Aug 26 13:23:36.130588: FIPS Product: YES Aug 26 13:23:36.130676: FIPS Kernel: NO Aug 26 13:23:36.130680: FIPS Mode: NO Aug 26 13:23:36.130683: NSS DB directory: sql:/etc/ipsec.d Aug 26 13:23:36.130818: Initializing NSS Aug 26 13:23:36.130826: Opening NSS database "sql:/etc/ipsec.d" read-only Aug 26 13:23:36.153993: NSS initialized Aug 26 13:23:36.154003: NSS crypto library initialized Aug 26 13:23:36.154006: FIPS HMAC integrity support [enabled] Aug 26 13:23:36.154007: FIPS mode disabled for pluto daemon Aug 26 13:23:36.179644: FIPS HMAC integrity verification self-test FAILED Aug 26 13:23:36.179729: libcap-ng support [enabled] Aug 26 13:23:36.179737: Linux audit support [enabled] Aug 26 13:23:36.179767: Linux audit activated Aug 26 13:23:36.179770: Starting Pluto (Libreswan Version v3.28-685-gbfd5aef521-master-s2 XFRM(netkey) esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) DNSSEC FIPS_CHECK LABELED_IPSEC SECCOMP LIBCAP_NG LINUX_AUDIT XAUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:12974 Aug 26 13:23:36.179772: core dump dir: /tmp Aug 26 13:23:36.179774: secrets file: /etc/ipsec.secrets Aug 26 13:23:36.179775: leak-detective enabled Aug 26 13:23:36.179776: NSS crypto [enabled] Aug 26 13:23:36.179778: XAUTH PAM support [enabled] Aug 26 13:23:36.179836: | libevent is using pluto's memory allocator Aug 26 13:23:36.179844: Initializing libevent in pthreads mode: headers: 2.1.8-stable (2010800); library: 2.1.8-stable (2010800) Aug 26 13:23:36.179856: | libevent_malloc: new ptr-libevent@0x562136062f78 size 40 Aug 26 13:23:36.179859: | libevent_malloc: new ptr-libevent@0x56213605dcd8 size 40 Aug 26 13:23:36.179862: | libevent_malloc: new ptr-libevent@0x56213605ddd8 size 40 Aug 26 13:23:36.179863: | creating event base Aug 26 13:23:36.179865: | libevent_malloc: new ptr-libevent@0x5621360e2448 size 56 Aug 26 13:23:36.179869: | libevent_malloc: new ptr-libevent@0x562136086688 size 664 Aug 26 13:23:36.179877: | libevent_malloc: new ptr-libevent@0x5621360e24b8 size 
24 Aug 26 13:23:36.179879: | libevent_malloc: new ptr-libevent@0x5621360e2508 size 384 Aug 26 13:23:36.179886: | libevent_malloc: new ptr-libevent@0x5621360e2408 size 16 Aug 26 13:23:36.179888: | libevent_malloc: new ptr-libevent@0x56213605d908 size 40 Aug 26 13:23:36.179889: | libevent_malloc: new ptr-libevent@0x56213605dd38 size 48 Aug 26 13:23:36.179893: | libevent_realloc: new ptr-libevent@0x562136086318 size 256 Aug 26 13:23:36.179895: | libevent_malloc: new ptr-libevent@0x5621360e26b8 size 16 Aug 26 13:23:36.179899: | libevent_free: release ptr-libevent@0x5621360e2448 Aug 26 13:23:36.179902: | libevent initialized Aug 26 13:23:36.179904: | libevent_realloc: new ptr-libevent@0x5621360e2448 size 64 Aug 26 13:23:36.179907: | global periodic timer EVENT_RESET_LOG_RATE_LIMIT enabled with interval of 3600 seconds Aug 26 13:23:36.179917: | init_nat_traversal() initialized with keep_alive=0s Aug 26 13:23:36.179919: NAT-Traversal support [enabled] Aug 26 13:23:36.179921: | global one-shot timer EVENT_NAT_T_KEEPALIVE initialized Aug 26 13:23:36.179925: | global one-shot timer EVENT_FREE_ROOT_CERTS initialized Aug 26 13:23:36.179930: | global periodic timer EVENT_REINIT_SECRET enabled with interval of 3600 seconds Aug 26 13:23:36.179957: | global one-shot timer EVENT_REVIVE_CONNS initialized Aug 26 13:23:36.179959: | global periodic timer EVENT_PENDING_DDNS enabled with interval of 60 seconds Aug 26 13:23:36.179962: | global periodic timer EVENT_PENDING_PHASE2 enabled with interval of 120 seconds Aug 26 13:23:36.179994: Encryption algorithms: Aug 26 13:23:36.180000: AES_CCM_16 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm, aes_ccm_c Aug 26 13:23:36.180003: AES_CCM_12 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_b Aug 26 13:23:36.180005: AES_CCM_8 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_a Aug 26 13:23:36.180007: 3DES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS [*192] 3des Aug 26 13:23:36.180009: CAMELLIA_CTR IKEv1: ESP IKEv2: ESP {256,192,*128} Aug 26 
13:23:36.180016: CAMELLIA_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} camellia Aug 26 13:23:36.180019: AES_GCM_16 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm, aes_gcm_c Aug 26 13:23:36.180021: AES_GCM_12 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_b Aug 26 13:23:36.180023: AES_GCM_8 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_a Aug 26 13:23:36.180025: AES_CTR IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aesctr Aug 26 13:23:36.180027: AES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aes Aug 26 13:23:36.180030: SERPENT_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} serpent Aug 26 13:23:36.180032: TWOFISH_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} twofish Aug 26 13:23:36.180034: TWOFISH_SSH IKEv1: IKE IKEv2: IKE ESP {256,192,*128} twofish_cbc_ssh Aug 26 13:23:36.180036: NULL_AUTH_AES_GMAC IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_gmac Aug 26 13:23:36.180038: NULL IKEv1: ESP IKEv2: ESP [] Aug 26 13:23:36.180040: CHACHA20_POLY1305 IKEv1: IKEv2: IKE ESP [*256] chacha20poly1305 Aug 26 13:23:36.180045: Hash algorithms: Aug 26 13:23:36.180047: MD5 IKEv1: IKE IKEv2: Aug 26 13:23:36.180049: SHA1 IKEv1: IKE IKEv2: FIPS sha Aug 26 13:23:36.180051: SHA2_256 IKEv1: IKE IKEv2: FIPS sha2, sha256 Aug 26 13:23:36.180053: SHA2_384 IKEv1: IKE IKEv2: FIPS sha384 Aug 26 13:23:36.180054: SHA2_512 IKEv1: IKE IKEv2: FIPS sha512 Aug 26 13:23:36.180063: PRF algorithms: Aug 26 13:23:36.180065: HMAC_MD5 IKEv1: IKE IKEv2: IKE md5 Aug 26 13:23:36.180067: HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS sha, sha1 Aug 26 13:23:36.180069: HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS sha2, sha256, sha2_256 Aug 26 13:23:36.180071: HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS sha384, sha2_384 Aug 26 13:23:36.180073: HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS sha512, sha2_512 Aug 26 13:23:36.180075: AES_XCBC IKEv1: IKEv2: IKE aes128_xcbc Aug 26 13:23:36.180090: Integrity algorithms: Aug 26 13:23:36.180093: HMAC_MD5_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH md5, 
hmac_md5 Aug 26 13:23:36.180095: HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha, sha1, sha1_96, hmac_sha1 Aug 26 13:23:36.180097: HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha512, sha2_512, sha2_512_256, hmac_sha2_512 Aug 26 13:23:36.180100: HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha384, sha2_384, sha2_384_192, hmac_sha2_384 Aug 26 13:23:36.180102: HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256 Aug 26 13:23:36.180104: HMAC_SHA2_256_TRUNCBUG IKEv1: ESP AH IKEv2: AH Aug 26 13:23:36.180106: AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP AH aes_xcbc, aes128_xcbc, aes128_xcbc_96 Aug 26 13:23:36.180108: AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS aes_cmac Aug 26 13:23:36.180110: NONE IKEv1: ESP IKEv2: IKE ESP FIPS null Aug 26 13:23:36.180118: DH algorithms: Aug 26 13:23:36.180120: NONE IKEv1: IKEv2: IKE ESP AH FIPS null, dh0 Aug 26 13:23:36.180122: MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH dh5 Aug 26 13:23:36.180124: MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh14 Aug 26 13:23:36.180127: MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh15 Aug 26 13:23:36.180129: MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh16 Aug 26 13:23:36.180131: MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh17 Aug 26 13:23:36.180132: MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh18 Aug 26 13:23:36.180134: DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_256, ecp256 Aug 26 13:23:36.180136: DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_384, ecp384 Aug 26 13:23:36.180138: DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_521, ecp521 Aug 26 13:23:36.180140: DH31 IKEv1: IKE IKEv2: IKE ESP AH curve25519 Aug 26 13:23:36.180142: testing CAMELLIA_CBC: Aug 26 13:23:36.180144: Camellia: 16 bytes with 128-bit key Aug 26 13:23:36.180228: Camellia: 16 bytes with 128-bit key Aug 26 13:23:36.180247: Camellia: 16 bytes with 256-bit key Aug 26 13:23:36.180265: Camellia: 16 bytes with 256-bit key 
Aug 26 13:23:36.180282: testing AES_GCM_16: Aug 26 13:23:36.180284: empty string Aug 26 13:23:36.180329: one block Aug 26 13:23:36.180347: two blocks Aug 26 13:23:36.180378: two blocks with associated data Aug 26 13:23:36.180394: testing AES_CTR: Aug 26 13:23:36.180396: Encrypting 16 octets using AES-CTR with 128-bit key Aug 26 13:23:36.180412: Encrypting 32 octets using AES-CTR with 128-bit key Aug 26 13:23:36.180430: Encrypting 36 octets using AES-CTR with 128-bit key Aug 26 13:23:36.180448: Encrypting 16 octets using AES-CTR with 192-bit key Aug 26 13:23:36.180465: Encrypting 32 octets using AES-CTR with 192-bit key Aug 26 13:23:36.180481: Encrypting 36 octets using AES-CTR with 192-bit key Aug 26 13:23:36.180497: Encrypting 16 octets using AES-CTR with 256-bit key Aug 26 13:23:36.180513: Encrypting 32 octets using AES-CTR with 256-bit key Aug 26 13:23:36.180530: Encrypting 36 octets using AES-CTR with 256-bit key Aug 26 13:23:36.180547: testing AES_CBC: Aug 26 13:23:36.180549: Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key Aug 26 13:23:36.180565: Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key Aug 26 13:23:36.180582: Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key Aug 26 13:23:36.180599: Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key Aug 26 13:23:36.180619: testing AES_XCBC: Aug 26 13:23:36.180621: RFC 3566 Test Case #1: AES-XCBC-MAC-96 with 0-byte input Aug 26 13:23:36.180693: RFC 3566 Test Case #2: AES-XCBC-MAC-96 with 3-byte input Aug 26 13:23:36.180771: RFC 3566 Test Case #3: AES-XCBC-MAC-96 with 16-byte input Aug 26 13:23:36.180844: RFC 3566 Test Case #4: AES-XCBC-MAC-96 with 20-byte input Aug 26 13:23:36.180917: RFC 3566 Test Case #5: AES-XCBC-MAC-96 with 32-byte input Aug 26 13:23:36.180992: RFC 3566 Test Case #6: AES-XCBC-MAC-96 with 34-byte input Aug 26 13:23:36.181067: RFC 3566 Test Case #7: AES-XCBC-MAC-96 with 1000-byte input Aug 26 13:23:36.181232: RFC 4434 Test Case AES-XCBC-PRF-128 with 
20-byte input (key length 16) Aug 26 13:23:36.181336: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10) Aug 26 13:23:36.181432: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18) Aug 26 13:23:36.181571: testing HMAC_MD5: Aug 26 13:23:36.181574: RFC 2104: MD5_HMAC test 1 Aug 26 13:23:36.181675: RFC 2104: MD5_HMAC test 2 Aug 26 13:23:36.181765: RFC 2104: MD5_HMAC test 3 Aug 26 13:23:36.181882: 8 CPU cores online Aug 26 13:23:36.181885: starting up 7 crypto helpers Aug 26 13:23:36.181912: started thread for crypto helper 0 Aug 26 13:23:36.181929: started thread for crypto helper 1 Aug 26 13:23:36.181942: started thread for crypto helper 2 Aug 26 13:23:36.181945: | starting up helper thread 0 Aug 26 13:23:36.181956: started thread for crypto helper 3 Aug 26 13:23:36.181980: | starting up helper thread 3 Aug 26 13:23:36.182000: | status value returned by setting the priority of this thread (crypto helper 3) 22 Aug 26 13:23:36.181988: | starting up helper thread 2 Aug 26 13:23:36.182029: | status value returned by setting the priority of this thread (crypto helper 2) 22 Aug 26 13:23:36.182032: started thread for crypto helper 4 Aug 26 13:23:36.182052: | starting up helper thread 4 Aug 26 13:23:36.182006: | crypto helper 3 waiting (nothing to do) Aug 26 13:23:36.181985: | starting up helper thread 1 Aug 26 13:23:36.182068: | crypto helper 2 waiting (nothing to do) Aug 26 13:23:36.182070: started thread for crypto helper 5 Aug 26 13:23:36.182065: | status value returned by setting the priority of this thread (crypto helper 4) 22 Aug 26 13:23:36.182081: | crypto helper 4 waiting (nothing to do) Aug 26 13:23:36.182082: | starting up helper thread 5 Aug 26 13:23:36.182073: | status value returned by setting the priority of this thread (crypto helper 1) 22 Aug 26 13:23:36.182105: | status value returned by setting the priority of this thread (crypto helper 5) 22 Aug 26 13:23:36.182108: | crypto helper 5 waiting (nothing to do) Aug 26 
13:23:36.181982: | status value returned by setting the priority of this thread (crypto helper 0) 22 Aug 26 13:23:36.182103: started thread for crypto helper 6 Aug 26 13:23:36.182127: | crypto helper 1 waiting (nothing to do) Aug 26 13:23:36.182154: | checking IKEv1 state table Aug 26 13:23:36.182163: | crypto helper 0 waiting (nothing to do) Aug 26 13:23:36.182168: | MAIN_R0: category: half-open IKE SA flags: 0: Aug 26 13:23:36.182172: | -> MAIN_R1 EVENT_SO_DISCARD Aug 26 13:23:36.182174: | MAIN_I1: category: half-open IKE SA flags: 0: Aug 26 13:23:36.182177: | -> MAIN_I2 EVENT_RETRANSMIT Aug 26 13:23:36.182179: | MAIN_R1: category: open IKE SA flags: 200: Aug 26 13:23:36.182181: | -> MAIN_R2 EVENT_RETRANSMIT Aug 26 13:23:36.182184: | -> UNDEFINED EVENT_RETRANSMIT Aug 26 13:23:36.182186: | -> UNDEFINED EVENT_RETRANSMIT Aug 26 13:23:36.182188: | MAIN_I2: category: open IKE SA flags: 0: Aug 26 13:23:36.182191: | -> MAIN_I3 EVENT_RETRANSMIT Aug 26 13:23:36.182193: | -> UNDEFINED EVENT_RETRANSMIT Aug 26 13:23:36.182195: | -> UNDEFINED EVENT_RETRANSMIT Aug 26 13:23:36.182198: | MAIN_R2: category: open IKE SA flags: 0: Aug 26 13:23:36.182213: | -> MAIN_R3 EVENT_SA_REPLACE Aug 26 13:23:36.182215: | -> MAIN_R3 EVENT_SA_REPLACE Aug 26 13:23:36.182217: | -> UNDEFINED EVENT_SA_REPLACE Aug 26 13:23:36.182220: | MAIN_I3: category: open IKE SA flags: 0: Aug 26 13:23:36.182222: | -> MAIN_I4 EVENT_SA_REPLACE Aug 26 13:23:36.182224: | -> MAIN_I4 EVENT_SA_REPLACE Aug 26 13:23:36.182227: | -> UNDEFINED EVENT_SA_REPLACE Aug 26 13:23:36.182230: | MAIN_R3: category: established IKE SA flags: 200: Aug 26 13:23:36.182232: | -> UNDEFINED EVENT_NULL Aug 26 13:23:36.182235: | MAIN_I4: category: established IKE SA flags: 0: Aug 26 13:23:36.182237: | -> UNDEFINED EVENT_NULL Aug 26 13:23:36.182239: | AGGR_R0: category: half-open IKE SA flags: 0: Aug 26 13:23:36.182242: | -> AGGR_R1 EVENT_SO_DISCARD Aug 26 13:23:36.182244: | AGGR_I1: category: half-open IKE SA flags: 0: Aug 26 13:23:36.182247: 
| -> AGGR_I2 EVENT_SA_REPLACE Aug 26 13:23:36.182249: | -> AGGR_I2 EVENT_SA_REPLACE Aug 26 13:23:36.182251: | AGGR_R1: category: open IKE SA flags: 200: Aug 26 13:23:36.182253: | -> AGGR_R2 EVENT_SA_REPLACE Aug 26 13:23:36.182256: | -> AGGR_R2 EVENT_SA_REPLACE Aug 26 13:23:36.182258: | AGGR_I2: category: established IKE SA flags: 200: Aug 26 13:23:36.182261: | -> UNDEFINED EVENT_NULL Aug 26 13:23:36.182263: | AGGR_R2: category: established IKE SA flags: 0: Aug 26 13:23:36.182265: | -> UNDEFINED EVENT_NULL Aug 26 13:23:36.182268: | QUICK_R0: category: established CHILD SA flags: 0: Aug 26 13:23:36.182271: | -> QUICK_R1 EVENT_RETRANSMIT Aug 26 13:23:36.182273: | QUICK_I1: category: established CHILD SA flags: 0: Aug 26 13:23:36.182276: | -> QUICK_I2 EVENT_SA_REPLACE Aug 26 13:23:36.182278: | QUICK_R1: category: established CHILD SA flags: 0: Aug 26 13:23:36.182284: | -> QUICK_R2 EVENT_SA_REPLACE Aug 26 13:23:36.182285: | starting up helper thread 6 Aug 26 13:23:36.182293: | QUICK_I2: category: established CHILD SA flags: 200: Aug 26 13:23:36.182304: | status value returned by setting the priority of this thread (crypto helper 6) 22 Aug 26 13:23:36.182307: | -> UNDEFINED EVENT_NULL Aug 26 13:23:36.182308: | crypto helper 6 waiting (nothing to do) Aug 26 13:23:36.182313: | QUICK_R2: category: established CHILD SA flags: 0: Aug 26 13:23:36.182332: | -> UNDEFINED EVENT_NULL Aug 26 13:23:36.182335: | INFO: category: informational flags: 0: Aug 26 13:23:36.182336: | -> UNDEFINED EVENT_NULL Aug 26 13:23:36.182338: | INFO_PROTECTED: category: informational flags: 0: Aug 26 13:23:36.182339: | -> UNDEFINED EVENT_NULL Aug 26 13:23:36.182341: | XAUTH_R0: category: established IKE SA flags: 0: Aug 26 13:23:36.182343: | -> XAUTH_R1 EVENT_NULL Aug 26 13:23:36.182344: | XAUTH_R1: category: established IKE SA flags: 0: Aug 26 13:23:36.182346: | -> MAIN_R3 EVENT_SA_REPLACE Aug 26 13:23:36.182348: | MODE_CFG_R0: category: informational flags: 0: Aug 26 13:23:36.182349: | -> MODE_CFG_R1 
EVENT_SA_REPLACE Aug 26 13:23:36.182351: | MODE_CFG_R1: category: established IKE SA flags: 0: Aug 26 13:23:36.182352: | -> MODE_CFG_R2 EVENT_SA_REPLACE Aug 26 13:23:36.182354: | MODE_CFG_R2: category: established IKE SA flags: 0: Aug 26 13:23:36.182356: | -> UNDEFINED EVENT_NULL Aug 26 13:23:36.182357: | MODE_CFG_I1: category: established IKE SA flags: 0: Aug 26 13:23:36.182359: | -> MAIN_I4 EVENT_SA_REPLACE Aug 26 13:23:36.182361: | XAUTH_I0: category: established IKE SA flags: 0: Aug 26 13:23:36.182362: | -> XAUTH_I1 EVENT_RETRANSMIT Aug 26 13:23:36.182364: | XAUTH_I1: category: established IKE SA flags: 0: Aug 26 13:23:36.182365: | -> MAIN_I4 EVENT_RETRANSMIT Aug 26 13:23:36.182370: | checking IKEv2 state table Aug 26 13:23:36.182374: | PARENT_I0: category: ignore flags: 0: Aug 26 13:23:36.182376: | -> PARENT_I1 EVENT_RETRANSMIT send-request (initiate IKE_SA_INIT) Aug 26 13:23:36.182378: | PARENT_I1: category: half-open IKE SA flags: 0: Aug 26 13:23:36.182380: | -> PARENT_I1 EVENT_RETAIN send-request (Initiator: process SA_INIT reply notification) Aug 26 13:23:36.182382: | -> PARENT_I2 EVENT_RETRANSMIT send-request (Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH) Aug 26 13:23:36.182384: | PARENT_I2: category: open IKE SA flags: 0: Aug 26 13:23:36.182386: | -> PARENT_I2 EVENT_NULL (Initiator: process INVALID_SYNTAX AUTH notification) Aug 26 13:23:36.182388: | -> PARENT_I2 EVENT_NULL (Initiator: process AUTHENTICATION_FAILED AUTH notification) Aug 26 13:23:36.182389: | -> PARENT_I2 EVENT_NULL (Initiator: process UNSUPPORTED_CRITICAL_PAYLOAD AUTH notification) Aug 26 13:23:36.182391: | -> V2_IPSEC_I EVENT_SA_REPLACE (Initiator: process IKE_AUTH response) Aug 26 13:23:36.182393: | -> PARENT_I2 EVENT_NULL (IKE SA: process IKE_AUTH response containing unknown notification) Aug 26 13:23:36.182395: | PARENT_I3: category: established IKE SA flags: 0: Aug 26 13:23:36.182396: | -> PARENT_I3 EVENT_RETAIN (I3: Informational Request) Aug 26 13:23:36.182398: | -> 
PARENT_I3 EVENT_RETAIN (I3: Informational Response) Aug 26 13:23:36.182400: | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Request) Aug 26 13:23:36.182401: | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Response) Aug 26 13:23:36.182403: | PARENT_R0: category: half-open IKE SA flags: 0: Aug 26 13:23:36.182405: | -> PARENT_R1 EVENT_SO_DISCARD send-request (Respond to IKE_SA_INIT) Aug 26 13:23:36.182407: | PARENT_R1: category: half-open IKE SA flags: 0: Aug 26 13:23:36.182408: | -> PARENT_R1 EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request (no SKEYSEED)) Aug 26 13:23:36.182410: | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request) Aug 26 13:23:36.182412: | PARENT_R2: category: established IKE SA flags: 0: Aug 26 13:23:36.182413: | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Request) Aug 26 13:23:36.182417: | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Response) Aug 26 13:23:36.182419: | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Request) Aug 26 13:23:36.182421: | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Response) Aug 26 13:23:36.182423: | V2_CREATE_I0: category: established IKE SA flags: 0: Aug 26 13:23:36.182424: | -> V2_CREATE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec SA) Aug 26 13:23:36.182426: | V2_CREATE_I: category: established IKE SA flags: 0: Aug 26 13:23:36.182428: | -> V2_IPSEC_I EVENT_SA_REPLACE (Process CREATE_CHILD_SA IPsec SA Response) Aug 26 13:23:36.182430: | V2_REKEY_IKE_I0: category: established IKE SA flags: 0: Aug 26 13:23:36.182431: | -> V2_REKEY_IKE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IKE Rekey) Aug 26 13:23:36.182433: | V2_REKEY_IKE_I: category: established IKE SA flags: 0: Aug 26 13:23:36.182435: | -> PARENT_I3 EVENT_SA_REPLACE (Process CREATE_CHILD_SA IKE Rekey Response) Aug 26 13:23:36.182437: | V2_REKEY_CHILD_I0: category: established IKE SA flags: 0: Aug 26 13:23:36.182439: | -> V2_REKEY_CHILD_I 
EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec Rekey SA) Aug 26 13:23:36.182440: | V2_REKEY_CHILD_I: category: established IKE SA flags: 0: Aug 26 13:23:36.182442: | V2_CREATE_R: category: established IKE SA flags: 0: Aug 26 13:23:36.182444: | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IPsec SA Request) Aug 26 13:23:36.182446: | V2_REKEY_IKE_R: category: established IKE SA flags: 0: Aug 26 13:23:36.182447: | -> PARENT_R2 EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IKE Rekey) Aug 26 13:23:36.182449: | V2_REKEY_CHILD_R: category: established IKE SA flags: 0: Aug 26 13:23:36.182451: | V2_IPSEC_I: category: established CHILD SA flags: 0: Aug 26 13:23:36.182453: | V2_IPSEC_R: category: established CHILD SA flags: 0: Aug 26 13:23:36.182455: | IKESA_DEL: category: established IKE SA flags: 0: Aug 26 13:23:36.182456: | -> IKESA_DEL EVENT_RETAIN (IKE_SA_DEL: process INFORMATIONAL) Aug 26 13:23:36.182458: | CHILDSA_DEL: category: informational flags: 0: Aug 26 13:23:36.182466: Using Linux XFRM/NETKEY IPsec interface code on 5.1.18-200.fc29.x86_64 Aug 26 13:23:36.182502: | Hard-wiring algorithms Aug 26 13:23:36.182504: | adding AES_CCM_16 to kernel algorithm db Aug 26 13:23:36.182507: | adding AES_CCM_12 to kernel algorithm db Aug 26 13:23:36.182509: | adding AES_CCM_8 to kernel algorithm db Aug 26 13:23:36.182510: | adding 3DES_CBC to kernel algorithm db Aug 26 13:23:36.182512: | adding CAMELLIA_CBC to kernel algorithm db Aug 26 13:23:36.182514: | adding AES_GCM_16 to kernel algorithm db Aug 26 13:23:36.182515: | adding AES_GCM_12 to kernel algorithm db Aug 26 13:23:36.182517: | adding AES_GCM_8 to kernel algorithm db Aug 26 13:23:36.182519: | adding AES_CTR to kernel algorithm db Aug 26 13:23:36.182520: | adding AES_CBC to kernel algorithm db Aug 26 13:23:36.182522: | adding SERPENT_CBC to kernel algorithm db Aug 26 13:23:36.182523: | adding TWOFISH_CBC to kernel algorithm db Aug 26 13:23:36.182525: | adding 
NULL_AUTH_AES_GMAC to kernel algorithm db Aug 26 13:23:36.182527: | adding NULL to kernel algorithm db Aug 26 13:23:36.182529: | adding CHACHA20_POLY1305 to kernel algorithm db Aug 26 13:23:36.182530: | adding HMAC_MD5_96 to kernel algorithm db Aug 26 13:23:36.182532: | adding HMAC_SHA1_96 to kernel algorithm db Aug 26 13:23:36.182534: | adding HMAC_SHA2_512_256 to kernel algorithm db Aug 26 13:23:36.182535: | adding HMAC_SHA2_384_192 to kernel algorithm db Aug 26 13:23:36.182537: | adding HMAC_SHA2_256_128 to kernel algorithm db Aug 26 13:23:36.182538: | adding HMAC_SHA2_256_TRUNCBUG to kernel algorithm db Aug 26 13:23:36.182540: | adding AES_XCBC_96 to kernel algorithm db Aug 26 13:23:36.182541: | adding AES_CMAC_96 to kernel algorithm db Aug 26 13:23:36.182543: | adding NONE to kernel algorithm db Aug 26 13:23:36.182560: | net.ipv6.conf.all.disable_ipv6=1 ignore ipv6 holes Aug 26 13:23:36.182564: | global periodic timer EVENT_SHUNT_SCAN enabled with interval of 20 seconds Aug 26 13:23:36.182565: | setup kernel fd callback Aug 26 13:23:36.182568: | add_fd_read_event_handler: new KERNEL_XRM_FD-pe@0x5621360e7058 Aug 26 13:23:36.182571: | libevent_malloc: new ptr-libevent@0x5621360cb5b8 size 128 Aug 26 13:23:36.182573: | libevent_malloc: new ptr-libevent@0x5621360e7168 size 16 Aug 26 13:23:36.182577: | add_fd_read_event_handler: new KERNEL_ROUTE_FD-pe@0x5621360e7b98 Aug 26 13:23:36.182580: | libevent_malloc: new ptr-libevent@0x562136089688 size 128 Aug 26 13:23:36.182581: | libevent_malloc: new ptr-libevent@0x5621360e7b58 size 16 Aug 26 13:23:36.182717: | global one-shot timer EVENT_CHECK_CRLS initialized Aug 26 13:23:36.182723: selinux support is enabled. 
