes of padding (including 1 byte padding-length) Aug 26 13:23:42.997604: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:23:42.997607: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Aug 26 13:23:42.997609: | emitting length of IKEv2 Encryption Payload: 197 Aug 26 13:23:42.997611: | emitting length of ISAKMP Message: 225 Aug 26 13:23:42.997638: | ikev2_parent_inI2outR2_continue_tail returned STF_OK Aug 26 13:23:42.997642: | #1 spent 3.01 milliseconds in processing: Responder: 
process IKE_AUTH request in ikev2_process_state_packet() Aug 26 13:23:42.997648: | suspend processing: state #1 connection "east" from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:23:42.997652: | start processing: state #2 connection "east" from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:23:42.997655: | #2 complete_v2_state_transition() md.from_state=PARENT_R1 md.svm.state[from]=PARENT_R1 UNDEFINED->V2_IPSEC_R with status STF_OK Aug 26 13:23:42.997658: | IKEv2: transition from state STATE_PARENT_R1 to state STATE_V2_IPSEC_R Aug 26 13:23:42.997660: | child state #2: UNDEFINED(ignore) => V2_IPSEC_R(established CHILD SA) Aug 26 13:23:42.997663: | Message ID: updating counters for #2 to 1 after switching state Aug 26 13:23:42.997667: | Message ID: recv #1.#2 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0->1; child: wip.initiator=-1 wip.responder=1->-1 Aug 26 13:23:42.997671: | Message ID: sent #1.#2 response 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0->1 responder.recv=1; child: wip.initiator=-1 wip.responder=-1 Aug 26 13:23:42.997675: | pstats #2 ikev2.child established Aug 26 13:23:42.997682: "east" #2: negotiated connection [192.0.2.0-192.0.2.255:0-65535 0] -> [192.0.1.0-192.0.1.255:0-65535 0] Aug 26 13:23:42.997685: | NAT-T: encaps is 'auto' Aug 26 13:23:42.997688: "east" #2: STATE_V2_IPSEC_R: IPsec SA established tunnel mode {ESP=>0xbaca5f96 <0x2fe6533b xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive} Aug 26 13:23:42.997692: | sending V2 new request packet to 192.1.2.45:500 (from 192.1.2.23:500) Aug 26 13:23:42.997698: | sending 225 bytes for STATE_PARENT_R1 through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #1)
Aug 26 13:23:42.997756: | releasing whack for #2 (sock=fd@-1) Aug 26 13:23:42.997760: | releasing whack and unpending for parent #1 Aug 26 13:23:42.997762: | unpending state #1 connection "east" Aug 26 13:23:42.997765: | #2 will start re-keying in 28530 seconds with margin of 270 seconds (attempting re-key) Aug 26 13:23:42.997768: | event_schedule: new EVENT_SA_REKEY-pe@0x7f6a18002b78 Aug 26 13:23:42.997770: | inserting event EVENT_SA_REKEY, timeout in 28530 seconds for #2 Aug 26 13:23:42.997773: | libevent_malloc: new ptr-libevent@0x56376176c228 size 128 Aug 26 13:23:42.997785: | resume sending helper answer for #1 suppresed complete_v2_state_transition() Aug 26 13:23:42.997790: | #1 spent 3.29 milliseconds in resume sending helper answer Aug 26 13:23:42.997793: | stop processing: state #2 connection "east" from 192.1.2.45:500 (in resume_handler() at server.c:833) Aug 26 13:23:42.997797: | libevent_free: release ptr-libevent@0x7f6a10000f48 Aug 26 13:23:42.997808: | processing signal PLUTO_SIGCHLD Aug 26 13:23:42.997812: | waitpid returned ECHILD (no child processes left) Aug 26 13:23:42.997815: | spent 0.00385 milliseconds in signal 
handler PLUTO_SIGCHLD Aug 26 13:23:42.997817: | processing signal PLUTO_SIGCHLD Aug 26 13:23:42.997820: | waitpid returned ECHILD (no child processes left) Aug 26 13:23:42.997822: | spent 0.00248 milliseconds in signal handler PLUTO_SIGCHLD Aug 26 13:23:42.997824: | processing signal PLUTO_SIGCHLD Aug 26 13:23:42.997826: | waitpid returned ECHILD (no child processes left) Aug 26 13:23:42.997829: | spent 0.00248 milliseconds in signal handler PLUTO_SIGCHLD Aug 26 13:24:01.664358: | processing global timer EVENT_SHUNT_SCAN Aug 26 13:24:01.664377: | expiring aged bare shunts from shunt table Aug 26 13:24:01.664383: | spent 0.00424 milliseconds in global timer EVENT_SHUNT_SCAN Aug 26 13:24:03.000878: | spent 0.00311 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Aug 26 13:24:03.000899: | *received 661 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500) Aug 26 13:24:03.000986: | start 
processing: from 192.1.2.45:500 (in process_md() at demux.c:378) Aug 26 13:24:03.000989: | **parse ISAKMP Message: Aug 26 13:24:03.000991: | initiator cookie: Aug 26 13:24:03.000993: | be 09 7a a2 43 c3 23 61 Aug 26 13:24:03.000994: | responder cookie: Aug 26 13:24:03.000996: | 1a 03 8f 34 26 a1 74 69 Aug 26 13:24:03.000998: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Aug 26 13:24:03.001000: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:24:03.001001: | exchange type: ISAKMP_v2_CREATE_CHILD_SA (0x24) Aug 26 13:24:03.001005: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Aug 26 13:24:03.001006: | Message ID: 2 (0x2) Aug 26 13:24:03.001008: | length: 661 (0x295) Aug 26 13:24:03.001010: | processing version=2.0 packet with exchange type=ISAKMP_v2_CREATE_CHILD_SA (36) Aug 26 13:24:03.001029: | I am the IKE SA Original Responder receiving an IKEv2 CREATE_CHILD_SA request Aug 26 13:24:03.001033: | State DB: found IKEv2 state #1 in PARENT_R2 (find_v2_ike_sa) Aug 26 13:24:03.001042: | start processing: state #1 connection "east" from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:2016) Aug 26 13:24:03.001046: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Aug 26 13:24:03.001051: | [RE]START processing: state #1 connection "east" from 192.1.2.45:500 (in ike_process_packet() at ikev2.c:2064) Aug 26 13:24:03.001067: | #1 st.st_msgid_lastrecv 1 md.hdr.isa_msgid 00000002 Aug 26 13:24:03.001070: | Message ID: #1 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1 Aug 26 13:24:03.001072: | unpacking clear payload Aug 26 13:24:03.001087: | Now let's proceed with payload (ISAKMP_NEXT_v2SK) Aug 26 13:24:03.001089: | ***parse IKEv2 Encryption Payload: Aug 26 13:24:03.001091: | next payload type: ISAKMP_NEXT_v2SA (0x21) Aug 26 13:24:03.001093: | flags: none (0x0) Aug 26 13:24:03.001095: | length: 633 (0x279) Aug 26 13:24:03.001097: | processing payload: ISAKMP_NEXT_v2SK (len=629) Aug 26 
13:24:03.001100: | Message ID: start-responder #1 request 2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1 wip.initiator=-1 wip.responder=-1->2 Aug 26 13:24:03.001102: | #1 in state PARENT_R2: received v2I2, PARENT SA established Aug 26 13:24:03.001118: | #1 ikev2 ISAKMP_v2_CREATE_CHILD_SA decrypt success Aug 26 13:24:03.001120: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Aug 26 13:24:03.001122: | **parse IKEv2 Security Association Payload: Aug 26 13:24:03.001124: | next payload type: ISAKMP_NEXT_v2Ni (0x28) Aug 26 13:24:03.001126: | flags: none (0x0) Aug 26 13:24:03.001127: | length: 196 (0xc4) Aug 26 13:24:03.001129: | processing payload: ISAKMP_NEXT_v2SA (len=192) Aug 26 13:24:03.001131: | Now let's proceed with payload (ISAKMP_NEXT_v2Ni) Aug 26 13:24:03.001133: | **parse IKEv2 Nonce Payload: Aug 26 13:24:03.001134: | next payload type: ISAKMP_NEXT_v2KE (0x22) Aug 26 13:24:03.001136: | flags: none (0x0) Aug 26 13:24:03.001142: | length: 36 (0x24) Aug 26 13:24:03.001146: | processing payload: ISAKMP_NEXT_v2Ni (len=32) Aug 26 13:24:03.001149: | Now let's proceed with payload (ISAKMP_NEXT_v2KE) Aug 26 13:24:03.001153: | **parse IKEv2 Key Exchange Payload: Aug 26 13:24:03.001156: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 13:24:03.001159: | flags: none (0x0) Aug 26 13:24:03.001162: | length: 264 (0x108) Aug 26 13:24:03.001165: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:24:03.001168: | processing payload: ISAKMP_NEXT_v2KE (len=256) Aug 26 13:24:03.001171: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Aug 26 13:24:03.001174: | **parse IKEv2 Notify Payload: Aug 26 13:24:03.001177: | next payload type: ISAKMP_NEXT_v2TSi (0x2c) Aug 26 13:24:03.001180: | flags: none (0x0) Aug 26 13:24:03.001183: | length: 12 (0xc) Aug 26 13:24:03.001187: | Protocol ID: PROTO_v2_ESP (0x3) Aug 26 13:24:03.001190: | SPI size: 4 (0x4) Aug 26 13:24:03.001194: | Notify Message Type: v2N_REKEY_SA (0x4009) Aug 26 13:24:03.001197: | 
processing payload: ISAKMP_NEXT_v2N (len=4) Aug 26 13:24:03.001199: | Now let's proceed with payload (ISAKMP_NEXT_v2TSi) Aug 26 13:24:03.001201: | **parse IKEv2 Traffic Selector - Initiator - Payload: Aug 26 13:24:03.001203: | next payload type: ISAKMP_NEXT_v2TSr (0x2d) Aug 26 13:24:03.001205: | flags: none (0x0) Aug 26 13:24:03.001206: | length: 48 (0x30) Aug 26 13:24:03.001208: | number of TS: 1 (0x1) Aug 26 13:24:03.001210: | processing payload: ISAKMP_NEXT_v2TSi (len=40) Aug 26 13:24:03.001212: | Now let's proceed with payload (ISAKMP_NEXT_v2TSr) Aug 26 13:24:03.001213: | **parse IKEv2 Traffic Selector - Responder - Payload: Aug 26 13:24:03.001215: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:24:03.001217: | flags: none (0x0) Aug 26 13:24:03.001218: | length: 48 (0x30) Aug 26 13:24:03.001220: | number of TS: 1 (0x1) Aug 26 13:24:03.001222: | processing payload: ISAKMP_NEXT_v2TSr (len=40) Aug 26 13:24:03.001224: | state #1 forced to match CREATE_CHILD_SA from V2_CREATE_R->V2_IPSEC_R by ignoring from state Aug 26 13:24:03.001228: | selected state microcode Respond to CREATE_CHILD_SA IPsec SA Request Aug 26 13:24:03.001233: | #1 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2669) Aug 26 13:24:03.001238: | creating state object #3 at 0x563761771bc8 Aug 26 13:24:03.001242: | State DB: adding IKEv2 state #3 in UNDEFINED Aug 26 13:24:03.001251: | pstats #3 ikev2.child started Aug 26 13:24:03.001255: | duplicating state object #1 "east" as #3 for IPSEC SA Aug 26 13:24:03.001263: | #3 setting local endpoint to 192.1.2.23:500 from #1.st_localport (in duplicate_state() at state.c:1484) Aug 26 13:24:03.001273: | Message ID: init_child #1.#3; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1; child: wip.initiator=0->-1 wip.responder=0->-1 Aug 26 13:24:03.001276: | child state #3: UNDEFINED(ignore) => V2_CREATE_R(established IKE SA) Aug 26 13:24:03.001279: | "east" #1 
received Child SA Request CREATE_CHILD_SA from 192.1.2.45:500 Child "east" #3 in STATE_V2_CREATE_R will process it further Aug 26 13:24:03.001282: | Message ID: switch-from #1 request 2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1 wip.initiator=-1 wip.responder=2->-1 Aug 26 13:24:03.001285: | Message ID: switch-to #1.#3 request 2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1; child: wip.initiator=-1 wip.responder=-1->2 Aug 26 13:24:03.001287: | forcing ST #1 to CHILD #1.#3 in FSM processor Aug 26 13:24:03.001296: | Now let's proceed with state specific processing Aug 26 13:24:03.001299: | calling processor Respond to CREATE_CHILD_SA IPsec SA Request Aug 26 13:24:03.001303: | create child proposal's DH changed from no-PFS to MODP2048, flushing Aug 26 13:24:03.001307: | constructing ESP/AH proposals with default DH MODP2048 for east (CREATE_CHILD_SA responder matching remote ESP/AH proposals) Aug 26 13:24:03.001315: | converting proposal AES_GCM_16_256-NONE to ikev2 ... Aug 26 13:24:03.001335: | ... ikev2_proposal: 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;DH=MODP2048;ESN=DISABLED Aug 26 13:24:03.001339: | converting proposal AES_GCM_16_128-NONE to ikev2 ... Aug 26 13:24:03.001345: | ... ikev2_proposal: 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;DH=MODP2048;ESN=DISABLED Aug 26 13:24:03.001349: | converting proposal AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128 to ikev2 ... Aug 26 13:24:03.001355: | ... ikev2_proposal: 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048;ESN=DISABLED Aug 26 13:24:03.001360: | converting proposal AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128 to ikev2 ... Aug 26 13:24:03.001365: | ... 