Aug 26 13:23:36.182896: | unbound context created - setting debug level to 5 Aug 26 13:23:36.182914: | /etc/hosts lookups activated Aug 26 13:23:36.182922: | /etc/resolv.conf usage activated Aug 26 13:23:36.182958: | outgoing-port-avoid set 0-65535 Aug 26 13:23:36.182975: | outgoing-port-permit set 32768-60999 Aug 26 13:23:36.182977: | Loading dnssec root key from:/var/lib/unbound/root.key Aug 26 13:23:36.182979: | No additional dnssec trust anchors defined via dnssec-trusted= option Aug 26 13:23:36.182981: | Setting up events, loop start Aug 26 13:23:36.182983: | add_fd_read_event_handler: new PLUTO_CTL_FD-pe@0x5621360e7c08 Aug 26 13:23:36.182985: | libevent_malloc: new ptr-libevent@0x5621360f3e98 size 128 Aug 26 13:23:36.182987: | libevent_malloc: new ptr-libevent@0x5621360ff168 size 16 Aug 26 13:23:36.182991: | libevent_realloc: new ptr-libevent@0x5621360ff1a8 size 256 Aug 26 13:23:36.182993: | libevent_malloc: new ptr-libevent@0x5621360ff2d8 size 8 Aug 26 13:23:36.182995: | libevent_realloc: new ptr-libevent@0x562136059918 size 144 Aug 26 13:23:36.182997: | libevent_malloc: new ptr-libevent@0x5621360871e8 size 152 Aug 26 13:23:36.182999: | libevent_malloc: new ptr-libevent@0x5621360ff318 size 16 Aug 26 13:23:36.183002: | signal event handler PLUTO_SIGCHLD installed Aug 26 13:23:36.183004: | libevent_malloc: new ptr-libevent@0x5621360ff358 size 8 Aug 26 13:23:36.183007: | libevent_malloc: new ptr-libevent@0x56213608aeb8 size 152 Aug 26 13:23:36.183009: | signal event handler PLUTO_SIGTERM installed Aug 26 13:23:36.183011: | libevent_malloc: new ptr-libevent@0x5621360ff398 size 8 Aug 26 13:23:36.183012: | libevent_malloc: new ptr-libevent@0x5621360ff3d8 size 152 Aug 26 13:23:36.183014: | signal event handler PLUTO_SIGHUP installed Aug 26 13:23:36.183016: | libevent_malloc: new ptr-libevent@0x5621360ff4a8 size 8 Aug 26 13:23:36.183018: | libevent_realloc: release ptr-libevent@0x562136059918 Aug 26 13:23:36.183020: | libevent_realloc: new 
ptr-libevent@0x5621360ff4e8 size 256 Aug 26 13:23:36.183021: | libevent_malloc: new ptr-libevent@0x5621360ff618 size 152 Aug 26 13:23:36.183023: | signal event handler PLUTO_SIGSYS installed Aug 26 13:23:36.183252: | created addconn helper (pid:13001) using fork+execve Aug 26 13:23:36.183269: | forked child 13001 Aug 26 13:23:36.187107: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 13:23:36.187126: listening for IKE messages Aug 26 13:23:36.187155: | Inspecting interface lo Aug 26 13:23:36.187161: | found lo with address 127.0.0.1 Aug 26 13:23:36.187163: | Inspecting interface eth0 Aug 26 13:23:36.187166: | found eth0 with address 192.0.2.254 Aug 26 13:23:36.187168: | Inspecting interface eth1 Aug 26 13:23:36.187170: | found eth1 with address 192.1.2.23 Aug 26 13:23:36.187234: Kernel supports NIC esp-hw-offload Aug 26 13:23:36.187242: adding interface eth1/eth1 (esp-hw-offload not supported by kernel) 192.1.2.23:500 Aug 26 13:23:36.187258: | NAT-Traversal: Trying sockopt style NAT-T Aug 26 13:23:36.187261: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 Aug 26 13:23:36.187264: adding interface eth1/eth1 192.1.2.23:4500 Aug 26 13:23:36.187286: adding interface eth0/eth0 (esp-hw-offload not supported by kernel) 192.0.2.254:500 Aug 26 13:23:36.187338: | NAT-Traversal: Trying sockopt style NAT-T Aug 26 13:23:36.187343: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 Aug 26 13:23:36.187346: adding interface eth0/eth0 192.0.2.254:4500 Aug 26 13:23:36.187363: adding interface lo/lo (esp-hw-offload not supported by kernel) 127.0.0.1:500 Aug 26 13:23:36.187378: | NAT-Traversal: Trying sockopt style NAT-T Aug 26 13:23:36.187381: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 Aug 26 13:23:36.187383: adding interface lo/lo 127.0.0.1:4500 Aug 26 13:23:36.187423: | no interfaces to sort Aug 26 
13:23:36.187426: | FOR_EACH_UNORIENTED_CONNECTION_... in check_orientations Aug 26 13:23:36.187431: | add_fd_read_event_handler: new ethX-pe@0x5621360ffae8 Aug 26 13:23:36.187434: | libevent_malloc: new ptr-libevent@0x5621360f3de8 size 128 Aug 26 13:23:36.187436: | libevent_malloc: new ptr-libevent@0x5621360ffb58 size 16 Aug 26 13:23:36.187442: | setup callback for interface lo 127.0.0.1:4500 fd 22 Aug 26 13:23:36.187444: | add_fd_read_event_handler: new ethX-pe@0x5621360ffb98 Aug 26 13:23:36.187446: | libevent_malloc: new ptr-libevent@0x562136088e68 size 128 Aug 26 13:23:36.187448: | libevent_malloc: new ptr-libevent@0x5621360ffc08 size 16 Aug 26 13:23:36.187451: | setup callback for interface lo 127.0.0.1:500 fd 21 Aug 26 13:23:36.187453: | add_fd_read_event_handler: new ethX-pe@0x5621360ffc48 Aug 26 13:23:36.187455: | libevent_malloc: new ptr-libevent@0x562136089f08 size 128 Aug 26 13:23:36.187456: | libevent_malloc: new ptr-libevent@0x5621360ffcb8 size 16 Aug 26 13:23:36.187459: | setup callback for interface eth0 192.0.2.254:4500 fd 20 Aug 26 13:23:36.187461: | add_fd_read_event_handler: new ethX-pe@0x5621360ffcf8 Aug 26 13:23:36.187464: | libevent_malloc: new ptr-libevent@0x56213608aa28 size 128 Aug 26 13:23:36.187465: | libevent_malloc: new ptr-libevent@0x5621360ffd68 size 16 Aug 26 13:23:36.187468: | setup callback for interface eth0 192.0.2.254:500 fd 19 Aug 26 13:23:36.187470: | add_fd_read_event_handler: new ethX-pe@0x5621360ffda8 Aug 26 13:23:36.187473: | libevent_malloc: new ptr-libevent@0x56213605e4e8 size 128 Aug 26 13:23:36.187474: | libevent_malloc: new ptr-libevent@0x5621360ffe18 size 16 Aug 26 13:23:36.187477: | setup callback for interface eth1 192.1.2.23:4500 fd 18 Aug 26 13:23:36.187479: | add_fd_read_event_handler: new ethX-pe@0x5621360ffe58 Aug 26 13:23:36.187481: | libevent_malloc: new ptr-libevent@0x56213605e1d8 size 128 Aug 26 13:23:36.187483: | libevent_malloc: new ptr-libevent@0x5621360ffec8 size 16 Aug 26 13:23:36.187486: | setup 
callback for interface eth1 192.1.2.23:500 fd 17 Aug 26 13:23:36.187489: | certs and keys locked by 'free_preshared_secrets' Aug 26 13:23:36.187490: | certs and keys unlocked by 'free_preshared_secrets' Aug 26 13:23:36.187504: loading secrets from "/etc/ipsec.secrets" Aug 26 13:23:36.187514: | id type added to secret(0x562136059b58) PKK_PSK: @west Aug 26 13:23:36.187516: | id type added to secret(0x562136059b58) PKK_PSK: @east Aug 26 13:23:36.187519: | Processing PSK at line 1: passed Aug 26 13:23:36.187521: | certs and keys locked by 'process_secret' Aug 26 13:23:36.187523: | certs and keys unlocked by 'process_secret' Aug 26 13:23:36.187533: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 13:23:36.187540: | spent 0.437 milliseconds in whack Aug 26 13:23:36.200986: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 13:23:36.201003: listening for IKE messages Aug 26 13:23:36.201027: | Inspecting interface lo Aug 26 13:23:36.201032: | found lo with address 127.0.0.1 Aug 26 13:23:36.201034: | Inspecting interface eth0 Aug 26 13:23:36.201037: | found eth0 with address 192.0.2.254 Aug 26 13:23:36.201038: | Inspecting interface eth1 Aug 26 13:23:36.201041: | found eth1 with address 192.1.2.23 Aug 26 13:23:36.201077: | no interfaces to sort Aug 26 13:23:36.201087: | libevent_free: release ptr-libevent@0x5621360f3de8 Aug 26 13:23:36.201090: | free_event_entry: release EVENT_NULL-pe@0x5621360ffae8 Aug 26 13:23:36.201092: | add_fd_read_event_handler: new ethX-pe@0x5621360ffae8 Aug 26 13:23:36.201094: | libevent_malloc: new ptr-libevent@0x5621360f3de8 size 128 Aug 26 13:23:36.201098: | setup callback for interface lo 127.0.0.1:4500 fd 22 Aug 26 13:23:36.201101: | libevent_free: release ptr-libevent@0x562136088e68 Aug 26 13:23:36.201103: | free_event_entry: release EVENT_NULL-pe@0x5621360ffb98 Aug 26 13:23:36.201105: | add_fd_read_event_handler: new ethX-pe@0x5621360ffb98 Aug 26 
13:23:36.201106: | libevent_malloc: new ptr-libevent@0x562136088e68 size 128 Aug 26 13:23:36.201109: | setup callback for interface lo 127.0.0.1:500 fd 21 Aug 26 13:23:36.201112: | libevent_free: release ptr-libevent@0x562136089f08 Aug 26 13:23:36.201114: | free_event_entry: release EVENT_NULL-pe@0x5621360ffc48 Aug 26 13:23:36.201115: | add_fd_read_event_handler: new ethX-pe@0x5621360ffc48 Aug 26 13:23:36.201117: | libevent_malloc: new ptr-libevent@0x562136089f08 size 128 Aug 26 13:23:36.201120: | setup callback for interface eth0 192.0.2.254:4500 fd 20 Aug 26 13:23:36.201122: | libevent_free: release ptr-libevent@0x56213608aa28 Aug 26 13:23:36.201124: | free_event_entry: release EVENT_NULL-pe@0x5621360ffcf8 Aug 26 13:23:36.201126: | add_fd_read_event_handler: new ethX-pe@0x5621360ffcf8 Aug 26 13:23:36.201128: | libevent_malloc: new ptr-libevent@0x56213608aa28 size 128 Aug 26 13:23:36.201130: | setup callback for interface eth0 192.0.2.254:500 fd 19 Aug 26 13:23:36.201133: | libevent_free: release ptr-libevent@0x56213605e4e8 Aug 26 13:23:36.201135: | free_event_entry: release EVENT_NULL-pe@0x5621360ffda8 Aug 26 13:23:36.201136: | add_fd_read_event_handler: new ethX-pe@0x5621360ffda8 Aug 26 13:23:36.201138: | libevent_malloc: new ptr-libevent@0x56213605e4e8 size 128 Aug 26 13:23:36.201141: | setup callback for interface eth1 192.1.2.23:4500 fd 18 Aug 26 13:23:36.201143: | libevent_free: release ptr-libevent@0x56213605e1d8 Aug 26 13:23:36.201145: | free_event_entry: release EVENT_NULL-pe@0x5621360ffe58 Aug 26 13:23:36.201147: | add_fd_read_event_handler: new ethX-pe@0x5621360ffe58 Aug 26 13:23:36.201148: | libevent_malloc: new ptr-libevent@0x56213605e1d8 size 128 Aug 26 13:23:36.201151: | setup callback for interface eth1 192.1.2.23:500 fd 17 Aug 26 13:23:36.201153: | certs and keys locked by 'free_preshared_secrets' Aug 26 13:23:36.201155: forgetting secrets Aug 26 13:23:36.201160: | certs and keys unlocked by 'free_preshared_secrets' Aug 26 13:23:36.201170: loading 
secrets from "/etc/ipsec.secrets" Aug 26 13:23:36.201176: | id type added to secret(0x562136059b58) PKK_PSK: @west Aug 26 13:23:36.201178: | id type added to secret(0x562136059b58) PKK_PSK: @east Aug 26 13:23:36.201181: | Processing PSK at line 1: passed Aug 26 13:23:36.201183: | certs and keys locked by 'process_secret' Aug 26 13:23:36.201184: | certs and keys unlocked by 'process_secret' Aug 26 13:23:36.201191: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 13:23:36.201195: | spent 0.215 milliseconds in whack Aug 26 13:23:36.201542: | processing signal PLUTO_SIGCHLD Aug 26 13:23:36.201555: | waitpid returned pid 13001 (exited with status 0) Aug 26 13:23:36.201559: | reaped addconn helper child (status 0) Aug 26 13:23:36.201563: | waitpid returned ECHILD (no child processes left) Aug 26 13:23:36.201567: | spent 0.0142 milliseconds in signal handler PLUTO_SIGCHLD Aug 26 13:23:36.263368: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 13:23:36.263390: | FOR_EACH_CONNECTION_... in conn_by_name Aug 26 13:23:36.263393: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias Aug 26 13:23:36.263394: | FOR_EACH_CONNECTION_... in conn_by_name Aug 26 13:23:36.263396: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias Aug 26 13:23:36.263399: | FOR_EACH_CONNECTION_... 
in conn_by_name Aug 26 13:23:36.263405: | Added new connection east with policy PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO Aug 26 13:23:36.263449: | ike (phase1) algorithm values: AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 Aug 26 13:23:36.263451: | from whack: got --esp= Aug 26 13:23:36.263490: | ESP/AH string values: AES_GCM_16_256-NONE, AES_GCM_16_128-NONE, AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128, AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128 Aug 26 13:23:36.263496: | counting wild cards for @west is 0 Aug 26 13:23:36.263500: | counting wild cards for @east is 0 Aug 26 13:23:36.263511: | connect_to_host_pair: 192.1.2.23:500 192.1.2.45:500 -> hp@(nil): none Aug 26 13:23:36.263514: | new hp@0x562136102248 Aug 26 13:23:36.263518: added connection description "east" Aug 26 13:23:36.263528: | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 5s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO Aug 26 13:23:36.263539: | 192.0.2.0/24===192.1.2.23<192.1.2.23>[@east]...192.1.2.45<192.1.2.45>[@west]===192.0.1.0/24 Aug 26 13:23:36.263547: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 13:23:36.263555: | spent 0.206 milliseconds in whack Aug 26 13:23:36.263618: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 13:23:36.263641: add keyid @west
Aug 26 13:23:36.263726: | computed rsa CKAID b4 9f 1a ac 9e 45 6e 79 29 c8 81 97 3a 0c 6a d3 Aug 26 13:23:36.263730: | computed rsa CKAID 7f 0f 03 50 Aug 26 13:23:36.263743: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 13:23:36.263749: | spent 0.136 milliseconds in whack Aug 26 13:23:36.263808: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 13:23:36.263820: add keyid @east
Aug 26 13:23:36.263885: | computed rsa CKAID 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1 Aug 26 13:23:36.263888: | computed rsa CKAID 8a 82 25 f1 Aug 26 13:23:36.263899: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 13:23:36.263905: | spent 0.101 milliseconds in whack Aug 26 13:23:37.451180: | spent 0.00248 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Aug 26 13:23:37.451208: | *received 828 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500)
Aug 26 13:23:37.451343: | start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) Aug 26 13:23:37.451346: | **parse ISAKMP Message: Aug 26 13:23:37.451348: | initiator cookie: Aug 26 13:23:37.451350: | 34 f5 76 a9 3e 8c 98 bc Aug 26 13:23:37.451351: | responder cookie: Aug 26 13:23:37.451353: | 00 00 00 00 00 00 00 00 Aug 26 13:23:37.451355: | next payload type:
ISAKMP_NEXT_v2SA (0x21) Aug 26 13:23:37.451357: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:23:37.451358: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) Aug 26 13:23:37.451360: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Aug 26 13:23:37.451362: | Message ID: 0 (0x0) Aug 26 13:23:37.451364: | length: 828 (0x33c) Aug 26 13:23:37.451366: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_SA_INIT (34) Aug 26 13:23:37.451371: | I am the IKE SA Original Responder receiving an IKEv2 IKE_SA_INIT request Aug 26 13:23:37.451373: | State DB: IKEv2 state not found (find_v2_ike_sa_by_initiator_spi) Aug 26 13:23:37.451375: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Aug 26 13:23:37.451378: | ***parse IKEv2 Security Association Payload: Aug 26 13:23:37.451380: | next payload type: ISAKMP_NEXT_v2KE (0x22) Aug 26 13:23:37.451381: | flags: none (0x0) Aug 26 13:23:37.451383: | length: 436 (0x1b4) Aug 26 13:23:37.451384: | processing payload: ISAKMP_NEXT_v2SA (len=432) Aug 26 13:23:37.451386: | Now let's proceed with payload (ISAKMP_NEXT_v2KE) Aug 26 13:23:37.451388: | ***parse IKEv2 Key Exchange Payload: Aug 26 13:23:37.451390: | next payload type: ISAKMP_NEXT_v2Ni (0x28) Aug 26 13:23:37.451391: | flags: none (0x0) Aug 26 13:23:37.451393: | length: 264 (0x108) Aug 26 13:23:37.451394: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:23:37.451396: | processing payload: ISAKMP_NEXT_v2KE (len=256) Aug 26 13:23:37.451397: | Now let's proceed with payload (ISAKMP_NEXT_v2Ni) Aug 26 13:23:37.451399: | ***parse IKEv2 Nonce Payload: Aug 26 13:23:37.451401: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 13:23:37.451402: | flags: none (0x0) Aug 26 13:23:37.451404: | length: 36 (0x24) Aug 26 13:23:37.451405: | processing payload: ISAKMP_NEXT_v2Ni (len=32) Aug 26 13:23:37.451407: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Aug 26 13:23:37.451409: | ***parse IKEv2 Notify Payload: Aug 26 13:23:37.451412: | next payload type: ISAKMP_NEXT_v2N 
(0x29) Aug 26 13:23:37.451414: | flags: none (0x0) Aug 26 13:23:37.451415: | length: 8 (0x8) Aug 26 13:23:37.451417: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:23:37.451419: | SPI size: 0 (0x0) Aug 26 13:23:37.451421: | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) Aug 26 13:23:37.451422: | processing payload: ISAKMP_NEXT_v2N (len=0) Aug 26 13:23:37.451424: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Aug 26 13:23:37.451425: | ***parse IKEv2 Notify Payload: Aug 26 13:23:37.451427: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 13:23:37.451428: | flags: none (0x0) Aug 26 13:23:37.451430: | length: 28 (0x1c) Aug 26 13:23:37.451431: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:23:37.451433: | SPI size: 0 (0x0) Aug 26 13:23:37.451435: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Aug 26 13:23:37.451436: | processing payload: ISAKMP_NEXT_v2N (len=20) Aug 26 13:23:37.451438: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Aug 26 13:23:37.451439: | ***parse IKEv2 Notify Payload: Aug 26 13:23:37.451441: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:23:37.451442: | flags: none (0x0) Aug 26 13:23:37.451444: | length: 28 (0x1c) Aug 26 13:23:37.451445: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:23:37.451447: | SPI size: 0 (0x0) Aug 26 13:23:37.451449: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Aug 26 13:23:37.451450: | processing payload: ISAKMP_NEXT_v2N (len=20) Aug 26 13:23:37.451452: | DDOS disabled and no cookie sent, continuing Aug 26 13:23:37.451456: | find_host_connection local=192.1.2.23:500 remote=192.1.2.45:500 policy=ECDSA+IKEV2_ALLOW but ignoring ports Aug 26 13:23:37.451459: | find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500 but ignoring ports Aug 26 13:23:37.451461: | find_next_host_connection policy=ECDSA+IKEV2_ALLOW Aug 26 13:23:37.451463: | found policy = PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (east) Aug 26 13:23:37.451465: | 
find_next_host_connection returns empty Aug 26 13:23:37.451468: | find_host_connection local=192.1.2.23:500 remote= policy=ECDSA+IKEV2_ALLOW but ignoring ports Aug 26 13:23:37.451470: | find_next_host_connection policy=ECDSA+IKEV2_ALLOW Aug 26 13:23:37.451471: | find_next_host_connection returns empty Aug 26 13:23:37.451474: | initial parent SA message received on 192.1.2.23:500 but no connection has been authorized with policy ECDSA+IKEV2_ALLOW Aug 26 13:23:37.451477: | find_host_connection local=192.1.2.23:500 remote=192.1.2.45:500 policy=RSASIG+IKEV2_ALLOW but ignoring ports Aug 26 13:23:37.451480: | find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500 but ignoring ports Aug 26 13:23:37.451481: | find_next_host_connection policy=RSASIG+IKEV2_ALLOW Aug 26 13:23:37.451483: | found policy = PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (east) Aug 26 13:23:37.451485: | find_next_host_connection returns empty Aug 26 13:23:37.451487: | find_host_connection local=192.1.2.23:500 remote= policy=RSASIG+IKEV2_ALLOW but ignoring ports Aug 26 13:23:37.451489: | find_next_host_connection policy=RSASIG+IKEV2_ALLOW Aug 26 13:23:37.451491: | find_next_host_connection returns empty Aug 26 13:23:37.451493: | initial parent SA message received on 192.1.2.23:500 but no connection has been authorized with policy RSASIG+IKEV2_ALLOW Aug 26 13:23:37.451496: | find_host_connection local=192.1.2.23:500 remote=192.1.2.45:500 policy=PSK+IKEV2_ALLOW but ignoring ports Aug 26 13:23:37.451498: | find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500 but ignoring ports Aug 26 13:23:37.451500: | find_next_host_connection policy=PSK+IKEV2_ALLOW Aug 26 13:23:37.451502: | found policy = PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (east) Aug 26 13:23:37.451504: | find_next_host_connection returns east Aug 26 13:23:37.451505: | find_next_host_connection policy=PSK+IKEV2_ALLOW Aug 26 13:23:37.451508: | find_next_host_connection returns empty 
Aug 26 13:23:37.451510: | found connection: east with policy PSK+IKEV2_ALLOW Aug 26 13:23:37.451525: | creating state object #1 at 0x562136104488 Aug 26 13:23:37.451527: | State DB: adding IKEv2 state #1 in UNDEFINED Aug 26 13:23:37.451534: | pstats #1 ikev2.ike started Aug 26 13:23:37.451536: | Message ID: init #1: msgid=0 lastack=4294967295 nextuse=0 lastrecv=4294967295 lastreplied=0 Aug 26 13:23:37.451538: | parent state #1: UNDEFINED(ignore) => PARENT_R0(half-open IKE SA) Aug 26 13:23:37.451541: | Message ID: init_ike #1; ike: initiator.sent=0->-1 initiator.recv=0->-1 responder.sent=0->-1 responder.recv=0->-1 wip.initiator=0->-1 wip.responder=0->-1 Aug 26 13:23:37.451548: | start processing: state #1 connection "east" from 192.1.2.45 (in ikev2_process_packet() at ikev2.c:2016) Aug 26 13:23:37.451550: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Aug 26 13:23:37.451553: | [RE]START processing: state #1 connection "east" from 192.1.2.45 (in ike_process_packet() at ikev2.c:2064) Aug 26 13:23:37.451555: | #1 st.st_msgid_lastrecv -1 md.hdr.isa_msgid 00000000 Aug 26 13:23:37.451557: | Message ID: #1 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1 Aug 26 13:23:37.451560: | Message ID: start-responder #1 request 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1 wip.initiator=-1 wip.responder=-1->0 Aug 26 13:23:37.451562: | #1 in state PARENT_R0: processing SA_INIT request Aug 26 13:23:37.451564: | selected state microcode Respond to IKE_SA_INIT Aug 26 13:23:37.451566: | Now let's proceed with state specific processing Aug 26 13:23:37.451567: | calling processor Respond to IKE_SA_INIT Aug 26 13:23:37.451571: | #1 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2669) Aug 26 13:23:37.451573: | constructing local IKE proposals for east (IKE SA responder matching remote proposals) Aug 26 
13:23:37.451580: | converting ike_info AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Aug 26 13:23:37.451585: | ... ikev2_proposal: 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Aug 26 13:23:37.451587: | converting ike_info AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Aug 26 13:23:37.451591: | ... ikev2_proposal: 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Aug 26 13:23:37.451593: | converting ike_info AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Aug 26 13:23:37.451597: | ... ikev2_proposal: 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Aug 26 13:23:37.451599: | converting ike_info AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Aug 26 13:23:37.451602: | ... 
ikev2_proposal: 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Aug 26 13:23:37.451608: "east": constructed local IKE proposals for east (IKE SA responder matching remote proposals): 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Aug 26 13:23:37.451612: | Comparing remote proposals against IKE responder 4 local proposals Aug 26 13:23:37.451616: | local proposal 1 type ENCR has 1 transforms Aug 26 13:23:37.451618: | local proposal 1 type PRF has 2 transforms Aug 26 13:23:37.451619: | local proposal 1 type INTEG has 1 transforms Aug 26 13:23:37.451621: | local proposal 1 type DH has 8 transforms Aug 26 13:23:37.451623: | local proposal 1 type ESN has 0 transforms Aug 26 13:23:37.451625: | local proposal 1 transforms: required: ENCR+PRF+DH; optional: INTEG Aug 26 13:23:37.451627: | local proposal 2 type ENCR has 1 transforms Aug 26 13:23:37.451628: | local proposal 2 type PRF has 2 transforms Aug 26 13:23:37.451630: | local proposal 2 type INTEG has 1 transforms Aug 26 13:23:37.451632: | local proposal 2 type DH has 8 transforms Aug 26 13:23:37.451633: | local proposal 2 type ESN has 0 transforms Aug 26 13:23:37.451635: | local proposal 2 transforms: required: ENCR+PRF+DH; optional: INTEG Aug 26 13:23:37.451637: | local proposal 3 type ENCR has 1 transforms Aug 26 
13:23:37.451638: | local proposal 3 type PRF has 2 transforms Aug 26 13:23:37.451640: | local proposal 3 type INTEG has 2 transforms Aug 26 13:23:37.451641: | local proposal 3 type DH has 8 transforms Aug 26 13:23:37.451643: | local proposal 3 type ESN has 0 transforms Aug 26 13:23:37.451645: | local proposal 3 transforms: required: ENCR+PRF+INTEG+DH; optional: none Aug 26 13:23:37.451647: | local proposal 4 type ENCR has 1 transforms Aug 26 13:23:37.451648: | local proposal 4 type PRF has 2 transforms Aug 26 13:23:37.451650: | local proposal 4 type INTEG has 2 transforms Aug 26 13:23:37.451651: | local proposal 4 type DH has 8 transforms Aug 26 13:23:37.451653: | local proposal 4 type ESN has 0 transforms Aug 26 13:23:37.451655: | local proposal 4 transforms: required: ENCR+PRF+INTEG+DH; optional: none Aug 26 13:23:37.451657: | ****parse IKEv2 Proposal Substructure Payload: Aug 26 13:23:37.451659: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 13:23:37.451660: | length: 100 (0x64) Aug 26 13:23:37.451662: | prop #: 1 (0x1) Aug 26 13:23:37.451664: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 13:23:37.451665: | spi size: 0 (0x0) Aug 26 13:23:37.451667: | # transforms: 11 (0xb) Aug 26 13:23:37.451669: | Comparing remote proposal 1 containing 11 transforms against local proposal [1..4] of 4 local proposals Aug 26 13:23:37.451671: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:37.451673: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:37.451675: | length: 12 (0xc) Aug 26 13:23:37.451676: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:23:37.451678: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 13:23:37.451680: | ******parse IKEv2 Attribute Substructure Payload: Aug 26 13:23:37.451682: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:23:37.451683: | length/value: 256 (0x100) Aug 26 13:23:37.451686: | remote proposal 1 transform 0 (ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) transform 0 Aug 26 13:23:37.451688: | 
*****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:37.451689: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:37.451691: | length: 8 (0x8) Aug 26 13:23:37.451693: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:23:37.451694: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Aug 26 13:23:37.451697: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 1 type 2 (PRF) transform 0 Aug 26 13:23:37.451699: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 2 type 2 (PRF) transform 0 Aug 26 13:23:37.451701: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 3 type 2 (PRF) transform 0 Aug 26 13:23:37.451703: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 4 type 2 (PRF) transform 0 Aug 26 13:23:37.451704: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:37.451707: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:37.451709: | length: 8 (0x8) Aug 26 13:23:37.451710: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:23:37.451712: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Aug 26 13:23:37.451714: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:37.451715: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:37.451717: | length: 8 (0x8) Aug 26 13:23:37.451718: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:37.451720: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:23:37.451722: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 1 type 4 (DH) transform 0 Aug 26 13:23:37.451724: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 2 type 4 (DH) transform 0 Aug 26 13:23:37.451726: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 3 type 4 (DH) transform 0 Aug 26 13:23:37.451728: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 4 type 4 (DH) transform 0 Aug 26 13:23:37.451730: | *****parse IKEv2 Transform 
Substructure Payload: Aug 26 13:23:37.451731: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:37.451733: | length: 8 (0x8) Aug 26 13:23:37.451735: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:37.451736: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Aug 26 13:23:37.451738: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:37.451739: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:37.451741: | length: 8 (0x8) Aug 26 13:23:37.451743: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:37.451744: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Aug 26 13:23:37.451746: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:37.451748: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:37.451749: | length: 8 (0x8) Aug 26 13:23:37.451751: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:37.451752: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Aug 26 13:23:37.451754: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:37.451755: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:37.451757: | length: 8 (0x8) Aug 26 13:23:37.451759: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:37.451760: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Aug 26 13:23:37.451762: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:37.451763: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:37.451765: | length: 8 (0x8) Aug 26 13:23:37.451767: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:37.451768: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Aug 26 13:23:37.451770: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:37.451772: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:37.451773: | length: 8 (0x8) Aug 26 13:23:37.451775: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:37.451776: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Aug 26 13:23:37.451778: | *****parse IKEv2 Transform Substructure Payload: 
Aug 26 13:23:37.451780: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:23:37.451781: | length: 8 (0x8) Aug 26 13:23:37.451783: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:37.451784: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Aug 26 13:23:37.451787: | remote proposal 1 proposed transforms: ENCR+PRF+DH; matched: ENCR+PRF+DH; unmatched: none Aug 26 13:23:37.451789: | comparing remote proposal 1 containing ENCR+PRF+DH transforms to local proposal 1; required: ENCR+PRF+DH; optional: INTEG; matched: ENCR+PRF+DH Aug 26 13:23:37.451791: | remote proposal 1 matches local proposal 1 Aug 26 13:23:37.451793: | ****parse IKEv2 Proposal Substructure Payload: Aug 26 13:23:37.451795: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 13:23:37.451796: | length: 100 (0x64) Aug 26 13:23:37.451798: | prop #: 2 (0x2) Aug 26 13:23:37.451799: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 13:23:37.451803: | spi size: 0 (0x0) Aug 26 13:23:37.451805: | # transforms: 11 (0xb) Aug 26 13:23:37.451807: | Comparing remote proposal 2 containing 11 transforms against local proposal [1..0] of 4 local proposals Aug 26 13:23:37.451809: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:37.451810: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:37.451812: | length: 12 (0xc) Aug 26 13:23:37.451813: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:23:37.451815: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 13:23:37.451816: | ******parse IKEv2 Attribute Substructure Payload: Aug 26 13:23:37.451818: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:23:37.451820: | length/value: 128 (0x80) Aug 26 13:23:37.451821: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:37.451823: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:37.451825: | length: 8 (0x8) Aug 26 13:23:37.451826: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:23:37.451828: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Aug 26 13:23:37.451829: | *****parse 
IKEv2 Transform Substructure Payload: Aug 26 13:23:37.451831: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:37.451833: | length: 8 (0x8) Aug 26 13:23:37.451834: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:23:37.451836: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Aug 26 13:23:37.451837: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:37.451839: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:37.451841: | length: 8 (0x8) Aug 26 13:23:37.451842: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:37.451844: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:23:37.451845: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:37.451847: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:37.451849: | length: 8 (0x8) Aug 26 13:23:37.451850: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:37.451852: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Aug 26 13:23:37.451853: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:37.451855: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:37.451857: | length: 8 (0x8) Aug 26 13:23:37.451858: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:37.451860: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Aug 26 13:23:37.451861: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:37.451863: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:37.451864: | length: 8 (0x8) Aug 26 13:23:37.451866: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:37.451868: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Aug 26 13:23:37.451871: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:37.451874: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:37.451876: | length: 8 (0x8) Aug 26 13:23:37.451878: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:37.451881: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Aug 26 13:23:37.451882: | *****parse IKEv2 Transform 
Substructure Payload: Aug 26 13:23:37.451884: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:37.451885: | length: 8 (0x8) Aug 26 13:23:37.451887: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:37.451889: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Aug 26 13:23:37.451890: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:37.451892: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:37.451893: | length: 8 (0x8) Aug 26 13:23:37.451895: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:37.451897: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Aug 26 13:23:37.451898: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:37.451900: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:23:37.451901: | length: 8 (0x8) Aug 26 13:23:37.451903: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:37.451906: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Aug 26 13:23:37.451908: | remote proposal 2 proposed transforms: ENCR+PRF+DH; matched: none; unmatched: ENCR+PRF+DH Aug 26 13:23:37.451910: | remote proposal 2 does not match; unmatched remote transforms: ENCR+PRF+DH Aug 26 13:23:37.451912: | ****parse IKEv2 Proposal Substructure Payload: Aug 26 13:23:37.451913: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 13:23:37.451915: | length: 116 (0x74) Aug 26 13:23:37.451916: | prop #: 3 (0x3) Aug 26 13:23:37.451918: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 13:23:37.451919: | spi size: 0 (0x0) Aug 26 13:23:37.451921: | # transforms: 13 (0xd) Aug 26 13:23:37.451924: | Comparing remote proposal 3 containing 13 transforms against local proposal [1..0] of 4 local proposals Aug 26 13:23:37.451926: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:37.451929: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:37.451931: | length: 12 (0xc) Aug 26 13:23:37.451934: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:23:37.451937: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 
13:23:37.451939: | ******parse IKEv2 Attribute Substructure Payload: Aug 26 13:23:37.451942: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:23:37.451945: | length/value: 256 (0x100) Aug 26 13:23:37.451948: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:37.451950: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:37.451953: | length: 8 (0x8) Aug 26 13:23:37.451955: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:23:37.451958: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Aug 26 13:23:37.451961: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:37.451964: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:37.451966: | length: 8 (0x8) Aug 26 13:23:37.451969: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:23:37.451971: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Aug 26 13:23:37.451974: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:37.451976: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:37.451979: | length: 8 (0x8) Aug 26 13:23:37.451981: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:23:37.451984: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Aug 26 13:23:37.451987: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:37.451989: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:37.451992: | length: 8 (0x8) Aug 26 13:23:37.451995: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:23:37.451997: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Aug 26 13:23:37.452000: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:37.452003: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:37.452006: | length: 8 (0x8) Aug 26 13:23:37.452008: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:37.452011: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:23:37.452014: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:37.452017: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 
13:23:37.452019: | length: 8 (0x8) Aug 26 13:23:37.452022: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:37.452025: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Aug 26 13:23:37.452028: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:37.452031: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:37.452033: | length: 8 (0x8) Aug 26 13:23:37.452036: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:37.452038: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Aug 26 13:23:37.452041: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:37.452043: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:37.452046: | length: 8 (0x8) Aug 26 13:23:37.452049: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:37.452052: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Aug 26 13:23:37.452057: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:37.452060: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:37.452062: | length: 8 (0x8) Aug 26 13:23:37.452065: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:37.452068: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Aug 26 13:23:37.452071: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:37.452073: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:37.452076: | length: 8 (0x8) Aug 26 13:23:37.452078: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:37.452081: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Aug 26 13:23:37.452083: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:37.452086: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:37.452088: | length: 8 (0x8) Aug 26 13:23:37.452091: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:37.452094: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Aug 26 13:23:37.452097: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:37.452100: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:23:37.452102: | length: 
8 (0x8) Aug 26 13:23:37.452104: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:37.452107: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Aug 26 13:23:37.452111: | remote proposal 3 proposed transforms: ENCR+PRF+INTEG+DH; matched: none; unmatched: ENCR+PRF+INTEG+DH Aug 26 13:23:37.452115: | remote proposal 3 does not match; unmatched remote transforms: ENCR+PRF+INTEG+DH Aug 26 13:23:37.452118: | ****parse IKEv2 Proposal Substructure Payload: Aug 26 13:23:37.452121: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 13:23:37.452123: | length: 116 (0x74) Aug 26 13:23:37.452126: | prop #: 4 (0x4) Aug 26 13:23:37.452128: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 13:23:37.452131: | spi size: 0 (0x0) Aug 26 13:23:37.452133: | # transforms: 13 (0xd) Aug 26 13:23:37.452137: | Comparing remote proposal 4 containing 13 transforms against local proposal [1..0] of 4 local proposals Aug 26 13:23:37.452140: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:37.452142: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:37.452145: | length: 12 (0xc) Aug 26 13:23:37.452148: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:23:37.452151: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 13:23:37.452154: | ******parse IKEv2 Attribute Substructure Payload: Aug 26 13:23:37.452157: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:23:37.452159: | length/value: 128 (0x80) Aug 26 13:23:37.452163: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:37.452165: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:37.452168: | length: 8 (0x8) Aug 26 13:23:37.452171: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:23:37.452173: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Aug 26 13:23:37.452176: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:37.452179: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:37.452181: | length: 8 (0x8) Aug 26 13:23:37.452184: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 
13:23:37.452187: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Aug 26 13:23:37.452190: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:37.452193: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:37.452196: | length: 8 (0x8) Aug 26 13:23:37.452199: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:23:37.452202: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Aug 26 13:23:37.452205: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:37.452208: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:37.452211: | length: 8 (0x8) Aug 26 13:23:37.452214: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:23:37.452217: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Aug 26 13:23:37.452220: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:37.452227: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:37.452230: | length: 8 (0x8) Aug 26 13:23:37.452233: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:37.452235: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:23:37.452238: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:37.452241: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:37.452243: | length: 8 (0x8) Aug 26 13:23:37.452246: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:37.452248: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Aug 26 13:23:37.452251: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:37.452253: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:37.452255: | length: 8 (0x8) Aug 26 13:23:37.452258: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:37.452260: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Aug 26 13:23:37.452262: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:37.452265: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:37.452267: | length: 8 (0x8) Aug 26 13:23:37.452269: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:37.452271: | 
IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Aug 26 13:23:37.452274: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:37.452277: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:37.452279: | length: 8 (0x8) Aug 26 13:23:37.452281: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:37.452284: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Aug 26 13:23:37.452286: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:37.452292: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:37.452294: | length: 8 (0x8) Aug 26 13:23:37.452297: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:37.452299: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Aug 26 13:23:37.452302: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:37.452305: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:37.452325: | length: 8 (0x8) Aug 26 13:23:37.452327: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:37.452332: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Aug 26 13:23:37.452335: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:37.452338: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:23:37.452340: | length: 8 (0x8) Aug 26 13:23:37.452343: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:37.452345: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Aug 26 13:23:37.452362: | remote proposal 4 proposed transforms: ENCR+PRF+INTEG+DH; matched: none; unmatched: ENCR+PRF+INTEG+DH Aug 26 13:23:37.452365: | remote proposal 4 does not match; unmatched remote transforms: ENCR+PRF+INTEG+DH Aug 26 13:23:37.452369: "east" #1: proposal 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519[first-match] 
2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 Aug 26 13:23:37.452374: | accepted IKE proposal ikev2_proposal: 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048 Aug 26 13:23:37.452377: | converting proposal to internal trans attrs Aug 26 13:23:37.452381: | natd_hash: rcookie is zero Aug 26 13:23:37.452393: | natd_hash: hasher=0x562135dbf800(20) Aug 26 13:23:37.452396: | natd_hash: icookie= 34 f5 76 a9 3e 8c 98 bc Aug 26 13:23:37.452400: | natd_hash: rcookie= 00 00 00 00 00 00 00 00 Aug 26 13:23:37.452402: | natd_hash: ip= c0 01 02 17 Aug 26 13:23:37.452405: | natd_hash: port=500 Aug 26 13:23:37.452407: | natd_hash: hash= 01 04 5d fa ed 5a d1 3b 29 f0 60 3e 1e 65 8d 0b Aug 26 13:23:37.452409: | natd_hash: hash= 1d 98 5e bc Aug 26 13:23:37.452412: | natd_hash: rcookie is zero Aug 26 13:23:37.452418: | natd_hash: hasher=0x562135dbf800(20) Aug 26 13:23:37.452422: | natd_hash: icookie= 34 f5 76 a9 3e 8c 98 bc Aug 26 13:23:37.452424: | natd_hash: rcookie= 00 00 00 00 00 00 00 00 Aug 26 13:23:37.452427: | natd_hash: ip= c0 01 02 2d Aug 26 13:23:37.452429: | natd_hash: port=500 Aug 26 13:23:37.452432: | natd_hash: hash= b6 35 97 e8 c2 30 2a c9 c7 ab d6 79 e3 97 05 43 Aug 26 13:23:37.452434: | natd_hash: hash= 20 51 53 64 Aug 26 13:23:37.452437: | NAT_TRAVERSAL encaps using auto-detect Aug 26 13:23:37.452440: | NAT_TRAVERSAL this end is NOT behind NAT Aug 26 13:23:37.452442: | NAT_TRAVERSAL that end is NOT behind NAT Aug 26 13:23:37.452446: | NAT_TRAVERSAL 
nat-keepalive enabled 192.1.2.45 Aug 26 13:23:37.452452: | adding ikev2_inI1outR1 KE work-order 1 for state #1 Aug 26 13:23:37.452455: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x562136102328 Aug 26 13:23:37.452460: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 Aug 26 13:23:37.452463: | libevent_malloc: new ptr-libevent@0x562136106588 size 128 Aug 26 13:23:37.452475: | #1 spent 0.901 milliseconds in processing: Respond to IKE_SA_INIT in ikev2_process_state_packet() Aug 26 13:23:37.452481: | crypto helper 3 resuming Aug 26 13:23:37.452483: | [RE]START processing: state #1 connection "east" from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:23:37.452500: | crypto helper 3 starting work-order 1 for state #1 Aug 26 13:23:37.452502: | #1 complete_v2_state_transition() PARENT_R0->PARENT_R1 with status STF_SUSPEND Aug 26 13:23:37.452508: | crypto helper 3 doing build KE and nonce (ikev2_inI1outR1 KE); request ID 1 Aug 26 13:23:37.452509: | suspending state #1 and saving MD Aug 26 13:23:37.452517: | #1 is busy; has a suspended MD Aug 26 13:23:37.452521: | [RE]START processing: state #1 connection "east" from 192.1.2.45:500 (in log_stf_suspend() at ikev2.c:3269) Aug 26 13:23:37.452523: | "east" #1 complete v2 state STATE_PARENT_R0 transition with STF_SUSPEND suspended from complete_v2_state_transition:3451 Aug 26 13:23:37.452526: | stop processing: state #1 connection "east" from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:2018) Aug 26 13:23:37.452529: | #1 spent 1.32 milliseconds in ikev2_process_packet() Aug 26 13:23:37.452532: | stop processing: from 192.1.2.45:500 (in process_md() at demux.c:380) Aug 26 13:23:37.452534: | processing: STOP state #0 (in process_md() at demux.c:382) Aug 26 13:23:37.452536: | processing: STOP connection NULL (in process_md() at demux.c:383) Aug 26 13:23:37.452539: | spent 1.33 milliseconds in comm_handle_cb() reading and processing packet Aug 26 13:23:37.453484: | crypto 
helper 3 finished build KE and nonce (ikev2_inI1outR1 KE); request ID 1 time elapsed 0.000976 seconds Aug 26 13:23:37.453497: | (#1) spent 0.985 milliseconds in crypto helper computing work-order 1: ikev2_inI1outR1 KE (pcr) Aug 26 13:23:37.453501: | crypto helper 3 sending results from work-order 1 for state #1 to event queue Aug 26 13:23:37.453505: | scheduling resume sending helper answer for #1 Aug 26 13:23:37.453508: | libevent_malloc: new ptr-libevent@0x7f0a2c002888 size 128 Aug 26 13:23:37.453516: | crypto helper 3 waiting (nothing to do) Aug 26 13:23:37.453553: | processing resume sending helper answer for #1 Aug 26 13:23:37.453563: | start processing: state #1 connection "east" from 192.1.2.45:500 (in resume_handler() at server.c:797) Aug 26 13:23:37.453567: | crypto helper 3 replies to request ID 1 Aug 26 13:23:37.453569: | calling continuation function 0x562135ceab50 Aug 26 13:23:37.453571: | ikev2_parent_inI1outR1_continue for #1: calculated ke+nonce, sending R1 Aug 26 13:23:37.453598: | **emit ISAKMP Message: Aug 26 13:23:37.453600: | initiator cookie: Aug 26 13:23:37.453602: | 34 f5 76 a9 3e 8c 98 bc Aug 26 13:23:37.453603: | responder cookie: Aug 26 13:23:37.453605: | 16 9f 01 b3 a8 98 ae 60 Aug 26 13:23:37.453607: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 13:23:37.453609: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:23:37.453611: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) Aug 26 13:23:37.453613: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Aug 26 13:23:37.453614: | Message ID: 0 (0x0) Aug 26 13:23:37.453616: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 13:23:37.453618: | Emitting ikev2_proposal ... 
Aug 26 13:23:37.453620: | ***emit IKEv2 Security Association Payload: Aug 26 13:23:37.453622: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:23:37.453624: | flags: none (0x0) Aug 26 13:23:37.453626: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Aug 26 13:23:37.453628: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Aug 26 13:23:37.453630: | ****emit IKEv2 Proposal Substructure Payload: Aug 26 13:23:37.453632: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 13:23:37.453633: | prop #: 1 (0x1) Aug 26 13:23:37.453635: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 13:23:37.453637: | spi size: 0 (0x0) Aug 26 13:23:37.453638: | # transforms: 3 (0x3) Aug 26 13:23:37.453640: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Aug 26 13:23:37.453642: | *****emit IKEv2 Transform Substructure Payload: Aug 26 13:23:37.453644: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:37.453646: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:23:37.453647: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 13:23:37.453649: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:23:37.453651: | ******emit IKEv2 Attribute Substructure Payload: Aug 26 13:23:37.453653: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:23:37.453655: | length/value: 256 (0x100) Aug 26 13:23:37.453657: | emitting length of IKEv2 Transform Substructure Payload: 12 Aug 26 13:23:37.453659: | *****emit IKEv2 Transform Substructure Payload: Aug 26 13:23:37.453660: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:37.453662: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:23:37.453664: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Aug 26 13:23:37.453666: | last 
substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:37.453668: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:23:37.453669: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:23:37.453671: | *****emit IKEv2 Transform Substructure Payload: Aug 26 13:23:37.453673: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:23:37.453674: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:37.453676: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:23:37.453678: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:37.453680: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:23:37.453682: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:23:37.453683: | emitting length of IKEv2 Proposal Substructure Payload: 36 Aug 26 13:23:37.453685: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Aug 26 13:23:37.453688: | emitting length of IKEv2 Security Association Payload: 40 Aug 26 13:23:37.453690: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Aug 26 13:23:37.453692: | ***emit IKEv2 Key Exchange Payload: Aug 26 13:23:37.453694: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:23:37.453695: | flags: none (0x0) Aug 26 13:23:37.453697: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:23:37.453699: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Key Exchange Payload (34:ISAKMP_NEXT_v2KE) Aug 26 
13:23:37.453701: | next payload chain: saving location 'IKEv2 Key Exchange Payload'.'next payload type' in 'reply packet' Aug 26 13:23:37.453703: | emitting 256 raw bytes of ikev2 g^x into IKEv2 Key Exchange Payload Aug 26 13:23:37.453730: | emitting length of IKEv2 Key Exchange Payload: 264 Aug 26 13:23:37.453732: | ***emit IKEv2 Nonce Payload: Aug 26 13:23:37.453734: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 13:23:37.453735: | flags: none (0x0) Aug 26 13:23:37.453737: | next payload chain: ignoring supplied 'IKEv2 Nonce Payload'.'next payload type' value 41:ISAKMP_NEXT_v2N Aug 26 13:23:37.453739: | next payload chain: setting previous 
'IKEv2 Key Exchange Payload'.'next payload type' to current IKEv2 Nonce Payload (40:ISAKMP_NEXT_v2Ni) Aug 26 13:23:37.453741: | next payload chain: saving location 'IKEv2 Nonce Payload'.'next payload type' in 'reply packet' Aug 26 13:23:37.453743: | emitting 32 raw bytes of IKEv2 nonce into IKEv2 Nonce Payload Aug 26 13:23:37.453744: | IKEv2 nonce a3 a8 c7 63 2d eb f7 45 47 72 bd 06 17 7b 11 04 Aug 26 13:23:37.453746: | IKEv2 nonce 64 bc 1f 9c f9 51 fe ce 48 65 d0 de 11 1c 69 54 Aug 26 13:23:37.453748: | emitting length of IKEv2 Nonce Payload: 36 Aug 26 13:23:37.453749: | Adding a v2N Payload Aug 26 13:23:37.453751: | ***emit IKEv2 Notify Payload: Aug 26 13:23:37.453753: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:23:37.453754: | flags: none (0x0) Aug 26 13:23:37.453756: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:23:37.453758: | SPI size: 0 (0x0) Aug 26 13:23:37.453759: | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) Aug 26 13:23:37.453761: | next payload chain: setting previous 'IKEv2 Nonce Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Aug 26 13:23:37.453763: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Aug 26 13:23:37.453765: | emitting length of IKEv2 Notify Payload: 8 Aug 26 13:23:37.453768: | NAT-Traversal support [enabled] add v2N payloads. 
Aug 26 13:23:37.453777: | natd_hash: hasher=0x562135dbf800(20) Aug 26 13:23:37.453779: | natd_hash: icookie= 34 f5 76 a9 3e 8c 98 bc Aug 26 13:23:37.453780: | natd_hash: rcookie= 16 9f 01 b3 a8 98 ae 60 Aug 26 13:23:37.453782: | natd_hash: ip= c0 01 02 17 Aug 26 13:23:37.453783: | natd_hash: port=500 Aug 26 13:23:37.453785: | natd_hash: hash= da a6 8a 83 a7 02 dd 68 02 c1 da a1 09 57 ed 45 Aug 26 13:23:37.453786: | natd_hash: hash= 19 78 98 68 Aug 26 13:23:37.453788: | Adding a v2N Payload Aug 26 13:23:37.453790: | ***emit IKEv2 Notify Payload: Aug 26 13:23:37.453791: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:23:37.453793: | flags: none (0x0) Aug 26 13:23:37.453794: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:23:37.453796: | SPI size: 0 (0x0) Aug 26 13:23:37.453797: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Aug 26 13:23:37.453799: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Aug 26 13:23:37.453801: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Aug 26 13:23:37.453803: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Aug 26 13:23:37.453805: | Notify data da a6 8a 83 a7 02 dd 68 02 c1 da a1 09 57 ed 45 Aug 26 13:23:37.453806: | Notify data 19 78 98 68 Aug 26 13:23:37.453808: | emitting length of IKEv2 Notify Payload: 28 Aug 26 13:23:37.453812: | natd_hash: hasher=0x562135dbf800(20) Aug 26 13:23:37.453813: | natd_hash: icookie= 34 f5 76 a9 3e 8c 98 bc Aug 26 13:23:37.453815: | natd_hash: rcookie= 16 9f 01 b3 a8 98 ae 60 Aug 26 13:23:37.453816: | natd_hash: ip= c0 01 02 2d Aug 26 13:23:37.453818: | natd_hash: port=500 Aug 26 13:23:37.453819: | natd_hash: hash= f7 05 20 18 0c b8 6a 47 9a 1f 4d ba 4c 86 39 5f Aug 26 13:23:37.453821: | natd_hash: hash= ee 8f 37 41 Aug 26 13:23:37.453822: | Adding a v2N Payload Aug 26 13:23:37.453824: | ***emit IKEv2 Notify Payload: Aug 26 
13:23:37.453826: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:23:37.453827: | flags: none (0x0) Aug 26 13:23:37.453829: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:23:37.453830: | SPI size: 0 (0x0) Aug 26 13:23:37.453832: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Aug 26 13:23:37.453834: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Aug 26 13:23:37.453836: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Aug 26 13:23:37.453837: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Aug 26 13:23:37.453839: | Notify data f7 05 20 18 0c b8 6a 47 9a 1f 4d ba 4c 86 39 5f Aug 26 13:23:37.453841: | Notify data ee 8f 37 41 Aug 26 13:23:37.453842: | emitting length of IKEv2 Notify Payload: 28 Aug 26 13:23:37.453844: | emitting length of ISAKMP Message: 432 Aug 26 13:23:37.453848: | [RE]START processing: state #1 connection "east" from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:23:37.453851: | #1 complete_v2_state_transition() PARENT_R0->PARENT_R1 with status STF_OK Aug 26 13:23:37.453853: | IKEv2: transition from state STATE_PARENT_R0 to state STATE_PARENT_R1 Aug 26 13:23:37.453855: | parent state #1: PARENT_R0(half-open IKE SA) => PARENT_R1(half-open IKE SA) Aug 26 13:23:37.453857: | Message ID: updating counters for #1 to 0 after switching state Aug 26 13:23:37.453860: | Message ID: recv #1 request 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1->0 wip.initiator=-1 wip.responder=0->-1 Aug 26 13:23:37.453863: | Message ID: sent #1 response 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1->0 responder.recv=0 wip.initiator=-1 wip.responder=-1 Aug 26 13:23:37.453866: "east" #1: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048} Aug 26 
13:23:37.453871: | sending V2 new request packet to 192.1.2.45:500 (from 192.1.2.23:500) Aug 26 13:23:37.453876: | sending 432 bytes for STATE_PARENT_R0 through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #1) Aug 26 13:23:37.453946: | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted Aug 26 13:23:37.453949: | libevent_free: release ptr-libevent@0x562136106588 Aug 26 13:23:37.453952: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x562136102328 Aug 26 13:23:37.453954: | event_schedule: new EVENT_SO_DISCARD-pe@0x562136102328 Aug 26 13:23:37.453956: | inserting event EVENT_SO_DISCARD, timeout in 200 seconds for #1 Aug 26 13:23:37.453958: | libevent_malloc: new ptr-libevent@0x562136107678 size 128 Aug 26 13:23:37.453961: | resume sending helper answer for #1 suppresed complete_v2_state_transition() Aug 26 13:23:37.453965: | #1 spent 0.385 milliseconds in resume sending helper answer Aug 26 13:23:37.453968: | stop processing: state #1 connection "east" from 192.1.2.45:500 (in resume_handler() at server.c:833) Aug 26 13:23:37.453970: | libevent_free: release ptr-libevent@0x7f0a2c002888 Aug 26 13:23:37.456095: | spent 0.00303 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Aug 26 13:23:37.456119: | *received 365 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500) Aug 26 
13:23:37.456188: | start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) Aug 26 13:23:37.456192: | **parse ISAKMP Message: Aug 26 13:23:37.456195: | initiator cookie: Aug 26 13:23:37.456197: | 34 f5 76 a9 3e 8c 98 bc Aug 26 13:23:37.456200: | responder cookie: Aug 26 13:23:37.456202: | 16 9f 01 b3 a8 98 ae 60 Aug 26 13:23:37.456205: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Aug 26 13:23:37.456208: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:23:37.456210: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Aug 26 13:23:37.456213: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Aug 26 13:23:37.456215: | Message ID: 1 (0x1) Aug 26 13:23:37.456218: | length: 365 (0x16d) Aug 26 13:23:37.456221: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) Aug 26 13:23:37.456224: | I am the IKE SA Original Responder receiving an IKEv2 IKE_AUTH request Aug 26 13:23:37.456228: | State DB: found IKEv2 state #1 in PARENT_R1 
(find_v2_ike_sa) Aug 26 13:23:37.456234: | start processing: state #1 connection "east" from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:2016) Aug 26 13:23:37.456237: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Aug 26 13:23:37.456242: | [RE]START processing: state #1 connection "east" from 192.1.2.45:500 (in ike_process_packet() at ikev2.c:2064) Aug 26 13:23:37.456246: | #1 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001 Aug 26 13:23:37.456250: | Message ID: #1 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 Aug 26 13:23:37.456253: | unpacking clear payload Aug 26 13:23:37.456255: | Now let's proceed with payload (ISAKMP_NEXT_v2SK) Aug 26 13:23:37.456259: | ***parse IKEv2 Encryption Payload: Aug 26 13:23:37.456262: | next payload type: ISAKMP_NEXT_v2IDi (0x23) Aug 26 13:23:37.456264: | flags: none (0x0) Aug 26 13:23:37.456267: | length: 337 (0x151) Aug 26 13:23:37.456270: | processing payload: ISAKMP_NEXT_v2SK (len=333) Aug 26 13:23:37.456274: | Message ID: start-responder #1 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=-1->1 Aug 26 13:23:37.456277: | #1 in state PARENT_R1: received v2I1, sent v2R1 Aug 26 13:23:37.456281: | selected state microcode Responder: process IKE_AUTH request (no SKEYSEED) Aug 26 13:23:37.456283: | Now let's proceed with state specific processing Aug 26 13:23:37.456286: | calling processor Responder: process IKE_AUTH request (no SKEYSEED) Aug 26 13:23:37.456295: | ikev2 parent inI2outR2: calculating g^{xy} in order to decrypt I2 Aug 26 13:23:37.456300: | offloading IKEv2 SKEYSEED using prf=HMAC_SHA2_512 integ=NONE cipherkey=AES_GCM_16 Aug 26 13:23:37.456303: | adding ikev2_inI2outR2 KE work-order 2 for state #1 Aug 26 13:23:37.456319: | state #1 requesting EVENT_SO_DISCARD to be deleted Aug 26 13:23:37.456326: | libevent_free: release ptr-libevent@0x562136107678 Aug 26 13:23:37.456344: 
| free_event_entry: release EVENT_SO_DISCARD-pe@0x562136102328 Aug 26 13:23:37.456348: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x562136102328 Aug 26 13:23:37.456352: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 Aug 26 13:23:37.456355: | libevent_malloc: new ptr-libevent@0x7f0a2c002888 size 128 Aug 26 13:23:37.456365: | #1 spent 0.0689 milliseconds in processing: Responder: process IKE_AUTH request (no SKEYSEED) in ikev2_process_state_packet() Aug 26 13:23:37.456371: | [RE]START processing: state #1 connection "east" from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:23:37.456375: | #1 complete_v2_state_transition() PARENT_R1->PARENT_R1 with status STF_SUSPEND Aug 26 13:23:37.456378: | suspending state #1 and saving MD Aug 26 13:23:37.456381: | #1 is busy; has a suspended MD Aug 26 13:23:37.456385: | [RE]START processing: state #1 connection "east" from 192.1.2.45:500 (in log_stf_suspend() at ikev2.c:3269) Aug 26 13:23:37.456389: | "east" #1 complete v2 state STATE_PARENT_R1 transition with STF_SUSPEND suspended from complete_v2_state_transition:3451 Aug 26 13:23:37.456393: | stop processing: state #1 connection "east" from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:2018) Aug 26 13:23:37.456398: | #1 spent 0.284 milliseconds in ikev2_process_packet() Aug 26 13:23:37.456402: | crypto helper 2 resuming Aug 26 13:23:37.456403: | stop processing: from 192.1.2.45:500 (in process_md() at demux.c:380) Aug 26 13:23:37.456416: | crypto helper 2 starting work-order 2 for state #1 Aug 26 13:23:37.456422: | processing: STOP state #0 (in process_md() at demux.c:382) Aug 26 13:23:37.456428: | crypto helper 2 doing compute dh (V2) (ikev2_inI2outR2 KE); request ID 2 Aug 26 13:23:37.456432: | processing: STOP connection NULL (in process_md() at demux.c:383) Aug 26 13:23:37.456442: | spent 0.318 milliseconds in comm_handle_cb() reading and processing packet Aug 26 13:23:37.456948: | calculating skeyseed using 
prf=sha2_512 integ=none cipherkey-size=32 salt-size=4 Aug 26 13:23:37.457209: | crypto helper 2 finished compute dh (V2) (ikev2_inI2outR2 KE); request ID 2 time elapsed 0.000781 seconds Aug 26 13:23:37.457215: | (#1) spent 0.785 milliseconds in crypto helper computing work-order 2: ikev2_inI2outR2 KE (pcr) Aug 26 13:23:37.457217: | crypto helper 2 sending results from work-order 2 for state #1 to event queue Aug 26 13:23:37.457219: | scheduling resume sending helper answer for #1 Aug 26 13:23:37.457222: | libevent_malloc: new ptr-libevent@0x7f0a24000f48 size 128 Aug 26 13:23:37.457227: | crypto helper 2 waiting (nothing to do) Aug 26 13:23:37.457235: | processing resume sending helper answer for #1 Aug 26 13:23:37.457245: | start processing: state #1 connection "east" from 192.1.2.45:500 (in resume_handler() at server.c:797) Aug 26 13:23:37.457250: | crypto helper 2 replies to request ID 2 Aug 26 13:23:37.457253: | calling continuation function 0x562135ceab50 Aug 26 13:23:37.457257: | ikev2_parent_inI2outR2_continue for #1: calculating g^{xy}, sending R2 Aug 26 13:23:37.457260: | #1 in state PARENT_R1: received v2I1, sent v2R1 Aug 26 13:23:37.457272: | #1 ikev2 ISAKMP_v2_IKE_AUTH decrypt success Aug 26 13:23:37.457275: | Now let's proceed with payload (ISAKMP_NEXT_v2IDi) Aug 26 13:23:37.457279: | **parse IKEv2 Identification - Initiator - Payload: Aug 26 13:23:37.457282: | next payload type: ISAKMP_NEXT_v2IDr (0x24) Aug 26 13:23:37.457285: | flags: none (0x0) Aug 26 13:23:37.457291: | length: 12 (0xc) Aug 26 13:23:37.457294: | ID type: ID_FQDN (0x2) Aug 26 13:23:37.457297: | processing payload: ISAKMP_NEXT_v2IDi (len=4) Aug 26 13:23:37.457300: | Now let's proceed with payload (ISAKMP_NEXT_v2IDr) Aug 26 13:23:37.457303: | **parse IKEv2 Identification - Responder - Payload: Aug 26 13:23:37.457323: | next payload type: ISAKMP_NEXT_v2AUTH (0x27) Aug 26 13:23:37.457326: | flags: none (0x0) Aug 26 13:23:37.457331: | length: 12 (0xc) Aug 26 13:23:37.457337: | ID type: 
ID_FQDN (0x2) Aug 26 13:23:37.457340: | processing payload: ISAKMP_NEXT_v2IDr (len=4) Aug 26 13:23:37.457342: | Now let's proceed with payload (ISAKMP_NEXT_v2AUTH) Aug 26 13:23:37.457345: | **parse IKEv2 Authentication Payload: Aug 26 13:23:37.457348: | next payload type: ISAKMP_NEXT_v2SA (0x21) Aug 26 13:23:37.457351: | flags: none (0x0) Aug 26 13:23:37.457354: | length: 72 (0x48) Aug 26 13:23:37.457357: | auth method: IKEv2_AUTH_SHARED (0x2) Aug 26 13:23:37.457359: | processing payload: ISAKMP_NEXT_v2AUTH (len=64) Aug 26 13:23:37.457362: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Aug 26 13:23:37.457378: | **parse IKEv2 Security Association Payload: Aug 26 13:23:37.457381: | next payload type: ISAKMP_NEXT_v2TSi (0x2c) Aug 26 13:23:37.457383: | flags: none (0x0) Aug 26 13:23:37.457386: | length: 164 (0xa4) Aug 26 13:23:37.457389: | processing payload: ISAKMP_NEXT_v2SA (len=160) Aug 26 13:23:37.457391: | Now let's proceed with payload (ISAKMP_NEXT_v2TSi) Aug 26 13:23:37.457395: | **parse IKEv2 Traffic Selector - Initiator - Payload: Aug 26 13:23:37.457397: | next payload type: ISAKMP_NEXT_v2TSr (0x2d) Aug 26 13:23:37.457400: | flags: none (0x0) Aug 26 13:23:37.457402: | length: 24 (0x18) Aug 26 13:23:37.457405: | number of TS: 1 (0x1) Aug 26 13:23:37.457408: | processing payload: ISAKMP_NEXT_v2TSi (len=16) Aug 26 13:23:37.457410: | Now let's proceed with payload (ISAKMP_NEXT_v2TSr) Aug 26 13:23:37.457413: | **parse IKEv2 Traffic Selector - Responder - Payload: Aug 26 13:23:37.457416: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:23:37.457418: | flags: none (0x0) Aug 26 13:23:37.457421: | length: 24 (0x18) Aug 26 13:23:37.457424: | number of TS: 1 (0x1) Aug 26 13:23:37.457427: | processing payload: ISAKMP_NEXT_v2TSr (len=16) Aug 26 13:23:37.457429: | selected state microcode Responder: process IKE_AUTH request Aug 26 13:23:37.457432: | Now let's proceed with state specific processing Aug 26 13:23:37.457435: | calling processor Responder: process 
IKE_AUTH request Aug 26 13:23:37.457441: "east" #1: processing decrypted IKE_AUTH request: SK{IDi,IDr,AUTH,SA,TSi,TSr} Aug 26 13:23:37.457448: | #1 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2669) Aug 26 13:23:37.457452: | received IDr payload - extracting our alleged ID Aug 26 13:23:37.457456: | refine_host_connection for IKEv2: starting with "east" Aug 26 13:23:37.457460: | match_id a=@west Aug 26 13:23:37.457463: | b=@west Aug 26 13:23:37.457466: | results matched Aug 26 13:23:37.457470: | refine_host_connection: checking "east" against "east", best=(none) with match=1(id=1(0)/ca=1(0)/reqca=1(0)) Aug 26 13:23:37.457473: | Warning: not switching back to template of current instance Aug 26 13:23:37.457476: | Peer expects us to be @east (ID_FQDN) according to its IDr payload Aug 26 13:23:37.457479: | This connection's local id is @east (ID_FQDN) Aug 26 13:23:37.457483: | refine_host_connection: checked east against east, now for see if best Aug 26 13:23:37.457486: | started looking for secret for @east->@west of kind PKK_PSK Aug 26 13:23:37.457489: | actually looking for secret for @east->@west of kind PKK_PSK Aug 26 13:23:37.457493: | line 1: key type PKK_PSK(@east) to type PKK_PSK Aug 26 13:23:37.457497: | 1: compared key @east to @east / @west -> 010 Aug 26 13:23:37.457500: | 2: compared key @west to @east / @west -> 014 Aug 26 13:23:37.457502: | line 1: match=014 Aug 26 13:23:37.457506: | match 014 beats previous best_match 000 match=0x562136059b58 (line=1) Aug 26 13:23:37.457508: | concluding with best_match=014 best=0x562136059b58 (lineno=1) Aug 26 13:23:37.457511: | returning because exact peer id match Aug 26 13:23:37.457515: | offered CA: '%none' Aug 26 13:23:37.457518: "east" #1: IKEv2 mode peer ID is ID_FQDN: '@west' Aug 26 13:23:37.457542: | verifying AUTH payload Aug 26 13:23:37.457547: | ikev2_calculate_psk_sighash() called from STATE_PARENT_R1 to verify PSK with authby=secret 
Aug 26 13:23:37.457553: | started looking for secret for @east->@west of kind PKK_PSK Aug 26 13:23:37.457556: | actually looking for secret for @east->@west of kind PKK_PSK Aug 26 13:23:37.457559: | line 1: key type PKK_PSK(@east) to type PKK_PSK Aug 26 13:23:37.457562: | 1: compared key @east to @east / @west -> 010 Aug 26 13:23:37.457565: | 2: compared key @west to @east / @west -> 014 Aug 26 13:23:37.457568: | line 1: match=014 Aug 26 13:23:37.457572: | match 014 beats previous best_match 000 match=0x562136059b58 (line=1) Aug 26 13:23:37.457575: | concluding with best_match=014 best=0x562136059b58 (lineno=1) Aug 26 13:23:37.457638: "east" #1: Authenticated using authby=secret Aug 26 13:23:37.457643: | parent state #1: PARENT_R1(half-open IKE SA) => PARENT_R2(established IKE SA) Aug 26 13:23:37.457648: | #1 will start re-keying in 3598 seconds with margin of 2 seconds (attempting re-key) Aug 26 13:23:37.457651: | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted Aug 26 13:23:37.457655: | libevent_free: release ptr-libevent@0x7f0a2c002888 Aug 26 13:23:37.457659: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x562136102328 Aug 26 13:23:37.457662: | event_schedule: new EVENT_SA_REKEY-pe@0x562136102328 Aug 26 13:23:37.457666: | inserting event EVENT_SA_REKEY, timeout in 3598 seconds for #1 Aug 26 13:23:37.457669: | libevent_malloc: new ptr-libevent@0x562136107678 size 128 Aug 26 13:23:37.458154: | pstats #1 ikev2.ike established Aug 26 13:23:37.458164: | **emit ISAKMP Message: Aug 26 13:23:37.458167: | initiator cookie: Aug 26 13:23:37.458170: | 34 f5 76 a9 3e 8c 98 bc Aug 26 13:23:37.458173: | responder cookie: Aug 26 13:23:37.458175: | 16 9f 01 b3 a8 98 ae 60 Aug 26 13:23:37.458178: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 13:23:37.458181: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:23:37.458183: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Aug 26 13:23:37.458186: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Aug 26 
13:23:37.458189: | Message ID: 1 (0x1) Aug 26 13:23:37.458192: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 13:23:37.458195: | IKEv2 CERT: send a certificate? Aug 26 13:23:37.458198: | IKEv2 CERT: policy does not have RSASIG or ECDSA: PSK Aug 26 13:23:37.458201: | ***emit IKEv2 Encryption Payload: Aug 26 13:23:37.458204: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:23:37.458207: | flags: none (0x0) Aug 26 13:23:37.458233: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Aug 26 13:23:37.458236: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'reply packet' Aug 26 13:23:37.458239: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Aug 26 13:23:37.458247: | Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED Aug 26 13:23:37.458260: | ****emit IKEv2 Identification - Responder - Payload: Aug 26 13:23:37.458264: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:23:37.458266: | flags: none (0x0) Aug 26 13:23:37.458268: | ID type: ID_FQDN (0x2) Aug 26 13:23:37.458272: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Identification - Responder - Payload (36:ISAKMP_NEXT_v2IDr) Aug 26 13:23:37.458275: | next payload chain: saving location 'IKEv2 Identification - Responder - Payload'.'next payload type' in 'reply packet' Aug 26 13:23:37.458278: | emitting 4 raw bytes of my identity into IKEv2 Identification - Responder - Payload Aug 26 13:23:37.458281: | my identity 65 61 73 74 Aug 26 13:23:37.458284: | emitting length of IKEv2 Identification - Responder - Payload: 12 Aug 26 13:23:37.458304: | assembled IDr payload Aug 26 13:23:37.458310: | CHILD SA proposals received Aug 26 13:23:37.458313: | going to assemble AUTH payload Aug 26 13:23:37.458315: | ****emit IKEv2 Authentication Payload: Aug 26 13:23:37.458318: 
| next payload type: ISAKMP_NEXT_v2SA (0x21) Aug 26 13:23:37.458323: | flags: none (0x0) Aug 26 13:23:37.458338: | auth method: IKEv2_AUTH_SHARED (0x2) Aug 26 13:23:37.458341: | next payload chain: ignoring supplied 'IKEv2 Authentication Payload'.'next payload type' value 33:ISAKMP_NEXT_v2SA Aug 26 13:23:37.458345: | next payload chain: setting previous 'IKEv2 Identification - Responder - Payload'.'next payload type' to current IKEv2 Authentication Payload (39:ISAKMP_NEXT_v2AUTH) Aug 26 13:23:37.458347: | next payload chain: saving location 'IKEv2 Authentication Payload'.'next payload type' in 'reply packet' Aug 26 13:23:37.458351: | ikev2_calculate_psk_sighash() called from STATE_PARENT_R2 to create PSK with authby=secret Aug 26 13:23:37.458354: | started looking for secret for @east->@west of kind PKK_PSK Aug 26 13:23:37.458357: | actually looking for secret for @east->@west of kind PKK_PSK Aug 26 13:23:37.458360: | line 1: key type PKK_PSK(@east) to type PKK_PSK Aug 26 13:23:37.458364: | 1: compared key @east to @east / @west -> 010 Aug 26 13:23:37.458367: | 2: compared key @west to @east / @west -> 014 Aug 26 13:23:37.458369: | line 1: match=014 Aug 26 13:23:37.458372: | match 014 beats previous best_match 000 match=0x562136059b58 (line=1) Aug 26 13:23:37.458375: | concluding with best_match=014 best=0x562136059b58 (lineno=1) Aug 26 13:23:37.458429: | emitting 64 raw bytes of PSK auth into IKEv2 Authentication Payload Aug 26 13:23:37.458434: | PSK auth 2e a2 70 37 d0 78 6c 16 54 8b 2a 2f b0 c0 a0 6b Aug 26 13:23:37.458436: | PSK auth 5e 54 ef 0f 15 44 a1 ff 9c 18 e8 13 05 24 85 ef Aug 26 13:23:37.458439: | PSK auth a0 9f 38 60 81 14 e8 84 40 5a 92 5a 44 37 fd c4 Aug 26 13:23:37.458441: | PSK auth cf 9d fe ce 1d 22 ec c2 16 2d 1b bd 7e 3f f5 0f Aug 26 13:23:37.458444: | emitting length of IKEv2 Authentication Payload: 72 Aug 26 13:23:37.458448: | creating state object #2 at 0x562136108398 Aug 26 13:23:37.458451: | State DB: adding IKEv2 state #2 in UNDEFINED Aug 