ikev2_proposal: 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048;ESN=DISABLED Aug 26 13:24:03.001374: "east": constructed local ESP/AH proposals for east (CREATE_CHILD_SA responder matching remote ESP/AH proposals): 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;DH=MODP2048;ESN=DISABLED 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;DH=MODP2048;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048;ESN=DISABLED Aug 26 13:24:03.001378: | Comparing remote proposals against CREATE_CHILD_SA responder matching remote ESP/AH proposals 4 local proposals Aug 26 13:24:03.001382: | local proposal 1 type ENCR has 1 transforms Aug 26 13:24:03.001385: | local proposal 1 type PRF has 0 transforms Aug 26 13:24:03.001387: | local proposal 1 type INTEG has 1 transforms Aug 26 13:24:03.001390: | local proposal 1 type DH has 1 transforms Aug 26 13:24:03.001393: | local proposal 1 type ESN has 1 transforms Aug 26 13:24:03.001397: | local proposal 1 transforms: required: ENCR+DH+ESN; optional: INTEG Aug 26 13:24:03.001399: | local proposal 2 type ENCR has 1 transforms Aug 26 13:24:03.001402: | local proposal 2 type PRF has 0 transforms Aug 26 13:24:03.001405: | local proposal 2 type INTEG has 1 transforms Aug 26 13:24:03.001412: | local proposal 2 type DH has 1 transforms Aug 26 13:24:03.001415: | local proposal 2 type ESN has 1 transforms Aug 26 13:24:03.001418: | local proposal 2 transforms: required: ENCR+DH+ESN; optional: INTEG Aug 26 13:24:03.001421: | local proposal 3 type ENCR has 1 transforms Aug 26 13:24:03.001424: | local proposal 3 type PRF has 0 transforms Aug 26 13:24:03.001427: | local proposal 3 type INTEG has 2 transforms Aug 26 13:24:03.001430: | local proposal 3 type DH has 1 transforms Aug 26 13:24:03.001433: | local proposal 3 type ESN has 1 transforms Aug 26 13:24:03.001438: | local proposal 3 transforms: required: ENCR+INTEG+DH+ESN; 
optional: none Aug 26 13:24:03.001441: | local proposal 4 type ENCR has 1 transforms Aug 26 13:24:03.001444: | local proposal 4 type PRF has 0 transforms Aug 26 13:24:03.001447: | local proposal 4 type INTEG has 2 transforms Aug 26 13:24:03.001450: | local proposal 4 type DH has 1 transforms Aug 26 13:24:03.001454: | local proposal 4 type ESN has 1 transforms Aug 26 13:24:03.001458: | local proposal 4 transforms: required: ENCR+INTEG+DH+ESN; optional: none Aug 26 13:24:03.001461: | ***parse IKEv2 Proposal Substructure Payload: Aug 26 13:24:03.001464: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 13:24:03.001466: | length: 40 (0x28) Aug 26 13:24:03.001467: | prop #: 1 (0x1) Aug 26 13:24:03.001469: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 13:24:03.001471: | spi size: 4 (0x4) Aug 26 13:24:03.001472: | # transforms: 3 (0x3) Aug 26 13:24:03.001475: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Aug 26 13:24:03.001476: | remote SPI 27 47 66 ad Aug 26 13:24:03.001479: | Comparing remote proposal 1 containing 3 transforms against local proposal [1..4] of 4 local proposals Aug 26 13:24:03.001481: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:24:03.001482: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:24:03.001484: | length: 12 (0xc) Aug 26 13:24:03.001486: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:24:03.001487: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 13:24:03.001489: | *****parse IKEv2 Attribute Substructure Payload: Aug 26 13:24:03.001491: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:24:03.001493: | length/value: 256 (0x100) Aug 26 13:24:03.001496: | remote proposal 1 transform 0 (ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) transform 0 Aug 26 13:24:03.001498: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:24:03.001499: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:24:03.001501: | length: 8 (0x8) Aug 26 13:24:03.001503: | IKEv2 transform type: 
TRANS_TYPE_DH (0x4) Aug 26 13:24:03.001504: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:24:03.001507: | remote proposal 1 transform 1 (DH=MODP2048) matches local proposal 1 type 4 (DH) transform 0 Aug 26 13:24:03.001509: | remote proposal 1 transform 1 (DH=MODP2048) matches local proposal 2 type 4 (DH) transform 0 Aug 26 13:24:03.001511: | remote proposal 1 transform 1 (DH=MODP2048) matches local proposal 3 type 4 (DH) transform 0 Aug 26 13:24:03.001513: | remote proposal 1 transform 1 (DH=MODP2048) matches local proposal 4 type 4 (DH) transform 0 Aug 26 13:24:03.001515: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:24:03.001516: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:24:03.001518: | length: 8 (0x8) Aug 26 13:24:03.001520: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 13:24:03.001521: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 13:24:03.001527: | remote proposal 1 transform 2 (ESN=DISABLED) matches local proposal 1 type 5 (ESN) transform 0 Aug 26 13:24:03.001533: | remote proposal 1 transform 2 (ESN=DISABLED) matches local proposal 2 type 5 (ESN) transform 0 Aug 26 13:24:03.001536: | remote proposal 1 transform 2 (ESN=DISABLED) matches local proposal 3 type 5 (ESN) transform 0 Aug 26 13:24:03.001540: | remote proposal 1 transform 2 (ESN=DISABLED) matches local proposal 4 type 5 (ESN) transform 0 Aug 26 13:24:03.001546: | remote proposal 1 proposed transforms: ENCR+DH+ESN; matched: ENCR+DH+ESN; unmatched: none Aug 26 13:24:03.001550: | comparing remote proposal 1 containing ENCR+DH+ESN transforms to local proposal 1; required: ENCR+DH+ESN; optional: INTEG; matched: ENCR+DH+ESN Aug 26 13:24:03.001554: | remote proposal 1 matches local proposal 1 Aug 26 13:24:03.001557: | ***parse IKEv2 Proposal Substructure Payload: Aug 26 13:24:03.001560: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 13:24:03.001563: | length: 40 (0x28) Aug 26 13:24:03.001566: | prop #: 2 (0x2) Aug 26 13:24:03.001568: | proto ID: 
IKEv2_SEC_PROTO_ESP (0x3) Aug 26 13:24:03.001571: | spi size: 4 (0x4) Aug 26 13:24:03.001574: | # transforms: 3 (0x3) Aug 26 13:24:03.001577: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Aug 26 13:24:03.001580: | remote SPI 27 47 66 ad Aug 26 13:24:03.001583: | Comparing remote proposal 2 containing 3 transforms against local proposal [1..0] of 4 local proposals Aug 26 13:24:03.001587: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:24:03.001590: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:24:03.001593: | length: 12 (0xc) Aug 26 13:24:03.001618: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:24:03.001620: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 13:24:03.001622: | *****parse IKEv2 Attribute Substructure Payload: Aug 26 13:24:03.001624: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:24:03.001626: | length/value: 128 (0x80) Aug 26 13:24:03.001628: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:24:03.001630: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:24:03.001631: | length: 8 (0x8) Aug 26 13:24:03.001633: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:24:03.001635: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:24:03.001637: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:24:03.001639: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:24:03.001640: | length: 8 (0x8) Aug 26 13:24:03.001642: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 13:24:03.001644: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 13:24:03.001646: | remote proposal 2 proposed transforms: ENCR+DH+ESN; matched: none; unmatched: ENCR+DH+ESN Aug 26 13:24:03.001648: | remote proposal 2 does not match; unmatched remote transforms: ENCR+DH+ESN Aug 26 13:24:03.001651: | ***parse IKEv2 Proposal Substructure Payload: Aug 26 13:24:03.001654: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 13:24:03.001657: | length: 56 (0x38) Aug 26 13:24:03.001659: | prop #: 3 (0x3) Aug 
26 13:24:03.001662: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 13:24:03.001665: | spi size: 4 (0x4) Aug 26 13:24:03.001667: | # transforms: 5 (0x5) Aug 26 13:24:03.001671: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Aug 26 13:24:03.001674: | remote SPI 27 47 66 ad Aug 26 13:24:03.001677: | Comparing remote proposal 3 containing 5 transforms against local proposal [1..0] of 4 local proposals Aug 26 13:24:03.001680: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:24:03.001683: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:24:03.001686: | length: 12 (0xc) Aug 26 13:24:03.001688: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:24:03.001691: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 13:24:03.001694: | *****parse IKEv2 Attribute Substructure Payload: Aug 26 13:24:03.001697: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:24:03.001700: | length/value: 256 (0x100) Aug 26 13:24:03.001704: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:24:03.001707: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:24:03.001710: | length: 8 (0x8) Aug 26 13:24:03.001713: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:24:03.001716: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Aug 26 13:24:03.001719: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:24:03.001722: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:24:03.001739: | length: 8 (0x8) Aug 26 13:24:03.001742: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:24:03.001745: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Aug 26 13:24:03.001748: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:24:03.001750: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:24:03.001753: | length: 8 (0x8) Aug 26 13:24:03.001756: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:24:03.001758: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:24:03.001761: | ****parse IKEv2 Transform Substructure 
Payload: Aug 26 13:24:03.001763: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:24:03.001779: | length: 8 (0x8) Aug 26 13:24:03.001781: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 13:24:03.001784: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 13:24:03.001789: | remote proposal 3 proposed transforms: ENCR+INTEG+DH+ESN; matched: none; unmatched: ENCR+INTEG+DH+ESN Aug 26 13:24:03.001792: | remote proposal 3 does not match; unmatched remote transforms: ENCR+INTEG+DH+ESN Aug 26 13:24:03.001796: | ***parse IKEv2 Proposal Substructure Payload: Aug 26 13:24:03.001798: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 13:24:03.001801: | length: 56 (0x38) Aug 26 13:24:03.001803: | prop #: 4 (0x4) Aug 26 13:24:03.001806: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 13:24:03.001809: | spi size: 4 (0x4) Aug 26 13:24:03.001811: | # transforms: 5 (0x5) Aug 26 13:24:03.001814: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Aug 26 13:24:03.001817: | remote SPI 27 47 66 ad Aug 26 13:24:03.001820: | Comparing remote proposal 4 containing 5 transforms against local proposal [1..0] of 4 local proposals Aug 26 13:24:03.001823: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:24:03.001826: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:24:03.001828: | length: 12 (0xc) Aug 26 13:24:03.001830: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:24:03.001833: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 13:24:03.001835: | *****parse IKEv2 Attribute Substructure Payload: Aug 26 13:24:03.001838: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:24:03.001841: | length/value: 128 (0x80) Aug 26 13:24:03.001844: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:24:03.001846: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:24:03.001849: | length: 8 (0x8) Aug 26 13:24:03.001852: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:24:03.001854: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Aug 26 
13:24:03.001857: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:24:03.001860: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:24:03.001862: | length: 8 (0x8) Aug 26 13:24:03.001865: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:24:03.001867: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Aug 26 13:24:03.001870: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:24:03.001873: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:24:03.001875: | length: 8 (0x8) Aug 26 13:24:03.001878: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:24:03.001881: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:24:03.001883: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:24:03.001886: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:24:03.001888: | length: 8 (0x8) Aug 26 13:24:03.001891: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 13:24:03.001894: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 13:24:03.001897: | remote proposal 4 proposed transforms: ENCR+INTEG+DH+ESN; matched: none; unmatched: ENCR+INTEG+DH+ESN Aug 26 13:24:03.001900: | remote proposal 4 does not match; unmatched remote transforms: ENCR+INTEG+DH+ESN Aug 26 13:24:03.001906: "east" #1: proposal 1:ESP:SPI=274766ad;ENCR=AES_GCM_C_256;DH=MODP2048;ESN=DISABLED chosen from remote proposals 1:ESP:ENCR=AES_GCM_C_256;DH=MODP2048;ESN=DISABLED[first-match] 2:ESP:ENCR=AES_GCM_C_128;DH=MODP2048;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;ESN=DISABLED Aug 26 13:24:03.001926: | CREATE_CHILD_SA responder matching remote ESP/AH proposals ikev2_proposal: 1:ESP:SPI=274766ad;ENCR=AES_GCM_C_256;DH=MODP2048;ESN=DISABLED Aug 26 13:24:03.001929: | converting proposal to internal trans attrs Aug 26 13:24:03.001934: | updating #3's .st_oakley with preserved PRF, but why update? 
Aug 26 13:24:03.001937: | received v2N_REKEY_SA Aug 26 13:24:03.001940: | child state #3: V2_CREATE_R(established IKE SA) => V2_REKEY_CHILD_R(established IKE SA) Aug 26 13:24:03.001943: | CREATE_CHILD_SA IPsec SA rekey Protocol PROTO_v2_ESP Aug 26 13:24:03.001946: | parsing 4 raw bytes of IKEv2 Notify Payload into SPI Aug 26 13:24:03.001949: | SPI ba ca 5f 96 Aug 26 13:24:03.001952: | CREATE_CHILD_S to rekey IPsec SA(0xbaca5f96) Protocol PROTO_v2_ESP Aug 26 13:24:03.001955: | v2 CHILD SA #2 found using their inbound (our outbound) SPI, in STATE_V2_IPSEC_R Aug 26 13:24:03.001958: | State DB: found IKEv2 state #2 in V2_IPSEC_R (find_v2_child_sa_by_outbound_spi) Aug 26 13:24:03.001961: | #3 rekey request for "east" #2 TSi TSr Aug 26 13:24:03.001963: | printing contents struct traffic_selector Aug 26 13:24:03.001966: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Aug 26 13:24:03.001968: | ipprotoid: 0 Aug 26 13:24:03.001971: | port range: 0-65535 Aug 26 13:24:03.001975: | ip range: 192.0.2.0-192.0.2.255 Aug 26 13:24:03.001977: | printing contents struct traffic_selector Aug 26 13:24:03.001980: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Aug 26 13:24:03.001982: | ipprotoid: 0 Aug 26 13:24:03.001985: | port range: 0-65535 Aug 26 13:24:03.001988: | ip range: 192.0.1.0-192.0.1.255 Aug 26 13:24:03.001994: | adding Child Rekey Responder KE and nonce nr work-order 3 for state #3 Aug 26 13:24:03.001998: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x56376176fd28 Aug 26 13:24:03.002002: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #3 Aug 26 13:24:03.002005: | libevent_malloc: new ptr-libevent@0x7f6a10000f48 size 128 Aug 26 13:24:03.002016: | #3 spent 0.712 milliseconds in processing: Respond to CREATE_CHILD_SA IPsec SA Request in ikev2_process_state_packet() Aug 26 13:24:03.002021: | crypto helper 1 resuming Aug 26 13:24:03.002022: | suspend processing: state #1 connection "east" from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:24:03.002034: 
| crypto helper 1 starting work-order 3 for state #3 Aug 26 13:24:03.002037: | start processing: state #3 connection "east" from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:24:03.002038: | crypto helper 1 doing build KE and nonce (Child Rekey Responder KE and nonce nr); request ID 3 Aug 26 13:24:03.002044: | #3 complete_v2_state_transition() md.from_state=V2_CREATE_R md.svm.state[from]=V2_CREATE_R V2_REKEY_CHILD_R->V2_IPSEC_R with status STF_SUSPEND Aug 26 13:24:03.002047: | suspending state #3 and saving MD Aug 26 13:24:03.002050: | #3 is busy; has a suspended MD Aug 26 13:24:03.002054: | [RE]START processing: state #3 connection "east" from 192.1.2.45:500 (in log_stf_suspend() at ikev2.c:3269) Aug 26 13:24:03.002058: | "east" #3 complete v2 state STATE_V2_REKEY_CHILD_R transition with STF_SUSPEND suspended from complete_v2_state_transition:3451 Aug 26 13:24:03.002063: | stop processing: state #3 connection "east" from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:2018) Aug 26 13:24:03.002069: | #1 spent 1.17 milliseconds in ikev2_process_packet() Aug 26 13:24:03.002074: | stop processing: from 192.1.2.45:500 (in process_md() at demux.c:380) Aug 26 13:24:03.002078: | processing: STOP state #0 (in process_md() at demux.c:382) Aug 26 13:24:03.002081: | processing: STOP connection NULL (in process_md() at demux.c:383) Aug 26 13:24:03.002086: | spent 1.19 milliseconds in comm_handle_cb() reading and processing packet Aug 26 13:24:03.002971: | crypto helper 1 finished build KE and nonce (Child Rekey Responder KE and nonce nr); request ID 3 time elapsed 0.000931 seconds Aug 26 13:24:03.002984: | (#3) spent 0.939 milliseconds in crypto helper computing work-order 3: Child Rekey Responder KE and nonce nr (pcr) Aug 26 13:24:03.002988: | crypto helper 1 sending results from work-order 3 for state #3 to event queue Aug 26 13:24:03.002992: | scheduling resume sending helper answer for #3 Aug 26 13:24:03.002996: | libevent_malloc: new 
ptr-libevent@0x7f6a14002888 size 128 Aug 26 13:24:03.003000: | libevent_realloc: release ptr-libevent@0x563761746558 Aug 26 13:24:03.003003: | libevent_realloc: new ptr-libevent@0x7f6a140027d8 size 128 Aug 26 13:24:03.003010: | crypto helper 1 waiting (nothing to do) Aug 26 13:24:03.003017: | processing resume sending helper answer for #3 Aug 26 13:24:03.003023: | start processing: state #3 connection "east" from 192.1.2.45:500 (in resume_handler() at server.c:797) Aug 26 13:24:03.003026: | crypto helper 1 replies to request ID 3 Aug 26 13:24:03.003028: | calling continuation function 0x56375fad2b50 Aug 26 13:24:03.003030: | ikev2_child_inIoutR_continue for #3 STATE_V2_REKEY_CHILD_R Aug 26 13:24:03.003033: | adding DHv2 for child sa work-order 4 for state #3 Aug 26 13:24:03.003035: | state #3 requesting EVENT_CRYPTO_TIMEOUT to be deleted Aug 26 13:24:03.003037: | libevent_free: release ptr-libevent@0x7f6a10000f48 Aug 26 13:24:03.003039: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x56376176fd28 Aug 26 13:24:03.003041: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x56376176fd28 Aug 26 13:24:03.003044: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #3 Aug 26 13:24:03.003046: | libevent_malloc: new ptr-libevent@0x7f6a10000f48 size 128 Aug 26 13:24:03.003053: | [RE]START processing: state #3 connection "east" from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:24:03.003056: | crypto helper 2 resuming Aug 26 13:24:03.003058: | #3 complete_v2_state_transition() md.from_state=V2_CREATE_R md.svm.state[from]=V2_CREATE_R V2_REKEY_CHILD_R->V2_IPSEC_R with status STF_SUSPEND Aug 26 13:24:03.003066: | crypto helper 2 starting work-order 4 for state #3 Aug 26 13:24:03.003070: | suspending state #3 and saving MD Aug 26 13:24:03.003074: | crypto helper 2 doing crypto (DHv2 for child sa); request ID 4 Aug 26 13:24:03.003074: | #3 is busy; has a suspended MD Aug 26 13:24:03.003083: | [RE]START processing: state #3 connection 
"east" from 192.1.2.45:500 (in log_stf_suspend() at ikev2.c:3269) Aug 26 13:24:03.003086: | "east" #3 complete v2 state STATE_V2_REKEY_CHILD_R transition with STF_SUSPEND suspended from complete_v2_state_transition:3451 Aug 26 13:24:03.003090: | resume sending helper answer for #3 suppresed complete_v2_state_transition() and stole MD Aug 26 13:24:03.003096: | #3 spent 0.065 milliseconds in resume sending helper answer Aug 26 13:24:03.003101: | stop processing: state #3 connection "east" from 192.1.2.45:500 (in resume_handler() at server.c:833) Aug 26 13:24:03.003104: | libevent_free: release ptr-libevent@0x7f6a14002888 Aug 26 13:24:03.003636: | crypto helper 2 finished crypto (DHv2 for child sa); request ID 4 time elapsed 0.000562 seconds Aug 26 13:24:03.003644: | (#3) spent 0.567 milliseconds in crypto helper computing work-order 4: DHv2 for child sa (dh) Aug 26 13:24:03.003646: | crypto helper 2 sending results from work-order 4 for state #3 to event queue Aug 26 13:24:03.003648: | scheduling resume sending helper answer for #3 Aug 26 13:24:03.003650: | libevent_malloc: new ptr-libevent@0x7f6a08001f78 size 128 Aug 26 13:24:03.003656: | crypto helper 2 waiting (nothing to do) Aug 26 13:24:03.003660: | processing resume sending helper answer for #3 Aug 26 13:24:03.003665: | start processing: state #3 connection "east" from 192.1.2.45:500 (in resume_handler() at server.c:797) Aug 26 13:24:03.003668: | crypto helper 2 replies to request ID 4 Aug 26 13:24:03.003670: | calling continuation function 0x56375fad39d0 Aug 26 13:24:03.003672: | ikev2_child_inIoutR_continue_continue for #3 STATE_V2_REKEY_CHILD_R Aug 26 13:24:03.003695: | **emit ISAKMP Message: Aug 26 13:24:03.003697: | initiator cookie: Aug 26 13:24:03.003698: | be 09 7a a2 43 c3 23 61 Aug 26 13:24:03.003700: | responder cookie: Aug 26 13:24:03.003702: | 1a 03 8f 34 26 a1 74 69 Aug 26 13:24:03.003704: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 13:24:03.003706: | ISAKMP version: IKEv2 version 2.0 
(rfc4306/rfc5996) (0x20) Aug 26 13:24:03.003707: | exchange type: ISAKMP_v2_CREATE_CHILD_SA (0x24) Aug 26 13:24:03.003709: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Aug 26 13:24:03.003711: | Message ID: 2 (0x2) Aug 26 13:24:03.003713: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 13:24:03.003715: | ***emit IKEv2 Encryption Payload: Aug 26 13:24:03.003717: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:24:03.003718: | flags: none (0x0) Aug 26 13:24:03.003721: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Aug 26 13:24:03.003723: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'reply packet' Aug 26 13:24:03.003725: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Aug 26 13:24:03.003731: | #3 inherit spd, TSi TSr, from "east" #2 Aug 26 13:24:03.003733: | printing contents struct traffic_selector Aug 26 13:24:03.003735: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Aug 26 13:24:03.003736: | ipprotoid: 0 Aug 26 13:24:03.003738: | port range: 0-65535 Aug 26 13:24:03.003741: | ip range: 192.0.2.0-192.0.2.255 Aug 26 13:24:03.003742: | printing contents struct traffic_selector Aug 26 13:24:03.003744: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Aug 26 13:24:03.003745: | ipprotoid: 0 Aug 26 13:24:03.003747: | port range: 0-65535 Aug 26 13:24:03.003749: | ip range: 192.0.1.0-192.0.1.255 Aug 26 13:24:03.003763: | netlink_get_spi: allocated 0x128b59c6 for esp.0@192.1.2.23 Aug 26 13:24:03.003765: | Emitting ikev2_proposal ... 
Aug 26 13:24:03.003767: | ****emit IKEv2 Security Association Payload: Aug 26 13:24:03.003769: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:24:03.003771: | flags: none (0x0) Aug 26 13:24:03.003773: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Aug 26 13:24:03.003775: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Aug 26 13:24:03.003777: | *****emit IKEv2 Proposal Substructure Payload: Aug 26 13:24:03.003778: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 13:24:03.003780: | prop #: 1 (0x1) Aug 26 13:24:03.003782: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 13:24:03.003783: | spi size: 4 (0x4) Aug 26 13:24:03.003785: | # transforms: 3 (0x3) Aug 26 13:24:03.003787: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Aug 26 13:24:03.003790: | emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload Aug 26 13:24:03.003791: | our spi 12 8b 59 c6 Aug 26 13:24:03.003793: | ******emit IKEv2 Transform Substructure Payload: Aug 26 13:24:03.003795: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:24:03.003797: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:24:03.003798: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 13:24:03.003800: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:24:03.003802: | *******emit IKEv2 Attribute Substructure Payload: Aug 26 13:24:03.003804: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:24:03.003806: | length/value: 256 (0x100) Aug 26 13:24:03.003808: | emitting length of IKEv2 Transform Substructure Payload: 12 Aug 26 13:24:03.003810: | ******emit IKEv2 Transform Substructure Payload: Aug 26 13:24:03.003811: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 
13:24:03.003814: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:24:03.003816: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:24:03.003818: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:24:03.003820: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:24:03.003822: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:24:03.003824: | ******emit IKEv2 Transform Substructure Payload: Aug 26 13:24:03.003825: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:24:03.003827: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 13:24:03.003829: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 13:24:03.003831: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:24:03.003833: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:24:03.003834: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:24:03.003836: | emitting length of IKEv2 Proposal Substructure Payload: 40 Aug 26 13:24:03.003838: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Aug 26 13:24:03.003840: | emitting length of IKEv2 Security Association Payload: 44 Aug 26 13:24:03.003842: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Aug 26 13:24:03.003844: | ****emit IKEv2 Nonce Payload: Aug 26 13:24:03.003845: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:24:03.003847: | flags: none (0x0) Aug 26 13:24:03.003849: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next 
payload type' to current IKEv2 Nonce Payload (40:ISAKMP_NEXT_v2Ni) Aug 26 13:24:03.003851: | next payload chain: saving location 'IKEv2 Nonce Payload'.'next payload type' in 'reply packet' Aug 26 13:24:03.003853: | emitting 32 raw bytes of IKEv2 nonce into IKEv2 Nonce Payload Aug 26 13:24:03.003855: | IKEv2 nonce c2 42 8f 97 4e f8 d6 42 a5 91 f8 35 7b fa e7 db Aug 26 13:24:03.003857: | IKEv2 nonce 79 2c c0 78 e0 bf 94 05 a0 7b 3f 6b d5 78 53 f4 Aug 26 13:24:03.003858: | emitting length of IKEv2 Nonce Payload: 36 Aug 26 13:24:03.003860: | ****emit IKEv2 Key Exchange Payload: Aug 26 13:24:03.003862: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:24:03.003863: | flags: none (0x0) Aug 26 13:24:03.003865: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:24:03.003867: | next payload chain: setting previous 'IKEv2 Nonce Payload'.'next payload type' to current IKEv2 Key Exchange Payload (34:ISAKMP_NEXT_v2KE) Aug 26 13:24:03.003869: | next payload chain: saving location 'IKEv2 Key Exchange Payload'.'next payload type' in 'reply packet' Aug 26 13:24:03.003871: | emitting 256 raw bytes of ikev2 g^x into IKEv2 Key Exchange Payload
Aug 26 13:24:03.003900: | emitting length of IKEv2 Key Exchange Payload: 264 Aug 26 13:24:03.003902: | received REKEY_SA already proceesd Aug 26 13:24:03.003904: | ****emit IKEv2 Traffic Selector - Initiator - Payload: Aug 26 13:24:03.003905: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:24:03.003907: | flags: none (0x0) Aug 26 13:24:03.003908: | number of TS: 1 (0x1) Aug 26 13:24:03.003911: | next payload chain: setting previous 'IKEv2 Key Exchange Payload'.'next payload type' to current IKEv2 Traffic Selector - Initiator - Payload (44:ISAKMP_NEXT_v2TSi) Aug 26 13:24:03.003913: | next payload chain: saving location 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' in 'reply packet' Aug 26 13:24:03.003914: | *****emit IKEv2 Traffic Selector: Aug 26 13:24:03.003916: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 13:24:03.003918: | IP Protocol ID: 0 (0x0) Aug 26 13:24:03.003920: | start port: 0 (0x0) Aug 26 13:24:03.003921: | end port: 65535 (0xffff) Aug 26 13:24:03.003923: | emitting 4 raw bytes of ipv4 start into IKEv2 Traffic Selector Aug 26 13:24:03.003925: | ipv4 start c0 00 01 00 Aug 26 13:24:03.003927: | emitting 4 raw bytes of ipv4 end into IKEv2 Traffic Selector Aug 26 13:24:03.003928: | ipv4 end c0 00 01 ff Aug 26 13:24:03.003930: | emitting length of IKEv2 Traffic Selector: 16 Aug 26 13:24:03.003932: | emitting length of IKEv2 Traffic Selector - Initiator - Payload: 24 Aug 26 13:24:03.003933: | ****emit IKEv2 Traffic Selector - Responder - 
Payload: Aug 26 13:24:03.003935: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:24:03.003937: | flags: none (0x0) Aug 26 13:24:03.003938: | number of TS: 1 (0x1) Aug 26 13:24:03.003940: | next payload chain: setting previous 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' to current IKEv2 Traffic Selector - Responder - Payload (45:ISAKMP_NEXT_v2TSr) Aug 26 13:24:03.003942: | next payload chain: saving location 'IKEv2 Traffic Selector - Responder - Payload'.'next payload type' in 'reply packet' Aug 26 13:24:03.003944: | *****emit IKEv2 Traffic Selector: Aug 26 13:24:03.003946: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 13:24:03.003947: | IP Protocol ID: 0 (0x0) Aug 26 13:24:03.003949: | start port: 0 (0x0) Aug 26 13:24:03.003950: | end port: 65535 (0xffff) Aug 26 13:24:03.003952: | emitting 4 raw bytes of ipv4 start into IKEv2 Traffic Selector Aug 26 13:24:03.003954: | ipv4 start c0 00 02 00 Aug 26 13:24:03.003956: | emitting 4 raw bytes of ipv4 end into IKEv2 Traffic Selector Aug 26 13:24:03.003957: | ipv4 end c0 00 02 ff Aug 26 13:24:03.003959: | emitting length of IKEv2 Traffic Selector: 16 Aug 26 13:24:03.003961: | emitting length of IKEv2 Traffic Selector - Responder - Payload: 24 Aug 26 13:24:03.003963: | Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED Aug 26 13:24:03.003965: | integ=none: .key_size=0 encrypt=aes_gcm_16: .key_size=32 .salt_size=4 keymat_len=36 Aug 26 13:24:03.004085: | install_ipsec_sa() for #3: inbound and outbound Aug 26 13:24:03.004089: | could_route called for east (kind=CK_PERMANENT) Aug 26 13:24:03.004091: | FOR_EACH_CONNECTION_... 
in route_owner Aug 26 13:24:03.004093: | conn east mark 0/00000000, 0/00000000 vs Aug 26 13:24:03.004095: | conn east mark 0/00000000, 0/00000000 Aug 26 13:24:03.004098: | route owner of "east" erouted: self; eroute owner: self Aug 26 13:24:03.004100: | looking for alg with encrypt: AES_GCM_16 keylen: 256 integ: NONE Aug 26 13:24:03.004103: | encrypt AES_GCM_16 keylen=256 transid=20, key_size=32, encryptalg=20 Aug 26 13:24:03.004106: | AES_GCM_16 requires 4 salt bytes Aug 26 13:24:03.004108: | st->st_esp.keymat_len=36 is encrypt_keymat_size=36 + integ_keymat_size=0 Aug 26 13:24:03.004111: | setting IPsec SA replay-window to 32 Aug 26 13:24:03.004113: | NIC esp-hw-offload not for connection 'east' not available on interface eth1 Aug 26 13:24:03.004115: | netlink: enabling tunnel mode Aug 26 13:24:03.004117: | netlink: setting IPsec SA replay-window to 32 using old-style req Aug 26 13:24:03.004119: | netlink: esp-hw-offload not set for IPsec SA Aug 26 13:24:03.004173: | netlink response for Add SA esp.274766ad@192.1.2.45 included non-error error Aug 26 13:24:03.004190: | set up outgoing SA, ref=0/0 Aug 26 13:24:03.004193: | looking for alg with encrypt: AES_GCM_16 keylen: 256 integ: NONE Aug 26 13:24:03.004195: | encrypt AES_GCM_16 keylen=256 transid=20, key_size=32, encryptalg=20 Aug 26 13:24:03.004196: | AES_GCM_16 requires 4 salt bytes Aug 26 13:24:03.004198: | st->st_esp.keymat_len=36 is encrypt_keymat_size=36 + integ_keymat_size=0 Aug 26 13:24:03.004201: | setting IPsec SA replay-window to 32 Aug 26 13:24:03.004203: | NIC esp-hw-offload not for connection 'east' not available on interface eth1 Aug 26 13:24:03.004204: | netlink: enabling tunnel mode Aug 26 13:24:03.004206: | netlink: setting IPsec SA replay-window to 32 using old-style req Aug 26 13:24:03.004208: | netlink: esp-hw-offload not set for IPsec SA Aug 26 13:24:03.004233: | netlink response for Add SA esp.128b59c6@192.1.2.23 included non-error error Aug 26 13:24:03.004236: | set up incoming SA, ref=0/0 
Aug 26 13:24:03.004238: | sr for #3: erouted Aug 26 13:24:03.004240: | route_and_eroute() for proto 0, and source port 0 dest port 0 Aug 26 13:24:03.004242: | FOR_EACH_CONNECTION_... in route_owner Aug 26 13:24:03.004244: | conn east mark 0/00000000, 0/00000000 vs Aug 26 13:24:03.004246: | conn east mark 0/00000000, 0/00000000 Aug 26 13:24:03.004248: | route owner of "east" erouted: self; eroute owner: self Aug 26 13:24:03.004250: | route_and_eroute with c: east (next: none) ero:east esr:{(nil)} ro:east rosr:{(nil)} and state: #3 Aug 26 13:24:03.004253: | priority calculation of connection "east" is 0xfe7e7 Aug 26 13:24:03.004258: | eroute_connection replace eroute 192.0.2.0/24:0 --0-> 192.0.1.0/24:0 => tun.0@192.1.2.45>tun.0@192.1.2.45 (raw_eroute) Aug 26 13:24:03.004261: | IPsec Sa SPD priority set to 1042407 Aug 26 13:24:03.004273: | raw_eroute result=success Aug 26 13:24:03.004275: | route_and_eroute: firewall_notified: true Aug 26 13:24:03.004278: | route_and_eroute: instance "east", setting eroute_owner {spd=0x563761764728,sr=0x563761764728} to #3 (was #2) (newest_ipsec_sa=#2) Aug 26 13:24:03.004348: | #1 spent 0.238 milliseconds in install_ipsec_sa() Aug 26 13:24:03.004369: | ISAKMP_v2_CREATE_CHILD_SA: instance east[0], setting IKEv2 newest_ipsec_sa to #3 (was #2) (spd.eroute=#3) cloned from #1 Aug 26 13:24:03.004387: | adding 1 bytes of padding (including 1 byte padding-length) Aug 26 13:24:03.004391: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:24:03.004395: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Aug 26 13:24:03.004398: | emitting length of IKEv2 Encryption Payload: 421 Aug 26 13:24:03.004401: | emitting length of ISAKMP Message: 449 Aug 26 13:24:03.004418: "east" #3: negotiated new IPsec SA [192.0.2.0-192.0.2.255:0-65535 0] -> [192.0.1.0-192.0.1.255:0-65535 0] Aug 26 13:24:03.004426: | [RE]START processing: state #3 connection "east" from 192.1.2.45:500 (in 
complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:24:03.004443: | #3 complete_v2_state_transition() md.from_state=V2_CREATE_R md.svm.state[from]=V2_CREATE_R V2_REKEY_CHILD_R->V2_IPSEC_R with status STF_OK Aug 26 13:24:03.004447: | IKEv2: transition from state STATE_V2_CREATE_R to state STATE_V2_IPSEC_R Aug 26 13:24:03.004450: | child state #3: V2_REKEY_CHILD_R(established IKE SA) => V2_IPSEC_R(established CHILD SA) Aug 26 13:24:03.004454: | Message ID: updating counters for #3 to 2 after switching state Aug 26 13:24:03.004464: | Message ID: recv #1.#3 request 2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1->2; child: wip.initiator=-1 wip.responder=2->-1 Aug 26 13:24:03.004469: | Message ID: sent #1.#3 response 2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=1->2 responder.recv=2; child: wip.initiator=-1 wip.responder=-1 Aug 26 13:24:03.004472: | pstats #3 ikev2.child established Aug 26 13:24:03.004479: "east" #3: negotiated connection [192.0.2.0-192.0.2.255:0-65535 0] -> [192.0.1.0-192.0.1.255:0-65535 0] Aug 26 13:24:03.004483: | NAT-T: encaps is 'auto' Aug 26 13:24:03.004488: "east" #3: STATE_V2_IPSEC_R: IPsec SA established tunnel mode {ESP=>0x274766ad <0x128b59c6 xfrm=AES_GCM_16_256-NONE-MODP2048 NATOA=none NATD=none DPD=passive} Aug 26 13:24:03.004493: | sending V2 new request packet to 192.1.2.45:500 (from 192.1.2.23:500) Aug 26 13:24:03.004500: | sending 449 bytes for STATE_V2_CREATE_R through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #1)
Aug 26 13:24:03.004608: | releasing whack for #3 (sock=fd@-1) Aug 26 13:24:03.004612: | releasing whack and unpending for parent #1 Aug 26 13:24:03.004615: | unpending state #1 connection "east" Aug 26 13:24:03.004620: | #3 will start re-keying in 28530 seconds with margin of 270 seconds (attempting re-key) Aug 26 13:24:03.004623: | state #3 requesting 
EVENT_CRYPTO_TIMEOUT to be deleted Aug 26 13:24:03.004627: | libevent_free: release ptr-libevent@0x7f6a10000f48 Aug 26 13:24:03.004630: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x56376176fd28 Aug 26 13:24:03.004634: | event_schedule: new EVENT_SA_REKEY-pe@0x56376176fd28 Aug 26 13:24:03.004637: | inserting event EVENT_SA_REKEY, timeout in 28530 seconds for #3 Aug 26 13:24:03.004641: | libevent_malloc: new ptr-libevent@0x7f6a14002888 size 128 Aug 26 13:24:03.004649: | #3 spent 0.939 milliseconds in resume sending helper answer Aug 26 13:24:03.004655: | stop processing: state #3 connection "east" from 192.1.2.45:500 (in resume_handler() at server.c:833) Aug 26 13:24:03.004658: | libevent_free: release ptr-libevent@0x7f6a08001f78 Aug 26 13:24:04.007704: | spent 0.00292 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Aug 26 13:24:04.007727: | *received 69 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500) Aug 26 13:24:04.007730: | be 09 7a a2 43 c3 23 61 1a 03 8f 34 26 a1 74 69 Aug 26 13:24:04.007732: | 2e 20 25 08 00 00 00 03 00 00 00 45 2a 00 00 29 Aug 26 13:24:04.007734: | 93 25 d8 36 40 df 61 25 59 0f 91 26 c8 70 0c 22 Aug 26 13:24:04.007736: | 20 78 b1 79 1a 82 65 ce 64 3f 43 e3 5e 2f 1d f3 Aug 26 13:24:04.007738: | f1 28 e9 61 79 Aug 26 13:24:04.007744: | start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) Aug 26 13:24:04.007752: | **parse ISAKMP Message: Aug 26 13:24:04.007756: | initiator cookie: Aug 26 13:24:04.007759: | be 09 7a a2 43 c3 23 61 Aug 26 13:24:04.007763: | responder cookie: Aug 26 13:24:04.007766: | 1a 03 8f 34 26 a1 74 69 Aug 26 13:24:04.007770: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Aug 26 13:24:04.007774: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:24:04.007778: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Aug 26 13:24:04.007782: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Aug 26 13:24:04.007785: | Message ID: 3 (0x3) Aug 26 13:24:04.007789: | length: 69 (0x45) 
Aug 26 13:24:04.007794: | processing version=2.0 packet with exchange type=ISAKMP_v2_INFORMATIONAL (37) Aug 26 13:24:04.007798: | I am the IKE SA Original Responder receiving an IKEv2 INFORMATIONAL request Aug 26 13:24:04.007805: | State DB: found IKEv2 state #1 in PARENT_R2 (find_v2_ike_sa) Aug 26 13:24:04.007815: | start processing: state #1 connection "east" from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:2016) Aug 26 13:24:04.007820: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Aug 26 13:24:04.007828: | [RE]START processing: state #1 connection "east" from 192.1.2.45:500 (in ike_process_packet() at ikev2.c:2064) Aug 26 13:24:04.007832: | #1 st.st_msgid_lastrecv 2 md.hdr.isa_msgid 00000003 Aug 26 13:24:04.007840: | Message ID: #1 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=2 responder.recv=2 Aug 26 13:24:04.007844: | unpacking clear payload Aug 26 13:24:04.007848: | Now let's proceed with payload (ISAKMP_NEXT_v2SK) Aug 26 13:24:04.007852: | ***parse IKEv2 Encryption Payload: Aug 26 13:24:04.007857: | next payload type: ISAKMP_NEXT_v2D (0x2a) Aug 26 13:24:04.007861: | flags: none (0x0) Aug 26 13:24:04.007864: | length: 41 (0x29) Aug 26 13:24:04.007867: | processing payload: ISAKMP_NEXT_v2SK (len=37) Aug 26 13:24:04.007871: | Message ID: start-responder #1 request 3; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=2 responder.recv=2 wip.initiator=-1 wip.responder=-1->3 Aug 26 13:24:04.007873: | #1 in state PARENT_R2: received v2I2, PARENT SA established Aug 26 13:24:04.007887: | #1 ikev2 ISAKMP_v2_INFORMATIONAL decrypt success Aug 26 13:24:04.007889: | Now let's proceed with payload (ISAKMP_NEXT_v2D) Aug 26 13:24:04.007892: | **parse IKEv2 Delete Payload: Aug 26 13:24:04.007894: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:24:04.007896: | flags: none (0x0) Aug 26 13:24:04.007898: | length: 12 (0xc) Aug 26 13:24:04.007900: | protocol ID: PROTO_v2_ESP (0x3) Aug 26 
13:24:04.007902: | SPI size: 4 (0x4) Aug 26 13:24:04.007904: | number of SPIs: 1 (0x1) Aug 26 13:24:04.007906: | processing payload: ISAKMP_NEXT_v2D (len=4) Aug 26 13:24:04.007908: | selected state microcode R2: process INFORMATIONAL Request Aug 26 13:24:04.007910: | Now let's proceed with state specific processing Aug 26 13:24:04.007912: | calling processor R2: process INFORMATIONAL Request Aug 26 13:24:04.007916: | an informational request should send a response Aug 26 13:24:04.007921: | Received an INFORMATIONAL response, updating st_last_liveness, no pending_liveness Aug 26 13:24:04.007926: | **emit ISAKMP Message: Aug 26 13:24:04.007929: | initiator cookie: Aug 26 13:24:04.007931: | be 09 7a a2 43 c3 23 61 Aug 26 13:24:04.007933: | responder cookie: Aug 26 13:24:04.007934: | 1a 03 8f 34 26 a1 74 69 Aug 26 13:24:04.007936: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 13:24:04.007939: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:24:04.007941: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Aug 26 13:24:04.007943: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Aug 26 13:24:04.007945: | Message ID: 3 (0x3) Aug 26 13:24:04.007947: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 13:24:04.007949: | ***emit IKEv2 Encryption Payload: Aug 26 13:24:04.007951: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:24:04.007953: | flags: none (0x0) Aug 26 13:24:04.007956: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Aug 26 13:24:04.007958: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'information exchange reply packet' Aug 26 13:24:04.007961: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Aug 26 13:24:04.007966: | parsing 4 raw bytes of IKEv2 Delete Payload into SPI Aug 26 13:24:04.007968: | SPI ba ca 5f 96 Aug 26 13:24:04.007971: | delete PROTO_v2_ESP 