26 13:23:37.458455: | pstats #2 ikev2.child started Aug 26 13:23:37.458458: | duplicating state object #1 "east" as #2 for IPSEC SA Aug 26 13:23:37.458463: | #2 setting local endpoint to 192.1.2.23:500 from #1.st_localport (in duplicate_state() at state.c:1484) Aug 26 13:23:37.458469: | Message ID: init_child #1.#2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0; child: wip.initiator=0->-1 wip.responder=0->-1 Aug 26 13:23:37.458474: | Message ID: switch-from #1 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=1->-1 Aug 26 13:23:37.458479: | Message ID: switch-to #1.#2 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0; child: wip.initiator=-1 wip.responder=-1->1 Aug 26 13:23:37.458482: | Child SA TS Request has ike->sa == md->st; so using parent connection Aug 26 13:23:37.458485: | TSi: parsing 1 traffic selectors Aug 26 13:23:37.458488: | ***parse IKEv2 Traffic Selector: Aug 26 13:23:37.458491: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 13:23:37.458493: | IP Protocol ID: 0 (0x0) Aug 26 13:23:37.458496: | length: 16 (0x10) Aug 26 13:23:37.458498: | start port: 0 (0x0) Aug 26 13:23:37.458501: | end port: 65535 (0xffff) Aug 26 13:23:37.458504: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Aug 26 13:23:37.458506: | TS low c0 00 01 00 Aug 26 13:23:37.458509: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Aug 26 13:23:37.458512: | TS high c0 00 01 ff Aug 26 13:23:37.458514: | TSi: parsed 1 traffic selectors Aug 26 13:23:37.458517: | TSr: parsing 1 traffic selectors Aug 26 13:23:37.458519: | ***parse IKEv2 Traffic Selector: Aug 26 13:23:37.458522: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 13:23:37.458524: | IP Protocol ID: 0 (0x0) Aug 26 13:23:37.458527: | length: 16 (0x10) Aug 26 13:23:37.458529: | start port: 0 (0x0) Aug 26 13:23:37.458532: | end port: 65535 (0xffff) Aug 26 13:23:37.458534: | parsing 
4 raw bytes of IKEv2 Traffic Selector into TS low Aug 26 13:23:37.458537: | TS low c0 00 02 00 Aug 26 13:23:37.458542: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Aug 26 13:23:37.458544: | TS high c0 00 02 ff Aug 26 13:23:37.458547: | TSr: parsed 1 traffic selectors Aug 26 13:23:37.458549: | looking for best SPD in current connection Aug 26 13:23:37.458555: | evaluating our conn="east" I=192.0.1.0/24:0/0 R=192.0.2.0/24:0/0 to their: Aug 26 13:23:37.458561: | TSi[0] .net=192.0.1.0-192.0.1.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 13:23:37.458568: | match address end->client=192.0.1.0/24 == TSi[0]net=192.0.1.0-192.0.1.255: YES fitness 32 Aug 26 13:23:37.458572: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Aug 26 13:23:37.458574: | TSi[0] port match: YES fitness 65536 Aug 26 13:23:37.458577: | narrow protocol end=*0 == TSi[0]=*0: 0 Aug 26 13:23:37.458580: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Aug 26 13:23:37.458585: | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 13:23:37.458591: | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 Aug 26 13:23:37.458594: | narrow port end=0..65535 == TSr[0]=0..65535: 0 Aug 26 13:23:37.458597: | TSr[0] port match: YES fitness 65536 Aug 26 13:23:37.458599: | narrow protocol end=*0 == TSr[0]=*0: 0 Aug 26 13:23:37.458602: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Aug 26 13:23:37.458605: | best fit so far: TSi[0] TSr[0] Aug 26 13:23:37.458608: | found better spd route for TSi[0],TSr[0] Aug 26 13:23:37.458610: | looking for better host pair Aug 26 13:23:37.458616: | find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500 but ignoring ports Aug 26 13:23:37.458621: | checking hostpair 192.0.2.0/24 -> 192.0.1.0/24 is found Aug 26 13:23:37.458624: | investigating connection "east" as a better match Aug 26 13:23:37.458627: | match_id a=@west Aug 26 13:23:37.458629: | b=@west Aug 26 
13:23:37.458632: | results matched Aug 26 13:23:37.458636: | evaluating our conn="east" I=192.0.1.0/24:0/0 R=192.0.2.0/24:0/0 to their: Aug 26 13:23:37.458641: | TSi[0] .net=192.0.1.0-192.0.1.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 13:23:37.458647: | match address end->client=192.0.1.0/24 == TSi[0]net=192.0.1.0-192.0.1.255: YES fitness 32 Aug 26 13:23:37.458650: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Aug 26 13:23:37.458652: | TSi[0] port match: YES fitness 65536 Aug 26 13:23:37.458655: | narrow protocol end=*0 == TSi[0]=*0: 0 Aug 26 13:23:37.458657: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Aug 26 13:23:37.458661: | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 13:23:37.458666: | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 Aug 26 13:23:37.458669: | narrow port end=0..65535 == TSr[0]=0..65535: 0 Aug 26 13:23:37.458672: | TSr[0] port match: YES fitness 65536 Aug 26 13:23:37.458674: | narrow protocol end=*0 == TSr[0]=*0: 0 Aug 26 13:23:37.458677: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Aug 26 13:23:37.458680: | best fit so far: TSi[0] TSr[0] Aug 26 13:23:37.458682: | did not find a better connection using host pair Aug 26 13:23:37.458685: | printing contents struct traffic_selector Aug 26 13:23:37.458687: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Aug 26 13:23:37.458689: | ipprotoid: 0 Aug 26 13:23:37.458692: | port range: 0-65535 Aug 26 13:23:37.458696: | ip range: 192.0.2.0-192.0.2.255 Aug 26 13:23:37.458698: | printing contents struct traffic_selector Aug 26 13:23:37.458701: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Aug 26 13:23:37.458703: | ipprotoid: 0 Aug 26 13:23:37.458706: | port range: 0-65535 Aug 26 13:23:37.458710: | ip range: 192.0.1.0-192.0.1.255 Aug 26 13:23:37.458714: | constructing ESP/AH proposals with all DH removed for east (IKE_AUTH responder matching remote ESP/AH proposals) Aug 26 13:23:37.458723: | converting 
proposal AES_GCM_16_256-NONE to ikev2 ... Aug 26 13:23:37.458729: | ... ikev2_proposal: 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;DH=NONE;ESN=DISABLED Aug 26 13:23:37.458733: | converting proposal AES_GCM_16_128-NONE to ikev2 ... Aug 26 13:23:37.458737: | ... ikev2_proposal: 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;DH=NONE;ESN=DISABLED Aug 26 13:23:37.458741: | converting proposal AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128 to ikev2 ... Aug 26 13:23:37.458746: | ... ikev2_proposal: 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED Aug 26 13:23:37.458749: | converting proposal AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128 to ikev2 ... Aug 26 13:23:37.458754: | ... ikev2_proposal: 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED Aug 26 13:23:37.458762: "east": constructed local ESP/AH proposals for east (IKE_AUTH responder matching remote ESP/AH proposals): 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;DH=NONE;ESN=DISABLED 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;DH=NONE;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED Aug 26 13:23:37.458767: | Comparing remote proposals against IKE_AUTH responder matching remote ESP/AH proposals 4 local proposals Aug 26 13:23:37.458772: | local proposal 1 type ENCR has 1 transforms Aug 26 13:23:37.458775: | local proposal 1 type PRF has 0 transforms Aug 26 13:23:37.458778: | local proposal 1 type INTEG has 1 transforms Aug 26 13:23:37.458781: | local proposal 1 type DH has 1 transforms Aug 26 13:23:37.458783: | local proposal 1 type ESN has 1 transforms Aug 26 13:23:37.458787: | local proposal 1 transforms: required: ENCR+ESN; optional: INTEG+DH Aug 26 13:23:37.458790: | local proposal 2 type ENCR has 1 transforms Aug 26 13:23:37.458793: | local proposal 2 type PRF has 0 transforms Aug 26 13:23:37.458795: | local proposal 2 type INTEG has 1 
transforms Aug 26 13:23:37.458798: | local proposal 2 type DH has 1 transforms Aug 26 13:23:37.458801: | local proposal 2 type ESN has 1 transforms Aug 26 13:23:37.458804: | local proposal 2 transforms: required: ENCR+ESN; optional: INTEG+DH Aug 26 13:23:37.458806: | local proposal 3 type ENCR has 1 transforms Aug 26 13:23:37.458809: | local proposal 3 type PRF has 0 transforms Aug 26 13:23:37.458812: | local proposal 3 type INTEG has 2 transforms Aug 26 13:23:37.458815: | local proposal 3 type DH has 1 transforms Aug 26 13:23:37.458817: | local proposal 3 type ESN has 1 transforms Aug 26 13:23:37.458820: | local proposal 3 transforms: required: ENCR+INTEG+ESN; optional: DH Aug 26 13:23:37.458823: | local proposal 4 type ENCR has 1 transforms Aug 26 13:23:37.458825: | local proposal 4 type PRF has 0 transforms Aug 26 13:23:37.458827: | local proposal 4 type INTEG has 2 transforms Aug 26 13:23:37.458830: | local proposal 4 type DH has 1 transforms Aug 26 13:23:37.458832: | local proposal 4 type ESN has 1 transforms Aug 26 13:23:37.458835: | local proposal 4 transforms: required: ENCR+INTEG+ESN; optional: DH Aug 26 13:23:37.458839: | ***parse IKEv2 Proposal Substructure Payload: Aug 26 13:23:37.458842: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 13:23:37.458845: | length: 32 (0x20) Aug 26 13:23:37.458848: | prop #: 1 (0x1) Aug 26 13:23:37.458851: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 13:23:37.458853: | spi size: 4 (0x4) Aug 26 13:23:37.458856: | # transforms: 2 (0x2) Aug 26 13:23:37.458859: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Aug 26 13:23:37.458862: | remote SPI 60 a9 46 2c Aug 26 13:23:37.458865: | Comparing remote proposal 1 containing 2 transforms against local proposal [1..4] of 4 local proposals Aug 26 13:23:37.458869: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:37.458872: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:37.458874: | length: 12 (0xc) Aug 26 13:23:37.458877: | 
IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:23:37.458882: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 13:23:37.458885: | *****parse IKEv2 Attribute Substructure Payload: Aug 26 13:23:37.458888: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:23:37.458891: | length/value: 256 (0x100) Aug 26 13:23:37.458896: | remote proposal 1 transform 0 (ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) transform 0 Aug 26 13:23:37.458899: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:37.458902: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:23:37.458905: | length: 8 (0x8) Aug 26 13:23:37.458908: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 13:23:37.458911: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 13:23:37.458914: | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 1 type 5 (ESN) transform 0 Aug 26 13:23:37.458918: | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 2 type 5 (ESN) transform 0 Aug 26 13:23:37.458922: | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 3 type 5 (ESN) transform 0 Aug 26 13:23:37.458925: | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 4 type 5 (ESN) transform 0 Aug 26 13:23:37.458929: | remote proposal 1 proposed transforms: ENCR+ESN; matched: ENCR+ESN; unmatched: none Aug 26 13:23:37.458933: | comparing remote proposal 1 containing ENCR+ESN transforms to local proposal 1; required: ENCR+ESN; optional: INTEG+DH; matched: ENCR+ESN Aug 26 13:23:37.458936: | remote proposal 1 matches local proposal 1 Aug 26 13:23:37.458940: | ***parse IKEv2 Proposal Substructure Payload: Aug 26 13:23:37.458942: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 13:23:37.458945: | length: 32 (0x20) Aug 26 13:23:37.458948: | prop #: 2 (0x2) Aug 26 13:23:37.458950: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 13:23:37.458953: | spi size: 4 (0x4) Aug 26 13:23:37.458955: | # transforms: 2 (0x2) Aug 26 13:23:37.458958: | parsing 4 raw bytes of 
IKEv2 Proposal Substructure Payload into remote SPI Aug 26 13:23:37.458961: | remote SPI 60 a9 46 2c Aug 26 13:23:37.458964: | Comparing remote proposal 2 containing 2 transforms against local proposal [1..0] of 4 local proposals Aug 26 13:23:37.458967: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:37.458970: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:37.458972: | length: 12 (0xc) Aug 26 13:23:37.458975: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:23:37.458978: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 13:23:37.458981: | *****parse IKEv2 Attribute Substructure Payload: Aug 26 13:23:37.458983: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:23:37.458986: | length/value: 128 (0x80) Aug 26 13:23:37.458989: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:37.458992: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:23:37.458995: | length: 8 (0x8) Aug 26 13:23:37.458997: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 13:23:37.459000: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 13:23:37.459003: | remote proposal 2 proposed transforms: ENCR+ESN; matched: none; unmatched: ENCR+ESN Aug 26 13:23:37.459006: | remote proposal 2 does not match; unmatched remote transforms: ENCR+ESN Aug 26 13:23:37.459009: | ***parse IKEv2 Proposal Substructure Payload: Aug 26 13:23:37.459012: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 13:23:37.459014: | length: 48 (0x30) Aug 26 13:23:37.459017: | prop #: 3 (0x3) Aug 26 13:23:37.459019: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 13:23:37.459021: | spi size: 4 (0x4) Aug 26 13:23:37.459024: | # transforms: 4 (0x4) Aug 26 13:23:37.459027: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Aug 26 13:23:37.459029: | remote SPI 60 a9 46 2c Aug 26 13:23:37.459032: | Comparing remote proposal 3 containing 4 transforms against local proposal [1..0] of 4 local proposals Aug 26 13:23:37.459035: | ****parse IKEv2 Transform Substructure Payload: 
Aug 26 13:23:37.459038: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:37.459042: | length: 12 (0xc) Aug 26 13:23:37.459045: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:23:37.459048: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 13:23:37.459051: | *****parse IKEv2 Attribute Substructure Payload: Aug 26 13:23:37.459054: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:23:37.459056: | length/value: 256 (0x100) Aug 26 13:23:37.459060: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:37.459062: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:37.459065: | length: 8 (0x8) Aug 26 13:23:37.459068: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:23:37.459070: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Aug 26 13:23:37.459073: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:37.459076: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:37.459079: | length: 8 (0x8) Aug 26 13:23:37.459081: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:23:37.459084: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Aug 26 13:23:37.459087: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:37.459090: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:23:37.459092: | length: 8 (0x8) Aug 26 13:23:37.459095: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 13:23:37.459098: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 13:23:37.459101: | remote proposal 3 proposed transforms: ENCR+INTEG+ESN; matched: none; unmatched: ENCR+INTEG+ESN Aug 26 13:23:37.459104: | remote proposal 3 does not match; unmatched remote transforms: ENCR+INTEG+ESN Aug 26 13:23:37.459107: | ***parse IKEv2 Proposal Substructure Payload: Aug 26 13:23:37.459110: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 13:23:37.459112: | length: 48 (0x30) Aug 26 13:23:37.459114: | prop #: 4 (0x4) Aug 26 13:23:37.459117: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 13:23:37.459119: | spi size: 4 (0x4) Aug 26 13:23:37.459121: | # 
transforms: 4 (0x4) Aug 26 13:23:37.459124: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Aug 26 13:23:37.459127: | remote SPI 60 a9 46 2c Aug 26 13:23:37.459129: | Comparing remote proposal 4 containing 4 transforms against local proposal [1..0] of 4 local proposals Aug 26 13:23:37.459132: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:37.459135: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:37.459137: | length: 12 (0xc) Aug 26 13:23:37.459140: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:23:37.459142: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 13:23:37.459145: | *****parse IKEv2 Attribute Substructure Payload: Aug 26 13:23:37.459147: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:23:37.459150: | length/value: 128 (0x80) Aug 26 13:23:37.459153: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:37.459155: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:37.459158: | length: 8 (0x8) Aug 26 13:23:37.459160: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:23:37.459163: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Aug 26 13:23:37.459165: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:37.459168: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:37.459170: | length: 8 (0x8) Aug 26 13:23:37.459173: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:23:37.459175: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Aug 26 13:23:37.459178: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:37.459181: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:23:37.459183: | length: 8 (0x8) Aug 26 13:23:37.459186: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 13:23:37.459188: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 13:23:37.459192: | remote proposal 4 proposed transforms: ENCR+INTEG+ESN; matched: none; unmatched: ENCR+INTEG+ESN Aug 26 13:23:37.459195: | remote proposal 4 does not match; unmatched remote transforms: 
ENCR+INTEG+ESN Aug 26 13:23:37.459200: "east" #1: proposal 1:ESP:SPI=60a9462c;ENCR=AES_GCM_C_256;ESN=DISABLED chosen from remote proposals 1:ESP:ENCR=AES_GCM_C_256;ESN=DISABLED[first-match] 2:ESP:ENCR=AES_GCM_C_128;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED Aug 26 13:23:37.459207: | IKE_AUTH responder matching remote ESP/AH proposals ikev2_proposal: 1:ESP:SPI=60a9462c;ENCR=AES_GCM_C_256;ESN=DISABLED Aug 26 13:23:37.459210: | converting proposal to internal trans attrs Aug 26 13:23:37.459229: | netlink_get_spi: allocated 0xeaac726c for esp.0@192.1.2.23 Aug 26 13:23:37.459232: | Emitting ikev2_proposal ... Aug 26 13:23:37.459235: | ****emit IKEv2 Security Association Payload: Aug 26 13:23:37.459238: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:23:37.459240: | flags: none (0x0) Aug 26 13:23:37.459244: | next payload chain: setting previous 'IKEv2 Authentication Payload'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Aug 26 13:23:37.459247: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Aug 26 13:23:37.459250: | *****emit IKEv2 Proposal Substructure Payload: Aug 26 13:23:37.459253: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 13:23:37.459256: | prop #: 1 (0x1) Aug 26 13:23:37.459258: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 13:23:37.459261: | spi size: 4 (0x4) Aug 26 13:23:37.459263: | # transforms: 2 (0x2) Aug 26 13:23:37.459266: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Aug 26 13:23:37.459270: | emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload Aug 26 13:23:37.459272: | our spi ea ac 72 6c Aug 26 13:23:37.459275: | ******emit IKEv2 Transform Substructure Payload: Aug 26 13:23:37.459278: | last 
transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:37.459281: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:23:37.459283: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 13:23:37.459286: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:23:37.459292: | *******emit IKEv2 Attribute Substructure Payload: Aug 26 13:23:37.459295: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:23:37.459298: | length/value: 256 (0x100) Aug 26 13:23:37.459301: | emitting length of IKEv2 Transform Substructure Payload: 12 Aug 26 13:23:37.459303: | ******emit IKEv2 Transform Substructure Payload: Aug 26 13:23:37.459306: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:23:37.459308: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 13:23:37.459311: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 13:23:37.459334: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:37.459338: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:23:37.459343: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:23:37.459346: | emitting length of IKEv2 Proposal Substructure Payload: 32 Aug 26 13:23:37.459349: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Aug 26 13:23:37.459351: | emitting length of IKEv2 Security Association Payload: 36 Aug 26 13:23:37.459354: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Aug 26 13:23:37.459357: | ****emit IKEv2 Traffic Selector - Initiator - Payload: Aug 26 13:23:37.459360: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:23:37.459375: | flags: none (0x0) Aug 26 13:23:37.459378: | number 
of TS: 1 (0x1) Aug 26 13:23:37.459381: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Traffic Selector - Initiator - Payload (44:ISAKMP_NEXT_v2TSi) Aug 26 13:23:37.459386: | next payload chain: saving location 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' in 'reply packet' Aug 26 13:23:37.459388: | *****emit IKEv2 Traffic Selector: Aug 26 13:23:37.459391: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 13:23:37.459394: | IP Protocol ID: 0 (0x0) Aug 26 13:23:37.459396: | start port: 0 (0x0) Aug 26 13:23:37.459399: | end port: 65535 (0xffff) Aug 26 13:23:37.459402: | emitting 4 raw bytes of ipv4 start into IKEv2 Traffic Selector Aug 26 13:23:37.459404: | ipv4 start c0 00 01 00 Aug 26 13:23:37.459406: | emitting 4 raw bytes of ipv4 end into IKEv2 Traffic Selector Aug 26 13:23:37.459409: | ipv4 end c0 00 01 ff Aug 26 13:23:37.459411: | emitting length of IKEv2 Traffic Selector: 16 Aug 26 13:23:37.459414: | emitting length of IKEv2 Traffic Selector - Initiator - Payload: 24 Aug 26 13:23:37.459417: | ****emit IKEv2 Traffic Selector - Responder - Payload: Aug 26 13:23:37.459419: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:23:37.459421: | flags: none (0x0) Aug 26 13:23:37.459424: | number of TS: 1 (0x1) Aug 26 13:23:37.459427: | next payload chain: setting previous 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' to current IKEv2 Traffic Selector - Responder - Payload (45:ISAKMP_NEXT_v2TSr) Aug 26 13:23:37.459429: | next payload chain: saving location 'IKEv2 Traffic Selector - Responder - Payload'.'next payload type' in 'reply packet' Aug 26 13:23:37.459432: | *****emit IKEv2 Traffic Selector: Aug 26 13:23:37.459434: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 13:23:37.459436: | IP Protocol ID: 0 (0x0) Aug 26 13:23:37.459438: | start port: 0 (0x0) Aug 26 13:23:37.459441: | end port: 65535 (0xffff) Aug 26 13:23:37.459443: | emitting 4 raw bytes of ipv4 
start into IKEv2 Traffic Selector Aug 26 13:23:37.459445: | ipv4 start c0 00 02 00 Aug 26 13:23:37.459448: | emitting 4 raw bytes of ipv4 end into IKEv2 Traffic Selector Aug 26 13:23:37.459450: | ipv4 end c0 00 02 ff Aug 26 13:23:37.459452: | emitting length of IKEv2 Traffic Selector: 16 Aug 26 13:23:37.459454: | emitting length of IKEv2 Traffic Selector - Responder - Payload: 24 Aug 26 13:23:37.459457: | Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED Aug 26 13:23:37.459459: | integ=none: .key_size=0 encrypt=aes_gcm_16: .key_size=32 .salt_size=4 keymat_len=36 Aug 26 13:23:37.459594: | FOR_EACH_CONNECTION_... in ISAKMP_SA_established Aug 26 13:23:37.459601: | #1 spent 2.15 milliseconds Aug 26 13:23:37.459604: | install_ipsec_sa() for #2: inbound and outbound Aug 26 13:23:37.459607: | could_route called for east (kind=CK_PERMANENT) Aug 26 13:23:37.459609: | FOR_EACH_CONNECTION_... in route_owner Aug 26 13:23:37.459612: | conn east mark 0/00000000, 0/00000000 vs Aug 26 13:23:37.459615: | conn east mark 0/00000000, 0/00000000 Aug 26 13:23:37.459618: | route owner of "east" unrouted: NULL; eroute owner: NULL Aug 26 13:23:37.459622: | looking for alg with encrypt: AES_GCM_16 keylen: 256 integ: NONE Aug 26 13:23:37.459625: | encrypt AES_GCM_16 keylen=256 transid=20, key_size=32, encryptalg=20 Aug 26 13:23:37.459627: | AES_GCM_16 requires 4 salt bytes Aug 26 13:23:37.459630: | st->st_esp.keymat_len=36 is encrypt_keymat_size=36 + integ_keymat_size=0 Aug 26 13:23:37.459634: | setting IPsec SA replay-window to 32 Aug 26 13:23:37.459636: | NIC esp-hw-offload not for connection 'east' not available on interface eth1 Aug 26 13:23:37.459639: | netlink: enabling tunnel mode Aug 26 13:23:37.459642: | netlink: setting IPsec SA replay-window to 32 using old-style req Aug 26 13:23:37.459645: | netlink: esp-hw-offload not set for IPsec SA Aug 26 13:23:37.459710: | netlink response for Add SA esp.60a9462c@192.1.2.45 included non-error error Aug 26 
13:23:37.459714: | set up outgoing SA, ref=0/0 Aug 26 13:23:37.459717: | looking for alg with encrypt: AES_GCM_16 keylen: 256 integ: NONE Aug 26 13:23:37.459722: | encrypt AES_GCM_16 keylen=256 transid=20, key_size=32, encryptalg=20 Aug 26 13:23:37.459725: | AES_GCM_16 requires 4 salt bytes Aug 26 13:23:37.459727: | st->st_esp.keymat_len=36 is encrypt_keymat_size=36 + integ_keymat_size=0 Aug 26 13:23:37.459730: | setting IPsec SA replay-window to 32 Aug 26 13:23:37.459733: | NIC esp-hw-offload not for connection 'east' not available on interface eth1 Aug 26 13:23:37.459735: | netlink: enabling tunnel mode Aug 26 13:23:37.459738: | netlink: setting IPsec SA replay-window to 32 using old-style req Aug 26 13:23:37.459740: | netlink: esp-hw-offload not set for IPsec SA Aug 26 13:23:37.459798: | netlink response for Add SA esp.eaac726c@192.1.2.23 included non-error error Aug 26 13:23:37.459802: | priority calculation of connection "east" is 0xfe7e7 Aug 26 13:23:37.459808: | add inbound eroute 192.0.1.0/24:0 --0-> 192.0.2.0/24:0 => tun.10000@192.1.2.23 (raw_eroute) Aug 26 13:23:37.459812: | IPsec Sa SPD priority set to 1042407 Aug 26 13:23:37.459846: | raw_eroute result=success Aug 26 13:23:37.459850: | set up incoming SA, ref=0/0 Aug 26 13:23:37.459852: | sr for #2: unrouted Aug 26 13:23:37.459870: | route_and_eroute() for proto 0, and source port 0 dest port 0 Aug 26 13:23:37.459872: | FOR_EACH_CONNECTION_... 