SA(0xbaca5f96) Aug 26 13:24:04.007973: | v2 CHILD SA #2 found using their inbound (our outbound) SPI, in STATE_V2_IPSEC_R Aug 26 13:24:04.007976: | State DB: found IKEv2 state #2 in V2_IPSEC_R (find_v2_child_sa_by_outbound_spi) Aug 26 13:24:04.007978: | our side SPI that needs to be deleted: PROTO_v2_ESP SA(0xbaca5f96) Aug 26 13:24:04.007981: "east" #1: received Delete SA payload: delete IPsec State #2 now Aug 26 13:24:04.007983: | pstats #2 ikev2.child deleted completed Aug 26 13:24:04.007987: | suspend processing: state #1 connection "east" from 192.1.2.45:500 (in delete_state() at state.c:879) Aug 26 13:24:04.007991: | start processing: state #2 connection "east" from 192.1.2.45:500 (in delete_state() at state.c:879) Aug 26 13:24:04.007994: "east" #2: deleting other state #2 (STATE_V2_IPSEC_R) aged 21.036s and NOT sending notification Aug 26 13:24:04.007996: | child state #2: V2_IPSEC_R(established CHILD SA) => delete Aug 26 13:24:04.008000: | get_sa_info esp.baca5f96@192.1.2.45 Aug 26 13:24:04.008013: | get_sa_info esp.2fe6533b@192.1.2.23 Aug 26 13:24:04.008020: "east" #2: ESP traffic information: in=1KB out=1KB Aug 26 13:24:04.008023: | child state #2: V2_IPSEC_R(established CHILD SA) => CHILDSA_DEL(informational) Aug 26 13:24:04.008025: | state #2 requesting EVENT_SA_REKEY to be deleted Aug 26 13:24:04.008028: | libevent_free: release ptr-libevent@0x56376176c228 Aug 26 13:24:04.008031: | free_event_entry: release EVENT_SA_REKEY-pe@0x7f6a18002b78 Aug 26 13:24:04.008076: | delete esp.baca5f96@192.1.2.45 Aug 26 13:24:04.008098: | netlink response for Del SA esp.baca5f96@192.1.2.45 included non-error error Aug 26 13:24:04.008105: | delete esp.2fe6533b@192.1.2.23 Aug 26 13:24:04.008120: | netlink response for Del SA esp.2fe6533b@192.1.2.23 included non-error error Aug 26 13:24:04.008126: | in connection_discard for connection east Aug 26 13:24:04.008130: | State DB: deleting IKEv2 state #2 in CHILDSA_DEL Aug 26 13:24:04.008136: | child state #2: 
CHILDSA_DEL(informational) => UNDEFINED(ignore) Aug 26 13:24:04.008146: | stop processing: state #2 from 192.1.2.45:500 (in delete_state() at state.c:1143) Aug 26 13:24:04.008151: | resume processing: state #1 connection "east" from 192.1.2.45:500 (in delete_state() at state.c:1143) Aug 26 13:24:04.008156: | ****emit IKEv2 Delete Payload: Aug 26 13:24:04.008158: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:24:04.008160: | flags: none (0x0) Aug 26 13:24:04.008162: | protocol ID: PROTO_v2_ESP (0x3) Aug 26 13:24:04.008164: | SPI size: 4 (0x4) Aug 26 13:24:04.008168: | number of SPIs: 1 (0x1) Aug 26 13:24:04.008171: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) Aug 26 13:24:04.008173: | next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'information exchange reply packet' Aug 26 13:24:04.008176: | emitting 4 raw bytes of local SPIs into IKEv2 Delete Payload Aug 26 13:24:04.008178: | local SPIs 2f e6 53 3b Aug 26 13:24:04.008180: | emitting length of IKEv2 Delete Payload: 12 Aug 26 13:24:04.008182: | adding 1 bytes of padding (including 1 byte padding-length) Aug 26 13:24:04.008185: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:24:04.008187: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Aug 26 13:24:04.008189: | emitting length of IKEv2 Encryption Payload: 41 Aug 26 13:24:04.008191: | emitting length of ISAKMP Message: 69 Aug 26 13:24:04.008203: | sending 69 bytes for reply packet for process_encrypted_informational_ikev2 through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #1) Aug 26 13:24:04.008205: | be 09 7a a2 43 c3 23 61 1a 03 8f 34 26 a1 74 69 Aug 26 13:24:04.008207: | 2e 20 25 20 00 00 00 03 00 00 00 45 2a 00 00 29 Aug 26 13:24:04.008209: | f6 a5 33 b4 49 3f d1 b8 a6 03 3f ac 5b 93 16 23 Aug 26 13:24:04.008211: | 26 54 57 b4 a7 71 de 53 
03 e3 a3 42 ae 60 87 84 Aug 26 13:24:04.008213: | c9 8c 00 86 7c Aug 26 13:24:04.008240: | Message ID: #1 XXX: in process_encrypted_informational_ikev2() hacking around record'n'send bypassing send queue hacking around delete_my_family(); initiator.sent=-1 initiator.recv=-1 responder.sent=2 responder.recv=2 wip.initiator=-1 wip.responder=3 Aug 26 13:24:04.008245: | Message ID: sent #1 response 3; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=2->3 responder.recv=2 wip.initiator=-1 wip.responder=3 Aug 26 13:24:04.008250: | #1 spent 0.318 milliseconds in processing: R2: process INFORMATIONAL Request in ikev2_process_state_packet() Aug 26 13:24:04.008254: | [RE]START processing: state #1 connection "east" from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:24:04.008257: | #1 complete_v2_state_transition() PARENT_R2->PARENT_R2 with status STF_OK Aug 26 13:24:04.008260: | Message ID: updating counters for #1 to 3 after switching state Aug 26 13:24:04.008263: | Message ID: recv #1 request 3; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=3 responder.recv=2->3 wip.initiator=-1 wip.responder=3->-1 Aug 26 13:24:04.008266: | Message ID: #1 skipping update_send as nothing to send; initiator.sent=-1 initiator.recv=-1 responder.sent=3 responder.recv=3 wip.initiator=-1 wip.responder=-1 Aug 26 13:24:04.008269: "east" #1: STATE_PARENT_R2: received v2I2, PARENT SA established Aug 26 13:24:04.008272: | stop processing: state #1 connection "east" from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:2018) Aug 26 13:24:04.008276: | #1 spent 0.543 milliseconds in ikev2_process_packet() Aug 26 13:24:04.008279: | stop processing: from 192.1.2.45:500 (in process_md() at demux.c:380) Aug 26 13:24:04.008282: | processing: STOP state #0 (in process_md() at demux.c:382) Aug 26 13:24:04.008284: | processing: STOP connection NULL (in process_md() at demux.c:383) Aug 26 13:24:04.008287: | spent 0.555 milliseconds in comm_handle_cb() reading and 
processing packet Aug 26 13:24:21.662361: | processing global timer EVENT_SHUNT_SCAN Aug 26 13:24:21.662381: | expiring aged bare shunts from shunt table Aug 26 13:24:21.662387: | spent 0.00434 milliseconds in global timer EVENT_SHUNT_SCAN Aug 26 13:24:23.008616: | spent 0.00504 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Aug 26 13:24:23.008659: | *received 661 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500)
Aug 26 13:24:23.008848: | start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) Aug 26 13:24:23.008854: | **parse ISAKMP Message: Aug 26 13:24:23.008859: | initiator cookie: Aug 26 13:24:23.008862: | be 09 7a a2 43 c3 23 61 Aug 26 13:24:23.008866: | responder cookie: Aug 26 13:24:23.008870: | 1a 03 8f 34 26 a1 74 69 Aug 26 13:24:23.008874: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Aug 26 13:24:23.008878: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) 
(0x20) Aug 26 13:24:23.008882: | exchange type: ISAKMP_v2_CREATE_CHILD_SA (0x24) Aug 26 13:24:23.008886: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Aug 26 13:24:23.008890: | Message ID: 4 (0x4) Aug 26 13:24:23.008894: | length: 661 (0x295) Aug 26 13:24:23.008899: | processing version=2.0 packet with exchange type=ISAKMP_v2_CREATE_CHILD_SA (36) Aug 26 13:24:23.008904: | I am the IKE SA Original Responder receiving an IKEv2 CREATE_CHILD_SA request Aug 26 13:24:23.008910: | State DB: found IKEv2 state #1 in PARENT_R2 (find_v2_ike_sa) Aug 26 13:24:23.008922: | start processing: state #1 connection "east" from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:2016) Aug 26 13:24:23.008927: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Aug 26 13:24:23.008933: | [RE]START processing: state #1 connection "east" from 192.1.2.45:500 (in ike_process_packet() at ikev2.c:2064) Aug 26 13:24:23.008938: | #1 st.st_msgid_lastrecv 3 md.hdr.isa_msgid 00000004 Aug 26 13:24:23.008944: | Message ID: #1 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=3 responder.recv=3 Aug 26 13:24:23.008948: | unpacking clear payload Aug 26 13:24:23.008952: | Now let's proceed with payload (ISAKMP_NEXT_v2SK) Aug 26 13:24:23.008956: | ***parse IKEv2 Encryption Payload: Aug 26 13:24:23.008960: | next payload type: ISAKMP_NEXT_v2SA (0x21) Aug 26 13:24:23.008964: | flags: none (0x0) Aug 26 13:24:23.008968: | length: 633 (0x279) Aug 26 13:24:23.008972: | processing payload: ISAKMP_NEXT_v2SK (len=629) Aug 26 13:24:23.008979: | Message ID: start-responder #1 request 4; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=3 responder.recv=3 wip.initiator=-1 wip.responder=-1->4 Aug 26 13:24:23.008983: | #1 in state PARENT_R2: received v2I2, PARENT SA established Aug 26 13:24:23.009006: | #1 ikev2 ISAKMP_v2_CREATE_CHILD_SA decrypt success Aug 26 13:24:23.009011: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Aug 26 13:24:23.009015: | **parse IKEv2 
Security Association Payload: Aug 26 13:24:23.009019: | next payload type: ISAKMP_NEXT_v2Ni (0x28) Aug 26 13:24:23.009023: | flags: none (0x0) Aug 26 13:24:23.009026: | length: 196 (0xc4) Aug 26 13:24:23.009030: | processing payload: ISAKMP_NEXT_v2SA (len=192) Aug 26 13:24:23.009034: | Now let's proceed with payload (ISAKMP_NEXT_v2Ni) Aug 26 13:24:23.009037: | **parse IKEv2 Nonce Payload: Aug 26 13:24:23.009041: | next payload type: ISAKMP_NEXT_v2KE (0x22) Aug 26 13:24:23.009045: | flags: none (0x0) Aug 26 13:24:23.009048: | length: 36 (0x24) Aug 26 13:24:23.009052: | processing payload: ISAKMP_NEXT_v2Ni (len=32) Aug 26 13:24:23.009056: | Now let's proceed with payload (ISAKMP_NEXT_v2KE) Aug 26 13:24:23.009060: | **parse IKEv2 Key Exchange Payload: Aug 26 13:24:23.009064: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 13:24:23.009067: | flags: none (0x0) Aug 26 13:24:23.009071: | length: 264 (0x108) Aug 26 13:24:23.009075: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:24:23.009078: | processing payload: ISAKMP_NEXT_v2KE (len=256) Aug 26 13:24:23.009082: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Aug 26 13:24:23.009086: | **parse IKEv2 Notify Payload: Aug 26 13:24:23.009090: | next payload type: ISAKMP_NEXT_v2TSi (0x2c) Aug 26 13:24:23.009093: | flags: none (0x0) Aug 26 13:24:23.009097: | length: 12 (0xc) Aug 26 13:24:23.009101: | Protocol ID: PROTO_v2_ESP (0x3) Aug 26 13:24:23.009104: | SPI size: 4 (0x4) Aug 26 13:24:23.009108: | Notify Message Type: v2N_REKEY_SA (0x4009) Aug 26 13:24:23.009112: | processing payload: ISAKMP_NEXT_v2N (len=4) Aug 26 13:24:23.009116: | Now let's proceed with payload (ISAKMP_NEXT_v2TSi) Aug 26 13:24:23.009120: | **parse IKEv2 Traffic Selector - Initiator - Payload: Aug 26 13:24:23.009123: | next payload type: ISAKMP_NEXT_v2TSr (0x2d) Aug 26 13:24:23.009127: | flags: none (0x0) Aug 26 13:24:23.009131: | length: 48 (0x30) Aug 26 13:24:23.009134: | number of TS: 1 (0x1) Aug 26 13:24:23.009138: | processing payload: 
ISAKMP_NEXT_v2TSi (len=40) Aug 26 13:24:23.009142: | Now let's proceed with payload (ISAKMP_NEXT_v2TSr) Aug 26 13:24:23.009145: | **parse IKEv2 Traffic Selector - Responder - Payload: Aug 26 13:24:23.009149: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:24:23.009153: | flags: none (0x0) Aug 26 13:24:23.009156: | length: 48 (0x30) Aug 26 13:24:23.009160: | number of TS: 1 (0x1) Aug 26 13:24:23.009163: | processing payload: ISAKMP_NEXT_v2TSr (len=40) Aug 26 13:24:23.009169: | state #1 forced to match CREATE_CHILD_SA from V2_CREATE_R->V2_IPSEC_R by ignoring from state Aug 26 13:24:23.009175: | selected state microcode Respond to CREATE_CHILD_SA IPsec SA Request Aug 26 13:24:23.009183: | #1 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2669) Aug 26 13:24:23.009191: | creating state object #4 at 0x56376176c228 Aug 26 13:24:23.009195: | State DB: adding IKEv2 state #4 in UNDEFINED Aug 26 13:24:23.009200: | pstats #4 ikev2.child started Aug 26 13:24:23.009204: | duplicating state object #1 "east" as #4 for IPSEC SA Aug 26 13:24:23.009211: | #4 setting local endpoint to 192.1.2.23:500 from #1.st_localport (in duplicate_state() at state.c:1484) Aug 26 13:24:23.009220: | Message ID: init_child #1.#4; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=3 responder.recv=3; child: wip.initiator=0->-1 wip.responder=0->-1 Aug 26 13:24:23.009225: | child state #4: UNDEFINED(ignore) => V2_CREATE_R(established IKE SA) Aug 26 13:24:23.009232: | "east" #1 received Child SA Request CREATE_CHILD_SA from 192.1.2.45:500 Child "east" #4 in STATE_V2_CREATE_R will process it further Aug 26 13:24:23.009238: | Message ID: switch-from #1 request 4; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=3 responder.recv=3 wip.initiator=-1 wip.responder=4->-1 Aug 26 13:24:23.009245: | Message ID: switch-to #1.#4 request 4; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=3 responder.recv=3; child: 
wip.initiator=-1 wip.responder=-1->4 Aug 26 13:24:23.009249: | forcing ST #1 to CHILD #1.#4 in FSM processor Aug 26 13:24:23.009252: | Now let's proceed with state specific processing Aug 26 13:24:23.009256: | calling processor Respond to CREATE_CHILD_SA IPsec SA Request Aug 26 13:24:23.009274: | using existing local ESP/AH proposals for east (CREATE_CHILD_SA responder matching remote ESP/AH proposals): 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;DH=MODP2048;ESN=DISABLED 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;DH=MODP2048;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048;ESN=DISABLED Aug 26 13:24:23.009279: | Comparing remote proposals against CREATE_CHILD_SA responder matching remote ESP/AH proposals 4 local proposals Aug 26 13:24:23.009284: | local proposal 1 type ENCR has 1 transforms Aug 26 13:24:23.009294: | local proposal 1 type PRF has 0 transforms Aug 26 13:24:23.009298: | local proposal 1 type INTEG has 1 transforms Aug 26 13:24:23.009302: | local proposal 1 type DH has 1 transforms Aug 26 13:24:23.009306: | local proposal 1 type ESN has 1 transforms Aug 26 13:24:23.009311: | local proposal 1 transforms: required: ENCR+DH+ESN; optional: INTEG Aug 26 13:24:23.009315: | local proposal 2 type ENCR has 1 transforms Aug 26 13:24:23.009319: | local proposal 2 type PRF has 0 transforms Aug 26 13:24:23.009322: | local proposal 2 type INTEG has 1 transforms Aug 26 13:24:23.009326: | local proposal 2 type DH has 1 transforms Aug 26 13:24:23.009330: | local proposal 2 type ESN has 1 transforms Aug 26 13:24:23.009338: | local proposal 2 transforms: required: ENCR+DH+ESN; optional: INTEG Aug 26 13:24:23.009342: | local proposal 3 type ENCR has 1 transforms Aug 26 13:24:23.009346: | local proposal 3 type PRF has 0 transforms Aug 26 13:24:23.009350: | local proposal 3 type INTEG has 2 transforms Aug 26 13:24:23.009353: | local proposal 3 type DH has 1 
transforms Aug 26 13:24:23.009357: | local proposal 3 type ESN has 1 transforms Aug 26 13:24:23.009361: | local proposal 3 transforms: required: ENCR+INTEG+DH+ESN; optional: none Aug 26 13:24:23.009365: | local proposal 4 type ENCR has 1 transforms Aug 26 13:24:23.009369: | local proposal 4 type PRF has 0 transforms Aug 26 13:24:23.009373: | local proposal 4 type INTEG has 2 transforms Aug 26 13:24:23.009376: | local proposal 4 type DH has 1 transforms Aug 26 13:24:23.009380: | local proposal 4 type ESN has 1 transforms Aug 26 13:24:23.009384: | local proposal 4 transforms: required: ENCR+INTEG+DH+ESN; optional: none Aug 26 13:24:23.009391: | ***parse IKEv2 Proposal Substructure Payload: Aug 26 13:24:23.009396: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 13:24:23.009400: | length: 40 (0x28) Aug 26 13:24:23.009403: | prop #: 1 (0x1) Aug 26 13:24:23.009407: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 13:24:23.009411: | spi size: 4 (0x4) Aug 26 13:24:23.009414: | # transforms: 3 (0x3) Aug 26 13:24:23.009419: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Aug 26 13:24:23.009423: | remote SPI b2 1a 3e ab Aug 26 13:24:23.009428: | Comparing remote proposal 1 containing 3 transforms against local proposal [1..4] of 4 local proposals Aug 26 13:24:23.009432: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:24:23.009436: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:24:23.009440: | length: 12 (0xc) Aug 26 13:24:23.009444: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:24:23.009448: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 13:24:23.009452: | *****parse IKEv2 Attribute Substructure Payload: Aug 26 13:24:23.009456: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:24:23.009459: | length/value: 256 (0x100) Aug 26 13:24:23.009466: | remote proposal 1 transform 0 (ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) transform 0 Aug 26 13:24:23.009470: | ****parse IKEv2 Transform Substructure Payload: 