in route_owner Aug 26 13:23:37.459875: | conn east mark 0/00000000, 0/00000000 vs Aug 26 13:23:37.459878: | conn east mark 0/00000000, 0/00000000 Aug 26 13:23:37.459894: | route owner of "east" unrouted: NULL; eroute owner: NULL Aug 26 13:23:37.459897: | route_and_eroute with c: east (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: #2 Aug 26 13:23:37.459915: | priority calculation of connection "east" is 0xfe7e7 Aug 26 13:23:37.459922: | eroute_connection add eroute 192.0.2.0/24:0 --0-> 192.0.1.0/24:0 => tun.0@192.1.2.45 (raw_eroute) Aug 26 13:23:37.459938: | IPsec Sa SPD priority set to 1042407 Aug 26 13:23:37.459948: | raw_eroute result=success Aug 26 13:23:37.459964: | running updown command "ipsec _updown" for verb up Aug 26 13:23:37.459967: | command executing up-client Aug 26 13:23:37.460004: | executing up-client: PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='east' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='@west' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x60a9462c SPI_OUT=0xeaa Aug 26 13:23:37.460008: | popen cmd is 1020 chars long Aug 26 13:23:37.460011: | cmd( 0):PLUTO_VERB='up-client' PLUTO_VERSION='2.0' 
PLUTO_CONNECTION='east' PLUTO_INTERFA: Aug 26 13:23:37.460014: | cmd( 80):CE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' : Aug 26 13:23:37.460017: | cmd( 160):PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_M: Aug 26 13:23:37.460019: | cmd( 240):ASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='1638: Aug 26 13:23:37.460021: | cmd( 320):8' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='@west' PLUTO_PEER_: Aug 26 13:23:37.460024: | cmd( 400):CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK=': Aug 26 13:23:37.460026: | cmd( 480):255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUT: Aug 26 13:23:37.460029: | cmd( 560):O_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKE: Aug 26 13:23:37.460035: | cmd( 640):V2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO: Aug 26 13:23:37.460037: | cmd( 720):_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_IN: Aug 26 13:23:37.460040: | cmd( 800):FO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_: Aug 26 13:23:37.460043: | cmd( 880):CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED=: Aug 26 13:23:37.460045: | cmd( 960):'no' SPI_IN=0x60a9462c SPI_OUT=0xeaac726c ipsec _updown 2>&1: Aug 26 13:23:37.467558: | route_and_eroute: firewall_notified: true Aug 26 13:23:37.467570: | running updown command "ipsec _updown" for verb prepare Aug 26 13:23:37.467573: | command executing prepare-client Aug 26 13:23:37.467594: | executing prepare-client: PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='east' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' 
PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='@west' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x60a9462c SPI Aug 26 13:23:37.467597: | popen cmd is 1025 chars long Aug 26 13:23:37.467599: | cmd( 0):PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='east' PLUTO_IN: Aug 26 13:23:37.467600: | cmd( 80):TERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@e: Aug 26 13:23:37.467602: | cmd( 160):ast' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLI: Aug 26 13:23:37.467604: | cmd( 240):ENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID=: Aug 26 13:23:37.467605: | cmd( 320):'16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='@west' PLUTO_: Aug 26 13:23:37.467607: | cmd( 400):PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_M: Aug 26 13:23:37.467609: | cmd( 480):ASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='': Aug 26 13:23:37.467610: | cmd( 560): PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PF: Aug 26 13:23:37.467612: | cmd( 640):S+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' : Aug 26 13:23:37.467614: | cmd( 720):PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_D: Aug 26 13:23:37.467615: | cmd( 800):NS_INFO='' PLUTO_PEER_DOMAIN_INFO='' 
PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' P: Aug 26 13:23:37.467617: | cmd( 880):LUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SH: Aug 26 13:23:37.467619: | cmd( 960):ARED='no' SPI_IN=0x60a9462c SPI_OUT=0xeaac726c ipsec _updown 2>&1: Aug 26 13:23:37.474280: | running updown command "ipsec _updown" for verb route Aug 26 13:23:37.474313: | command executing route-client Aug 26 13:23:37.474347: | executing route-client: PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='east' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='@west' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x60a9462c SPI_OUT Aug 26 13:23:37.474353: | popen cmd is 1023 chars long Aug 26 13:23:37.474355: | cmd( 0):PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='east' PLUTO_INTE: Aug 26 13:23:37.474357: | cmd( 80):RFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@eas: Aug 26 13:23:37.474359: | cmd( 160):t' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIEN: Aug 26 13:23:37.474360: | cmd( 240):T_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='1: Aug 26 13:23:37.474362: | 
cmd( 320):6388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='@west' PLUTO_PE: Aug 26 13:23:37.474364: | cmd( 400):ER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MAS: Aug 26 13:23:37.474365: | cmd( 480):K='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' P: Aug 26 13:23:37.474367: | cmd( 560):LUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+: Aug 26 13:23:37.474369: | cmd( 640):IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PL: Aug 26 13:23:37.474370: | cmd( 720):UTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS: Aug 26 13:23:37.474372: | cmd( 800):_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLU: Aug 26 13:23:37.474373: | cmd( 880):TO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHAR: Aug 26 13:23:37.474375: | cmd( 960):ED='no' SPI_IN=0x60a9462c SPI_OUT=0xeaac726c ipsec _updown 2>&1: Aug 26 13:23:37.483427: | route_and_eroute: instance "east", setting eroute_owner {spd=0x562136100758,sr=0x562136100758} to #2 (was #0) (newest_ipsec_sa=#0) Aug 26 13:23:37.483486: | #1 spent 1.57 milliseconds in install_ipsec_sa() Aug 26 13:23:37.483492: | ISAKMP_v2_IKE_AUTH: instance east[0], setting IKEv2 newest_ipsec_sa to #2 (was #0) (spd.eroute=#2) cloned from #1 Aug 26 13:23:37.483495: | adding 1 bytes of padding (including 1 byte padding-length) Aug 26 13:23:37.483497: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:23:37.483500: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Aug 26 13:23:37.483502: | emitting length of IKEv2 Encryption Payload: 197 Aug 26 13:23:37.483504: | emitting length of ISAKMP Message: 225 Aug 26 13:23:37.483532: | ikev2_parent_inI2outR2_continue_tail returned STF_OK Aug 26 13:23:37.483536: | #1 spent 3.77 milliseconds in processing: Responder: 
process IKE_AUTH request in ikev2_process_state_packet() Aug 26 13:23:37.483542: | suspend processing: state #1 connection "east" from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:23:37.483545: | start processing: state #2 connection "east" from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:23:37.483548: | #2 complete_v2_state_transition() md.from_state=PARENT_R1 md.svm.state[from]=PARENT_R1 UNDEFINED->V2_IPSEC_R with status STF_OK Aug 26 13:23:37.483551: | IKEv2: transition from state STATE_PARENT_R1 to state STATE_V2_IPSEC_R Aug 26 13:23:37.483553: | child state #2: UNDEFINED(ignore) => V2_IPSEC_R(established CHILD SA) Aug 26 13:23:37.483556: | Message ID: updating counters for #2 to 1 after switching state Aug 26 13:23:37.483560: | Message ID: recv #1.#2 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0->1; child: wip.initiator=-1 wip.responder=1->-1 Aug 26 13:23:37.483563: | Message ID: sent #1.#2 response 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0->1 responder.recv=1; child: wip.initiator=-1 wip.responder=-1 Aug 26 13:23:37.483568: | pstats #2 ikev2.child established Aug 26 13:23:37.483575: "east" #2: negotiated connection [192.0.2.0-192.0.2.255:0-65535 0] -> [192.0.1.0-192.0.1.255:0-65535 0] Aug 26 13:23:37.483577: | NAT-T: encaps is 'auto' Aug 26 13:23:37.483581: "east" #2: STATE_V2_IPSEC_R: IPsec SA established tunnel mode {ESP=>0x60a9462c <0xeaac726c xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive} Aug 26 13:23:37.483584: | sending V2 new request packet to 192.1.2.45:500 (from 192.1.2.23:500) Aug 26 13:23:37.483590: | sending 225 bytes for STATE_PARENT_R1 through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #1)
Aug 26 13:23:37.483648: | releasing whack for #2 (sock=fd@-1) Aug 26 13:23:37.483651: | releasing whack and unpending for parent #1 Aug 26 13:23:37.483653: | unpending state #1 connection "east" Aug 26 13:23:37.483656: | #2 will start re-keying in 28798 seconds with margin of 2 seconds (attempting re-key) Aug 26 13:23:37.483658: | event_schedule: new EVENT_SA_REKEY-pe@0x7f0a2c002b78 Aug 26 13:23:37.483661: | inserting event EVENT_SA_REKEY, timeout in 28798 seconds for #2 Aug 26 13:23:37.483664: | libevent_malloc: new ptr-libevent@0x5621361082e8 size 128 Aug 26 13:23:37.483700: | resume sending helper answer for #1 suppresed complete_v2_state_transition() Aug 26 13:23:37.483707: | #1 spent 4.11 milliseconds in resume sending helper answer Aug 26 13:23:37.483713: | stop processing: state #2 connection "east" from 192.1.2.45:500 (in resume_handler() at server.c:833) Aug 26 13:23:37.483718: | libevent_free: release ptr-libevent@0x7f0a24000f48 Aug 26 13:23:37.483731: | processing signal PLUTO_SIGCHLD Aug 26 13:23:37.483738: | waitpid returned ECHILD (no child processes left) Aug 26 13:23:37.483742: | spent 0.00627 milliseconds in signal
handler PLUTO_SIGCHLD Aug 26 13:23:37.483745: | processing signal PLUTO_SIGCHLD Aug 26 13:23:37.483749: | waitpid returned ECHILD (no child processes left) Aug 26 13:23:37.483753: | spent 0.0041 milliseconds in signal handler PLUTO_SIGCHLD Aug 26 13:23:37.483756: | processing signal PLUTO_SIGCHLD Aug 26 13:23:37.483773: | waitpid returned ECHILD (no child processes left) Aug 26 13:23:37.483776: | spent 0.00376 milliseconds in signal handler PLUTO_SIGCHLD Aug 26 13:23:56.202351: | processing global timer EVENT_SHUNT_SCAN Aug 26 13:23:56.202374: | expiring aged bare shunts from shunt table Aug 26 13:23:56.202383: | spent 0.00697 milliseconds in global timer EVENT_SHUNT_SCAN Aug 26 13:24:02.497805: | spent 0.0105 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Aug 26 13:24:02.497892: | *received 661 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500) Aug 26 13:24:02.498246: | start
processing: from 192.1.2.45:500 (in process_md() at demux.c:378) Aug 26 13:24:02.498258: | **parse ISAKMP Message: Aug 26 13:24:02.498267: | initiator cookie: Aug 26 13:24:02.498275: | 34 f5 76 a9 3e 8c 98 bc Aug 26 13:24:02.498283: | responder cookie: Aug 26 13:24:02.498316: | 16 9f 01 b3 a8 98 ae 60 Aug 26 13:24:02.498331: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Aug 26 13:24:02.498340: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:24:02.498349: | exchange type: ISAKMP_v2_CREATE_CHILD_SA (0x24) Aug 26 13:24:02.498362: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Aug 26 13:24:02.498371: | Message ID: 2 (0x2) Aug 26 13:24:02.498379: | length: 661 (0x295) Aug 26 13:24:02.498389: | processing version=2.0 packet with exchange type=ISAKMP_v2_CREATE_CHILD_SA (36) Aug 26 13:24:02.498400: | I am the IKE SA Original Responder receiving an IKEv2 CREATE_CHILD_SA request Aug 26 13:24:02.498412: | State DB: found IKEv2 state #1 in PARENT_R2 (find_v2_ike_sa) Aug 26 13:24:02.498438: | start processing: state #1 connection "east" from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:2016) Aug 26 13:24:02.498448: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Aug 26 13:24:02.498461: | [RE]START processing: state #1 connection "east" from 192.1.2.45:500 (in ike_process_packet() at ikev2.c:2064) Aug 26 13:24:02.498471: | #1 st.st_msgid_lastrecv 1 md.hdr.isa_msgid 00000002 Aug 26 13:24:02.498485: | Message ID: #1 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1 Aug 26 13:24:02.498493: | unpacking clear payload Aug 26 13:24:02.498501: | Now let's proceed with payload (ISAKMP_NEXT_v2SK) Aug 26 13:24:02.498511: | ***parse IKEv2 Encryption Payload: Aug 26 13:24:02.498520: | next payload type: ISAKMP_NEXT_v2SA (0x21) Aug 26 13:24:02.498528: | flags: none (0x0) Aug 26 13:24:02.498536: | length: 633 (0x279) Aug 26 13:24:02.498544: | processing payload: ISAKMP_NEXT_v2SK (len=629) Aug 26 
13:24:02.498559: | Message ID: start-responder #1 request 2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1 wip.initiator=-1 wip.responder=-1->2 Aug 26 13:24:02.498569: | #1 in state PARENT_R2: received v2I2, PARENT SA established Aug 26 13:24:02.498622: | #1 ikev2 ISAKMP_v2_CREATE_CHILD_SA decrypt success Aug 26 13:24:02.498632: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Aug 26 13:24:02.498641: | **parse IKEv2 Security Association Payload: Aug 26 13:24:02.498649: | next payload type: ISAKMP_NEXT_v2Ni (0x28) Aug 26 13:24:02.498657: | flags: none (0x0) Aug 26 13:24:02.498665: | length: 196 (0xc4) Aug 26 13:24:02.498673: | processing payload: ISAKMP_NEXT_v2SA (len=192) Aug 26 13:24:02.498681: | Now let's proceed with payload (ISAKMP_NEXT_v2Ni) Aug 26 13:24:02.498689: | **parse IKEv2 Nonce Payload: Aug 26 13:24:02.498697: | next payload type: ISAKMP_NEXT_v2KE (0x22) Aug 26 13:24:02.498704: | flags: none (0x0) Aug 26 13:24:02.498712: | length: 36 (0x24) Aug 26 13:24:02.498720: | processing payload: ISAKMP_NEXT_v2Ni (len=32) Aug 26 13:24:02.498727: | Now let's proceed with payload (ISAKMP_NEXT_v2KE) Aug 26 13:24:02.498736: | **parse IKEv2 Key Exchange Payload: Aug 26 13:24:02.498744: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 13:24:02.498752: | flags: none (0x0) Aug 26 13:24:02.498759: | length: 264 (0x108) Aug 26 13:24:02.498767: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:24:02.498776: | processing payload: ISAKMP_NEXT_v2KE (len=256) Aug 26 13:24:02.498783: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Aug 26 13:24:02.498792: | **parse IKEv2 Notify Payload: Aug 26 13:24:02.498800: | next payload type: ISAKMP_NEXT_v2TSi (0x2c) Aug 26 13:24:02.498807: | flags: none (0x0) Aug 26 13:24:02.498815: | length: 12 (0xc) Aug 26 13:24:02.498823: | Protocol ID: PROTO_v2_ESP (0x3) Aug 26 13:24:02.498831: | SPI size: 4 (0x4) Aug 26 13:24:02.498840: | Notify Message Type: v2N_REKEY_SA (0x4009) Aug 26 13:24:02.498848: | 
processing payload: ISAKMP_NEXT_v2N (len=4) Aug 26 13:24:02.498856: | Now let's proceed with payload (ISAKMP_NEXT_v2TSi) Aug 26 13:24:02.498864: | **parse IKEv2 Traffic Selector - Initiator - Payload: Aug 26 13:24:02.498872: | next payload type: ISAKMP_NEXT_v2TSr (0x2d) Aug 26 13:24:02.498880: | flags: none (0x0) Aug 26 13:24:02.498888: | length: 48 (0x30) Aug 26 13:24:02.498895: | number of TS: 1 (0x1) Aug 26 13:24:02.498904: | processing payload: ISAKMP_NEXT_v2TSi (len=40) Aug 26 13:24:02.498911: | Now let's proceed with payload (ISAKMP_NEXT_v2TSr) Aug 26 13:24:02.498919: | **parse IKEv2 Traffic Selector - Responder - Payload: Aug 26 13:24:02.498928: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:24:02.498935: | flags: none (0x0) Aug 26 13:24:02.498943: | length: 48 (0x30) Aug 26 13:24:02.498950: | number of TS: 1 (0x1) Aug 26 13:24:02.498958: | processing payload: ISAKMP_NEXT_v2TSr (len=40) Aug 26 13:24:02.498969: | state #1 forced to match CREATE_CHILD_SA from V2_CREATE_R->V2_IPSEC_R by ignoring from state Aug 26 13:24:02.498982: | selected state microcode Respond to CREATE_CHILD_SA IPsec SA Request Aug 26 13:24:02.498999: | #1 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2669) Aug 26 13:24:02.499014: | creating state object #3 at 0x56213610dc88 Aug 26 13:24:02.499023: | State DB: adding IKEv2 state #3 in UNDEFINED Aug 26 13:24:02.499053: | pstats #3 ikev2.child started Aug 26 13:24:02.499063: | duplicating state object #1 "east" as #3 for IPSEC SA Aug 26 13:24:02.499081: | #3 setting local endpoint to 192.1.2.23:500 from #1.st_localport (in duplicate_state() at state.c:1484) Aug 26 13:24:02.499115: | Message ID: init_child #1.#3; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1; child: wip.initiator=0->-1 wip.responder=0->-1 Aug 26 13:24:02.499127: | child state #3: UNDEFINED(ignore) => V2_CREATE_R(established IKE SA) Aug 26 13:24:02.499142: | "east" #1 
received Child SA Request CREATE_CHILD_SA from 192.1.2.45:500 Child "east" #3 in STATE_V2_CREATE_R will process it further Aug 26 13:24:02.499155: | Message ID: switch-from #1 request 2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1 wip.initiator=-1 wip.responder=2->-1 Aug 26 13:24:02.499169: | Message ID: switch-to #1.#3 request 2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1; child: wip.initiator=-1 wip.responder=-1->2 Aug 26 13:24:02.499178: | forcing ST #1 to CHILD #1.#3 in FSM processor Aug 26 13:24:02.499185: | Now let's proceed with state specific processing Aug 26 13:24:02.499194: | calling processor Respond to CREATE_CHILD_SA IPsec SA Request Aug 26 13:24:02.499209: | create child proposal's DH changed from no-PFS to MODP2048, flushing Aug 26 13:24:02.499220: | constructing ESP/AH proposals with default DH MODP2048 for east (CREATE_CHILD_SA responder matching remote ESP/AH proposals) Aug 26 13:24:02.499241: | converting proposal AES_GCM_16_256-NONE to ikev2 ... Aug 26 13:24:02.499258: | ... ikev2_proposal: 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;DH=MODP2048;ESN=DISABLED Aug 26 13:24:02.499267: | converting proposal AES_GCM_16_128-NONE to ikev2 ... Aug 26 13:24:02.499280: | ... ikev2_proposal: 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;DH=MODP2048;ESN=DISABLED Aug 26 13:24:02.499303: | converting proposal AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128 to ikev2 ... Aug 26 13:24:02.499323: | ... ikev2_proposal: 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048;ESN=DISABLED Aug 26 13:24:02.499333: | converting proposal AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128 to ikev2 ... Aug 26 13:24:02.499346: | ... 
ikev2_proposal: 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048;ESN=DISABLED Aug 26 13:24:02.499369: "east": constructed local ESP/AH proposals for east (CREATE_CHILD_SA responder matching remote ESP/AH proposals): 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;DH=MODP2048;ESN=DISABLED 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;DH=MODP2048;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048;ESN=DISABLED Aug 26 13:24:02.499380: | Comparing remote proposals against CREATE_CHILD_SA responder matching remote ESP/AH proposals 4 local proposals Aug 26 13:24:02.499392: | local proposal 1 type ENCR has 1 transforms Aug 26 13:24:02.499400: | local proposal 1 type PRF has 0 transforms Aug 26 13:24:02.499409: | local proposal 1 type INTEG has 1 transforms Aug 26 13:24:02.499416: | local proposal 1 type DH has 1 transforms Aug 26 13:24:02.499424: | local proposal 1 type ESN has 1 transforms Aug 26 13:24:02.499435: | local proposal 1 transforms: required: ENCR+DH+ESN; optional: INTEG Aug 26 13:24:02.499443: | local proposal 2 type ENCR has 1 transforms Aug 26 13:24:02.499451: | local proposal 2 type PRF has 0 transforms Aug 26 13:24:02.499459: | local proposal 2 type INTEG has 1 transforms Aug 26 13:24:02.499472: | local proposal 2 type DH has 1 transforms Aug 26 13:24:02.499480: | local proposal 2 type ESN has 1 transforms Aug 26 13:24:02.499490: | local proposal 2 transforms: required: ENCR+DH+ESN; optional: INTEG Aug 26 13:24:02.499498: | local proposal 3 type ENCR has 1 transforms Aug 26 13:24:02.499506: | local proposal 3 type PRF has 0 transforms Aug 26 13:24:02.499514: | local proposal 3 type INTEG has 2 transforms Aug 26 13:24:02.499521: | local proposal 3 type DH has 1 transforms Aug 26 13:24:02.499529: | local proposal 3 type ESN has 1 transforms Aug 26 13:24:02.499539: | local proposal 3 transforms: required: ENCR+INTEG+DH+ESN; 
optional: none Aug 26 13:24:02.499547: | local proposal 4 type ENCR has 1 transforms Aug 26 13:24:02.499555: | local proposal 4 type PRF has 0 transforms Aug 26 13:24:02.499563: | local proposal 4 type INTEG has 2 transforms Aug 26 13:24:02.499571: | local proposal 4 type DH has 1 transforms Aug 26 13:24:02.499579: | local proposal 4 type ESN has 1 transforms Aug 26 13:24:02.499588: | local proposal 4 transforms: required: ENCR+INTEG+DH+ESN; optional: none Aug 26 13:24:02.499598: | ***parse IKEv2 Proposal Substructure Payload: Aug 26 13:24:02.499606: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 13:24:02.499614: | length: 40 (0x28) Aug 26 13:24:02.499622: | prop #: 1 (0x1) Aug 26 13:24:02.499630: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 13:24:02.499638: | spi size: 4 (0x4) Aug 26 13:24:02.499645: | # transforms: 3 (0x3) Aug 26 13:24:02.499656: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Aug 26 13:24:02.499664: | remote SPI 76 b1 c3 bf Aug 26 13:24:02.499674: | Comparing remote proposal 1 containing 3 transforms against local proposal [1..4] of 4 local proposals Aug 26 13:24:02.499684: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:24:02.499693: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:24:02.499700: | length: 12 (0xc) Aug 26 13:24:02.499708: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:24:02.499717: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 13:24:02.499725: | *****parse IKEv2 Attribute Substructure Payload: Aug 26 13:24:02.499734: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:24:02.499742: | length/value: 256 (0x100) Aug 26 13:24:02.499755: | remote proposal 1 transform 0 (ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) transform 0 Aug 26 13:24:02.499765: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:24:02.499773: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:24:02.499780: | length: 8 (0x8) Aug 26 13:24:02.499789: | IKEv2 transform type: 
TRANS_TYPE_DH (0x4) Aug 26 13:24:02.499797: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:24:02.499808: | remote proposal 1 transform 1 (DH=MODP2048) matches local proposal 1 type 4 (DH) transform 0 Aug 26 13:24:02.499818: | remote proposal 1 transform 1 (DH=MODP2048) matches local proposal 2 type 4 (DH) transform 0 Aug 26 13:24:02.499828: | remote proposal 1 transform 1 (DH=MODP2048) matches local proposal 3 type 4 (DH) transform 0 Aug 26 13:24:02.499837: | remote proposal 1 transform 1 (DH=MODP2048) matches local proposal 4 type 4 (DH) transform 0 Aug 26 13:24:02.499845: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:24:02.499854: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:24:02.499861: | length: 8 (0x8) Aug 26 13:24:02.499869: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 13:24:02.499877: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 13:24:02.499887: | remote proposal 1 transform 2 (ESN=DISABLED) matches local proposal 1 type 5 (ESN) transform 0 Aug 26 13:24:02.499897: | remote proposal 1 transform 2 (ESN=DISABLED) matches local proposal 2 type 5 (ESN) transform 0 Aug 26 13:24:02.499907: | remote proposal 1 transform 2 (ESN=DISABLED) matches local proposal 3 type 5 (ESN) transform 0 Aug 26 13:24:02.499917: | remote proposal 1 transform 2 (ESN=DISABLED) matches local proposal 4 type 5 (ESN) transform 0 Aug 26 13:24:02.499932: | remote proposal 1 proposed transforms: ENCR+DH+ESN; matched: ENCR+DH+ESN; unmatched: none Aug 26 13:24:02.499947: | comparing remote proposal 1 containing ENCR+DH+ESN transforms to local proposal 1; required: ENCR+DH+ESN; optional: INTEG; matched: ENCR+DH+ESN Aug 26 13:24:02.499956: | remote proposal 1 matches local proposal 1 Aug 26 13:24:02.499965: | ***parse IKEv2 Proposal Substructure Payload: Aug 26 13:24:02.499973: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 13:24:02.499980: | length: 40 (0x28) Aug 26 13:24:02.499988: | prop #: 2 (0x2) Aug 26 13:24:02.499996: | proto ID: 
IKEv2_SEC_PROTO_ESP (0x3) Aug 26 13:24:02.500004: | spi size: 4 (0x4) Aug 26 13:24:02.500011: | # transforms: 3 (0x3) Aug 26 13:24:02.500021: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Aug 26 13:24:02.500029: | remote SPI 76 b1 c3 bf Aug 26 13:24:02.500038: | Comparing remote proposal 2 containing 3 transforms against local proposal [1..0] of 4 local proposals Aug 26 13:24:02.500047: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:24:02.500058: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:24:02.500069: | length: 12 (0xc) Aug 26 13:24:02.500082: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:24:02.500095: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 13:24:02.500108: | *****parse IKEv2 Attribute Substructure Payload: Aug 26 13:24:02.500119: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:24:02.500127: | length/value: 128 (0x80) Aug 26 13:24:02.500137: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:24:02.500146: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:24:02.500153: | length: 8 (0x8) Aug 26 13:24:02.500161: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:24:02.500169: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:24:02.500178: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:24:02.500186: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:24:02.500194: | length: 8 (0x8) Aug 26 13:24:02.500202: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 13:24:02.500209: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 13:24:02.500221: | remote proposal 2 proposed transforms: ENCR+DH+ESN; matched: none; unmatched: ENCR+DH+ESN Aug 26 13:24:02.500231: | remote proposal 2 does not match; unmatched remote transforms: ENCR+DH+ESN Aug 26 13:24:02.500239: | ***parse IKEv2 Proposal Substructure Payload: Aug 26 13:24:02.500247: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 13:24:02.500255: | length: 56 (0x38) Aug 26 13:24:02.500262: | prop #: 3 (0x3) Aug 
26 13:24:02.500270: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 13:24:02.500278: | spi size: 4 (0x4) Aug 26 13:24:02.500285: | # transforms: 5 (0x5) Aug 26 13:24:02.500311: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Aug 26 13:24:02.500320: | remote SPI 76 b1 c3 bf Aug 26 13:24:02.500330: | Comparing remote proposal 3 containing 5 transforms against local proposal [1..0] of 4 local proposals Aug 26 13:24:02.500338: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:24:02.500347: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:24:02.500354: | length: 12 (0xc) Aug 26 13:24:02.500362: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:24:02.500370: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 13:24:02.500378: | *****parse IKEv2 Attribute Substructure Payload: Aug 26 13:24:02.500386: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:24:02.500394: | length/value: 256 (0x100) Aug 26 13:24:02.500403: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:24:02.500412: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:24:02.500419: | length: 8 (0x8) Aug 26 13:24:02.500427: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:24:02.500435: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Aug 26 13:24:02.500444: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:24:02.500452: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:24:02.500465: | length: 8 (0x8) Aug 26 13:24:02.500474: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:24:02.500482: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Aug 26 13:24:02.500491: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:24:02.500498: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:24:02.500506: | length: 8 (0x8) Aug 26 13:24:02.500514: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:24:02.500522: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:24:02.500531: | ****parse IKEv2 Transform Substructure 
Payload: Aug 26 13:24:02.500539: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:24:02.500546: | length: 8 (0x8) Aug 26 13:24:02.500554: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 13:24:02.500562: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 13:24:02.500574: | remote proposal 3 proposed transforms: ENCR+INTEG+DH+ESN; matched: none; unmatched: ENCR+INTEG+DH+ESN Aug 26 13:24:02.500584: | remote proposal 3 does not match; unmatched remote transforms: ENCR+INTEG+DH+ESN Aug 26 13:24:02.500592: | ***parse IKEv2 Proposal Substructure Payload: Aug 26 13:24:02.500601: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 13:24:02.500608: | length: 56 (0x38) Aug 26 13:24:02.500616: | prop #: 4 (0x4) Aug 26 13:24:02.500623: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 13:24:02.500631: | spi size: 4 (0x4) Aug 26 13:24:02.500638: | # transforms: 5 (0x5) Aug 26 13:24:02.500647: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Aug 26 13:24:02.500655: | remote SPI 76 b1 c3 bf Aug 26 13:24:02.500664: | Comparing remote proposal 4 containing 5 transforms against local proposal [1..0] of 4 local proposals Aug 26 13:24:02.500673: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:24:02.500681: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:24:02.500688: | length: 12 (0xc) Aug 26 13:24:02.500696: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:24:02.500704: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 13:24:02.500712: | *****parse IKEv2 Attribute Substructure Payload: Aug 26 13:24:02.500720: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:24:02.500728: | length/value: 128 (0x80) Aug 26 13:24:02.500737: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:24:02.500745: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:24:02.500752: | length: 8 (0x8) Aug 26 13:24:02.500760: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:24:02.500768: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Aug 26 
13:24:02.500777: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:24:02.500785: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:24:02.500792: | length: 8 (0x8) Aug 26 13:24:02.500800: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:24:02.500808: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Aug 26 13:24:02.500817: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:24:02.500825: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:24:02.500832: | length: 8 (0x8) Aug 26 13:24:02.500840: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:24:02.500848: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:24:02.500857: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:24:02.500865: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:24:02.500872: | length: 8 (0x8) Aug 26 13:24:02.500880: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 13:24:02.500888: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 13:24:02.500899: | remote proposal 4 proposed transforms: ENCR+INTEG+DH+ESN; matched: none; unmatched: ENCR+INTEG+DH+ESN Aug 26 13:24:02.500909: | remote proposal 4 does not match; unmatched remote transforms: ENCR+INTEG+DH+ESN Aug 26 13:24:02.500925: "east" #1: proposal 1:ESP:SPI=76b1c3bf;ENCR=AES_GCM_C_256;DH=MODP2048;ESN=DISABLED chosen from remote proposals 1:ESP:ENCR=AES_GCM_C_256;DH=MODP2048;ESN=DISABLED[first-match] 2:ESP:ENCR=AES_GCM_C_128;DH=MODP2048;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;ESN=DISABLED Aug 26 13:24:02.500944: | CREATE_CHILD_SA responder matching remote ESP/AH proposals ikev2_proposal: 1:ESP:SPI=76b1c3bf;ENCR=AES_GCM_C_256;DH=MODP2048;ESN=DISABLED Aug 26 13:24:02.500953: | converting proposal to internal trans attrs Aug 26 13:24:02.500968: | updating #3's .st_oakley with preserved PRF, but why update? 
Aug 26 13:24:02.500978: | received v2N_REKEY_SA Aug 26 13:24:02.500989: | child state #3: V2_CREATE_R(established IKE SA) => V2_REKEY_CHILD_R(established IKE SA) Aug 26 13:24:02.500998: | CREATE_CHILD_SA IPsec SA rekey Protocol PROTO_v2_ESP Aug 26 13:24:02.501007: | parsing 4 raw bytes of IKEv2 Notify Payload into SPI Aug 26 13:24:02.501015: | SPI 60 a9 46 2c Aug 26 13:24:02.501024: | CREATE_CHILD_S to rekey IPsec SA(0x60a9462c) Protocol PROTO_v2_ESP Aug 26 13:24:02.501033: | v2 CHILD SA #2 found using their inbound (our outbound) SPI, in STATE_V2_IPSEC_R Aug 26 13:24:02.501043: | State DB: found IKEv2 state #2 in V2_IPSEC_R (find_v2_child_sa_by_outbound_spi) Aug 26 13:24:02.501052: | #3 rekey request for "east" #2 TSi TSr Aug 26 13:24:02.501060: | printing contents struct traffic_selector Aug 26 13:24:02.501068: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Aug 26 13:24:02.501076: | ipprotoid: 0 Aug 26 13:24:02.501084: | port range: 0-65535 Aug 26 13:24:02.501097: | ip range: 192.0.2.0-192.0.2.255 Aug 26 13:24:02.501105: | printing contents struct traffic_selector Aug 26 13:24:02.501112: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Aug 26 13:24:02.501119: | ipprotoid: 0 Aug 26 13:24:02.501127: | port range: 0-65535 Aug 26 13:24:02.501138: | ip range: 192.0.1.0-192.0.1.255 Aug 26 13:24:02.501166: | adding Child Rekey Responder KE and nonce nr work-order 3 for state #3 Aug 26 13:24:02.501178: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x56213610bde8 Aug 26 13:24:02.501190: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #3 Aug 26 13:24:02.501201: | libevent_malloc: new ptr-libevent@0x7f0a24000f48 size 128 Aug 26 13:24:02.501235: | #3 spent 2.01 milliseconds in processing: Respond to CREATE_CHILD_SA IPsec SA Request in ikev2_process_state_packet() Aug 26 13:24:02.501253: | suspend processing: state #1 connection "east" from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:24:02.501266: | start processing: state #3 connection "east" from 
192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:24:02.501279: | #3 complete_v2_state_transition() md.from_state=V2_CREATE_R md.svm.state[from]=V2_CREATE_R V2_REKEY_CHILD_R->V2_IPSEC_R with status STF_SUSPEND Aug 26 13:24:02.501300: | suspending state #3 and saving MD Aug 26 13:24:02.501314: | #3 is busy; has a suspended MD Aug 26 13:24:02.501319: | crypto helper 4 resuming Aug 26 13:24:02.501385: | crypto helper 4 starting work-order 3 for state #3 Aug 26 13:24:02.501327: | [RE]START processing: state #3 connection "east" from 192.1.2.45:500 (in log_stf_suspend() at ikev2.c:3269) Aug 26 13:24:02.501404: | crypto helper 4 doing build KE and nonce (Child Rekey Responder KE and nonce nr); request ID 3 Aug 26 13:24:02.501431: | "east" #3 complete v2 state STATE_V2_REKEY_CHILD_R transition with STF_SUSPEND suspended from complete_v2_state_transition:3451 Aug 26 13:24:02.501469: | stop processing: state #3 connection "east" from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:2018) Aug 26 13:24:02.501486: | #1 spent 3.56 milliseconds in ikev2_process_packet() Aug 26 13:24:02.501499: | stop processing: from 192.1.2.45:500 (in process_md() at demux.c:380) Aug 26 13:24:02.501508: | processing: STOP state #0 (in process_md() at demux.c:382) Aug 26 13:24:02.501517: | processing: STOP connection NULL (in process_md() at demux.c:383) Aug 26 13:24:02.501530: | spent 3.6 milliseconds in comm_handle_cb() reading and processing packet Aug 26 13:24:02.504105: | crypto helper 4 finished build KE and nonce (Child Rekey Responder KE and nonce nr); request ID 3 time elapsed 0.0027 seconds Aug 26 13:24:02.504148: | (#3) spent 2.71 milliseconds in crypto helper computing work-order 3: Child Rekey Responder KE and nonce nr (pcr) Aug 26 13:24:02.504159: | crypto helper 4 sending results from work-order 3 for state #3 to event queue Aug 26 13:24:02.504169: | scheduling resume sending helper answer for #3 Aug 26 13:24:02.504180: | libevent_malloc: new 
ptr-libevent@0x7f0a28002888 size 128 Aug 26 13:24:02.504190: | libevent_realloc: release ptr-libevent@0x5621360e2448 Aug 26 13:24:02.504199: | libevent_realloc: new ptr-libevent@0x7f0a280027d8 size 128 Aug 26 13:24:02.504221: | crypto helper 4 waiting (nothing to do) Aug 26 13:24:02.504315: | processing resume sending helper answer for #3 Aug 26 13:24:02.504370: | start processing: state #3 connection "east" from 192.1.2.45:500 (in resume_handler() at server.c:797) Aug 26 13:24:02.504386: | crypto helper 4 replies to request ID 3 Aug 26 13:24:02.504395: | calling continuation function 0x562135ceab50 Aug 26 13:24:02.504405: | ikev2_child_inIoutR_continue for #3 STATE_V2_REKEY_CHILD_R Aug 26 13:24:02.504421: | adding DHv2 for child sa work-order 4 for state #3 Aug 26 13:24:02.504430: | state #3 requesting EVENT_CRYPTO_TIMEOUT to be deleted Aug 26 13:24:02.504441: | libevent_free: release ptr-libevent@0x7f0a24000f48 Aug 26 13:24:02.504451: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x56213610bde8 Aug 26 13:24:02.504462: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x56213610bde8 Aug 26 13:24:02.504474: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #3 Aug 26 13:24:02.504484: | libevent_malloc: new ptr-libevent@0x7f0a24000f48 size 128 Aug 26 13:24:02.504517: | [RE]START processing: state #3 connection "east" from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:24:02.504532: | #3 complete_v2_state_transition() md.from_state=V2_CREATE_R md.svm.state[from]=V2_CREATE_R V2_REKEY_CHILD_R->V2_IPSEC_R with status STF_SUSPEND Aug 26 13:24:02.504541: | suspending state #3 and saving MD Aug 26 13:24:02.504549: | #3 is busy; has a suspended MD Aug 26 13:24:02.504562: | [RE]START processing: state #3 connection "east" from 192.1.2.45:500 (in log_stf_suspend() at ikev2.c:3269) Aug 26 13:24:02.504574: | "east" #3 complete v2 state STATE_V2_REKEY_CHILD_R transition with STF_SUSPEND suspended from 
complete_v2_state_transition:3451 Aug 26 13:24:02.504586: | resume sending helper answer for #3 suppresed complete_v2_state_transition() and stole MD Aug 26 13:24:02.504577: | crypto helper 5 resuming Aug 26 13:24:02.504645: | #3 spent 0.233 milliseconds in resume sending helper answer Aug 26 13:24:02.504667: | crypto helper 5 starting work-order 4 for state #3 Aug 26 13:24:02.504694: | stop processing: state #3 connection "east" from 192.1.2.45:500 (in resume_handler() at server.c:833) Aug 26 13:24:02.504717: | crypto helper 5 doing crypto (DHv2 for child sa); request ID 4 Aug 26 13:24:02.504734: | libevent_free: release ptr-libevent@0x7f0a28002888 Aug 26 13:24:02.507318: | crypto helper 5 finished crypto (DHv2 for child sa); request ID 4 time elapsed 0.002601 seconds Aug 26 13:24:02.507357: | (#3) spent 2.61 milliseconds in crypto helper computing work-order 4: DHv2 for child sa (dh) Aug 26 13:24:02.507368: | crypto helper 5 sending results from work-order 4 for state #3 to event queue Aug 26 13:24:02.507379: | scheduling resume sending helper answer for #3 Aug 26 13:24:02.507390: | libevent_malloc: new ptr-libevent@0x7f0a1c001f78 size 128 Aug 26 13:24:02.507413: | crypto helper 5 waiting (nothing to do) Aug 26 13:24:02.507481: | processing resume sending helper answer for #3 Aug 26 13:24:02.507531: | start processing: state #3 connection "east" from 192.1.2.45:500 (in resume_handler() at server.c:797) Aug 26 13:24:02.507555: | crypto helper 5 replies to request ID 4 Aug 26 13:24:02.507565: | calling continuation function 0x562135ceb9d0 Aug 26 13:24:02.507577: | ikev2_child_inIoutR_continue_continue for #3 STATE_V2_REKEY_CHILD_R Aug 26 13:24:02.507682: | **emit ISAKMP Message: Aug 26 13:24:02.507692: | initiator cookie: Aug 26 13:24:02.507701: | 34 f5 76 a9 3e 8c 98 bc Aug 26 13:24:02.507709: | responder cookie: Aug 26 13:24:02.507716: | 16 9f 01 b3 a8 98 ae 60 Aug 26 13:24:02.507725: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 13:24:02.507735: | ISAKMP 
version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:24:02.507743: | exchange type: ISAKMP_v2_CREATE_CHILD_SA (0x24) Aug 26 13:24:02.507753: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Aug 26 13:24:02.507761: | Message ID: 2 (0x2) Aug 26 13:24:02.507771: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 13:24:02.507781: | ***emit IKEv2 Encryption Payload: Aug 26 13:24:02.507790: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:24:02.507797: | flags: none (0x0) Aug 26 13:24:02.507808: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Aug 26 13:24:02.507818: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'reply packet' Aug 26 13:24:02.507828: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Aug 26 13:24:02.507858: | #3 inherit spd, TSi TSr, from "east" #2 Aug 26 13:24:02.507867: | printing contents struct traffic_selector Aug 26 13:24:02.507875: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Aug 26 13:24:02.507883: | ipprotoid: 0 Aug 26 13:24:02.507891: | port range: 0-65535 Aug 26 13:24:02.507904: | ip range: 192.0.2.0-192.0.2.255 Aug 26 13:24:02.507912: | printing contents struct traffic_selector Aug 26 13:24:02.507919: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Aug 26 13:24:02.507926: | ipprotoid: 0 Aug 26 13:24:02.507934: | port range: 0-65535 Aug 26 13:24:02.507945: | ip range: 192.0.1.0-192.0.1.255 Aug 26 13:24:02.507992: | netlink_get_spi: allocated 0x95f4fbca for esp.0@192.1.2.23 Aug 26 13:24:02.508003: | Emitting ikev2_proposal ... 
Aug 26 13:24:02.508012: | ****emit IKEv2 Security Association Payload: Aug 26 13:24:02.508021: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:24:02.508028: | flags: none (0x0) Aug 26 13:24:02.508039: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Aug 26 13:24:02.508048: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Aug 26 13:24:02.508058: | *****emit IKEv2 Proposal Substructure Payload: Aug 26 13:24:02.508066: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 13:24:02.508074: | prop #: 1 (0x1) Aug 26 13:24:02.508083: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 13:24:02.508091: | spi size: 4 (0x4) Aug 26 13:24:02.508099: | # transforms: 3 (0x3) Aug 26 13:24:02.508108: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Aug 26 13:24:02.508119: | emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload Aug 26 13:24:02.508128: | our spi 95 f4 fb ca Aug 26 13:24:02.508136: | ******emit IKEv2 Transform Substructure Payload: Aug 26 13:24:02.508145: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:24:02.508153: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:24:02.508162: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 13:24:02.508172: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:24:02.508181: | *******emit IKEv2 Attribute Substructure Payload: Aug 26 13:24:02.508190: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:24:02.508199: | length/value: 256 (0x100) Aug 26 13:24:02.508209: | emitting length of IKEv2 Transform Substructure Payload: 12 Aug 26 13:24:02.508217: | ******emit IKEv2 Transform Substructure Payload: Aug 26 13:24:02.508225: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 
13:24:02.508239: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:24:02.508248: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:24:02.508259: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:24:02.508268: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:24:02.508277: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:24:02.508285: | ******emit IKEv2 Transform Substructure Payload: Aug 26 13:24:02.508324: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:24:02.508339: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 13:24:02.508360: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 13:24:02.508370: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:24:02.508380: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:24:02.508388: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:24:02.508397: | emitting length of IKEv2 Proposal Substructure Payload: 40 Aug 26 13:24:02.508406: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Aug 26 13:24:02.508415: | emitting length of IKEv2 Security Association Payload: 44 Aug 26 13:24:02.508424: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Aug 26 13:24:02.508433: | ****emit IKEv2 Nonce Payload: Aug 26 13:24:02.508441: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:24:02.508449: | flags: none (0x0) Aug 26 13:24:02.508459: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next 
payload type' to current IKEv2 Nonce Payload (40:ISAKMP_NEXT_v2Ni) Aug 26 13:24:02.508469: | next payload chain: saving location 'IKEv2 Nonce Payload'.'next payload type' in 'reply packet' Aug 26 13:24:02.508479: | emitting 32 raw bytes of IKEv2 nonce into IKEv2 Nonce Payload Aug 26 13:24:02.508488: | IKEv2 nonce b9 ba fd 88 33 9d 08 0f 12 0d 46 d2 1b d1 77 f1 Aug 26 13:24:02.508496: | IKEv2 nonce df d5 d1 ff d9 3b dc 11 4d ce 78 66 d0 89 21 2e Aug 26 13:24:02.508504: | emitting length of IKEv2 Nonce Payload: 36 Aug 26 13:24:02.508513: | ****emit IKEv2 Key Exchange Payload: Aug 26 13:24:02.508521: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:24:02.508529: | flags: none (0x0) Aug 26 13:24:02.508537: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:24:02.508547: | next payload chain: setting previous 'IKEv2 Nonce Payload'.'next payload type' to current IKEv2 Key Exchange Payload (34:ISAKMP_NEXT_v2KE) Aug 26 13:24:02.508556: | next payload chain: saving location 'IKEv2 Key Exchange Payload'.'next payload type' in 'reply packet' Aug 26 13:24:02.508566: | emitting 256 raw bytes of ikev2 g^x into IKEv2 Key Exchange Payload
Aug 26 13:24:02.508706: | emitting length of IKEv2 Key Exchange Payload: 264 Aug 26 13:24:02.508714: | received REKEY_SA already proceesd Aug 26 13:24:02.508723: | ****emit IKEv2 Traffic Selector - Initiator - Payload: Aug 26 13:24:02.508731: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:24:02.508739: | flags: none (0x0) Aug 26 13:24:02.508747: | number of TS: 1 (0x1) Aug 26 13:24:02.508757: | next payload chain: setting previous 'IKEv2 Key Exchange Payload'.'next payload type' to current IKEv2 Traffic Selector - Initiator - Payload (44:ISAKMP_NEXT_v2TSi) Aug 26 13:24:02.508766: | next payload chain: saving location 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' in 'reply packet' Aug 26 13:24:02.508775: | *****emit IKEv2 Traffic Selector: Aug 26 13:24:02.508784: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 13:24:02.508792: | IP Protocol ID: 0 (0x0) Aug 26 13:24:02.508800: | start port: 0 (0x0) Aug 26 13:24:02.508808: | end port: 65535 (0xffff) Aug 26 13:24:02.508818: | emitting 4 raw bytes of ipv4 start into IKEv2 Traffic Selector Aug 26 13:24:02.508826: | ipv4 start c0 00 01 00 Aug 26 13:24:02.508835: | emitting 4 raw bytes of ipv4 end into IKEv2 Traffic Selector Aug 26 13:24:02.508842: | ipv4 end c0 00 01 ff Aug 26 13:24:02.508851: | emitting length of IKEv2 Traffic Selector: 16 Aug 26 13:24:02.508859: | emitting length of IKEv2 Traffic Selector - Initiator - Payload: 24 Aug 26 13:24:02.508867: | ****emit IKEv2 Traffic Selector - Responder -
Payload: Aug 26 13:24:02.508875: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:24:02.508883: | flags: none (0x0) Aug 26 13:24:02.508891: | number of TS: 1 (0x1) Aug 26 13:24:02.508901: | next payload chain: setting previous 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' to current IKEv2 Traffic Selector - Responder - Payload (45:ISAKMP_NEXT_v2TSr) Aug 26 13:24:02.508910: | next payload chain: saving location 'IKEv2 Traffic Selector - Responder - Payload'.'next payload type' in 'reply packet' Aug 26 13:24:02.508919: | *****emit IKEv2 Traffic Selector: Aug 26 13:24:02.508927: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 13:24:02.508934: | IP Protocol ID: 0 (0x0) Aug 26 13:24:02.508942: | start port: 0 (0x0) Aug 26 13:24:02.508950: | end port: 65535 (0xffff) Aug 26 13:24:02.508958: | emitting 4 raw bytes of ipv4 start into IKEv2 Traffic Selector Aug 26 13:24:02.508966: | ipv4 start c0 00 02 00 Aug 26 13:24:02.508975: | emitting 4 raw bytes of ipv4 end into IKEv2 Traffic Selector Aug 26 13:24:02.508982: | ipv4 end c0 00 02 ff Aug 26 13:24:02.508990: | emitting length of IKEv2 Traffic Selector: 16 Aug 26 13:24:02.508998: | emitting length of IKEv2 Traffic Selector - Responder - Payload: 24 Aug 26 13:24:02.509007: | Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED Aug 26 13:24:02.509018: | integ=none: .key_size=0 encrypt=aes_gcm_16: .key_size=32 .salt_size=4 keymat_len=36 Aug 26 13:24:02.509887: | install_ipsec_sa() for #3: inbound and outbound Aug 26 13:24:02.509917: | could_route called for east (kind=CK_PERMANENT) Aug 26 13:24:02.509926: | FOR_EACH_CONNECTION_... 
in route_owner Aug 26 13:24:02.509937: | conn east mark 0/00000000, 0/00000000 vs Aug 26 13:24:02.509946: | conn east mark 0/00000000, 0/00000000 Aug 26 13:24:02.509958: | route owner of "east" erouted: self; eroute owner: self Aug 26 13:24:02.509970: | looking for alg with encrypt: AES_GCM_16 keylen: 256 integ: NONE Aug 26 13:24:02.509980: | encrypt AES_GCM_16 keylen=256 transid=20, key_size=32, encryptalg=20 Aug 26 13:24:02.509996: | AES_GCM_16 requires 4 salt bytes Aug 26 13:24:02.510006: | st->st_esp.keymat_len=36 is encrypt_keymat_size=36 + integ_keymat_size=0 Aug 26 13:24:02.510019: | setting IPsec SA replay-window to 32 Aug 26 13:24:02.510028: | NIC esp-hw-offload not for connection 'east' not available on interface eth1 Aug 26 13:24:02.510038: | netlink: enabling tunnel mode Aug 26 13:24:02.510047: | netlink: setting IPsec SA replay-window to 32 using old-style req Aug 26 13:24:02.510056: | netlink: esp-hw-offload not set for IPsec SA Aug 26 13:24:02.510228: | netlink response for Add SA esp.76b1c3bf@192.1.2.45 included non-error error Aug 26 13:24:02.510243: | set up outgoing SA, ref=0/0 Aug 26 13:24:02.510252: | looking for alg with encrypt: AES_GCM_16 keylen: 256 integ: NONE Aug 26 13:24:02.510262: | encrypt AES_GCM_16 keylen=256 transid=20, key_size=32, encryptalg=20 Aug 26 13:24:02.510270: | AES_GCM_16 requires 4 salt bytes Aug 26 13:24:02.510278: | st->st_esp.keymat_len=36 is encrypt_keymat_size=36 + integ_keymat_size=0 Aug 26 13:24:02.510311: | setting IPsec SA replay-window to 32 Aug 26 13:24:02.510321: | NIC esp-hw-offload not for connection 'east' not available on interface eth1 Aug 26 13:24:02.510329: | netlink: enabling tunnel mode Aug 26 13:24:02.510338: | netlink: setting IPsec SA replay-window to 32 using old-style req Aug 26 13:24:02.510346: | netlink: esp-hw-offload not set for IPsec SA Aug 26 13:24:02.510464: | netlink response for Add SA esp.95f4fbca@192.1.2.23 included non-error error Aug 26 13:24:02.510479: | set up incoming SA, ref=0/0 
Aug 26 13:24:02.510488: | sr for #3: erouted Aug 26 13:24:02.510498: | route_and_eroute() for proto 0, and source port 0 dest port 0 Aug 26 13:24:02.510506: | FOR_EACH_CONNECTION_... in route_owner Aug 26 13:24:02.510515: | conn east mark 0/00000000, 0/00000000 vs Aug 26 13:24:02.510524: | conn east mark 0/00000000, 0/00000000 Aug 26 13:24:02.510535: | route owner of "east" erouted: self; eroute owner: self Aug 26 13:24:02.510546: | route_and_eroute with c: east (next: none) ero:east esr:{(nil)} ro:east rosr:{(nil)} and state: #3 Aug 26 13:24:02.510556: | priority calculation of connection "east" is 0xfe7e7 Aug 26 13:24:02.510581: | eroute_connection replace eroute 192.0.2.0/24:0 --0-> 192.0.1.0/24:0 => tun.0@192.1.2.45>tun.0@192.1.2.45 (raw_eroute) Aug 26 13:24:02.510591: | IPsec Sa SPD priority set to 1042407 Aug 26 13:24:02.510639: | raw_eroute result=success Aug 26 13:24:02.510651: | route_and_eroute: firewall_notified: true Aug 26 13:24:02.510663: | route_and_eroute: instance "east", setting eroute_owner {spd=0x562136100758,sr=0x562136100758} to #3 (was #2) (newest_ipsec_sa=#2) Aug 26 13:24:02.510809: | #1 spent 0.874 milliseconds in install_ipsec_sa() Aug 26 13:24:02.510828: | ISAKMP_v2_CREATE_CHILD_SA: instance east[0], setting IKEv2 newest_ipsec_sa to #3 (was #2) (spd.eroute=#3) cloned from #1 Aug 26 13:24:02.510838: | adding 1 bytes of padding (including 1 byte padding-length) Aug 26 13:24:02.510848: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:24:02.510859: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Aug 26 13:24:02.510867: | emitting length of IKEv2 Encryption Payload: 421 Aug 26 13:24:02.510876: | emitting length of ISAKMP Message: 449 Aug 26 13:24:02.510923: "east" #3: negotiated new IPsec SA [192.0.2.0-192.0.2.255:0-65535 0] -> [192.0.1.0-192.0.1.255:0-65535 0] Aug 26 13:24:02.510944: | [RE]START processing: state #3 connection "east" from 192.1.2.45:500 (in 
complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:24:02.510957: | #3 complete_v2_state_transition() md.from_state=V2_CREATE_R md.svm.state[from]=V2_CREATE_R V2_REKEY_CHILD_R->V2_IPSEC_R with status STF_OK Aug 26 13:24:02.510967: | IKEv2: transition from state STATE_V2_CREATE_R to state STATE_V2_IPSEC_R Aug 26 13:24:02.510978: | child state #3: V2_REKEY_CHILD_R(established IKE SA) => V2_IPSEC_R(established CHILD SA) Aug 26 13:24:02.510988: | Message ID: updating counters for #3 to 2 after switching state Aug 26 13:24:02.511013: | Message ID: recv #1.#3 request 2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1->2; child: wip.initiator=-1 wip.responder=2->-1 Aug 26 13:24:02.511028: | Message ID: sent #1.#3 response 2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=1->2 responder.recv=2; child: wip.initiator=-1 wip.responder=-1 Aug 26 13:24:02.511037: | pstats #3 ikev2.child established Aug 26 13:24:02.511056: "east" #3: negotiated connection [192.0.2.0-192.0.2.255:0-65535 0] -> [192.0.1.0-192.0.1.255:0-65535 0] Aug 26 13:24:02.511067: | NAT-T: encaps is 'auto' Aug 26 13:24:02.511081: "east" #3: STATE_V2_IPSEC_R: IPsec SA established tunnel mode {ESP=>0x76b1c3bf <0x95f4fbca xfrm=AES_GCM_16_256-NONE-MODP2048 NATOA=none NATD=none DPD=passive} Aug 26 13:24:02.511096: | sending V2 new request packet to 192.1.2.45:500 (from 192.1.2.23:500) Aug 26 13:24:02.511113: | sending 449 bytes for STATE_V2_CREATE_R through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #1)
Aug 26 13:24:02.511459: | releasing whack for #3 (sock=fd@-1) Aug 26 13:24:02.511474: | releasing whack and unpending for parent #1 Aug 26 13:24:02.511483: | unpending state #1 connection "east" Aug 26 13:24:02.511498: | #3 will start re-keying in 28798 seconds with margin of 2 seconds (attempting re-key) Aug 26 13:24:02.511507: | state #3 requesting
EVENT_CRYPTO_TIMEOUT to be deleted Aug 26 13:24:02.511519: | libevent_free: release ptr-libevent@0x7f0a24000f48 Aug 26 13:24:02.511529: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x56213610bde8 Aug 26 13:24:02.511539: | event_schedule: new EVENT_SA_REKEY-pe@0x56213610bde8 Aug 26 13:24:02.511551: | inserting event EVENT_SA_REKEY, timeout in 28798 seconds for #3 Aug 26 13:24:02.511561: | libevent_malloc: new ptr-libevent@0x7f0a28002888 size 128 Aug 26 13:24:02.511581: | #3 spent 3.67 milliseconds in resume sending helper answer Aug 26 13:24:02.511604: | stop processing: state #3 connection "east" from 192.1.2.45:500 (in resume_handler() at server.c:833) Aug 26 13:24:02.511614: | libevent_free: release ptr-libevent@0x7f0a1c001f78 Aug 26 13:24:03.522158: | spent 0.00886 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Aug 26 13:24:03.522235: | *received 69 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500) Aug 26 13:24:03.522252: | 34 f5 76 a9 3e 8c 98 bc 16 9f 01 b3 a8 98 ae 60 Aug 26 13:24:03.522263: | 2e 20 25 08 00 00 00 03 00 00 00 45 2a 00 00 29 Aug 26 13:24:03.522271: | d3 62 ae 30 a3 eb 58 2a c6 2c 14 b4 af 28 39 4c Aug 26 13:24:03.522280: | a7 b4 9f 97 64 0d 76 97 0d 61 94 82 e0 60 0f 2a Aug 26 13:24:03.522304: | 5e 0f 0c 0f 40 Aug 26 13:24:03.522334: | start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) Aug 26 13:24:03.522350: | **parse ISAKMP Message: Aug 26 13:24:03.522363: | initiator cookie: Aug 26 13:24:03.522374: | 34 f5 76 a9 3e 8c 98 bc Aug 26 13:24:03.522385: | responder cookie: Aug 26 13:24:03.522395: | 16 9f 01 b3 a8 98 ae 60 Aug 26 13:24:03.522407: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Aug 26 13:24:03.522420: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:24:03.522433: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Aug 26 13:24:03.522445: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Aug 26 13:24:03.522456: | Message ID: 3 (0x3) Aug 26 13:24:03.522467: | length: 69 (0x45) 
Aug 26 13:24:03.522481: | processing version=2.0 packet with exchange type=ISAKMP_v2_INFORMATIONAL (37) Aug 26 13:24:03.522496: | I am the IKE SA Original Responder receiving an IKEv2 INFORMATIONAL request Aug 26 13:24:03.522513: | State DB: found IKEv2 state #1 in PARENT_R2 (find_v2_ike_sa) Aug 26 13:24:03.522541: | start processing: state #1 connection "east" from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:2016) Aug 26 13:24:03.522556: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Aug 26 13:24:03.522575: | [RE]START processing: state #1 connection "east" from 192.1.2.45:500 (in ike_process_packet() at ikev2.c:2064) Aug 26 13:24:03.522587: | #1 st.st_msgid_lastrecv 2 md.hdr.isa_msgid 00000003 Aug 26 13:24:03.522604: | Message ID: #1 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=2 responder.recv=2 Aug 26 13:24:03.522613: | unpacking clear payload Aug 26 13:24:03.522625: | Now let's proceed with payload (ISAKMP_NEXT_v2SK) Aug 26 13:24:03.522637: | ***parse IKEv2 Encryption Payload: Aug 26 13:24:03.522648: | next payload type: ISAKMP_NEXT_v2D (0x2a) Aug 26 13:24:03.522659: | flags: none (0x0) Aug 26 13:24:03.522669: | length: 41 (0x29) Aug 26 13:24:03.522680: | processing payload: ISAKMP_NEXT_v2SK (len=37) Aug 26 13:24:03.522696: | Message ID: start-responder #1 request 3; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=2 responder.recv=2 wip.initiator=-1 wip.responder=-1->3 Aug 26 13:24:03.522708: | #1 in state PARENT_R2: received v2I2, PARENT SA established Aug 26 13:24:03.522753: | #1 ikev2 ISAKMP_v2_INFORMATIONAL decrypt success Aug 26 13:24:03.522767: | Now let's proceed with payload (ISAKMP_NEXT_v2D) Aug 26 13:24:03.522778: | **parse IKEv2 Delete Payload: Aug 26 13:24:03.522789: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:24:03.522799: | flags: none (0x0) Aug 26 13:24:03.522809: | length: 12 (0xc) Aug 26 13:24:03.522819: | protocol ID: PROTO_v2_ESP (0x3) Aug 26 
13:24:03.522829: | SPI size: 4 (0x4) Aug 26 13:24:03.522838: | number of SPIs: 1 (0x1) Aug 26 13:24:03.522848: | processing payload: ISAKMP_NEXT_v2D (len=4) Aug 26 13:24:03.522859: | selected state microcode R2: process INFORMATIONAL Request Aug 26 13:24:03.522868: | Now let's proceed with state specific processing Aug 26 13:24:03.522878: | calling processor R2: process INFORMATIONAL Request Aug 26 13:24:03.522891: | an informational request should send a response Aug 26 13:24:03.522913: | Received an INFORMATIONAL response, updating st_last_liveness, no pending_liveness Aug 26 13:24:03.522950: | **emit ISAKMP Message: Aug 26 13:24:03.522964: | initiator cookie: Aug 26 13:24:03.522974: | 34 f5 76 a9 3e 8c 98 bc Aug 26 13:24:03.522983: | responder cookie: Aug 26 13:24:03.522992: | 16 9f 01 b3 a8 98 ae 60 Aug 26 13:24:03.523003: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 13:24:03.523014: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:24:03.523025: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Aug 26 13:24:03.523036: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Aug 26 13:24:03.523046: | Message ID: 3 (0x3) Aug 26 13:24:03.523057: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 13:24:03.523070: | ***emit IKEv2 Encryption Payload: Aug 26 13:24:03.523081: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:24:03.523091: | flags: none (0x0) Aug 26 13:24:03.523107: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Aug 26 13:24:03.523121: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'information exchange reply packet' Aug 26 13:24:03.523137: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Aug 26 13:24:03.523163: | parsing 4 raw bytes of IKEv2 Delete Payload into SPI Aug 26 13:24:03.523175: | SPI 60 a9 46 2c Aug 26 13:24:03.523187: | delete PROTO_v2_ESP 
SA(0x60a9462c) Aug 26 13:24:03.523202: | v2 CHILD SA #2 found using their inbound (our outbound) SPI, in STATE_V2_IPSEC_R Aug 26 13:24:03.523216: | State DB: found IKEv2 state #2 in V2_IPSEC_R (find_v2_child_sa_by_outbound_spi) Aug 26 13:24:03.523229: | our side SPI that needs to be deleted: PROTO_v2_ESP SA(0x60a9462c) Aug 26 13:24:03.523242: "east" #1: received Delete SA payload: delete IPsec State #2 now Aug 26 13:24:03.523257: | pstats #2 ikev2.child deleted completed Aug 26 13:24:03.523281: | suspend processing: state #1 connection "east" from 192.1.2.45:500 (in delete_state() at state.c:879) Aug 26 13:24:03.523324: | start processing: state #2 connection "east" from 192.1.2.45:500 (in delete_state() at state.c:879) Aug 26 13:24:03.523349: "east" #2: deleting other state #2 (STATE_V2_IPSEC_R) aged 26.064s and NOT sending notification Aug 26 13:24:03.523362: | child state #2: V2_IPSEC_R(established CHILD SA) => delete Aug 26 13:24:03.523380: | get_sa_info esp.60a9462c@192.1.2.45 Aug 26 13:24:03.523431: | get_sa_info esp.eaac726c@192.1.2.23 Aug 26 13:24:03.523476: "east" #2: ESP traffic information: in=336B out=336B Aug 26 13:24:03.523496: | child state #2: V2_IPSEC_R(established CHILD SA) => CHILDSA_DEL(informational) Aug 26 13:24:03.523511: | state #2 requesting EVENT_SA_REKEY to be deleted Aug 26 13:24:03.523529: | libevent_free: release ptr-libevent@0x5621361082e8 Aug 26 13:24:03.523544: | free_event_entry: release EVENT_SA_REKEY-pe@0x7f0a2c002b78 Aug 26 13:24:03.523719: | delete esp.60a9462c@192.1.2.45 Aug 26 13:24:03.523814: | netlink response for Del SA esp.60a9462c@192.1.2.45 included non-error error Aug 26 13:24:03.523837: | delete esp.eaac726c@192.1.2.23 Aug 26 13:24:03.523887: | netlink response for Del SA esp.eaac726c@192.1.2.23 included non-error error Aug 26 13:24:03.523903: | in connection_discard for connection east Aug 26 13:24:03.523915: | State DB: deleting IKEv2 state #2 in CHILDSA_DEL Aug 26 13:24:03.523929: | child state #2: 
CHILDSA_DEL(informational) => UNDEFINED(ignore) Aug 26 13:24:03.523958: | stop processing: state #2 from 192.1.2.45:500 (in delete_state() at state.c:1143) Aug 26 13:24:03.523978: | resume processing: state #1 connection "east" from 192.1.2.45:500 (in delete_state() at state.c:1143) Aug 26 13:24:03.523996: | ****emit IKEv2 Delete Payload: Aug 26 13:24:03.524008: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:24:03.524019: | flags: none (0x0) Aug 26 13:24:03.524045: | protocol ID: PROTO_v2_ESP (0x3) Aug 26 13:24:03.524059: | SPI size: 4 (0x4) Aug 26 13:24:03.524072: | number of SPIs: 1 (0x1) Aug 26 13:24:03.524099: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) Aug 26 13:24:03.524115: | next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'information exchange reply packet' Aug 26 13:24:03.524132: | emitting 4 raw bytes of local SPIs into IKEv2 Delete Payload Aug 26 13:24:03.524144: | local SPIs ea ac 72 6c Aug 26 13:24:03.524156: | emitting length of IKEv2 Delete Payload: 12 Aug 26 13:24:03.524170: | adding 1 bytes of padding (including 1 byte padding-length) Aug 26 13:24:03.524187: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:24:03.524202: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Aug 26 13:24:03.524215: | emitting length of IKEv2 Encryption Payload: 41 Aug 26 13:24:03.524227: | emitting length of ISAKMP Message: 69 Aug 26 13:24:03.524281: | sending 69 bytes for reply packet for process_encrypted_informational_ikev2 through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #1) Aug 26 13:24:03.524316: | 34 f5 76 a9 3e 8c 98 bc 16 9f 01 b3 a8 98 ae 60 Aug 26 13:24:03.524343: | 2e 20 25 20 00 00 00 03 00 00 00 45 2a 00 00 29 Aug 26 13:24:03.524352: | c7 fe fa 60 88 3d cd c4 7c 3e 44 9b 33 36 73 57 Aug 26 13:24:03.524363: | e6 5f c6 9f 8d f5 7b 84 
9f 38 9d 85 bf 6b de 41 Aug 26 13:24:03.524373: | b6 16 f5 13 ab Aug 26 13:24:03.524494: | Message ID: #1 XXX: in process_encrypted_informational_ikev2() hacking around record'n'send bypassing send queue hacking around delete_my_family(); initiator.sent=-1 initiator.recv=-1 responder.sent=2 responder.recv=2 wip.initiator=-1 wip.responder=3 Aug 26 13:24:03.524524: | Message ID: sent #1 response 3; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=2->3 responder.recv=2 wip.initiator=-1 wip.responder=3 Aug 26 13:24:03.524552: | #1 spent 1.56 milliseconds in processing: R2: process INFORMATIONAL Request in ikev2_process_state_packet() Aug 26 13:24:03.524574: | [RE]START processing: state #1 connection "east" from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:24:03.524588: | #1 complete_v2_state_transition() PARENT_R2->PARENT_R2 with status STF_OK Aug 26 13:24:03.524600: | Message ID: updating counters for #1 to 3 after switching state Aug 26 13:24:03.524620: | Message ID: recv #1 request 3; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=3 responder.recv=2->3 wip.initiator=-1 wip.responder=3->-1 Aug 26 13:24:03.524637: | Message ID: #1 skipping update_send as nothing to send; initiator.sent=-1 initiator.recv=-1 responder.sent=3 responder.recv=3 wip.initiator=-1 wip.responder=-1 Aug 26 13:24:03.524650: "east" #1: STATE_PARENT_R2: received v2I2, PARENT SA established Aug 26 13:24:03.524673: | stop processing: state #1 connection "east" from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:2018) Aug 26 13:24:03.524698: | #1 spent 2.39 milliseconds in ikev2_process_packet() Aug 26 13:24:03.524718: | stop processing: from 192.1.2.45:500 (in process_md() at demux.c:380) Aug 26 13:24:03.524735: | processing: STOP state #0 (in process_md() at demux.c:382) Aug 26 13:24:03.524749: | processing: STOP connection NULL (in process_md() at demux.c:383) Aug 26 13:24:03.524768: | spent 2.46 milliseconds in comm_handle_cb() reading and 
processing packet Aug 26 13:24:16.198431: | processing global timer EVENT_SHUNT_SCAN Aug 26 13:24:16.198483: | expiring aged bare shunts from shunt table Aug 26 13:24:16.198501: | spent 0.0151 milliseconds in global timer EVENT_SHUNT_SCAN Aug 26 13:24:27.533689: | spent 0.0101 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Aug 26 13:24:27.533767: | *received 661 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500)
Aug 26 13:24:27.534123: | start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) Aug 26 13:24:27.534135: | **parse ISAKMP Message: Aug 26 13:24:27.534144: | initiator cookie: Aug 26 13:24:27.534152: | 34 f5 76 a9 3e 8c 98 bc Aug 26 13:24:27.534160: | responder cookie: Aug 26 13:24:27.534167: | 16 9f 01 b3 a8 98 ae 60 Aug 26 13:24:27.534176: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Aug 26 13:24:27.534185: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996)
(0x20) Aug 26 13:24:27.534194: | exchange type: ISAKMP_v2_CREATE_CHILD_SA (0x24) Aug 26 13:24:27.534203: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Aug 26 13:24:27.534211: | Message ID: 4 (0x4) Aug 26 13:24:27.534220: | length: 661 (0x295) Aug 26 13:24:27.534230: | processing version=2.0 packet with exchange type=ISAKMP_v2_CREATE_CHILD_SA (36) Aug 26 13:24:27.534241: | I am the IKE SA Original Responder receiving an IKEv2 CREATE_CHILD_SA request Aug 26 13:24:27.534253: | State DB: found IKEv2 state #1 in PARENT_R2 (find_v2_ike_sa) Aug 26 13:24:27.534278: | start processing: state #1 connection "east" from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:2016) Aug 26 13:24:27.534311: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Aug 26 13:24:27.534336: | [RE]START processing: state #1 connection "east" from 192.1.2.45:500 (in ike_process_packet() at ikev2.c:2064) Aug 26 13:24:27.534347: | #1 st.st_msgid_lastrecv 3 md.hdr.isa_msgid 00000004 Aug 26 13:24:27.534361: | Message ID: #1 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=3 responder.recv=3 Aug 26 13:24:27.534369: | unpacking clear payload Aug 26 13:24:27.534377: | Now let's proceed with payload (ISAKMP_NEXT_v2SK) Aug 26 13:24:27.534387: | ***parse IKEv2 Encryption Payload: Aug 26 13:24:27.534396: | next payload type: ISAKMP_NEXT_v2SA (0x21) Aug 26 13:24:27.534404: | flags: none (0x0) Aug 26 13:24:27.534412: | length: 633 (0x279) Aug 26 13:24:27.534421: | processing payload: ISAKMP_NEXT_v2SK (len=629) Aug 26 13:24:27.534435: | Message ID: start-responder #1 request 4; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=3 responder.recv=3 wip.initiator=-1 wip.responder=-1->4 Aug 26 13:24:27.534445: | #1 in state PARENT_R2: received v2I2, PARENT SA established Aug 26 13:24:27.534485: | #1 ikev2 ISAKMP_v2_CREATE_CHILD_SA decrypt success Aug 26 13:24:27.534495: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Aug 26 13:24:27.534504: | **parse IKEv2 
Security Association Payload: Aug 26 13:24:27.534513: | next payload type: ISAKMP_NEXT_v2Ni (0x28) Aug 26 13:24:27.534520: | flags: none (0x0) Aug 26 13:24:27.534528: | length: 196 (0xc4) Aug 26 13:24:27.534536: | processing payload: ISAKMP_NEXT_v2SA (len=192) Aug 26 13:24:27.534544: | Now let's proceed with payload (ISAKMP_NEXT_v2Ni) Aug 26 13:24:27.534552: | **parse IKEv2 Nonce Payload: Aug 26 13:24:27.534560: | next payload type: ISAKMP_NEXT_v2KE (0x22) Aug 26 13:24:27.534567: | flags: none (0x0) Aug 26 13:24:27.534575: | length: 36 (0x24) Aug 26 13:24:27.534583: | processing payload: ISAKMP_NEXT_v2Ni (len=32) Aug 26 13:24:27.534590: | Now let's proceed with payload (ISAKMP_NEXT_v2KE) Aug 26 13:24:27.534599: | **parse IKEv2 Key Exchange Payload: Aug 26 13:24:27.534607: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 13:24:27.534615: | flags: none (0x0) Aug 26 13:24:27.534622: | length: 264 (0x108) Aug 26 13:24:27.534630: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:24:27.534639: | processing payload: ISAKMP_NEXT_v2KE (len=256) Aug 26 13:24:27.534646: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Aug 26 13:24:27.534654: | **parse IKEv2 Notify Payload: Aug 26 13:24:27.534663: | next payload type: ISAKMP_NEXT_v2TSi (0x2c) Aug 26 13:24:27.534670: | flags: none (0x0) Aug 26 13:24:27.534678: | length: 12 (0xc) Aug 26 13:24:27.534686: | Protocol ID: PROTO_v2_ESP (0x3) Aug 26 13:24:27.534694: | SPI size: 4 (0x4) Aug 26 13:24:27.534702: | Notify Message Type: v2N_REKEY_SA (0x4009) Aug 26 13:24:27.534710: | processing payload: ISAKMP_NEXT_v2N (len=4) Aug 26 13:24:27.534718: | Now let's proceed with payload (ISAKMP_NEXT_v2TSi) Aug 26 13:24:27.534727: | **parse IKEv2 Traffic Selector - Initiator - Payload: Aug 26 13:24:27.534735: | next payload type: ISAKMP_NEXT_v2TSr (0x2d) Aug 26 13:24:27.534742: | flags: none (0x0) Aug 26 13:24:27.534750: | length: 48 (0x30) Aug 26 13:24:27.534757: | number of TS: 1 (0x1) Aug 26 13:24:27.534766: | processing payload: 
ISAKMP_NEXT_v2TSi (len=40) Aug 26 13:24:27.534773: | Now let's proceed with payload (ISAKMP_NEXT_v2TSr) Aug 26 13:24:27.534781: | **parse IKEv2 Traffic Selector - Responder - Payload: Aug 26 13:24:27.534789: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:24:27.534797: | flags: none (0x0) Aug 26 13:24:27.534804: | length: 48 (0x30) Aug 26 13:24:27.534812: | number of TS: 1 (0x1) Aug 26 13:24:27.534820: | processing payload: ISAKMP_NEXT_v2TSr (len=40) Aug 26 13:24:27.534830: | state #1 forced to match CREATE_CHILD_SA from V2_CREATE_R->V2_IPSEC_R by ignoring from state Aug 26 13:24:27.534847: | selected state microcode Respond to CREATE_CHILD_SA IPsec SA Request Aug 26 13:24:27.534864: | #1 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2669) Aug 26 13:24:27.534880: | creating state object #4 at 0x5621361082e8 Aug 26 13:24:27.534889: | State DB: adding IKEv2 state #4 in UNDEFINED Aug 26 13:24:27.534900: | pstats #4 ikev2.child started Aug 26 13:24:27.534909: | duplicating state object #1 "east" as #4 for IPSEC SA Aug 26 13:24:27.534924: | #4 setting local endpoint to 192.1.2.23:500 from #1.st_localport (in duplicate_state() at state.c:1484) Aug 26 13:24:27.534942: | Message ID: init_child #1.#4; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=3 responder.recv=3; child: wip.initiator=0->-1 wip.responder=0->-1 Aug 26 13:24:27.534953: | child state #4: UNDEFINED(ignore) => V2_CREATE_R(established IKE SA) Aug 26 13:24:27.534968: | "east" #1 received Child SA Request CREATE_CHILD_SA from 192.1.2.45:500 Child "east" #4 in STATE_V2_CREATE_R will process it further Aug 26 13:24:27.534982: | Message ID: switch-from #1 request 4; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=3 responder.recv=3 wip.initiator=-1 wip.responder=4->-1 Aug 26 13:24:27.534996: | Message ID: switch-to #1.#4 request 4; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=3 responder.recv=3; child: 