Aug 26 13:24:23.009474: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:24:23.009477: | length: 8 (0x8) Aug 26 13:24:23.009481: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:24:23.009485: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:24:23.009490: | remote proposal 1 transform 1 (DH=MODP2048) matches local proposal 1 type 4 (DH) transform 0 Aug 26 13:24:23.009495: | remote proposal 1 transform 1 (DH=MODP2048) matches local proposal 2 type 4 (DH) transform 0 Aug 26 13:24:23.009499: | remote proposal 1 transform 1 (DH=MODP2048) matches local proposal 3 type 4 (DH) transform 0 Aug 26 13:24:23.009504: | remote proposal 1 transform 1 (DH=MODP2048) matches local proposal 4 type 4 (DH) transform 0 Aug 26 13:24:23.009507: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:24:23.009511: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:24:23.009515: | length: 8 (0x8) Aug 26 13:24:23.009519: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 13:24:23.009522: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 13:24:23.009527: | remote proposal 1 transform 2 (ESN=DISABLED) matches local proposal 1 type 5 (ESN) transform 0 Aug 26 13:24:23.009532: | remote proposal 1 transform 2 (ESN=DISABLED) matches local proposal 2 type 5 (ESN) transform 0 Aug 26 13:24:23.009536: | remote proposal 1 transform 2 (ESN=DISABLED) matches local proposal 3 type 5 (ESN) transform 0 Aug 26 13:24:23.009541: | remote proposal 1 transform 2 (ESN=DISABLED) matches local proposal 4 type 5 (ESN) transform 0 Aug 26 13:24:23.009546: | remote proposal 1 proposed transforms: ENCR+DH+ESN; matched: ENCR+DH+ESN; unmatched: none Aug 26 13:24:23.009552: | comparing remote proposal 1 containing ENCR+DH+ESN transforms to local proposal 1; required: ENCR+DH+ESN; optional: INTEG; matched: ENCR+DH+ESN Aug 26 13:24:23.009556: | remote proposal 1 matches local proposal 1 Aug 26 13:24:23.009561: | ***parse IKEv2 Proposal Substructure Payload: Aug 26 13:24:23.009564: | last proposal: 
v2_PROPOSAL_NON_LAST (0x2) Aug 26 13:24:23.009568: | length: 40 (0x28) Aug 26 13:24:23.009572: | prop #: 2 (0x2) Aug 26 13:24:23.009575: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 13:24:23.009579: | spi size: 4 (0x4) Aug 26 13:24:23.009583: | # transforms: 3 (0x3) Aug 26 13:24:23.009587: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Aug 26 13:24:23.009591: | remote SPI b2 1a 3e ab Aug 26 13:24:23.009595: | Comparing remote proposal 2 containing 3 transforms against local proposal [1..0] of 4 local proposals Aug 26 13:24:23.009599: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:24:23.009603: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:24:23.009608: | length: 12 (0xc) Aug 26 13:24:23.009612: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:24:23.009616: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 13:24:23.009619: | *****parse IKEv2 Attribute Substructure Payload: Aug 26 13:24:23.009623: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:24:23.009627: | length/value: 128 (0x80) Aug 26 13:24:23.009631: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:24:23.009635: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:24:23.009639: | length: 8 (0x8) Aug 26 13:24:23.009642: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:24:23.009646: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:24:23.009650: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:24:23.009654: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:24:23.009657: | length: 8 (0x8) Aug 26 13:24:23.009661: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 13:24:23.009664: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 13:24:23.009669: | remote proposal 2 proposed transforms: ENCR+DH+ESN; matched: none; unmatched: ENCR+DH+ESN Aug 26 13:24:23.009674: | remote proposal 2 does not match; unmatched remote transforms: ENCR+DH+ESN Aug 26 13:24:23.009678: | ***parse IKEv2 Proposal Substructure Payload: Aug 26 
13:24:23.009682: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 13:24:23.009685: | length: 56 (0x38) Aug 26 13:24:23.009689: | prop #: 3 (0x3) Aug 26 13:24:23.009692: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 13:24:23.009696: | spi size: 4 (0x4) Aug 26 13:24:23.009699: | # transforms: 5 (0x5) Aug 26 13:24:23.009703: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Aug 26 13:24:23.009707: | remote SPI b2 1a 3e ab Aug 26 13:24:23.009711: | Comparing remote proposal 3 containing 5 transforms against local proposal [1..0] of 4 local proposals Aug 26 13:24:23.009715: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:24:23.009719: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:24:23.009722: | length: 12 (0xc) Aug 26 13:24:23.009726: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:24:23.009730: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 13:24:23.009733: | *****parse IKEv2 Attribute Substructure Payload: Aug 26 13:24:23.009737: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:24:23.009741: | length/value: 256 (0x100) Aug 26 13:24:23.009745: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:24:23.009749: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:24:23.009752: | length: 8 (0x8) Aug 26 13:24:23.009756: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:24:23.009760: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Aug 26 13:24:23.009764: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:24:23.009768: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:24:23.009771: | length: 8 (0x8) Aug 26 13:24:23.009775: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:24:23.009779: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Aug 26 13:24:23.009783: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:24:23.009786: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:24:23.009790: | length: 8 (0x8) Aug 26 13:24:23.009793: | IKEv2 transform type: TRANS_TYPE_DH 
(0x4) Aug 26 13:24:23.009797: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:24:23.009801: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:24:23.009805: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:24:23.009808: | length: 8 (0x8) Aug 26 13:24:23.009812: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 13:24:23.009816: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 13:24:23.009821: | remote proposal 3 proposed transforms: ENCR+INTEG+DH+ESN; matched: none; unmatched: ENCR+INTEG+DH+ESN Aug 26 13:24:23.009825: | remote proposal 3 does not match; unmatched remote transforms: ENCR+INTEG+DH+ESN Aug 26 13:24:23.009831: | ***parse IKEv2 Proposal Substructure Payload: Aug 26 13:24:23.009835: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 13:24:23.009838: | length: 56 (0x38) Aug 26 13:24:23.009842: | prop #: 4 (0x4) Aug 26 13:24:23.009845: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 13:24:23.009849: | spi size: 4 (0x4) Aug 26 13:24:23.009852: | # transforms: 5 (0x5) Aug 26 13:24:23.009857: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Aug 26 13:24:23.009860: | remote SPI b2 1a 3e ab Aug 26 13:24:23.009865: | Comparing remote proposal 4 containing 5 transforms against local proposal [1..0] of 4 local proposals Aug 26 13:24:23.009868: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:24:23.009872: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:24:23.009875: | length: 12 (0xc) Aug 26 13:24:23.009879: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:24:23.009883: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 13:24:23.009887: | *****parse IKEv2 Attribute Substructure Payload: Aug 26 13:24:23.009890: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:24:23.009894: | length/value: 128 (0x80) Aug 26 13:24:23.009898: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:24:23.009902: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:24:23.009905: | length: 8 (0x8) Aug 26 
13:24:23.009909: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:24:23.009913: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Aug 26 13:24:23.009917: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:24:23.009920: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:24:23.009924: | length: 8 (0x8) Aug 26 13:24:23.009927: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:24:23.009931: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Aug 26 13:24:23.009935: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:24:23.009939: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:24:23.009942: | length: 8 (0x8) Aug 26 13:24:23.009946: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:24:23.009950: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:24:23.009953: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:24:23.009957: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:24:23.009961: | length: 8 (0x8) Aug 26 13:24:23.009964: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 13:24:23.009968: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 13:24:23.009973: | remote proposal 4 proposed transforms: ENCR+INTEG+DH+ESN; matched: none; unmatched: ENCR+INTEG+DH+ESN Aug 26 13:24:23.009977: | remote proposal 4 does not match; unmatched remote transforms: ENCR+INTEG+DH+ESN Aug 26 13:24:23.009985: "east" #1: proposal 1:ESP:SPI=b21a3eab;ENCR=AES_GCM_C_256;DH=MODP2048;ESN=DISABLED chosen from remote proposals 1:ESP:ENCR=AES_GCM_C_256;DH=MODP2048;ESN=DISABLED[first-match] 2:ESP:ENCR=AES_GCM_C_128;DH=MODP2048;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;ESN=DISABLED Aug 26 13:24:23.009992: | CREATE_CHILD_SA responder matching remote ESP/AH proposals ikev2_proposal: 1:ESP:SPI=b21a3eab;ENCR=AES_GCM_C_256;DH=MODP2048;ESN=DISABLED Aug 26 13:24:23.009996: | converting 
proposal to internal trans attrs Aug 26 13:24:23.010003: | updating #4's .st_oakley with preserved PRF, but why update? Aug 26 13:24:23.010008: | received v2N_REKEY_SA Aug 26 13:24:23.010013: | child state #4: V2_CREATE_R(established IKE SA) => V2_REKEY_CHILD_R(established IKE SA) Aug 26 13:24:23.010017: | CREATE_CHILD_SA IPsec SA rekey Protocol PROTO_v2_ESP Aug 26 13:24:23.010021: | parsing 4 raw bytes of IKEv2 Notify Payload into SPI Aug 26 13:24:23.010025: | SPI 27 47 66 ad Aug 26 13:24:23.010029: | CREATE_CHILD_S to rekey IPsec SA(0x274766ad) Protocol PROTO_v2_ESP Aug 26 13:24:23.010033: | v2 CHILD SA #3 found using their inbound (our outbound) SPI, in STATE_V2_IPSEC_R Aug 26 13:24:23.010040: | State DB: found IKEv2 state #3 in V2_IPSEC_R (find_v2_child_sa_by_outbound_spi) Aug 26 13:24:23.010044: | #4 rekey request for "east" #3 TSi TSr Aug 26 13:24:23.010048: | printing contents struct traffic_selector Aug 26 13:24:23.010052: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Aug 26 13:24:23.010055: | ipprotoid: 0 Aug 26 13:24:23.010059: | port range: 0-65535 Aug 26 13:24:23.010065: | ip range: 192.0.2.0-192.0.2.255 Aug 26 13:24:23.010069: | printing contents struct traffic_selector Aug 26 13:24:23.010073: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Aug 26 13:24:23.010076: | ipprotoid: 0 Aug 26 13:24:23.010080: | port range: 0-65535 Aug 26 13:24:23.010085: | ip range: 192.0.1.0-192.0.1.255 Aug 26 13:24:23.010091: | adding Child Rekey Responder KE and nonce nr work-order 5 for state #4 Aug 26 13:24:23.010095: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x7f6a18002b78 Aug 26 13:24:23.010101: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #4 Aug 26 13:24:23.010106: | libevent_malloc: new ptr-libevent@0x7f6a08001f78 size 128 Aug 26 13:24:23.010122: | #4 spent 0.853 milliseconds in processing: Respond to CREATE_CHILD_SA IPsec SA Request in ikev2_process_state_packet() Aug 26 13:24:23.010131: | suspend processing: state #1 connection "east" from 192.1.2.45:500 (in 
complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:24:23.010137: | start processing: state #4 connection "east" from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:24:23.010143: | #4 complete_v2_state_transition() md.from_state=V2_CREATE_R md.svm.state[from]=V2_CREATE_R V2_REKEY_CHILD_R->V2_IPSEC_R with status STF_SUSPEND Aug 26 13:24:23.010147: | suspending state #4 and saving MD Aug 26 13:24:23.010151: | #4 is busy; has a suspended MD Aug 26 13:24:23.010157: | [RE]START processing: state #4 connection "east" from 192.1.2.45:500 (in log_stf_suspend() at ikev2.c:3269) Aug 26 13:24:23.010162: | "east" #4 complete v2 state STATE_V2_REKEY_CHILD_R transition with STF_SUSPEND suspended from complete_v2_state_transition:3451 Aug 26 13:24:23.010167: | crypto helper 4 resuming Aug 26 13:24:23.010168: | stop processing: state #4 connection "east" from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:2018) Aug 26 13:24:23.010197: | crypto helper 4 starting work-order 5 for state #4 Aug 26 13:24:23.010204: | #1 spent 1.55 milliseconds in ikev2_process_packet() Aug 26 13:24:23.010208: | crypto helper 4 doing build KE and nonce (Child Rekey Responder KE and nonce nr); request ID 5 Aug 26 13:24:23.010211: | stop processing: from 192.1.2.45:500 (in process_md() at demux.c:380) Aug 26 13:24:23.010218: | processing: STOP state #0 (in process_md() at demux.c:382) Aug 26 13:24:23.010223: | processing: STOP connection NULL (in process_md() at demux.c:383) Aug 26 13:24:23.010229: | spent 1.57 milliseconds in comm_handle_cb() reading and processing packet Aug 26 13:24:23.011395: | crypto helper 4 finished build KE and nonce (Child Rekey Responder KE and nonce nr); request ID 5 time elapsed 0.001186 seconds Aug 26 13:24:23.011416: | (#4) spent 1.19 milliseconds in crypto helper computing work-order 5: Child Rekey Responder KE and nonce nr (pcr) Aug 26 13:24:23.011422: | crypto helper 4 sending results from work-order 5 for state #4 to event queue 
Aug 26 13:24:23.011427: | scheduling resume sending helper answer for #4 Aug 26 13:24:23.011432: | libevent_malloc: new ptr-libevent@0x7f6a0c002888 size 128 Aug 26 13:24:23.011444: | crypto helper 4 waiting (nothing to do) Aug 26 13:24:23.011494: | processing resume sending helper answer for #4 Aug 26 13:24:23.011514: | start processing: state #4 connection "east" from 192.1.2.45:500 (in resume_handler() at server.c:797) Aug 26 13:24:23.011522: | crypto helper 4 replies to request ID 5 Aug 26 13:24:23.011526: | calling continuation function 0x56375fad2b50 Aug 26 13:24:23.011531: | ikev2_child_inIoutR_continue for #4 STATE_V2_REKEY_CHILD_R Aug 26 13:24:23.011544: | adding DHv2 for child sa work-order 6 for state #4 Aug 26 13:24:23.011549: | state #4 requesting EVENT_CRYPTO_TIMEOUT to be deleted Aug 26 13:24:23.011557: | libevent_free: release ptr-libevent@0x7f6a08001f78 Aug 26 13:24:23.011562: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x7f6a18002b78 Aug 26 13:24:23.011567: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x7f6a18002b78 Aug 26 13:24:23.011573: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #4 Aug 26 13:24:23.011577: | libevent_malloc: new ptr-libevent@0x7f6a08001f78 size 128 Aug 26 13:24:23.011594: | [RE]START processing: state #4 connection "east" from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:24:23.011600: | #4 complete_v2_state_transition() md.from_state=V2_CREATE_R md.svm.state[from]=V2_CREATE_R V2_REKEY_CHILD_R->V2_IPSEC_R with status STF_SUSPEND Aug 26 13:24:23.011605: | suspending state #4 and saving MD Aug 26 13:24:23.011609: | #4 is busy; has a suspended MD Aug 26 13:24:23.011615: | [RE]START processing: state #4 connection "east" from 192.1.2.45:500 (in log_stf_suspend() at ikev2.c:3269) Aug 26 13:24:23.011620: | "east" #4 complete v2 state STATE_V2_REKEY_CHILD_R transition with STF_SUSPEND suspended from complete_v2_state_transition:3451 Aug 26 13:24:23.011626: | resume sending 
helper answer for #4 suppresed complete_v2_state_transition() and stole MD Aug 26 13:24:23.011634: | #4 spent 0.11 milliseconds in resume sending helper answer Aug 26 13:24:23.011641: | crypto helper 5 resuming Aug 26 13:24:23.011670: | crypto helper 5 starting work-order 6 for state #4 Aug 26 13:24:23.011641: | stop processing: state #4 connection "east" from 192.1.2.45:500 (in resume_handler() at server.c:833) Aug 26 13:24:23.011679: | crypto helper 5 doing crypto (DHv2 for child sa); request ID 6 Aug 26 13:24:23.011691: | libevent_free: release ptr-libevent@0x7f6a0c002888 Aug 26 13:24:23.012839: | crypto helper 5 finished crypto (DHv2 for child sa); request ID 6 time elapsed 0.00116 seconds Aug 26 13:24:23.012859: | (#4) spent 1.16 milliseconds in crypto helper computing work-order 6: DHv2 for child sa (dh) Aug 26 13:24:23.012865: | crypto helper 5 sending results from work-order 6 for state #4 to event queue Aug 26 13:24:23.012870: | scheduling resume sending helper answer for #4 Aug 26 13:24:23.012875: | libevent_malloc: new ptr-libevent@0x7f6a00001f78 size 128 Aug 26 13:24:23.012887: | crypto helper 5 waiting (nothing to do) Aug 26 13:24:23.012894: | processing resume sending helper answer for #4 Aug 26 13:24:23.012904: | start processing: state #4 connection "east" from 192.1.2.45:500 (in resume_handler() at server.c:797) Aug 26 13:24:23.012910: | crypto helper 5 replies to request ID 6 Aug 26 13:24:23.012913: | calling continuation function 0x56375fad39d0 Aug 26 13:24:23.012918: | ikev2_child_inIoutR_continue_continue for #4 STATE_V2_REKEY_CHILD_R Aug 26 13:24:23.012928: | **emit ISAKMP Message: Aug 26 13:24:23.012932: | initiator cookie: Aug 26 13:24:23.012936: | be 09 7a a2 43 c3 23 61 Aug 26 13:24:23.012940: | responder cookie: Aug 26 13:24:23.012943: | 1a 03 8f 34 26 a1 74 69 Aug 26 13:24:23.012948: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 13:24:23.012952: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:24:23.012956: | 
exchange type: ISAKMP_v2_CREATE_CHILD_SA (0x24) Aug 26 13:24:23.012960: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Aug 26 13:24:23.012964: | Message ID: 4 (0x4) Aug 26 13:24:23.012968: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 13:24:23.012973: | ***emit IKEv2 Encryption Payload: Aug 26 13:24:23.012977: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:24:23.012981: | flags: none (0x0) Aug 26 13:24:23.012986: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Aug 26 13:24:23.012990: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'reply packet' Aug 26 13:24:23.012995: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Aug 26 13:24:23.013010: | #4 inherit spd, TSi TSr, from "east" #3 Aug 26 13:24:23.013015: | printing contents struct traffic_selector Aug 26 13:24:23.013019: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Aug 26 13:24:23.013023: | ipprotoid: 0 Aug 26 13:24:23.013027: | port range: 0-65535 Aug 26 13:24:23.013033: | ip range: 192.0.2.0-192.0.2.255 Aug 26 13:24:23.013036: | printing contents struct traffic_selector Aug 26 13:24:23.013040: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Aug 26 13:24:23.013043: | ipprotoid: 0 Aug 26 13:24:23.013047: | port range: 0-65535 Aug 26 13:24:23.013052: | ip range: 192.0.1.0-192.0.1.255 Aug 26 13:24:23.013076: | netlink_get_spi: allocated 0x22689a39 for esp.0@192.1.2.23 Aug 26 13:24:23.013081: | Emitting ikev2_proposal ... 