wip.initiator=-1 wip.responder=-1->4 Aug 26 13:24:27.535004: | forcing ST #1 to CHILD #1.#4 in FSM processor Aug 26 13:24:27.535012: | Now let's proceed with state specific processing Aug 26 13:24:27.535021: | calling processor Respond to CREATE_CHILD_SA IPsec SA Request Aug 26 13:24:27.535060: | using existing local ESP/AH proposals for east (CREATE_CHILD_SA responder matching remote ESP/AH proposals): 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;DH=MODP2048;ESN=DISABLED 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;DH=MODP2048;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048;ESN=DISABLED Aug 26 13:24:27.535071: | Comparing remote proposals against CREATE_CHILD_SA responder matching remote ESP/AH proposals 4 local proposals Aug 26 13:24:27.535082: | local proposal 1 type ENCR has 1 transforms Aug 26 13:24:27.535091: | local proposal 1 type PRF has 0 transforms Aug 26 13:24:27.535099: | local proposal 1 type INTEG has 1 transforms Aug 26 13:24:27.535107: | local proposal 1 type DH has 1 transforms Aug 26 13:24:27.535115: | local proposal 1 type ESN has 1 transforms Aug 26 13:24:27.535126: | local proposal 1 transforms: required: ENCR+DH+ESN; optional: INTEG Aug 26 13:24:27.535135: | local proposal 2 type ENCR has 1 transforms Aug 26 13:24:27.535143: | local proposal 2 type PRF has 0 transforms Aug 26 13:24:27.535151: | local proposal 2 type INTEG has 1 transforms Aug 26 13:24:27.535158: | local proposal 2 type DH has 1 transforms Aug 26 13:24:27.535166: | local proposal 2 type ESN has 1 transforms Aug 26 13:24:27.535176: | local proposal 2 transforms: required: ENCR+DH+ESN; optional: INTEG Aug 26 13:24:27.535184: | local proposal 3 type ENCR has 1 transforms Aug 26 13:24:27.535192: | local proposal 3 type PRF has 0 transforms Aug 26 13:24:27.535200: | local proposal 3 type INTEG has 2 transforms Aug 26 13:24:27.535207: | local proposal 3 type DH has 1 
transforms Aug 26 13:24:27.535215: | local proposal 3 type ESN has 1 transforms Aug 26 13:24:27.535225: | local proposal 3 transforms: required: ENCR+INTEG+DH+ESN; optional: none Aug 26 13:24:27.535233: | local proposal 4 type ENCR has 1 transforms Aug 26 13:24:27.535241: | local proposal 4 type PRF has 0 transforms Aug 26 13:24:27.535249: | local proposal 4 type INTEG has 2 transforms Aug 26 13:24:27.535256: | local proposal 4 type DH has 1 transforms Aug 26 13:24:27.535264: | local proposal 4 type ESN has 1 transforms Aug 26 13:24:27.535273: | local proposal 4 transforms: required: ENCR+INTEG+DH+ESN; optional: none Aug 26 13:24:27.535283: | ***parse IKEv2 Proposal Substructure Payload: Aug 26 13:24:27.535327: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 13:24:27.535345: | length: 40 (0x28) Aug 26 13:24:27.535353: | prop #: 1 (0x1) Aug 26 13:24:27.535361: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 13:24:27.535369: | spi size: 4 (0x4) Aug 26 13:24:27.535377: | # transforms: 3 (0x3) Aug 26 13:24:27.535388: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Aug 26 13:24:27.535397: | remote SPI 82 e7 6b 78 Aug 26 13:24:27.535407: | Comparing remote proposal 1 containing 3 transforms against local proposal [1..4] of 4 local proposals Aug 26 13:24:27.535417: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:24:27.535425: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:24:27.535433: | length: 12 (0xc) Aug 26 13:24:27.535441: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:24:27.535450: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 13:24:27.535458: | *****parse IKEv2 Attribute Substructure Payload: Aug 26 13:24:27.535467: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:24:27.535475: | length/value: 256 (0x100) Aug 26 13:24:27.535489: | remote proposal 1 transform 0 (ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) transform 0 Aug 26 13:24:27.535498: | ****parse IKEv2 Transform Substructure Payload: 
Aug 26 13:24:27.535507: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:24:27.535514: | length: 8 (0x8) Aug 26 13:24:27.535523: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:24:27.535531: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:24:27.535542: | remote proposal 1 transform 1 (DH=MODP2048) matches local proposal 1 type 4 (DH) transform 0 Aug 26 13:24:27.535553: | remote proposal 1 transform 1 (DH=MODP2048) matches local proposal 2 type 4 (DH) transform 0 Aug 26 13:24:27.535562: | remote proposal 1 transform 1 (DH=MODP2048) matches local proposal 3 type 4 (DH) transform 0 Aug 26 13:24:27.535572: | remote proposal 1 transform 1 (DH=MODP2048) matches local proposal 4 type 4 (DH) transform 0 Aug 26 13:24:27.535581: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:24:27.535589: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:24:27.535597: | length: 8 (0x8) Aug 26 13:24:27.535605: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 13:24:27.535613: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 13:24:27.535623: | remote proposal 1 transform 2 (ESN=DISABLED) matches local proposal 1 type 5 (ESN) transform 0 Aug 26 13:24:27.535634: | remote proposal 1 transform 2 (ESN=DISABLED) matches local proposal 2 type 5 (ESN) transform 0 Aug 26 13:24:27.535643: | remote proposal 1 transform 2 (ESN=DISABLED) matches local proposal 3 type 5 (ESN) transform 0 Aug 26 13:24:27.535653: | remote proposal 1 transform 2 (ESN=DISABLED) matches local proposal 4 type 5 (ESN) transform 0 Aug 26 13:24:27.535665: | remote proposal 1 proposed transforms: ENCR+DH+ESN; matched: ENCR+DH+ESN; unmatched: none Aug 26 13:24:27.535679: | comparing remote proposal 1 containing ENCR+DH+ESN transforms to local proposal 1; required: ENCR+DH+ESN; optional: INTEG; matched: ENCR+DH+ESN Aug 26 13:24:27.535688: | remote proposal 1 matches local proposal 1 Aug 26 13:24:27.535697: | ***parse IKEv2 Proposal Substructure Payload: Aug 26 13:24:27.535705: | last proposal: 
v2_PROPOSAL_NON_LAST (0x2) Aug 26 13:24:27.535713: | length: 40 (0x28) Aug 26 13:24:27.535721: | prop #: 2 (0x2) Aug 26 13:24:27.535729: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 13:24:27.535737: | spi size: 4 (0x4) Aug 26 13:24:27.535744: | # transforms: 3 (0x3) Aug 26 13:24:27.535754: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Aug 26 13:24:27.535762: | remote SPI 82 e7 6b 78 Aug 26 13:24:27.535771: | Comparing remote proposal 2 containing 3 transforms against local proposal [1..0] of 4 local proposals Aug 26 13:24:27.535780: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:24:27.535788: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:24:27.535800: | length: 12 (0xc) Aug 26 13:24:27.535808: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:24:27.535816: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 13:24:27.535825: | *****parse IKEv2 Attribute Substructure Payload: Aug 26 13:24:27.535833: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:24:27.535841: | length/value: 128 (0x80) Aug 26 13:24:27.535851: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:24:27.535859: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:24:27.535866: | length: 8 (0x8) Aug 26 13:24:27.535874: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:24:27.535882: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:24:27.535891: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:24:27.535899: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:24:27.535907: | length: 8 (0x8) Aug 26 13:24:27.535915: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 13:24:27.535923: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 13:24:27.535934: | remote proposal 2 proposed transforms: ENCR+DH+ESN; matched: none; unmatched: ENCR+DH+ESN Aug 26 13:24:27.535944: | remote proposal 2 does not match; unmatched remote transforms: ENCR+DH+ESN Aug 26 13:24:27.535953: | ***parse IKEv2 Proposal Substructure Payload: Aug 26 
13:24:27.535961: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 13:24:27.535969: | length: 56 (0x38) Aug 26 13:24:27.535976: | prop #: 3 (0x3) Aug 26 13:24:27.535984: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 13:24:27.535992: | spi size: 4 (0x4) Aug 26 13:24:27.535999: | # transforms: 5 (0x5) Aug 26 13:24:27.536009: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Aug 26 13:24:27.536017: | remote SPI 82 e7 6b 78 Aug 26 13:24:27.536026: | Comparing remote proposal 3 containing 5 transforms against local proposal [1..0] of 4 local proposals Aug 26 13:24:27.536034: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:24:27.536042: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:24:27.536050: | length: 12 (0xc) Aug 26 13:24:27.536058: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:24:27.536066: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 13:24:27.536074: | *****parse IKEv2 Attribute Substructure Payload: Aug 26 13:24:27.536082: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:24:27.536090: | length/value: 256 (0x100) Aug 26 13:24:27.536099: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:24:27.536107: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:24:27.536115: | length: 8 (0x8) Aug 26 13:24:27.536123: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:24:27.536131: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Aug 26 13:24:27.536140: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:24:27.536148: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:24:27.536156: | length: 8 (0x8) Aug 26 13:24:27.536164: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:24:27.536172: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Aug 26 13:24:27.536180: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:24:27.536188: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:24:27.536196: | length: 8 (0x8) Aug 26 13:24:27.536204: | IKEv2 transform type: TRANS_TYPE_DH 
(0x4) Aug 26 13:24:27.536212: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:24:27.536221: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:24:27.536229: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:24:27.536237: | length: 8 (0x8) Aug 26 13:24:27.536245: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 13:24:27.536252: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 13:24:27.536264: | remote proposal 3 proposed transforms: ENCR+INTEG+DH+ESN; matched: none; unmatched: ENCR+INTEG+DH+ESN Aug 26 13:24:27.536274: | remote proposal 3 does not match; unmatched remote transforms: ENCR+INTEG+DH+ESN Aug 26 13:24:27.536286: | ***parse IKEv2 Proposal Substructure Payload: Aug 26 13:24:27.536315: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 13:24:27.536324: | length: 56 (0x38) Aug 26 13:24:27.536332: | prop #: 4 (0x4) Aug 26 13:24:27.536340: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 13:24:27.536347: | spi size: 4 (0x4) Aug 26 13:24:27.536355: | # transforms: 5 (0x5) Aug 26 13:24:27.536364: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Aug 26 13:24:27.536372: | remote SPI 82 e7 6b 78 Aug 26 13:24:27.536381: | Comparing remote proposal 4 containing 5 transforms against local proposal [1..0] of 4 local proposals Aug 26 13:24:27.536390: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:24:27.536398: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:24:27.536405: | length: 12 (0xc) Aug 26 13:24:27.536413: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:24:27.536421: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 13:24:27.536429: | *****parse IKEv2 Attribute Substructure Payload: Aug 26 13:24:27.536437: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:24:27.536444: | length/value: 128 (0x80) Aug 26 13:24:27.536454: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:24:27.536462: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:24:27.536469: | length: 8 (0x8) Aug 26 
13:24:27.536477: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:24:27.536485: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Aug 26 13:24:27.536493: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:24:27.536501: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:24:27.536509: | length: 8 (0x8) Aug 26 13:24:27.536516: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:24:27.536524: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Aug 26 13:24:27.536533: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:24:27.536541: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:24:27.536548: | length: 8 (0x8) Aug 26 13:24:27.536556: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:24:27.536564: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:24:27.536573: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:24:27.536581: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:24:27.536588: | length: 8 (0x8) Aug 26 13:24:27.536596: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 13:24:27.536604: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 13:24:27.536615: | remote proposal 4 proposed transforms: ENCR+INTEG+DH+ESN; matched: none; unmatched: ENCR+INTEG+DH+ESN Aug 26 13:24:27.536624: | remote proposal 4 does not match; unmatched remote transforms: ENCR+INTEG+DH+ESN Aug 26 13:24:27.536641: "east" #1: proposal 1:ESP:SPI=82e76b78;ENCR=AES_GCM_C_256;DH=MODP2048;ESN=DISABLED chosen from remote proposals 1:ESP:ENCR=AES_GCM_C_256;DH=MODP2048;ESN=DISABLED[first-match] 2:ESP:ENCR=AES_GCM_C_128;DH=MODP2048;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;ESN=DISABLED Aug 26 13:24:27.536657: | CREATE_CHILD_SA responder matching remote ESP/AH proposals ikev2_proposal: 1:ESP:SPI=82e76b78;ENCR=AES_GCM_C_256;DH=MODP2048;ESN=DISABLED Aug 26 13:24:27.536666: | converting 
proposal to internal trans attrs Aug 26 13:24:27.536681: | updating #4's .st_oakley with preserved PRF, but why update? Aug 26 13:24:27.536690: | received v2N_REKEY_SA Aug 26 13:24:27.536701: | child state #4: V2_CREATE_R(established IKE SA) => V2_REKEY_CHILD_R(established IKE SA) Aug 26 13:24:27.536710: | CREATE_CHILD_SA IPsec SA rekey Protocol PROTO_v2_ESP Aug 26 13:24:27.536719: | parsing 4 raw bytes of IKEv2 Notify Payload into SPI Aug 26 13:24:27.536727: | SPI 76 b1 c3 bf Aug 26 13:24:27.536736: | CREATE_CHILD_S to rekey IPsec SA(0x76b1c3bf) Protocol PROTO_v2_ESP Aug 26 13:24:27.536745: | v2 CHILD SA #3 found using their inbound (our outbound) SPI, in STATE_V2_IPSEC_R Aug 26 13:24:27.536760: | State DB: found IKEv2 state #3 in V2_IPSEC_R (find_v2_child_sa_by_outbound_spi) Aug 26 13:24:27.536769: | #4 rekey request for "east" #3 TSi TSr Aug 26 13:24:27.536777: | printing contents struct traffic_selector Aug 26 13:24:27.536785: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Aug 26 13:24:27.536793: | ipprotoid: 0 Aug 26 13:24:27.536800: | port range: 0-65535 Aug 26 13:24:27.536813: | ip range: 192.0.2.0-192.0.2.255 Aug 26 13:24:27.536821: | printing contents struct traffic_selector Aug 26 13:24:27.536829: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Aug 26 13:24:27.536836: | ipprotoid: 0 Aug 26 13:24:27.536843: | port range: 0-65535 Aug 26 13:24:27.536854: | ip range: 192.0.1.0-192.0.1.255 Aug 26 13:24:27.536866: | adding Child Rekey Responder KE and nonce nr work-order 5 for state #4 Aug 26 13:24:27.536877: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x7f0a2c002b78 Aug 26 13:24:27.536889: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #4 Aug 26 13:24:27.536899: | libevent_malloc: new ptr-libevent@0x7f0a1c001f78 size 128 Aug 26 13:24:27.536938: | #4 spent 1.86 milliseconds in processing: Respond to CREATE_CHILD_SA IPsec SA Request in ikev2_process_state_packet() Aug 26 13:24:27.536957: | crypto helper 1 resuming Aug 26 13:24:27.537000: | crypto helper 1 starting 
work-order 5 for state #4 Aug 26 13:24:27.536966: | suspend processing: state #1 connection "east" from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:24:27.537030: | crypto helper 1 doing build KE and nonce (Child Rekey Responder KE and nonce nr); request ID 5 Aug 26 13:24:27.537049: | start processing: state #4 connection "east" from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:24:27.537070: | #4 complete_v2_state_transition() md.from_state=V2_CREATE_R md.svm.state[from]=V2_CREATE_R V2_REKEY_CHILD_R->V2_IPSEC_R with status STF_SUSPEND Aug 26 13:24:27.537084: | suspending state #4 and saving MD Aug 26 13:24:27.537097: | #4 is busy; has a suspended MD Aug 26 13:24:27.537119: | [RE]START processing: state #4 connection "east" from 192.1.2.45:500 (in log_stf_suspend() at ikev2.c:3269) Aug 26 13:24:27.537135: | "east" #4 complete v2 state STATE_V2_REKEY_CHILD_R transition with STF_SUSPEND suspended from complete_v2_state_transition:3451 Aug 26 13:24:27.537156: | stop processing: state #4 connection "east" from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:2018) Aug 26 13:24:27.537179: | #1 spent 3.37 milliseconds in ikev2_process_packet() Aug 26 13:24:27.537201: | stop processing: from 192.1.2.45:500 (in process_md() at demux.c:380) Aug 26 13:24:27.537217: | processing: STOP state #0 (in process_md() at demux.c:382) Aug 26 13:24:27.537232: | processing: STOP connection NULL (in process_md() at demux.c:383) Aug 26 13:24:27.537253: | spent 3.44 milliseconds in comm_handle_cb() reading and processing packet Aug 26 13:24:27.539751: | crypto helper 1 finished build KE and nonce (Child Rekey Responder KE and nonce nr); request ID 5 time elapsed 0.002722 seconds Aug 26 13:24:27.539790: | (#4) spent 2.72 milliseconds in crypto helper computing work-order 5: Child Rekey Responder KE and nonce nr (pcr) Aug 26 13:24:27.539801: | crypto helper 1 sending results from work-order 5 for state #4 to event queue Aug 
26 13:24:27.539811: | scheduling resume sending helper answer for #4 Aug 26 13:24:27.539822: | libevent_malloc: new ptr-libevent@0x7f0a20002888 size 128 Aug 26 13:24:27.539849: | crypto helper 1 waiting (nothing to do) Aug 26 13:24:27.539881: | processing resume sending helper answer for #4 Aug 26 13:24:27.539908: | start processing: state #4 connection "east" from 192.1.2.45:500 (in resume_handler() at server.c:797) Aug 26 13:24:27.539921: | crypto helper 1 replies to request ID 5 Aug 26 13:24:27.539930: | calling continuation function 0x562135ceab50 Aug 26 13:24:27.539939: | ikev2_child_inIoutR_continue for #4 STATE_V2_REKEY_CHILD_R Aug 26 13:24:27.539964: | adding DHv2 for child sa work-order 6 for state #4 Aug 26 13:24:27.539974: | state #4 requesting EVENT_CRYPTO_TIMEOUT to be deleted Aug 26 13:24:27.539991: | libevent_free: release ptr-libevent@0x7f0a1c001f78 Aug 26 13:24:27.540001: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x7f0a2c002b78 Aug 26 13:24:27.540011: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x7f0a2c002b78 Aug 26 13:24:27.540023: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #4 Aug 26 13:24:27.540032: | libevent_malloc: new ptr-libevent@0x7f0a1c001f78 size 128 Aug 26 13:24:27.540060: | [RE]START processing: state #4 connection "east" from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:24:27.540074: | #4 complete_v2_state_transition() md.from_state=V2_CREATE_R md.svm.state[from]=V2_CREATE_R V2_REKEY_CHILD_R->V2_IPSEC_R with status STF_SUSPEND Aug 26 13:24:27.540083: | suspending state #4 and saving MD Aug 26 13:24:27.540091: | #4 is busy; has a suspended MD Aug 26 13:24:27.540104: | [RE]START processing: state #4 connection "east" from 192.1.2.45:500 (in log_stf_suspend() at ikev2.c:3269) Aug 26 13:24:27.540115: | "east" #4 complete v2 state STATE_V2_REKEY_CHILD_R transition with STF_SUSPEND suspended from complete_v2_state_transition:3451 Aug 26 13:24:27.540123: | crypto helper 0 
resuming Aug 26 13:24:27.540127: | resume sending helper answer for #4 suppresed complete_v2_state_transition() and stole MD Aug 26 13:24:27.540183: | crypto helper 0 starting work-order 6 for state #4 Aug 26 13:24:27.540214: | #4 spent 0.261 milliseconds in resume sending helper answer Aug 26 13:24:27.540229: | crypto helper 0 doing crypto (DHv2 for child sa); request ID 6 Aug 26 13:24:27.540233: | stop processing: state #4 connection "east" from 192.1.2.45:500 (in resume_handler() at server.c:833) Aug 26 13:24:27.540261: | libevent_free: release ptr-libevent@0x7f0a20002888 Aug 26 13:24:27.542799: | crypto helper 0 finished crypto (DHv2 for child sa); request ID 6 time elapsed 0.002571 seconds Aug 26 13:24:27.542839: | (#4) spent 2.56 milliseconds in crypto helper computing work-order 6: DHv2 for child sa (dh) Aug 26 13:24:27.542850: | crypto helper 0 sending results from work-order 6 for state #4 to event queue Aug 26 13:24:27.542861: | scheduling resume sending helper answer for #4 Aug 26 13:24:27.542872: | libevent_malloc: new ptr-libevent@0x7f0a14001f78 size 128 Aug 26 13:24:27.542896: | crypto helper 0 waiting (nothing to do) Aug 26 13:24:27.542963: | processing resume sending helper answer for #4 Aug 26 13:24:27.543006: | start processing: state #4 connection "east" from 192.1.2.45:500 (in resume_handler() at server.c:797) Aug 26 13:24:27.543024: | crypto helper 0 replies to request ID 6 Aug 26 13:24:27.543033: | calling continuation function 0x562135ceb9d0 Aug 26 13:24:27.543045: | ikev2_child_inIoutR_continue_continue for #4 STATE_V2_REKEY_CHILD_R Aug 26 13:24:27.543066: | **emit ISAKMP Message: Aug 26 13:24:27.543075: | initiator cookie: Aug 26 13:24:27.543084: | 34 f5 76 a9 3e 8c 98 bc Aug 26 13:24:27.543092: | responder cookie: Aug 26 13:24:27.543099: | 16 9f 01 b3 a8 98 ae 60 Aug 26 13:24:27.543109: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 13:24:27.543118: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:24:27.543127: | 
exchange type: ISAKMP_v2_CREATE_CHILD_SA (0x24) Aug 26 13:24:27.543136: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Aug 26 13:24:27.543145: | Message ID: 4 (0x4) Aug 26 13:24:27.543154: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 13:24:27.543164: | ***emit IKEv2 Encryption Payload: Aug 26 13:24:27.543174: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:24:27.543181: | flags: none (0x0) Aug 26 13:24:27.543192: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Aug 26 13:24:27.543202: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'reply packet' Aug 26 13:24:27.543213: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Aug 26 13:24:27.543237: | #4 inherit spd, TSi TSr, from "east" #3 Aug 26 13:24:27.543259: | printing contents struct traffic_selector Aug 26 13:24:27.543268: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Aug 26 13:24:27.543276: | ipprotoid: 0 Aug 26 13:24:27.543284: | port range: 0-65535 Aug 26 13:24:27.543314: | ip range: 192.0.2.0-192.0.2.255 Aug 26 13:24:27.543333: | printing contents struct traffic_selector Aug 26 13:24:27.543342: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Aug 26 13:24:27.543349: | ipprotoid: 0 Aug 26 13:24:27.543357: | port range: 0-65535 Aug 26 13:24:27.543369: | ip range: 192.0.1.0-192.0.1.255 Aug 26 13:24:27.543418: | netlink_get_spi: allocated 0x4f2a821 for esp.0@192.1.2.23 Aug 26 13:24:27.543429: | Emitting ikev2_proposal ... 
Aug 26 13:24:27.543438: | ****emit IKEv2 Security Association Payload: Aug 26 13:24:27.543447: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:24:27.543455: | flags: none (0x0) Aug 26 13:24:27.543466: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Aug 26 13:24:27.543476: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Aug 26 13:24:27.543486: | *****emit IKEv2 Proposal Substructure Payload: Aug 26 13:24:27.543494: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 13:24:27.543502: | prop #: 1 (0x1) Aug 26 13:24:27.543511: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 13:24:27.543519: | spi size: 4 (0x4) Aug 26 13:24:27.543526: | # transforms: 3 (0x3) Aug 26 13:24:27.543536: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Aug 26 13:24:27.543547: | emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload Aug 26 13:24:27.543555: | our spi 04 f2 a8 21 Aug 26 13:24:27.543564: | ******emit IKEv2 Transform Substructure Payload: Aug 26 13:24:27.543573: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:24:27.543581: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:24:27.543590: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 13:24:27.543599: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:24:27.543609: | *******emit IKEv2 Attribute Substructure Payload: Aug 26 13:24:27.543618: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:24:27.543627: | length/value: 256 (0x100) Aug 26 13:24:27.543636: | emitting length of IKEv2 Transform Substructure Payload: 12 Aug 26 13:24:27.543645: | ******emit IKEv2 Transform Substructure Payload: Aug 26 13:24:27.543653: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 
13:24:27.543661: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:24:27.543670: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:24:27.543680: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:24:27.543690: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:24:27.543699: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:24:27.543707: | ******emit IKEv2 Transform Substructure Payload: Aug 26 13:24:27.543716: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:24:27.543724: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 13:24:27.543732: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 13:24:27.543742: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:24:27.543751: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:24:27.543760: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:24:27.543768: | emitting length of IKEv2 Proposal Substructure Payload: 40 Aug 26 13:24:27.543784: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Aug 26 13:24:27.543793: | emitting length of IKEv2 Security Association Payload: 44 Aug 26 13:24:27.543802: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Aug 26 13:24:27.543811: | ****emit IKEv2 Nonce Payload: Aug 26 13:24:27.543819: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:24:27.543827: | flags: none (0x0) Aug 26 13:24:27.543838: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next 
payload type' to current IKEv2 Nonce Payload (40:ISAKMP_NEXT_v2Ni) Aug 26 13:24:27.543847: | next payload chain: saving location 'IKEv2 Nonce Payload'.'next payload type' in 'reply packet' Aug 26 13:24:27.543857: | emitting 32 raw bytes of IKEv2 nonce into IKEv2 Nonce Payload Aug 26 13:24:27.543866: | IKEv2 nonce d5 7b 8b 3d fc 60 27 09 74 94 28 bd e4 e9 a4 fc Aug 26 13:24:27.543874: | IKEv2 nonce da 29 9d c8 3f ef 0e e6 67 b8 b7 74 1d 54 58 e4 Aug 26 13:24:27.543883: | emitting length of IKEv2 Nonce Payload: 36 Aug 26 13:24:27.543891: | ****emit IKEv2 Key Exchange Payload: Aug 26 13:24:27.543899: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:24:27.543907: | flags: none (0x0) Aug 26 13:24:27.543915: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:24:27.543925: | next payload chain: setting previous 'IKEv2 Nonce Payload'.'next payload type' to current IKEv2 Key Exchange Payload (34:ISAKMP_NEXT_v2KE) Aug 26 13:24:27.543935: | next payload chain: saving location 'IKEv2 Key Exchange Payload'.'next payload type' in 'reply packet' Aug 26 13:24:27.543945: | emitting 256 raw bytes of ikev2 g^x into IKEv2 Key Exchange Payload Aug 26 
13:24:27.544079: | emitting length of IKEv2 Key Exchange Payload: 264 Aug 26 13:24:27.544087: | received REKEY_SA already proceesd Aug 26 13:24:27.544096: | ****emit IKEv2 Traffic Selector - Initiator - Payload: Aug 26 13:24:27.544104: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:24:27.544112: | flags: none (0x0) Aug 26 13:24:27.544120: | number of TS: 1 (0x1) Aug 26 13:24:27.544130: | next payload chain: setting previous 'IKEv2 Key Exchange Payload'.'next payload type' to current IKEv2 Traffic Selector - Initiator - Payload (44:ISAKMP_NEXT_v2TSi) Aug 26 13:24:27.544139: | next payload chain: saving location 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' in 'reply packet' Aug 26 13:24:27.544148: | *****emit IKEv2 Traffic Selector: Aug 26 13:24:27.544156: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 13:24:27.544169: | IP Protocol ID: 0 (0x0) Aug 26 13:24:27.544177: | start port: 0 (0x0) Aug 26 13:24:27.544185: | end port: 65535 (0xffff) Aug 26 13:24:27.544195: | emitting 4 raw bytes of ipv4 start into IKEv2 Traffic Selector Aug 26 13:24:27.544203: | ipv4 start c0 00 01 00 Aug 26 13:24:27.544212: | emitting 4 raw bytes of ipv4 end into IKEv2 Traffic Selector Aug 26 13:24:27.544220: | ipv4 end c0 00 01 ff Aug 26 13:24:27.544228: | emitting length of IKEv2 Traffic Selector: 16 Aug 26 13:24:27.544236: | emitting length of IKEv2 Traffic Selector - Initiator - Payload: 24 Aug 26 13:24:27.544245: | ****emit IKEv2 Traffic Selector - Responder - 
Payload: Aug 26 13:24:27.544253: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:24:27.544260: | flags: none (0x0) Aug 26 13:24:27.544268: | number of TS: 1 (0x1) Aug 26 13:24:27.544278: | next payload chain: setting previous 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' to current IKEv2 Traffic Selector - Responder - Payload (45:ISAKMP_NEXT_v2TSr) Aug 26 13:24:27.544307: | next payload chain: saving location 'IKEv2 Traffic Selector - Responder - Payload'.'next payload type' in 'reply packet' Aug 26 13:24:27.544323: | *****emit IKEv2 Traffic Selector: Aug 26 13:24:27.544332: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 13:24:27.544339: | IP Protocol ID: 0 (0x0) Aug 26 13:24:27.544347: | start port: 0 (0x0) Aug 26 13:24:27.544355: | end port: 65535 (0xffff) Aug 26 13:24:27.544364: | emitting 4 raw bytes of ipv4 start into IKEv2 Traffic Selector Aug 26 13:24:27.544372: | ipv4 start c0 00 02 00 Aug 26 13:24:27.544380: | emitting 4 raw bytes of ipv4 end into IKEv2 Traffic Selector Aug 26 13:24:27.544388: | ipv4 end c0 00 02 ff Aug 26 13:24:27.544396: | emitting length of IKEv2 Traffic Selector: 16 Aug 26 13:24:27.544404: | emitting length of IKEv2 Traffic Selector - Responder - Payload: 24 Aug 26 13:24:27.544413: | Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED Aug 26 13:24:27.544425: | integ=none: .key_size=0 encrypt=aes_gcm_16: .key_size=32 .salt_size=4 keymat_len=36 Aug 26 13:24:27.544925: | install_ipsec_sa() for #4: inbound and outbound Aug 26 13:24:27.544945: | could_route called for east (kind=CK_PERMANENT) Aug 26 13:24:27.544954: | FOR_EACH_CONNECTION_... 