Aug 26 13:24:23.013085: | ****emit IKEv2 Security Association Payload: Aug 26 13:24:23.013089: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:24:23.013093: | flags: none (0x0) Aug 26 13:24:23.013097: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Aug 26 13:24:23.013102: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Aug 26 13:24:23.013106: | *****emit IKEv2 Proposal Substructure Payload: Aug 26 13:24:23.013110: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 13:24:23.013114: | prop #: 1 (0x1) Aug 26 13:24:23.013118: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 13:24:23.013122: | spi size: 4 (0x4) Aug 26 13:24:23.013125: | # transforms: 3 (0x3) Aug 26 13:24:23.013130: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Aug 26 13:24:23.013135: | emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload Aug 26 13:24:23.013139: | our spi 22 68 9a 39 Aug 26 13:24:23.013143: | ******emit IKEv2 Transform Substructure Payload: Aug 26 13:24:23.013147: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:24:23.013151: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:24:23.013155: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 13:24:23.013159: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:24:23.013164: | *******emit IKEv2 Attribute Substructure Payload: Aug 26 13:24:23.013168: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:24:23.013172: | length/value: 256 (0x100) Aug 26 13:24:23.013176: | emitting length of IKEv2 Transform Substructure Payload: 12 Aug 26 13:24:23.013180: | ******emit IKEv2 Transform Substructure Payload: Aug 26 13:24:23.013184: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 
13:24:23.013188: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:24:23.013192: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:24:23.013197: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:24:23.013201: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:24:23.013205: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:24:23.013209: | ******emit IKEv2 Transform Substructure Payload: Aug 26 13:24:23.013213: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:24:23.013216: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 13:24:23.013220: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 13:24:23.013225: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:24:23.013229: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:24:23.013233: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:24:23.013237: | emitting length of IKEv2 Proposal Substructure Payload: 40 Aug 26 13:24:23.013244: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Aug 26 13:24:23.013248: | emitting length of IKEv2 Security Association Payload: 44 Aug 26 13:24:23.013252: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Aug 26 13:24:23.013256: | ****emit IKEv2 Nonce Payload: Aug 26 13:24:23.013260: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:24:23.013263: | flags: none (0x0) Aug 26 13:24:23.013268: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next 
payload type' to current IKEv2 Nonce Payload (40:ISAKMP_NEXT_v2Ni) Aug 26 13:24:23.013273: | next payload chain: saving location 'IKEv2 Nonce Payload'.'next payload type' in 'reply packet' Aug 26 13:24:23.013277: | emitting 32 raw bytes of IKEv2 nonce into IKEv2 Nonce Payload Aug 26 13:24:23.013281: | IKEv2 nonce 17 9a 80 37 a4 d2 71 e8 5d 31 2c f9 a6 46 ff 77 Aug 26 13:24:23.013285: | IKEv2 nonce 53 7f f9 cf e0 56 0c 85 de 36 5a c1 12 3a b0 95 Aug 26 13:24:23.013296: | emitting length of IKEv2 Nonce Payload: 36 Aug 26 13:24:23.013305: | ****emit IKEv2 Key Exchange Payload: Aug 26 13:24:23.013309: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:24:23.013313: | flags: none (0x0) Aug 26 13:24:23.013317: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:24:23.013321: | next payload chain: setting previous 'IKEv2 Nonce Payload'.'next payload type' to current IKEv2 Key Exchange Payload (34:ISAKMP_NEXT_v2KE) Aug 26 13:24:23.013326: | next payload chain: saving location 'IKEv2 Key Exchange Payload'.'next payload type' in 'reply packet' Aug 26 13:24:23.013330: | emitting 256 raw bytes of ikev2 g^x into IKEv2 Key Exchange Payload
Aug 26 13:24:23.013393: | emitting length of IKEv2 Key Exchange Payload: 264 Aug 26 13:24:23.013397: | received REKEY_SA already proceesd Aug 26 13:24:23.013401: | ****emit IKEv2 Traffic Selector - Initiator - Payload: Aug 26 13:24:23.013405: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:24:23.013408: | flags: none (0x0) Aug 26 13:24:23.013412: | number of TS: 1 (0x1) Aug 26 13:24:23.013417: | next payload chain: setting previous 'IKEv2 Key Exchange Payload'.'next payload type' to current IKEv2 Traffic Selector - Initiator - Payload (44:ISAKMP_NEXT_v2TSi) Aug 26 13:24:23.013421: | next payload chain: saving location 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' in 'reply packet' Aug 26 13:24:23.013425: | *****emit IKEv2 Traffic Selector: Aug 26 13:24:23.013429: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 13:24:23.013435: | IP Protocol ID: 0 (0x0) Aug 26 13:24:23.013439: | start port: 0 (0x0) Aug 26 13:24:23.013443: | end port: 65535 (0xffff) Aug 26 13:24:23.013448: | emitting 4 raw bytes of ipv4 start into IKEv2 Traffic Selector Aug 26 13:24:23.013467: | ipv4 start c0 00 01 00 Aug 26 13:24:23.013472: | emitting 4 raw bytes of ipv4 end into IKEv2 Traffic Selector Aug 26 13:24:23.013476: | ipv4 end c0 00 01 ff Aug 26 13:24:23.013481: | emitting length of IKEv2 Traffic Selector: 16 Aug 26 13:24:23.013486: | emitting length of IKEv2 Traffic Selector - Initiator - Payload: 24 Aug 26 13:24:23.013491: | ****emit IKEv2 Traffic Selector - Responder - 
Payload: Aug 26 13:24:23.013495: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:24:23.013499: | flags: none (0x0) Aug 26 13:24:23.013504: | number of TS: 1 (0x1) Aug 26 13:24:23.013510: | next payload chain: setting previous 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' to current IKEv2 Traffic Selector - Responder - Payload (45:ISAKMP_NEXT_v2TSr) Aug 26 13:24:23.013515: | next payload chain: saving location 'IKEv2 Traffic Selector - Responder - Payload'.'next payload type' in 'reply packet' Aug 26 13:24:23.013519: | *****emit IKEv2 Traffic Selector: Aug 26 13:24:23.013524: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 13:24:23.013528: | IP Protocol ID: 0 (0x0) Aug 26 13:24:23.013533: | start port: 0 (0x0) Aug 26 13:24:23.013537: | end port: 65535 (0xffff) Aug 26 13:24:23.013542: | emitting 4 raw bytes of ipv4 start into IKEv2 Traffic Selector Aug 26 13:24:23.013546: | ipv4 start c0 00 02 00 Aug 26 13:24:23.013551: | emitting 4 raw bytes of ipv4 end into IKEv2 Traffic Selector Aug 26 13:24:23.013555: | ipv4 end c0 00 02 ff Aug 26 13:24:23.013560: | emitting length of IKEv2 Traffic Selector: 16 Aug 26 13:24:23.013565: | emitting length of IKEv2 Traffic Selector - Responder - Payload: 24 Aug 26 13:24:23.013570: | Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED Aug 26 13:24:23.013576: | integ=none: .key_size=0 encrypt=aes_gcm_16: .key_size=32 .salt_size=4 keymat_len=36 Aug 26 13:24:23.013852: | install_ipsec_sa() for #4: inbound and outbound Aug 26 13:24:23.013863: | could_route called for east (kind=CK_PERMANENT) Aug 26 13:24:23.013868: | FOR_EACH_CONNECTION_... 
in route_owner Aug 26 13:24:23.013874: | conn east mark 0/00000000, 0/00000000 vs Aug 26 13:24:23.013879: | conn east mark 0/00000000, 0/00000000 Aug 26 13:24:23.013886: | route owner of "east" erouted: self; eroute owner: self Aug 26 13:24:23.013893: | looking for alg with encrypt: AES_GCM_16 keylen: 256 integ: NONE Aug 26 13:24:23.013899: | encrypt AES_GCM_16 keylen=256 transid=20, key_size=32, encryptalg=20 Aug 26 13:24:23.013904: | AES_GCM_16 requires 4 salt bytes Aug 26 13:24:23.013909: | st->st_esp.keymat_len=36 is encrypt_keymat_size=36 + integ_keymat_size=0 Aug 26 13:24:23.013917: | setting IPsec SA replay-window to 32 Aug 26 13:24:23.013922: | NIC esp-hw-offload not for connection 'east' not available on interface eth1 Aug 26 13:24:23.013928: | netlink: enabling tunnel mode Aug 26 13:24:23.013933: | netlink: setting IPsec SA replay-window to 32 using old-style req Aug 26 13:24:23.013938: | netlink: esp-hw-offload not set for IPsec SA Aug 26 13:24:23.014049: | netlink response for Add SA esp.b21a3eab@192.1.2.45 included non-error error Aug 26 13:24:23.014058: | set up outgoing SA, ref=0/0 Aug 26 13:24:23.014063: | looking for alg with encrypt: AES_GCM_16 keylen: 256 integ: NONE Aug 26 13:24:23.014068: | encrypt AES_GCM_16 keylen=256 transid=20, key_size=32, encryptalg=20 Aug 26 13:24:23.014073: | AES_GCM_16 requires 4 salt bytes Aug 26 13:24:23.014078: | st->st_esp.keymat_len=36 is encrypt_keymat_size=36 + integ_keymat_size=0 Aug 26 13:24:23.014084: | setting IPsec SA replay-window to 32 Aug 26 13:24:23.014089: | NIC esp-hw-offload not for connection 'east' not available on interface eth1 Aug 26 13:24:23.014095: | netlink: enabling tunnel mode Aug 26 13:24:23.014111: | netlink: setting IPsec SA replay-window to 32 using old-style req Aug 26 13:24:23.014129: | netlink: esp-hw-offload not set for IPsec SA Aug 26 13:24:23.014221: | netlink response for Add SA esp.22689a39@192.1.2.23 included non-error error Aug 26 13:24:23.014237: | set up incoming SA, ref=0/0 
Aug 26 13:24:23.014247: | sr for #4: erouted Aug 26 13:24:23.014258: | route_and_eroute() for proto 0, and source port 0 dest port 0 Aug 26 13:24:23.014268: | FOR_EACH_CONNECTION_... in route_owner Aug 26 13:24:23.014277: | conn east mark 0/00000000, 0/00000000 vs Aug 26 13:24:23.014287: | conn east mark 0/00000000, 0/00000000 Aug 26 13:24:23.014328: | route owner of "east" erouted: self; eroute owner: self Aug 26 13:24:23.014342: | route_and_eroute with c: east (next: none) ero:east esr:{(nil)} ro:east rosr:{(nil)} and state: #4 Aug 26 13:24:23.014353: | priority calculation of connection "east" is 0xfe7e7 Aug 26 13:24:23.014380: | eroute_connection replace eroute 192.0.2.0/24:0 --0-> 192.0.1.0/24:0 => tun.0@192.1.2.45>tun.0@192.1.2.45 (raw_eroute) Aug 26 13:24:23.014391: | IPsec Sa SPD priority set to 1042407 Aug 26 13:24:23.014437: | raw_eroute result=success Aug 26 13:24:23.014450: | route_and_eroute: firewall_notified: true Aug 26 13:24:23.014463: | route_and_eroute: instance "east", setting eroute_owner {spd=0x563761764728,sr=0x563761764728} to #4 (was #3) (newest_ipsec_sa=#3) Aug 26 13:24:23.014604: | #1 spent 0.726 milliseconds in install_ipsec_sa() Aug 26 13:24:23.014623: | ISAKMP_v2_CREATE_CHILD_SA: instance east[0], setting IKEv2 newest_ipsec_sa to #4 (was #3) (spd.eroute=#4) cloned from #1 Aug 26 13:24:23.014635: | adding 1 bytes of padding (including 1 byte padding-length) Aug 26 13:24:23.014647: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:24:23.014659: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Aug 26 13:24:23.014667: | emitting length of IKEv2 Encryption Payload: 421 Aug 26 13:24:23.014676: | emitting length of ISAKMP Message: 449 Aug 26 13:24:23.014720: "east" #4: negotiated new IPsec SA [192.0.2.0-192.0.2.255:0-65535 0] -> [192.0.1.0-192.0.1.255:0-65535 0] Aug 26 13:24:23.014745: | [RE]START processing: state #4 connection "east" from 192.1.2.45:500 (in 
complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:24:23.014761: | #4 complete_v2_state_transition() md.from_state=V2_CREATE_R md.svm.state[from]=V2_CREATE_R V2_REKEY_CHILD_R->V2_IPSEC_R with status STF_OK Aug 26 13:24:23.014771: | IKEv2: transition from state STATE_V2_CREATE_R to state STATE_V2_IPSEC_R Aug 26 13:24:23.014782: | child state #4: V2_REKEY_CHILD_R(established IKE SA) => V2_IPSEC_R(established CHILD SA) Aug 26 13:24:23.014792: | Message ID: updating counters for #4 to 4 after switching state Aug 26 13:24:23.014810: | Message ID: recv #1.#4 request 4; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=3 responder.recv=3->4; child: wip.initiator=-1 wip.responder=4->-1 Aug 26 13:24:23.014827: | Message ID: sent #1.#4 response 4; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=3->4 responder.recv=4; child: wip.initiator=-1 wip.responder=-1 Aug 26 13:24:23.014839: | pstats #4 ikev2.child established Aug 26 13:24:23.014851: "east" #4: negotiated connection [192.0.2.0-192.0.2.255:0-65535 0] -> [192.0.1.0-192.0.1.255:0-65535 0] Aug 26 13:24:23.014857: | NAT-T: encaps is 'auto' Aug 26 13:24:23.014865: "east" #4: STATE_V2_IPSEC_R: IPsec SA established tunnel mode {ESP=>0xb21a3eab <0x22689a39 xfrm=AES_GCM_16_256-NONE-MODP2048 NATOA=none NATD=none DPD=passive} Aug 26 13:24:23.014873: | sending V2 new request packet to 192.1.2.45:500 (from 192.1.2.23:500) Aug 26 13:24:23.014883: | sending 449 bytes for STATE_V2_CREATE_R through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #1)
Aug 26 13:24:23.015065: | releasing whack for #4 (sock=fd@-1) Aug 26 13:24:23.015084: | releasing whack and unpending for parent #1 Aug 26 13:24:23.015094: | unpending state #1 connection "east" Aug 26 13:24:23.015106: | #4 will start re-keying in 28530 seconds with margin of 270 seconds (attempting re-key) Aug 26 13:24:23.015115: | state #4 requesting
EVENT_CRYPTO_TIMEOUT to be deleted Aug 26 13:24:23.015126: | libevent_free: release ptr-libevent@0x7f6a08001f78 Aug 26 13:24:23.015135: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x7f6a18002b78 Aug 26 13:24:23.015145: | event_schedule: new EVENT_SA_REKEY-pe@0x7f6a18002b78 Aug 26 13:24:23.015155: | inserting event EVENT_SA_REKEY, timeout in 28530 seconds for #4 Aug 26 13:24:23.015164: | libevent_malloc: new ptr-libevent@0x7f6a0c002888 size 128 Aug 26 13:24:23.015181: | #4 spent 2.22 milliseconds in resume sending helper answer Aug 26 13:24:23.015197: | stop processing: state #4 connection "east" from 192.1.2.45:500 (in resume_handler() at server.c:833) Aug 26 13:24:23.015206: | libevent_free: release ptr-libevent@0x7f6a00001f78 Aug 26 13:24:24.019851: | spent 0.00295 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Aug 26 13:24:24.019871: | *received 69 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500) Aug 26 13:24:24.019874: | be 09 7a a2 43 c3 23 61 1a 03 8f 34 26 a1 74 69 Aug 26 13:24:24.019876: | 2e 20 25 08 00 00 00 05 00 00 00 45 2a 00 00 29 Aug 26 13:24:24.019878: | 3f 55 89 ff c3 4a 7e fc 0b 3d ed 50 b8 68 20 40 Aug 26 13:24:24.019879: | db 89 1c 0b 1a 4c 8e 2c eb 42 89 93 00 98 73 72 Aug 26 13:24:24.019881: | 35 e2 4d 6b 39 Aug 26 13:24:24.019884: | start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) Aug 26 13:24:24.019887: | **parse ISAKMP Message: Aug 26 13:24:24.019889: | initiator cookie: Aug 26 13:24:24.019891: | be 09 7a a2 43 c3 23 61 Aug 26 13:24:24.019893: | responder cookie: Aug 26 13:24:24.019894: | 1a 03 8f 34 26 a1 74 69 Aug 26 13:24:24.019896: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Aug 26 13:24:24.019898: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:24:24.019903: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Aug 26 13:24:24.019905: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Aug 26 13:24:24.019907: | Message ID: 5 (0x5) Aug 26 13:24:24.019908: | length: 69 (0x45) 
Aug 26 13:24:24.019910: | processing version=2.0 packet with exchange type=ISAKMP_v2_INFORMATIONAL (37) Aug 26 13:24:24.019913: | I am the IKE SA Original Responder receiving an IKEv2 INFORMATIONAL request Aug 26 13:24:24.019916: | State DB: found IKEv2 state #1 in PARENT_R2 (find_v2_ike_sa) Aug 26 13:24:24.019921: | start processing: state #1 connection "east" from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:2016) Aug 26 13:24:24.019923: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Aug 26 13:24:24.019926: | [RE]START processing: state #1 connection "east" from 192.1.2.45:500 (in ike_process_packet() at ikev2.c:2064) Aug 26 13:24:24.019928: | #1 st.st_msgid_lastrecv 4 md.hdr.isa_msgid 00000005 Aug 26 13:24:24.019931: | Message ID: #1 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=4 responder.recv=4 Aug 26 13:24:24.019933: | unpacking clear payload Aug 26 13:24:24.019935: | Now let's proceed with payload (ISAKMP_NEXT_v2SK) Aug 26 13:24:24.019937: | ***parse IKEv2 Encryption Payload: Aug 26 13:24:24.019939: | next payload type: ISAKMP_NEXT_v2D (0x2a) Aug 26 13:24:24.019940: | flags: none (0x0) Aug 26 13:24:24.019942: | length: 41 (0x29) Aug 26 13:24:24.019944: | processing payload: ISAKMP_NEXT_v2SK (len=37) Aug 26 13:24:24.019947: | Message ID: start-responder #1 request 5; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=4 responder.recv=4 wip.initiator=-1 wip.responder=-1->5 Aug 26 13:24:24.019949: | #1 in state PARENT_R2: received v2I2, PARENT SA established Aug 26 13:24:24.019961: | #1 ikev2 ISAKMP_v2_INFORMATIONAL decrypt success Aug 26 13:24:24.019963: | Now let's proceed with payload (ISAKMP_NEXT_v2D) Aug 26 13:24:24.019965: | **parse IKEv2 Delete Payload: Aug 26 13:24:24.019967: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:24:24.019968: | flags: none (0x0) Aug 26 13:24:24.019970: | length: 12 (0xc) Aug 26 13:24:24.019972: | protocol ID: PROTO_v2_ESP (0x3) Aug 26 
13:24:24.019974: | SPI size: 4 (0x4) Aug 26 13:24:24.019975: | number of SPIs: 1 (0x1) Aug 26 13:24:24.019977: | processing payload: ISAKMP_NEXT_v2D (len=4) Aug 26 13:24:24.019979: | selected state microcode R2: process INFORMATIONAL Request Aug 26 13:24:24.019981: | Now let's proceed with state specific processing Aug 26 13:24:24.019983: | calling processor R2: process INFORMATIONAL Request Aug 26 13:24:24.019985: | an informational request should send a response Aug 26 13:24:24.019990: | Received an INFORMATIONAL response, updating st_last_liveness, no pending_liveness Aug 26 13:24:24.019992: | **emit ISAKMP Message: Aug 26 13:24:24.019994: | initiator cookie: Aug 26 13:24:24.019996: | be 09 7a a2 43 c3 23 61 Aug 26 13:24:24.019997: | responder cookie: Aug 26 13:24:24.019999: | 1a 03 8f 34 26 a1 74 69 Aug 26 13:24:24.020001: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 13:24:24.020003: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:24:24.020004: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Aug 26 13:24:24.020006: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Aug 26 13:24:24.020008: | Message ID: 5 (0x5) Aug 26 13:24:24.020010: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 13:24:24.020012: | ***emit IKEv2 Encryption Payload: Aug 26 13:24:24.020014: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:24:24.020015: | flags: none (0x0) Aug 26 13:24:24.020018: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Aug 26 13:24:24.020020: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'information exchange reply packet' Aug 26 13:24:24.020022: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Aug 26 13:24:24.020028: | parsing 4 raw bytes of IKEv2 Delete Payload into SPI Aug 26 13:24:24.020030: | SPI 27 47 66 ad Aug 26 13:24:24.020032: | delete PROTO_v2_ESP 
SA(0x274766ad) Aug 26 13:24:24.020034: | v2 CHILD SA #3 found using their inbound (our outbound) SPI, in STATE_V2_IPSEC_R Aug 26 13:24:24.020036: | State DB: found IKEv2 state #3 in V2_IPSEC_R (find_v2_child_sa_by_outbound_spi) Aug 26 13:24:24.020038: | our side SPI that needs to be deleted: PROTO_v2_ESP SA(0x274766ad) Aug 26 13:24:24.020040: "east" #1: received Delete SA payload: delete IPsec State #3 now Aug 26 13:24:24.020043: | pstats #3 ikev2.child deleted completed Aug 26 13:24:24.020045: | #3 spent 3.22 milliseconds in total Aug 26 13:24:24.020048: | suspend processing: state #1 connection "east" from 192.1.2.45:500 (in delete_state() at state.c:879) Aug 26 13:24:24.020051: | start processing: state #3 connection "east" from 192.1.2.45:500 (in delete_state() at state.c:879) Aug 26 13:24:24.020054: "east" #3: deleting other state #3 (STATE_V2_IPSEC_R) aged 21.018s and NOT sending notification Aug 26 13:24:24.020056: | child state #3: V2_IPSEC_R(established CHILD SA) => delete Aug 26 13:24:24.020059: | get_sa_info esp.274766ad@192.1.2.45 Aug 26 13:24:24.020069: | get_sa_info esp.128b59c6@192.1.2.23 Aug 26 13:24:24.020075: "east" #3: ESP traffic information: in=1KB out=1KB Aug 26 13:24:24.020078: | child state #3: V2_IPSEC_R(established CHILD SA) => CHILDSA_DEL(informational) Aug 26 13:24:24.020080: | state #3 requesting EVENT_SA_REKEY to be deleted Aug 26 13:24:24.020082: | libevent_free: release ptr-libevent@0x7f6a14002888 Aug 26 13:24:24.020084: | free_event_entry: release EVENT_SA_REKEY-pe@0x56376176fd28 Aug 26 13:24:24.020117: | delete esp.274766ad@192.1.2.45 Aug 26 13:24:24.020129: | netlink response for Del SA esp.274766ad@192.1.2.45 included non-error error Aug 26 13:24:24.020132: | delete esp.128b59c6@192.1.2.23 Aug 26 13:24:24.020138: | netlink response for Del SA esp.128b59c6@192.1.2.23 included non-error error Aug 26 13:24:24.020141: | in connection_discard for connection east Aug 26 13:24:24.020143: | State DB: deleting IKEv2 state #3 in 
CHILDSA_DEL Aug 26 13:24:24.020146: | child state #3: CHILDSA_DEL(informational) => UNDEFINED(ignore) Aug 26 13:24:24.020184: | stop processing: state #3 from 192.1.2.45:500 (in delete_state() at state.c:1143) Aug 26 13:24:24.020188: | resume processing: state #1 connection "east" from 192.1.2.45:500 (in delete_state() at state.c:1143) Aug 26 13:24:24.020194: | ****emit IKEv2 Delete Payload: Aug 26 13:24:24.020196: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:24:24.020198: | flags: none (0x0) Aug 26 13:24:24.020200: | protocol ID: PROTO_v2_ESP (0x3) Aug 26 13:24:24.020202: | SPI size: 4 (0x4) Aug 26 13:24:24.020203: | number of SPIs: 1 (0x1) Aug 26 13:24:24.020206: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) Aug 26 13:24:24.020208: | next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'information exchange reply packet' Aug 26 13:24:24.020210: | emitting 4 raw bytes of local SPIs into IKEv2 Delete Payload Aug 26 13:24:24.020212: | local SPIs 12 8b 59 c6 Aug 26 13:24:24.020214: | emitting length of IKEv2 Delete Payload: 12 Aug 26 13:24:24.020216: | adding 1 bytes of padding (including 1 byte padding-length) Aug 26 13:24:24.020218: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:24:24.020220: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Aug 26 13:24:24.020222: | emitting length of IKEv2 Encryption Payload: 41 Aug 26 13:24:24.020223: | emitting length of ISAKMP Message: 69 Aug 26 13:24:24.020233: | sending 69 bytes for reply packet for process_encrypted_informational_ikev2 through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #1) Aug 26 13:24:24.020235: | be 09 7a a2 43 c3 23 61 1a 03 8f 34 26 a1 74 69 Aug 26 13:24:24.020238: | 2e 20 25 20 00 00 00 05 00 00 00 45 2a 00 00 29 Aug 26 13:24:24.020240: | 11 f4 77 bc 5d 97 ac 0d 74 4a fc d9 a0 55 
05 3a Aug 26 13:24:24.020242: | 72 21 93 f5 68 16 8a 85 4c 06 11 b9 f6 97 06 ed Aug 26 13:24:24.020243: | 77 66 cd 00 c9 Aug 26 13:24:24.020265: | Message ID: #1 XXX: in process_encrypted_informational_ikev2() hacking around record'n'send bypassing send queue hacking around delete_my_family(); initiator.sent=-1 initiator.recv=-1 responder.sent=4 responder.recv=4 wip.initiator=-1 wip.responder=5 Aug 26 13:24:24.020270: | Message ID: sent #1 response 5; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=4->5 responder.recv=4 wip.initiator=-1 wip.responder=5 Aug 26 13:24:24.020274: | #1 spent 0.278 milliseconds in processing: R2: process INFORMATIONAL Request in ikev2_process_state_packet() Aug 26 13:24:24.020277: | [RE]START processing: state #1 connection "east" from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:24:24.020280: | #1 complete_v2_state_transition() PARENT_R2->PARENT_R2 with status STF_OK Aug 26 13:24:24.020283: | Message ID: updating counters for #1 to 5 after switching state Aug 26 13:24:24.020286: | Message ID: recv #1 request 5; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=5 responder.recv=4->5 wip.initiator=-1 wip.responder=5->-1 Aug 26 13:24:24.020297: | Message ID: #1 skipping update_send as nothing to send; initiator.sent=-1 initiator.recv=-1 responder.sent=5 responder.recv=5 wip.initiator=-1 wip.responder=-1 Aug 26 13:24:24.020302: "east" #1: STATE_PARENT_R2: received v2I2, PARENT SA established Aug 26 13:24:24.020306: | stop processing: state #1 connection "east" from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:2018) Aug 26 13:24:24.020321: | #1 spent 0.429 milliseconds in ikev2_process_packet() Aug 26 13:24:24.020324: | stop processing: from 192.1.2.45:500 (in process_md() at demux.c:380) Aug 26 13:24:24.020327: | processing: STOP state #0 (in process_md() at demux.c:382) Aug 26 13:24:24.020329: | processing: STOP connection NULL (in process_md() at demux.c:383) Aug 26 13:24:24.020331: | 
spent 0.452 milliseconds in comm_handle_cb() reading and processing packet Aug 26 13:24:32.897668: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 13:24:32.897913: | FOR_EACH_STATE_... in show_traffic_status (sort_states) Aug 26 13:24:32.897918: | FOR_EACH_STATE_... in sort_states Aug 26 13:24:32.897924: | get_sa_info esp.22689a39@192.1.2.23 Aug 26 13:24:32.897937: | get_sa_info esp.b21a3eab@192.1.2.45 Aug 26 13:24:32.897952: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 13:24:32.897958: | spent 0.298 milliseconds in whack Aug 26 13:24:32.963794: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 13:24:32.964944: | FOR_EACH_CONNECTION_... in show_connections_status Aug 26 13:24:32.964988: | FOR_EACH_CONNECTION_... in show_connections_status Aug 26 13:24:32.965317: | FOR_EACH_STATE_... in show_states_status (sort_states) Aug 26 13:24:32.965347: | FOR_EACH_STATE_... in sort_states Aug 26 13:24:32.965408: | get_sa_info esp.22689a39@192.1.2.23 Aug 26 13:24:32.965463: | get_sa_info esp.b21a3eab@192.1.2.45 Aug 26 13:24:32.965558: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 13:24:32.965591: | spent 1.79 milliseconds in whack Aug 26 13:24:33.302097: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 13:24:33.302316: | FOR_EACH_CONNECTION_... in show_connections_status Aug 26 13:24:33.302338: | FOR_EACH_CONNECTION_... in show_connections_status Aug 26 13:24:33.302403: | FOR_EACH_STATE_... in show_states_status (sort_states) Aug 26 13:24:33.302408: | FOR_EACH_STATE_... 
in sort_states Aug 26 13:24:33.302421: | get_sa_info esp.22689a39@192.1.2.23 Aug 26 13:24:33.302440: | get_sa_info esp.b21a3eab@192.1.2.45 Aug 26 13:24:33.302466: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 13:24:33.302478: | spent 0.385 milliseconds in whack Aug 26 13:24:34.389917: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 13:24:34.389938: shutting down Aug 26 13:24:34.389945: | processing: RESET whack log_fd (was fd@16) (in exit_pluto() at plutomain.c:1825) Aug 26 13:24:34.389948: | certs and keys locked by 'free_preshared_secrets' Aug 26 13:24:34.389949: forgetting secrets Aug 26 13:24:34.389954: | certs and keys unlocked by 'free_preshared_secrets' Aug 26 13:24:34.389957: | unreference key: 0x5637617665c8 @east cnt 1-- Aug 26 13:24:34.389961: | unreference key: 0x5637616bdc48 @west cnt 1-- Aug 26 13:24:34.389965: | start processing: connection "east" (in delete_connection() at connections.c:189) Aug 26 13:24:34.389967: | Deleting states for connection - including all other IPsec SA's of this IKE SA Aug 26 13:24:34.389969: | pass 0 Aug 26 13:24:34.389971: | FOR_EACH_STATE_... 
in foreach_state_by_connection_func_delete Aug 26 13:24:34.389973: | state #4 Aug 26 13:24:34.389992: | suspend processing: connection "east" (in foreach_state_by_connection_func_delete() at state.c:1310) Aug 26 13:24:34.389996: | start processing: state #4 connection "east" from 192.1.2.45:500 (in foreach_state_by_connection_func_delete() at state.c:1310) Aug 26 13:24:34.390011: | pstats #4 ikev2.child deleted completed Aug 26 13:24:34.390016: | #4 spent 5.54 milliseconds in total Aug 26 13:24:34.390019: | [RE]START processing: state #4 connection "east" from 192.1.2.45:500 (in delete_state() at state.c:879) Aug 26 13:24:34.390022: "east" #4: deleting state (STATE_V2_IPSEC_R) aged 11.380s and sending notification Aug 26 13:24:34.390025: | child state #4: V2_IPSEC_R(established CHILD SA) => delete Aug 26 13:24:34.390028: | get_sa_info esp.b21a3eab@192.1.2.45 Aug 26 13:24:34.390040: | get_sa_info esp.22689a39@192.1.2.23 Aug 26 13:24:34.390046: "east" #4: ESP traffic information: in=1KB out=1KB Aug 26 13:24:34.390048: | #4 send IKEv2 delete notification for STATE_V2_IPSEC_R Aug 26 13:24:34.390051: | Opening output PBS informational exchange delete request Aug 26 13:24:34.390053: | **emit ISAKMP Message: Aug 26 13:24:34.390055: | initiator cookie: Aug 26 13:24:34.390057: | be 09 7a a2 43 c3 23 61 Aug 26 13:24:34.390059: | responder cookie: Aug 26 13:24:34.390060: | 1a 03 8f 34 26 a1 74 69 Aug 26 13:24:34.390062: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 13:24:34.390064: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:24:34.390066: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Aug 26 13:24:34.390068: | flags: none (0x0) Aug 26 13:24:34.390070: | Message ID: 0 (0x0) Aug 26 13:24:34.390072: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 13:24:34.390074: | ***emit IKEv2 Encryption Payload: Aug 26 13:24:34.390076: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:24:34.390078: | flags: none 
(0x0) Aug 26 13:24:34.390080: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Aug 26 13:24:34.390082: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'informational exchange delete request' Aug 26 13:24:34.390085: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Aug 26 13:24:34.390092: | ****emit IKEv2 Delete Payload: Aug 26 13:24:34.390094: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:24:34.390096: | flags: none (0x0) Aug 26 13:24:34.390098: | protocol ID: PROTO_v2_ESP (0x3) Aug 26 13:24:34.390099: | SPI size: 4 (0x4) Aug 26 13:24:34.390101: | number of SPIs: 1 (0x1) Aug 26 13:24:34.390103: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) Aug 26 13:24:34.390105: | next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'informational exchange delete request' Aug 26 13:24:34.390107: | emitting 4 raw bytes of local spis into IKEv2 Delete Payload Aug 26 13:24:34.390112: | local spis 22 68 9a 39 Aug 26 13:24:34.390114: | emitting length of IKEv2 Delete Payload: 12 Aug 26 13:24:34.390116: | adding 1 bytes of padding (including 1 byte padding-length) Aug 26 13:24:34.390118: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:24:34.390120: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Aug 26 13:24:34.390122: | emitting length of IKEv2 Encryption Payload: 41 Aug 26 13:24:34.390123: | emitting length of ISAKMP Message: 69 Aug 26 13:24:34.390142: | sending 69 bytes for delete notification through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #4) Aug 26 13:24:34.390145: | be 09 7a a2 43 c3 23 61 1a 03 8f 34 26 a1 74 69 Aug 26 13:24:34.390147: | 2e 20 25 00 00 00 00 00 00 00 00 45 2a 00 00 29 Aug 26 13:24:34.390149: | 42 9a 76 10 
b4 6e 00 4e 14 ed ee 22 23 6c 94 cd Aug 26 13:24:34.390150: | 40 e1 ee 92 3d 21 76 fb 34 86 f6 71 6e f4 e9 c7 Aug 26 13:24:34.390152: | ff 61 3b 5d 8b Aug 26 13:24:34.390186: | Message ID: IKE #1 sender #4 in send_delete record 'n' sending delete request so forcing IKE nextuse=0->1 and sender msgid=0->0 Aug 26 13:24:34.390189: | Message ID: IKE #1 sender #4 in send_delete hacking around record ' send Aug 26 13:24:34.390192: | Message ID: sent #1 request 0; ike: initiator.sent=-1->0 initiator.recv=-1 responder.sent=5 responder.recv=5 wip.initiator=-1->0 wip.responder=-1 Aug 26 13:24:34.390195: | state #4 requesting EVENT_SA_REKEY to be deleted Aug 26 13:24:34.390198: | libevent_free: release ptr-libevent@0x7f6a0c002888 Aug 26 13:24:34.390200: | free_event_entry: release EVENT_SA_REKEY-pe@0x7f6a18002b78 Aug 26 13:24:34.390254: | running updown command "ipsec _updown" for verb down Aug 26 13:24:34.390258: | command executing down-client Aug 26 13:24:34.390293: | executing down-client: PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='east' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='@west' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1566825863' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0xb21a3eab Aug 26 
13:24:34.390302: | popen cmd is 1031 chars long Aug 26 13:24:34.390307: | cmd( 0):PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='east' PLUTO_INTER: Aug 26 13:24:34.390311: | cmd( 80):FACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east: Aug 26 13:24:34.390327: | cmd( 160):' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT: Aug 26 13:24:34.390330: | cmd( 240):_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16: Aug 26 13:24:34.390334: | cmd( 320):388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='@west' PLUTO_PEE: Aug 26 13:24:34.390338: | cmd( 400):R_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK: Aug 26 13:24:34.390341: | cmd( 480):='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PL: Aug 26 13:24:34.390344: | cmd( 560):UTO_STACK='netkey' PLUTO_ADDTIME='1566825863' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUN: Aug 26 13:24:34.390348: | cmd( 640):NEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMA: Aug 26 13:24:34.390352: | cmd( 720):NENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_: Aug 26 13:24:34.390372: | cmd( 800):PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER: Aug 26 13:24:34.390375: | cmd( 880):='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' : Aug 26 13:24:34.390377: | cmd( 960):VTI_SHARED='no' SPI_IN=0xb21a3eab SPI_OUT=0x22689a39 ipsec _updown 2>&1: Aug 26 13:24:34.397564: | shunt_eroute() called for connection 'east' to 'replace with shunt' for rt_kind 'prospective erouted' using protoports 0--0->-0 Aug 26 13:24:34.397582: | netlink_shunt_eroute for proto 0, and source port 0 dest port 0 Aug 26 13:24:34.397585: | priority calculation of connection "east" is 0xfe7e7 Aug 26 13:24:34.397590: | IPsec Sa SPD priority set to 1042407 Aug 26 13:24:34.397637: | delete 
esp.b21a3eab@192.1.2.45 Aug 26 13:24:34.397653: | netlink response for Del SA esp.b21a3eab@192.1.2.45 included non-error error Aug 26 13:24:34.397656: | priority calculation of connection "east" is 0xfe7e7 Aug 26 13:24:34.397661: | delete inbound eroute 192.0.1.0/24:0 --0-> 192.0.2.0/24:0 => unk255.10000@192.1.2.23 (raw_eroute) Aug 26 13:24:34.397688: | raw_eroute result=success Aug 26 13:24:34.397692: | delete esp.22689a39@192.1.2.23 Aug 26 13:24:34.397713: | netlink response for Del SA esp.22689a39@192.1.2.23 included non-error error Aug 26 13:24:34.397723: | stop processing: connection "east" (BACKGROUND) (in update_state_connection() at connections.c:4076) Aug 26 13:24:34.397727: | start processing: connection NULL (in update_state_connection() at connections.c:4077) Aug 26 13:24:34.397729: | in connection_discard for connection east Aug 26 13:24:34.397731: | State DB: deleting IKEv2 state #4 in V2_IPSEC_R Aug 26 13:24:34.397737: | child state #4: V2_IPSEC_R(established CHILD SA) => UNDEFINED(ignore) Aug 26 13:24:34.397786: | stop processing: state #4 from 192.1.2.45:500 (in delete_state() at state.c:1143) Aug 26 13:24:34.397808: | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312) Aug 26 13:24:34.397810: | state #1 Aug 26 13:24:34.397812: | pass 1 Aug 26 13:24:34.397814: | FOR_EACH_STATE_... 
in foreach_state_by_connection_func_delete Aug 26 13:24:34.397815: | state #1 Aug 26 13:24:34.397818: | start processing: state #1 connection "east" from 192.1.2.45:500 (in foreach_state_by_connection_func_delete() at state.c:1310) Aug 26 13:24:34.397821: | pstats #1 ikev2.ike deleted completed Aug 26 13:24:34.397828: | #1 spent 11.9 milliseconds in total Aug 26 13:24:34.397830: | [RE]START processing: state #1 connection "east" from 192.1.2.45:500 (in delete_state() at state.c:879) Aug 26 13:24:34.397833: "east" #1: deleting state (STATE_PARENT_R2) aged 51.432s and sending notification Aug 26 13:24:34.397836: | parent state #1: PARENT_R2(established IKE SA) => delete Aug 26 13:24:34.397886: | #1 send IKEv2 delete notification for STATE_PARENT_R2 Aug 26 13:24:34.397889: | Opening output PBS informational exchange delete request Aug 26 13:24:34.397892: | **emit ISAKMP Message: Aug 26 13:24:34.397894: | initiator cookie: Aug 26 13:24:34.397896: | be 09 7a a2 43 c3 23 61 Aug 26 13:24:34.397898: | responder cookie: Aug 26 13:24:34.397899: | 1a 03 8f 34 26 a1 74 69 Aug 26 13:24:34.397901: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 13:24:34.397903: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:24:34.397905: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Aug 26 13:24:34.397908: | flags: none (0x0) Aug 26 13:24:34.397910: | Message ID: 1 (0x1) Aug 26 13:24:34.397913: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 13:24:34.397915: | ***emit IKEv2 Encryption Payload: Aug 26 13:24:34.397917: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:24:34.397932: | flags: none (0x0) Aug 26 13:24:34.397934: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Aug 26 13:24:34.397939: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'informational exchange delete request' Aug 26 
13:24:34.397941: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Aug 26 13:24:34.397951: | ****emit IKEv2 Delete Payload: Aug 26 13:24:34.397953: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:24:34.397955: | flags: none (0x0) Aug 26 13:24:34.397956: | protocol ID: PROTO_v2_IKE (0x1) Aug 26 13:24:34.397958: | SPI size: 0 (0x0) Aug 26 13:24:34.397960: | number of SPIs: 0 (0x0) Aug 26 13:24:34.397962: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) Aug 26 13:24:34.397964: | next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'informational exchange delete request' Aug 26 13:24:34.397966: | emitting length of IKEv2 Delete Payload: 8 Aug 26 13:24:34.397968: | adding 1 bytes of padding (including 1 byte padding-length) Aug 26 13:24:34.397970: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:24:34.397972: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Aug 26 13:24:34.397974: | emitting length of IKEv2 Encryption Payload: 37 Aug 26 13:24:34.397976: | emitting length of ISAKMP Message: 65 Aug 26 13:24:34.397996: | sending 65 bytes for delete notification through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #1) Aug 26 13:24:34.397999: | be 09 7a a2 43 c3 23 61 1a 03 8f 34 26 a1 74 69 Aug 26 13:24:34.398000: | 2e 20 25 00 00 00 00 01 00 00 00 41 2a 00 00 25 Aug 26 13:24:34.398002: | 6f af d9 0c f8 cf c0 82 00 50 c0 63 8d 52 c4 22 Aug 26 13:24:34.398004: | 7d 27 37 87 47 96 01 2c e9 f9 75 74 a4 9b 0d c6 Aug 26 13:24:34.398005: | d6 Aug 26 13:24:34.398042: | Message ID: IKE #1 sender #1 in send_delete record 'n' sending delete request so forcing IKE nextuse=1->2 and sender msgid=0->1 Aug 26 13:24:34.398045: | Message ID: IKE #1 sender #1 in send_delete hacking around record ' send Aug 26 13:24:34.398048: | Message ID: #1 XXX: expecting 
sender.wip.initiator 0 == -1 - suspect record'n'send out-of-order?); initiator.sent=1 initiator.recv=-1 responder.sent=5 responder.recv=5 wip.initiator=1 wip.responder=-1 Aug 26 13:24:34.398052: | Message ID: sent #1 request 1; ike: initiator.sent=0->1 initiator.recv=-1 responder.sent=5 responder.recv=5 wip.initiator=0->1 wip.responder=-1 Aug 26 13:24:34.398054: | state #1 requesting EVENT_SA_REKEY to be deleted Aug 26 13:24:34.398061: | libevent_free: release ptr-libevent@0x56376176b5b8 Aug 26 13:24:34.398063: | free_event_entry: release EVENT_SA_REKEY-pe@0x563761766268 Aug 26 13:24:34.398067: | State DB: IKEv2 state not found (flush_incomplete_children) Aug 26 13:24:34.398069: | in connection_discard for connection east Aug 26 13:24:34.398071: | State DB: deleting IKEv2 state #1 in PARENT_R2 Aug 26 13:24:34.398073: | parent state #1: PARENT_R2(established IKE SA) => UNDEFINED(ignore) Aug 26 13:24:34.398088: | stop processing: state #1 from 192.1.2.45:500 (in delete_state() at state.c:1143) Aug 26 13:24:34.398115: | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312) Aug 26 13:24:34.398119: | shunt_eroute() called for connection 'east' to 'delete' for rt_kind 'unrouted' using protoports 0--0->-0 Aug 26 13:24:34.398121: | netlink_shunt_eroute for proto 0, and source port 0 dest port 0 Aug 26 13:24:34.398124: | priority calculation of connection "east" is 0xfe7e7 Aug 26 13:24:34.398150: | priority calculation of connection "east" is 0xfe7e7 Aug 26 13:24:34.398158: | FOR_EACH_CONNECTION_... 
in route_owner Aug 26 13:24:34.398160: | conn east mark 0/00000000, 0/00000000 vs Aug 26 13:24:34.398162: | conn east mark 0/00000000, 0/00000000 Aug 26 13:24:34.398165: | route owner of "east" unrouted: NULL Aug 26 13:24:34.398167: | running updown command "ipsec _updown" for verb unroute Aug 26 13:24:34.398169: | command executing unroute-client Aug 26 13:24:34.398187: | executing unroute-client: PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='east' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='@west' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0 Aug 26 13:24:34.398192: | popen cmd is 1012 chars long Aug 26 13:24:34.398194: | cmd( 0):PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='east' PLUTO_IN: Aug 26 13:24:34.398196: | cmd( 80):TERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@e: Aug 26 13:24:34.398198: | cmd( 160):ast' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLI: Aug 26 13:24:34.398200: | cmd( 240):ENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID=: Aug 26 13:24:34.398202: | cmd( 320):'16388' PLUTO_SA_TYPE='none' 
PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='@west' PLUTO: Aug 26 13:24:34.398203: | cmd( 400):_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_: Aug 26 13:24:34.398205: | cmd( 480):MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA=': Aug 26 13:24:34.398207: | cmd( 560):' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+P: Aug 26 13:24:34.398210: | cmd( 640):FS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT': Aug 26 13:24:34.398213: | cmd( 720): PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_: Aug 26 13:24:34.398216: | cmd( 800):DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' : Aug 26 13:24:34.398218: | cmd( 880):PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_S: Aug 26 13:24:34.398221: | cmd( 960):HARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec _updown 2>&1: Aug 26 13:24:34.406338: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:24:34.406370: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:24:34.406372: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:24:34.406375: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:24:34.406388: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:24:34.406392: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:24:34.406446: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:24:34.406453: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:24:34.406455: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:24:34.406457: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:24:34.406458: unroute-client output: Error: Peer netns reference is invalid. 
Aug 26 13:24:34.406461: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:24:34.406462: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:24:34.406465: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:24:34.406471: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:24:34.406481: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:24:34.406492: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:24:34.406501: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:24:34.406510: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:24:34.406519: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:24:34.406627: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:24:34.406637: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:24:34.406646: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:24:34.406656: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:24:34.410998: | free hp@0x563761766188 Aug 26 13:24:34.411011: | flush revival: connection 'east' wasn't on the list Aug 26 13:24:34.411014: | processing: STOP connection NULL (in discard_connection() at connections.c:249) Aug 26 13:24:34.411032: | crl fetch request list locked by 'free_crl_fetch' Aug 26 13:24:34.411034: | crl fetch request list unlocked by 'free_crl_fetch' Aug 26 13:24:34.411045: shutting down interface lo/lo 127.0.0.1:4500 Aug 26 13:24:34.411047: shutting down interface lo/lo 127.0.0.1:500 Aug 26 13:24:34.411049: shutting down interface eth0/eth0 192.0.2.254:4500 Aug 26 13:24:34.411051: shutting down interface eth0/eth0 192.0.2.254:500 Aug 26 13:24:34.411053: shutting down interface eth1/eth1 192.1.2.23:4500 Aug 26 13:24:34.411055: shutting down interface eth1/eth1 192.1.2.23:500 Aug 26 13:24:34.411059: | FOR_EACH_STATE_... 
in delete_states_dead_interfaces Aug 26 13:24:34.411068: | libevent_free: release ptr-libevent@0x563761757eb8 Aug 26 13:24:34.411070: | free_event_entry: release EVENT_NULL-pe@0x563761763a98 Aug 26 13:24:34.411080: | libevent_free: release ptr-libevent@0x5637616ece08 Aug 26 13:24:34.411082: | free_event_entry: release EVENT_NULL-pe@0x563761763b48 Aug 26 13:24:34.411088: | libevent_free: release ptr-libevent@0x5637616edea8 Aug 26 13:24:34.411090: | free_event_entry: release EVENT_NULL-pe@0x563761763bf8 Aug 26 13:24:34.411096: | libevent_free: release ptr-libevent@0x5637616eeaa8 Aug 26 13:24:34.411098: | free_event_entry: release EVENT_NULL-pe@0x563761763ca8 Aug 26 13:24:34.411104: | libevent_free: release ptr-libevent@0x5637616c7b78 Aug 26 13:24:34.411106: | free_event_entry: release EVENT_NULL-pe@0x563761763d58 Aug 26 13:24:34.411110: | libevent_free: release ptr-libevent@0x5637616c21d8 Aug 26 13:24:34.411112: | free_event_entry: release EVENT_NULL-pe@0x563761763e08 Aug 26 13:24:34.411116: | FOR_EACH_UNORIENTED_CONNECTION_... 
in check_orientations Aug 26 13:24:34.411520: | libevent_free: release ptr-libevent@0x563761757f68 Aug 26 13:24:34.411526: | free_event_entry: release EVENT_NULL-pe@0x56376174bdd8 Aug 26 13:24:34.411531: | libevent_free: release ptr-libevent@0x5637616ed578 Aug 26 13:24:34.411533: | free_event_entry: release EVENT_NULL-pe@0x56376174bd68 Aug 26 13:24:34.411536: | libevent_free: release ptr-libevent@0x56376172f688 Aug 26 13:24:34.411538: | free_event_entry: release EVENT_NULL-pe@0x56376174b228 Aug 26 13:24:34.411541: | global timer EVENT_REINIT_SECRET uninitialized Aug 26 13:24:34.411543: | global timer EVENT_SHUNT_SCAN uninitialized Aug 26 13:24:34.411545: | global timer EVENT_PENDING_DDNS uninitialized Aug 26 13:24:34.411546: | global timer EVENT_PENDING_PHASE2 uninitialized Aug 26 13:24:34.411548: | global timer EVENT_CHECK_CRLS uninitialized Aug 26 13:24:34.411550: | global timer EVENT_REVIVE_CONNS uninitialized Aug 26 13:24:34.411551: | global timer EVENT_FREE_ROOT_CERTS uninitialized Aug 26 13:24:34.411553: | global timer EVENT_RESET_LOG_RATE_LIMIT uninitialized Aug 26 13:24:34.411554: | global timer EVENT_NAT_T_KEEPALIVE uninitialized Aug 26 13:24:34.411559: | libevent_free: release ptr-libevent@0x5637616eb188 Aug 26 13:24:34.411561: | signal event handler PLUTO_SIGCHLD uninstalled Aug 26 13:24:34.411563: | libevent_free: release ptr-libevent@0x5637616eef38 Aug 26 13:24:34.411565: | signal event handler PLUTO_SIGTERM uninstalled Aug 26 13:24:34.411567: | libevent_free: release ptr-libevent@0x5637617632f8 Aug 26 13:24:34.411568: | signal event handler PLUTO_SIGHUP uninstalled Aug 26 13:24:34.411573: | libevent_free: release ptr-libevent@0x563761763538 Aug 26 13:24:34.411574: | signal event handler PLUTO_SIGSYS uninstalled Aug 26 13:24:34.411576: | releasing event base Aug 26 13:24:34.411585: | libevent_free: release ptr-libevent@0x563761763408 Aug 26 13:24:34.411587: | libevent_free: release ptr-libevent@0x563761746618 Aug 26 13:24:34.411590: | libevent_free: 
release ptr-libevent@0x5637617465c8 Aug 26 13:24:34.411592: | libevent_free: release ptr-libevent@0x7f6a140027d8 Aug 26 13:24:34.411595: | libevent_free: release ptr-libevent@0x563761746518 Aug 26 13:24:34.411597: | libevent_free: release ptr-libevent@0x5637617631b8 Aug 26 13:24:34.411599: | libevent_free: release ptr-libevent@0x563761763238 Aug 26 13:24:34.411600: | libevent_free: release ptr-libevent@0x5637617467c8 Aug 26 13:24:34.411602: | libevent_free: release ptr-libevent@0x56376174b338 Aug 26 13:24:34.411604: | libevent_free: release ptr-libevent@0x56376174bd28 Aug 26 13:24:34.411605: | libevent_free: release ptr-libevent@0x563761763e78 Aug 26 13:24:34.411607: | libevent_free: release ptr-libevent@0x563761763dc8 Aug 26 13:24:34.411608: | libevent_free: release ptr-libevent@0x563761763d18 Aug 26 13:24:34.411610: | libevent_free: release ptr-libevent@0x563761763c68 Aug 26 13:24:34.411612: | libevent_free: release ptr-libevent@0x563761763bb8 Aug 26 13:24:34.411613: | libevent_free: release ptr-libevent@0x563761763b08 Aug 26 13:24:34.411615: | libevent_free: release ptr-libevent@0x5637616ecee8 Aug 26 13:24:34.411617: | libevent_free: release ptr-libevent@0x5637617632b8 Aug 26 13:24:34.411618: | libevent_free: release ptr-libevent@0x563761763278 Aug 26 13:24:34.411620: | libevent_free: release ptr-libevent@0x5637617631f8 Aug 26 13:24:34.411622: | libevent_free: release ptr-libevent@0x5637617633c8 Aug 26 13:24:34.411623: | libevent_free: release ptr-libevent@0x5637616ea2b8 Aug 26 13:24:34.411625: | libevent_free: release ptr-libevent@0x5637616c1908 Aug 26 13:24:34.411627: | libevent_free: release ptr-libevent@0x5637616c1d38 Aug 26 13:24:34.411629: | libevent_free: release ptr-libevent@0x5637616ea628 Aug 26 13:24:34.411630: | releasing global libevent data Aug 26 13:24:34.411632: | libevent_free: release ptr-libevent@0x5637616c7158 Aug 26 13:24:34.411634: | libevent_free: release ptr-libevent@0x5637616c1cd8 Aug 26 13:24:34.411636: | libevent_free: release 
ptr-libevent@0x5637616c1dd8 Aug 26 13:24:34.411666: leak detective found no leaks