in route_owner Aug 26 13:24:27.544964: | conn east mark 0/00000000, 0/00000000 vs Aug 26 13:24:27.544973: | conn east mark 0/00000000, 0/00000000 Aug 26 13:24:27.544986: | route owner of "east" erouted: self; eroute owner: self Aug 26 13:24:27.544998: | looking for alg with encrypt: AES_GCM_16 keylen: 256 integ: NONE Aug 26 13:24:27.545008: | encrypt AES_GCM_16 keylen=256 transid=20, key_size=32, encryptalg=20 Aug 26 13:24:27.545017: | AES_GCM_16 requires 4 salt bytes Aug 26 13:24:27.545026: | st->st_esp.keymat_len=36 is encrypt_keymat_size=36 + integ_keymat_size=0 Aug 26 13:24:27.545039: | setting IPsec SA replay-window to 32 Aug 26 13:24:27.545048: | NIC esp-hw-offload not for connection 'east' not available on interface eth1 Aug 26 13:24:27.545057: | netlink: enabling tunnel mode Aug 26 13:24:27.545066: | netlink: setting IPsec SA replay-window to 32 using old-style req Aug 26 13:24:27.545076: | netlink: esp-hw-offload not set for IPsec SA Aug 26 13:24:27.545254: | netlink response for Add SA esp.82e76b78@192.1.2.45 included non-error error Aug 26 13:24:27.545269: | set up outgoing SA, ref=0/0 Aug 26 13:24:27.545278: | looking for alg with encrypt: AES_GCM_16 keylen: 256 integ: NONE Aug 26 13:24:27.545302: | encrypt AES_GCM_16 keylen=256 transid=20, key_size=32, encryptalg=20 Aug 26 13:24:27.545319: | AES_GCM_16 requires 4 salt bytes Aug 26 13:24:27.545328: | st->st_esp.keymat_len=36 is encrypt_keymat_size=36 + integ_keymat_size=0 Aug 26 13:24:27.545340: | setting IPsec SA replay-window to 32 Aug 26 13:24:27.545349: | NIC esp-hw-offload not for connection 'east' not available on interface eth1 Aug 26 13:24:27.545357: | netlink: enabling tunnel mode Aug 26 13:24:27.545366: | netlink: setting IPsec SA replay-window to 32 using old-style req Aug 26 13:24:27.545382: | netlink: esp-hw-offload not set for IPsec SA Aug 26 13:24:27.545511: | netlink response for Add SA esp.4f2a821@192.1.2.23 included non-error error Aug 26 13:24:27.545526: | set up incoming SA, ref=0/0 
Aug 26 13:24:27.545535: | sr for #4: erouted Aug 26 13:24:27.545544: | route_and_eroute() for proto 0, and source port 0 dest port 0 Aug 26 13:24:27.545553: | FOR_EACH_CONNECTION_... in route_owner Aug 26 13:24:27.545562: | conn east mark 0/00000000, 0/00000000 vs Aug 26 13:24:27.545571: | conn east mark 0/00000000, 0/00000000 Aug 26 13:24:27.545582: | route owner of "east" erouted: self; eroute owner: self Aug 26 13:24:27.545594: | route_and_eroute with c: east (next: none) ero:east esr:{(nil)} ro:east rosr:{(nil)} and state: #4 Aug 26 13:24:27.545604: | priority calculation of connection "east" is 0xfe7e7 Aug 26 13:24:27.545629: | eroute_connection replace eroute 192.0.2.0/24:0 --0-> 192.0.1.0/24:0 => tun.0@192.1.2.45>tun.0@192.1.2.45 (raw_eroute) Aug 26 13:24:27.545639: | IPsec Sa SPD priority set to 1042407 Aug 26 13:24:27.545687: | raw_eroute result=success Aug 26 13:24:27.545698: | route_and_eroute: firewall_notified: true Aug 26 13:24:27.545710: | route_and_eroute: instance "east", setting eroute_owner {spd=0x562136100758,sr=0x562136100758} to #4 (was #3) (newest_ipsec_sa=#3) Aug 26 13:24:27.545895: | #1 spent 0.923 milliseconds in install_ipsec_sa() Aug 26 13:24:27.545915: | ISAKMP_v2_CREATE_CHILD_SA: instance east[0], setting IKEv2 newest_ipsec_sa to #4 (was #3) (spd.eroute=#4) cloned from #1 Aug 26 13:24:27.545925: | adding 1 bytes of padding (including 1 byte padding-length) Aug 26 13:24:27.545936: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:24:27.545946: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Aug 26 13:24:27.545955: | emitting length of IKEv2 Encryption Payload: 421 Aug 26 13:24:27.545964: | emitting length of ISAKMP Message: 449 Aug 26 13:24:27.546009: "east" #4: negotiated new IPsec SA [192.0.2.0-192.0.2.255:0-65535 0] -> [192.0.1.0-192.0.1.255:0-65535 0] Aug 26 13:24:27.546030: | [RE]START processing: state #4 connection "east" from 192.1.2.45:500 (in 
complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:24:27.546044: | #4 complete_v2_state_transition() md.from_state=V2_CREATE_R md.svm.state[from]=V2_CREATE_R V2_REKEY_CHILD_R->V2_IPSEC_R with status STF_OK Aug 26 13:24:27.546054: | IKEv2: transition from state STATE_V2_CREATE_R to state STATE_V2_IPSEC_R Aug 26 13:24:27.546064: | child state #4: V2_REKEY_CHILD_R(established IKE SA) => V2_IPSEC_R(established CHILD SA) Aug 26 13:24:27.546074: | Message ID: updating counters for #4 to 4 after switching state Aug 26 13:24:27.546091: | Message ID: recv #1.#4 request 4; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=3 responder.recv=3->4; child: wip.initiator=-1 wip.responder=4->-1 Aug 26 13:24:27.546107: | Message ID: sent #1.#4 response 4; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=3->4 responder.recv=4; child: wip.initiator=-1 wip.responder=-1 Aug 26 13:24:27.546115: | pstats #4 ikev2.child established Aug 26 13:24:27.546134: "east" #4: negotiated connection [192.0.2.0-192.0.2.255:0-65535 0] -> [192.0.1.0-192.0.1.255:0-65535 0] Aug 26 13:24:27.546146: | NAT-T: encaps is 'auto' Aug 26 13:24:27.546160: "east" #4: STATE_V2_IPSEC_R: IPsec SA established tunnel mode {ESP=>0x82e76b78 <0x04f2a821 xfrm=AES_GCM_16_256-NONE-MODP2048 NATOA=none NATD=none DPD=passive} Aug 26 13:24:27.546175: | sending V2 new request packet to 192.1.2.45:500 (from 192.1.2.23:500) Aug 26 13:24:27.546192: | sending 449 bytes for STATE_V2_CREATE_R through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #1)
Aug 26 13:24:27.546548: | releasing whack for #4 (sock=fd@-1) Aug 26 13:24:27.546561: | releasing whack and unpending for parent #1 Aug 26 13:24:27.546571: | unpending state #1 connection "east" Aug 26 13:24:27.546585: | #4 will start re-keying in 28798 seconds with margin of 2 seconds (attempting re-key) Aug 26 13:24:27.546595: | state #4 requesting
EVENT_CRYPTO_TIMEOUT to be deleted Aug 26 13:24:27.546606: | libevent_free: release ptr-libevent@0x7f0a1c001f78 Aug 26 13:24:27.546617: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x7f0a2c002b78 Aug 26 13:24:27.546627: | event_schedule: new EVENT_SA_REKEY-pe@0x7f0a2c002b78 Aug 26 13:24:27.546639: | inserting event EVENT_SA_REKEY, timeout in 28798 seconds for #4 Aug 26 13:24:27.546649: | libevent_malloc: new ptr-libevent@0x7f0a20002888 size 128 Aug 26 13:24:27.546669: | #4 spent 3.52 milliseconds in resume sending helper answer Aug 26 13:24:27.546685: | stop processing: state #4 connection "east" from 192.1.2.45:500 (in resume_handler() at server.c:833) Aug 26 13:24:27.546695: | libevent_free: release ptr-libevent@0x7f0a14001f78 Aug 26 13:24:28.554169: | spent 0.00305 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Aug 26 13:24:28.554193: | *received 69 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500) Aug 26 13:24:28.554198: | 34 f5 76 a9 3e 8c 98 bc 16 9f 01 b3 a8 98 ae 60 Aug 26 13:24:28.554201: | 2e 20 25 08 00 00 00 05 00 00 00 45 2a 00 00 29 Aug 26 13:24:28.554202: | c2 ca 95 f5 42 ce 8e 02 d8 66 9e 32 dd 53 77 00 Aug 26 13:24:28.554204: | d8 6a 02 ca cb b2 fc 7c 88 bc 70 fc c7 97 4e ea Aug 26 13:24:28.554205: | 9a df 40 f1 2e Aug 26 13:24:28.554209: | start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) Aug 26 13:24:28.554211: | **parse ISAKMP Message: Aug 26 13:24:28.554213: | initiator cookie: Aug 26 13:24:28.554215: | 34 f5 76 a9 3e 8c 98 bc Aug 26 13:24:28.554216: | responder cookie: Aug 26 13:24:28.554218: | 16 9f 01 b3 a8 98 ae 60 Aug 26 13:24:28.554220: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Aug 26 13:24:28.554222: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:24:28.554227: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Aug 26 13:24:28.554229: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Aug 26 13:24:28.554230: | Message ID: 5 (0x5) Aug 26 13:24:28.554232: | length: 69 (0x45) 
Aug 26 13:24:28.554234: | processing version=2.0 packet with exchange type=ISAKMP_v2_INFORMATIONAL (37) Aug 26 13:24:28.554237: | I am the IKE SA Original Responder receiving an IKEv2 INFORMATIONAL request Aug 26 13:24:28.554240: | State DB: found IKEv2 state #1 in PARENT_R2 (find_v2_ike_sa) Aug 26 13:24:28.554245: | start processing: state #1 connection "east" from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:2016) Aug 26 13:24:28.554247: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Aug 26 13:24:28.554250: | [RE]START processing: state #1 connection "east" from 192.1.2.45:500 (in ike_process_packet() at ikev2.c:2064) Aug 26 13:24:28.554252: | #1 st.st_msgid_lastrecv 4 md.hdr.isa_msgid 00000005 Aug 26 13:24:28.554255: | Message ID: #1 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=4 responder.recv=4 Aug 26 13:24:28.554257: | unpacking clear payload Aug 26 13:24:28.554259: | Now let's proceed with payload (ISAKMP_NEXT_v2SK) Aug 26 13:24:28.554261: | ***parse IKEv2 Encryption Payload: Aug 26 13:24:28.554263: | next payload type: ISAKMP_NEXT_v2D (0x2a) Aug 26 13:24:28.554264: | flags: none (0x0) Aug 26 13:24:28.554266: | length: 41 (0x29) Aug 26 13:24:28.554268: | processing payload: ISAKMP_NEXT_v2SK (len=37) Aug 26 13:24:28.554271: | Message ID: start-responder #1 request 5; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=4 responder.recv=4 wip.initiator=-1 wip.responder=-1->5 Aug 26 13:24:28.554274: | #1 in state PARENT_R2: received v2I2, PARENT SA established Aug 26 13:24:28.554297: | #1 ikev2 ISAKMP_v2_INFORMATIONAL decrypt success Aug 26 13:24:28.554302: | Now let's proceed with payload (ISAKMP_NEXT_v2D) Aug 26 13:24:28.554305: | **parse IKEv2 Delete Payload: Aug 26 13:24:28.554308: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:24:28.554311: | flags: none (0x0) Aug 26 13:24:28.554313: | length: 12 (0xc) Aug 26 13:24:28.554316: | protocol ID: PROTO_v2_ESP (0x3) Aug 26 
13:24:28.554334: | SPI size: 4 (0x4) Aug 26 13:24:28.554336: | number of SPIs: 1 (0x1) Aug 26 13:24:28.554339: | processing payload: ISAKMP_NEXT_v2D (len=4) Aug 26 13:24:28.554342: | selected state microcode R2: process INFORMATIONAL Request Aug 26 13:24:28.554344: | Now let's proceed with state specific processing Aug 26 13:24:28.554347: | calling processor R2: process INFORMATIONAL Request Aug 26 13:24:28.554350: | an informational request should send a response Aug 26 13:24:28.554355: | Received an INFORMATIONAL response, updating st_last_liveness, no pending_liveness Aug 26 13:24:28.554358: | **emit ISAKMP Message: Aug 26 13:24:28.554361: | initiator cookie: Aug 26 13:24:28.554363: | 34 f5 76 a9 3e 8c 98 bc Aug 26 13:24:28.554366: | responder cookie: Aug 26 13:24:28.554368: | 16 9f 01 b3 a8 98 ae 60 Aug 26 13:24:28.554371: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 13:24:28.554373: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:24:28.554376: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Aug 26 13:24:28.554379: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Aug 26 13:24:28.554381: | Message ID: 5 (0x5) Aug 26 13:24:28.554384: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 13:24:28.554387: | ***emit IKEv2 Encryption Payload: Aug 26 13:24:28.554390: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:24:28.554393: | flags: none (0x0) Aug 26 13:24:28.554396: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Aug 26 13:24:28.554399: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'information exchange reply packet' Aug 26 13:24:28.554403: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Aug 26 13:24:28.554411: | parsing 4 raw bytes of IKEv2 Delete Payload into SPI Aug 26 13:24:28.554414: | SPI 76 b1 c3 bf Aug 26 13:24:28.554417: | delete PROTO_v2_ESP 
SA(0x76b1c3bf) Aug 26 13:24:28.554420: | v2 CHILD SA #3 found using their inbound (our outbound) SPI, in STATE_V2_IPSEC_R Aug 26 13:24:28.554422: | State DB: found IKEv2 state #3 in V2_IPSEC_R (find_v2_child_sa_by_outbound_spi) Aug 26 13:24:28.554424: | our side SPI that needs to be deleted: PROTO_v2_ESP SA(0x76b1c3bf) Aug 26 13:24:28.554426: "east" #1: received Delete SA payload: delete IPsec State #3 now Aug 26 13:24:28.554428: | pstats #3 ikev2.child deleted completed Aug 26 13:24:28.554431: | #3 spent 11.2 milliseconds in total Aug 26 13:24:28.554434: | suspend processing: state #1 connection "east" from 192.1.2.45:500 (in delete_state() at state.c:879) Aug 26 13:24:28.554437: | start processing: state #3 connection "east" from 192.1.2.45:500 (in delete_state() at state.c:879) Aug 26 13:24:28.554439: "east" #3: deleting other state #3 (STATE_V2_IPSEC_R) aged 26.055s and NOT sending notification Aug 26 13:24:28.554441: | child state #3: V2_IPSEC_R(established CHILD SA) => delete Aug 26 13:24:28.554444: | get_sa_info esp.76b1c3bf@192.1.2.45 Aug 26 13:24:28.554454: | get_sa_info esp.95f4fbca@192.1.2.23 Aug 26 13:24:28.554460: "east" #3: ESP traffic information: in=336B out=336B Aug 26 13:24:28.554463: | child state #3: V2_IPSEC_R(established CHILD SA) => CHILDSA_DEL(informational) Aug 26 13:24:28.554465: | state #3 requesting EVENT_SA_REKEY to be deleted Aug 26 13:24:28.554467: | libevent_free: release ptr-libevent@0x7f0a28002888 Aug 26 13:24:28.554470: | free_event_entry: release EVENT_SA_REKEY-pe@0x56213610bde8 Aug 26 13:24:28.554513: | delete esp.76b1c3bf@192.1.2.45 Aug 26 13:24:28.554527: | netlink response for Del SA esp.76b1c3bf@192.1.2.45 included non-error error Aug 26 13:24:28.554553: | delete esp.95f4fbca@192.1.2.23 Aug 26 13:24:28.554560: | netlink response for Del SA esp.95f4fbca@192.1.2.23 included non-error error Aug 26 13:24:28.554564: | in connection_discard for connection east Aug 26 13:24:28.554567: | State DB: deleting IKEv2 state #3 in 
CHILDSA_DEL Aug 26 13:24:28.554570: | child state #3: CHILDSA_DEL(informational) => UNDEFINED(ignore) Aug 26 13:24:28.554603: | stop processing: state #3 from 192.1.2.45:500 (in delete_state() at state.c:1143) Aug 26 13:24:28.554608: | resume processing: state #1 connection "east" from 192.1.2.45:500 (in delete_state() at state.c:1143) Aug 26 13:24:28.554615: | ****emit IKEv2 Delete Payload: Aug 26 13:24:28.554618: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:24:28.554620: | flags: none (0x0) Aug 26 13:24:28.554622: | protocol ID: PROTO_v2_ESP (0x3) Aug 26 13:24:28.554625: | SPI size: 4 (0x4) Aug 26 13:24:28.554627: | number of SPIs: 1 (0x1) Aug 26 13:24:28.554630: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) Aug 26 13:24:28.554633: | next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'information exchange reply packet' Aug 26 13:24:28.554636: | emitting 4 raw bytes of local SPIs into IKEv2 Delete Payload Aug 26 13:24:28.554638: | local SPIs 95 f4 fb ca Aug 26 13:24:28.554640: | emitting length of IKEv2 Delete Payload: 12 Aug 26 13:24:28.554643: | adding 1 bytes of padding (including 1 byte padding-length) Aug 26 13:24:28.554646: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:24:28.554649: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Aug 26 13:24:28.554651: | emitting length of IKEv2 Encryption Payload: 41 Aug 26 13:24:28.554654: | emitting length of ISAKMP Message: 69 Aug 26 13:24:28.554667: | sending 69 bytes for reply packet for process_encrypted_informational_ikev2 through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #1) Aug 26 13:24:28.554671: | 34 f5 76 a9 3e 8c 98 bc 16 9f 01 b3 a8 98 ae 60 Aug 26 13:24:28.554673: | 2e 20 25 20 00 00 00 05 00 00 00 45 2a 00 00 29 Aug 26 13:24:28.554678: | 4d c7 c5 6e ab 2c 5c 0f 22 0e cb e3 d3 44 
d7 6d Aug 26 13:24:28.554680: | 91 16 34 29 d3 08 c5 2c 7f 1b fe 62 4d f9 96 de Aug 26 13:24:28.554683: | b0 82 16 ca cf Aug 26 13:24:28.554712: | Message ID: #1 XXX: in process_encrypted_informational_ikev2() hacking around record'n'send bypassing send queue hacking around delete_my_family(); initiator.sent=-1 initiator.recv=-1 responder.sent=4 responder.recv=4 wip.initiator=-1 wip.responder=5 Aug 26 13:24:28.554718: | Message ID: sent #1 response 5; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=4->5 responder.recv=4 wip.initiator=-1 wip.responder=5 Aug 26 13:24:28.554724: | #1 spent 0.355 milliseconds in processing: R2: process INFORMATIONAL Request in ikev2_process_state_packet() Aug 26 13:24:28.554729: | [RE]START processing: state #1 connection "east" from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:24:28.554733: | #1 complete_v2_state_transition() PARENT_R2->PARENT_R2 with status STF_OK Aug 26 13:24:28.554736: | Message ID: updating counters for #1 to 5 after switching state Aug 26 13:24:28.554740: | Message ID: recv #1 request 5; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=5 responder.recv=4->5 wip.initiator=-1 wip.responder=5->-1 Aug 26 13:24:28.554744: | Message ID: #1 skipping update_send as nothing to send; initiator.sent=-1 initiator.recv=-1 responder.sent=5 responder.recv=5 wip.initiator=-1 wip.responder=-1 Aug 26 13:24:28.554748: "east" #1: STATE_PARENT_R2: received v2I2, PARENT SA established Aug 26 13:24:28.554753: | stop processing: state #1 connection "east" from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:2018) Aug 26 13:24:28.554758: | #1 spent 0.555 milliseconds in ikev2_process_packet() Aug 26 13:24:28.554762: | stop processing: from 192.1.2.45:500 (in process_md() at demux.c:380) Aug 26 13:24:28.554766: | processing: STOP state #0 (in process_md() at demux.c:382) Aug 26 13:24:28.554769: | processing: STOP connection NULL (in process_md() at demux.c:383) Aug 26 13:24:28.554773: | 
spent 0.571 milliseconds in comm_handle_cb() reading and processing packet Aug 26 13:24:36.188337: | processing global timer EVENT_PENDING_DDNS Aug 26 13:24:36.188371: | FOR_EACH_CONNECTION_... in connection_check_ddns Aug 26 13:24:36.188374: | FOR_EACH_UNORIENTED_CONNECTION_... in check_orientations Aug 26 13:24:36.188378: | elapsed time in connection_check_ddns for hostname lookup 0.000007 Aug 26 13:24:36.188386: | spent 0.0116 milliseconds in global timer EVENT_PENDING_DDNS Aug 26 13:24:36.188389: | processing global timer EVENT_SHUNT_SCAN Aug 26 13:24:36.188393: | expiring aged bare shunts from shunt table Aug 26 13:24:36.188398: | spent 0.0039 milliseconds in global timer EVENT_SHUNT_SCAN Aug 26 13:24:38.543027: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 13:24:38.543102: | FOR_EACH_STATE_... in show_traffic_status (sort_states) Aug 26 13:24:38.543116: | FOR_EACH_STATE_... in sort_states Aug 26 13:24:38.543138: | get_sa_info esp.4f2a821@192.1.2.23 Aug 26 13:24:38.543185: | get_sa_info esp.82e76b78@192.1.2.45 Aug 26 13:24:38.543250: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 13:24:38.543272: | spent 0.273 milliseconds in whack Aug 26 13:24:38.680641: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 13:24:38.681061: | FOR_EACH_CONNECTION_... in show_connections_status Aug 26 13:24:38.681075: | FOR_EACH_CONNECTION_... in show_connections_status Aug 26 13:24:38.681205: | FOR_EACH_STATE_... in show_states_status (sort_states) Aug 26 13:24:38.681213: | FOR_EACH_STATE_... 
in sort_states Aug 26 13:24:38.681240: | get_sa_info esp.4f2a821@192.1.2.23 Aug 26 13:24:38.681273: | get_sa_info esp.82e76b78@192.1.2.45 Aug 26 13:24:38.681335: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 13:24:38.681354: | spent 0.721 milliseconds in whack Aug 26 13:24:39.393133: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 13:24:39.393152: shutting down Aug 26 13:24:39.393159: | processing: RESET whack log_fd (was fd@16) (in exit_pluto() at plutomain.c:1825) Aug 26 13:24:39.393161: | certs and keys locked by 'free_preshared_secrets' Aug 26 13:24:39.393163: forgetting secrets Aug 26 13:24:39.393167: | certs and keys unlocked by 'free_preshared_secrets' Aug 26 13:24:39.393170: | unreference key: 0x562136102688 @east cnt 1-- Aug 26 13:24:39.393174: | unreference key: 0x562136059c48 @west cnt 1-- Aug 26 13:24:39.393178: | start processing: connection "east" (in delete_connection() at connections.c:189) Aug 26 13:24:39.393180: | Deleting states for connection - including all other IPsec SA's of this IKE SA Aug 26 13:24:39.393182: | pass 0 Aug 26 13:24:39.393183: | FOR_EACH_STATE_... 
in foreach_state_by_connection_func_delete Aug 26 13:24:39.393185: | state #4 Aug 26 13:24:39.393188: | suspend processing: connection "east" (in foreach_state_by_connection_func_delete() at state.c:1310) Aug 26 13:24:39.393207: | start processing: state #4 connection "east" from 192.1.2.45:500 (in foreach_state_by_connection_func_delete() at state.c:1310) Aug 26 13:24:39.393209: | pstats #4 ikev2.child deleted completed Aug 26 13:24:39.393214: | #4 spent 10.9 milliseconds in total Aug 26 13:24:39.393217: | [RE]START processing: state #4 connection "east" from 192.1.2.45:500 (in delete_state() at state.c:879) Aug 26 13:24:39.393221: "east" #4: deleting state (STATE_V2_IPSEC_R) aged 11.858s and sending notification Aug 26 13:24:39.393223: | child state #4: V2_IPSEC_R(established CHILD SA) => delete Aug 26 13:24:39.393227: | get_sa_info esp.82e76b78@192.1.2.45 Aug 26 13:24:39.393240: | get_sa_info esp.4f2a821@192.1.2.23 Aug 26 13:24:39.393246: "east" #4: ESP traffic information: in=336B out=336B Aug 26 13:24:39.393248: | #4 send IKEv2 delete notification for STATE_V2_IPSEC_R Aug 26 13:24:39.393251: | Opening output PBS informational exchange delete request Aug 26 13:24:39.393253: | **emit ISAKMP Message: Aug 26 13:24:39.393255: | initiator cookie: Aug 26 13:24:39.393257: | 34 f5 76 a9 3e 8c 98 bc Aug 26 13:24:39.393259: | responder cookie: Aug 26 13:24:39.393260: | 16 9f 01 b3 a8 98 ae 60 Aug 26 13:24:39.393262: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 13:24:39.393264: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:24:39.393266: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Aug 26 13:24:39.393268: | flags: none (0x0) Aug 26 13:24:39.393270: | Message ID: 0 (0x0) Aug 26 13:24:39.393272: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 13:24:39.393274: | ***emit IKEv2 Encryption Payload: Aug 26 13:24:39.393276: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:24:39.393278: | flags: none 
(0x0) Aug 26 13:24:39.393280: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Aug 26 13:24:39.393282: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'informational exchange delete request' Aug 26 13:24:39.393284: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Aug 26 13:24:39.393297: | ****emit IKEv2 Delete Payload: Aug 26 13:24:39.393302: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:24:39.393304: | flags: none (0x0) Aug 26 13:24:39.393306: | protocol ID: PROTO_v2_ESP (0x3) Aug 26 13:24:39.393308: | SPI size: 4 (0x4) Aug 26 13:24:39.393309: | number of SPIs: 1 (0x1) Aug 26 13:24:39.393312: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) Aug 26 13:24:39.393314: | next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'informational exchange delete request' Aug 26 13:24:39.393329: | emitting 4 raw bytes of local spis into IKEv2 Delete Payload Aug 26 13:24:39.393330: | local spis 04 f2 a8 21 Aug 26 13:24:39.393335: | emitting length of IKEv2 Delete Payload: 12 Aug 26 13:24:39.393337: | adding 1 bytes of padding (including 1 byte padding-length) Aug 26 13:24:39.393340: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:24:39.393342: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Aug 26 13:24:39.393343: | emitting length of IKEv2 Encryption Payload: 41 Aug 26 13:24:39.393345: | emitting length of ISAKMP Message: 69 Aug 26 13:24:39.393365: | sending 69 bytes for delete notification through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #4) Aug 26 13:24:39.393367: | 34 f5 76 a9 3e 8c 98 bc 16 9f 01 b3 a8 98 ae 60 Aug 26 13:24:39.393369: | 2e 20 25 00 00 00 00 00 00 00 00 45 2a 00 00 29 Aug 26 13:24:39.393370: | e5 bf 3e c3 
53 c1 b2 74 85 59 88 d5 3e df fe cd Aug 26 13:24:39.393372: | 32 4d 73 6c 08 6c 66 0a 22 e4 04 cf fd 98 90 96 Aug 26 13:24:39.393373: | d3 12 76 4a 07 Aug 26 13:24:39.393409: | Message ID: IKE #1 sender #4 in send_delete record 'n' sending delete request so forcing IKE nextuse=0->1 and sender msgid=0->0 Aug 26 13:24:39.393426: | Message ID: IKE #1 sender #4 in send_delete hacking around record ' send Aug 26 13:24:39.393430: | Message ID: sent #1 request 0; ike: initiator.sent=-1->0 initiator.recv=-1 responder.sent=5 responder.recv=5 wip.initiator=-1->0 wip.responder=-1 Aug 26 13:24:39.393432: | state #4 requesting EVENT_SA_REKEY to be deleted Aug 26 13:24:39.393435: | libevent_free: release ptr-libevent@0x7f0a20002888 Aug 26 13:24:39.393438: | free_event_entry: release EVENT_SA_REKEY-pe@0x7f0a2c002b78 Aug 26 13:24:39.393486: | running updown command "ipsec _updown" for verb down Aug 26 13:24:39.393504: | command executing down-client Aug 26 13:24:39.393536: | executing down-client: PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='east' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='@west' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1566825867' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x82e76b78 Aug 26 
13:24:39.393539: | popen cmd is 1030 chars long Aug 26 13:24:39.393541: | cmd( 0):PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='east' PLUTO_INTER: Aug 26 13:24:39.393543: | cmd( 80):FACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east: Aug 26 13:24:39.393545: | cmd( 160):' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT: Aug 26 13:24:39.393546: | cmd( 240):_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16: Aug 26 13:24:39.393548: | cmd( 320):388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='@west' PLUTO_PEE: Aug 26 13:24:39.393550: | cmd( 400):R_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK: Aug 26 13:24:39.393551: | cmd( 480):='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PL: Aug 26 13:24:39.393553: | cmd( 560):UTO_STACK='netkey' PLUTO_ADDTIME='1566825867' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUN: Aug 26 13:24:39.393555: | cmd( 640):NEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMA: Aug 26 13:24:39.393556: | cmd( 720):NENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_: Aug 26 13:24:39.393560: | cmd( 800):PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER: Aug 26 13:24:39.393562: | cmd( 880):='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' : Aug 26 13:24:39.393563: | cmd( 960):VTI_SHARED='no' SPI_IN=0x82e76b78 SPI_OUT=0x4f2a821 ipsec _updown 2>&1: Aug 26 13:24:39.404190: | shunt_eroute() called for connection 'east' to 'replace with shunt' for rt_kind 'prospective erouted' using protoports 0--0->-0 Aug 26 13:24:39.404201: | netlink_shunt_eroute for proto 0, and source port 0 dest port 0 Aug 26 13:24:39.404204: | priority calculation of connection "east" is 0xfe7e7 Aug 26 13:24:39.404208: | IPsec Sa SPD priority set to 1042407 Aug 26 13:24:39.404229: | delete 
esp.82e76b78@192.1.2.45 Aug 26 13:24:39.404247: | netlink response for Del SA esp.82e76b78@192.1.2.45 included non-error error Aug 26 13:24:39.404252: | priority calculation of connection "east" is 0xfe7e7 Aug 26 13:24:39.404260: | delete inbound eroute 192.0.1.0/24:0 --0-> 192.0.2.0/24:0 => unk255.10000@192.1.2.23 (raw_eroute) Aug 26 13:24:39.404281: | raw_eroute result=success Aug 26 13:24:39.404287: | delete esp.4f2a821@192.1.2.23 Aug 26 13:24:39.404323: | netlink response for Del SA esp.4f2a821@192.1.2.23 included non-error error Aug 26 13:24:39.404336: | stop processing: connection "east" (BACKGROUND) (in update_state_connection() at connections.c:4076) Aug 26 13:24:39.404342: | start processing: connection NULL (in update_state_connection() at connections.c:4077) Aug 26 13:24:39.404345: | in connection_discard for connection east Aug 26 13:24:39.404362: | State DB: deleting IKEv2 state #4 in V2_IPSEC_R Aug 26 13:24:39.404370: | child state #4: V2_IPSEC_R(established CHILD SA) => UNDEFINED(ignore) Aug 26 13:24:39.404410: | stop processing: state #4 from 192.1.2.45:500 (in delete_state() at state.c:1143) Aug 26 13:24:39.404438: | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312) Aug 26 13:24:39.404442: | state #1 Aug 26 13:24:39.404445: | pass 1 Aug 26 13:24:39.404448: | FOR_EACH_STATE_... 
in foreach_state_by_connection_func_delete Aug 26 13:24:39.404451: | state #1 Aug 26 13:24:39.404458: | start processing: state #1 connection "east" from 192.1.2.45:500 (in foreach_state_by_connection_func_delete() at state.c:1310) Aug 26 13:24:39.404461: | pstats #1 ikev2.ike deleted completed Aug 26 13:24:39.404468: | #1 spent 19.5 milliseconds in total Aug 26 13:24:39.404475: | [RE]START processing: state #1 connection "east" from 192.1.2.45:500 (in delete_state() at state.c:879) Aug 26 13:24:39.404479: "east" #1: deleting state (STATE_PARENT_R2) aged 61.952s and sending notification Aug 26 13:24:39.404483: | parent state #1: PARENT_R2(established IKE SA) => delete Aug 26 13:24:39.404519: | #1 send IKEv2 delete notification for STATE_PARENT_R2 Aug 26 13:24:39.404523: | Opening output PBS informational exchange delete request Aug 26 13:24:39.404525: | **emit ISAKMP Message: Aug 26 13:24:39.404527: | initiator cookie: Aug 26 13:24:39.404529: | 34 f5 76 a9 3e 8c 98 bc Aug 26 13:24:39.404530: | responder cookie: Aug 26 13:24:39.404532: | 16 9f 01 b3 a8 98 ae 60 Aug 26 13:24:39.404534: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 13:24:39.404536: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:24:39.404538: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Aug 26 13:24:39.404540: | flags: none (0x0) Aug 26 13:24:39.404542: | Message ID: 1 (0x1) Aug 26 13:24:39.404544: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 13:24:39.404546: | ***emit IKEv2 Encryption Payload: Aug 26 13:24:39.404549: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:24:39.404552: | flags: none (0x0) Aug 26 13:24:39.404557: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Aug 26 13:24:39.404561: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'informational exchange delete request' Aug 26 
13:24:39.404567: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Aug 26 13:24:39.404578: | ****emit IKEv2 Delete Payload: Aug 26 13:24:39.404582: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:24:39.404585: | flags: none (0x0) Aug 26 13:24:39.404588: | protocol ID: PROTO_v2_IKE (0x1) Aug 26 13:24:39.404591: | SPI size: 0 (0x0) Aug 26 13:24:39.404594: | number of SPIs: 0 (0x0) Aug 26 13:24:39.404599: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) Aug 26 13:24:39.404603: | next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'informational exchange delete request' Aug 26 13:24:39.404606: | emitting length of IKEv2 Delete Payload: 8 Aug 26 13:24:39.404610: | adding 1 bytes of padding (including 1 byte padding-length) Aug 26 13:24:39.404614: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:24:39.404618: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Aug 26 13:24:39.404621: | emitting length of IKEv2 Encryption Payload: 37 Aug 26 13:24:39.404623: | emitting length of ISAKMP Message: 65 Aug 26 13:24:39.404642: | sending 65 bytes for delete notification through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #1) Aug 26 13:24:39.404645: | 34 f5 76 a9 3e 8c 98 bc 16 9f 01 b3 a8 98 ae 60 Aug 26 13:24:39.404646: | 2e 20 25 00 00 00 00 01 00 00 00 41 2a 00 00 25 Aug 26 13:24:39.404648: | be f2 c7 2b 33 09 59 1f 72 46 18 fa 5e 77 14 2d Aug 26 13:24:39.404649: | 83 f5 75 08 28 13 5f 0f d0 11 d7 58 a4 de 85 9e Aug 26 13:24:39.404651: | c9 Aug 26 13:24:39.404712: | Message ID: IKE #1 sender #1 in send_delete record 'n' sending delete request so forcing IKE nextuse=1->2 and sender msgid=0->1 Aug 26 13:24:39.404718: | Message ID: IKE #1 sender #1 in send_delete hacking around record ' send Aug 26 13:24:39.404725: | Message ID: #1 XXX: expecting 
sender.wip.initiator 0 == -1 - suspect record'n'send out-of-order?); initiator.sent=1 initiator.recv=-1 responder.sent=5 responder.recv=5 wip.initiator=1 wip.responder=-1 Aug 26 13:24:39.404731: | Message ID: sent #1 request 1; ike: initiator.sent=0->1 initiator.recv=-1 responder.sent=5 responder.recv=5 wip.initiator=0->1 wip.responder=-1 Aug 26 13:24:39.404735: | state #1 requesting EVENT_SA_REKEY to be deleted Aug 26 13:24:39.404744: | libevent_free: release ptr-libevent@0x562136107678 Aug 26 13:24:39.404748: | free_event_entry: release EVENT_SA_REKEY-pe@0x562136102328 Aug 26 13:24:39.404754: | State DB: IKEv2 state not found (flush_incomplete_children) Aug 26 13:24:39.404758: | in connection_discard for connection east Aug 26 13:24:39.404761: | State DB: deleting IKEv2 state #1 in PARENT_R2 Aug 26 13:24:39.404765: | parent state #1: PARENT_R2(established IKE SA) => UNDEFINED(ignore) Aug 26 13:24:39.404788: | stop processing: state #1 from 192.1.2.45:500 (in delete_state() at state.c:1143) Aug 26 13:24:39.404819: | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312) Aug 26 13:24:39.404825: | shunt_eroute() called for connection 'east' to 'delete' for rt_kind 'unrouted' using protoports 0--0->-0 Aug 26 13:24:39.404830: | netlink_shunt_eroute for proto 0, and source port 0 dest port 0 Aug 26 13:24:39.404833: | priority calculation of connection "east" is 0xfe7e7 Aug 26 13:24:39.404851: | priority calculation of connection "east" is 0xfe7e7 Aug 26 13:24:39.404863: | FOR_EACH_CONNECTION_... 
in route_owner Aug 26 13:24:39.404867: | conn east mark 0/00000000, 0/00000000 vs Aug 26 13:24:39.404871: | conn east mark 0/00000000, 0/00000000 Aug 26 13:24:39.404874: | route owner of "east" unrouted: NULL Aug 26 13:24:39.404878: | running updown command "ipsec _updown" for verb unroute Aug 26 13:24:39.404881: | command executing unroute-client Aug 26 13:24:39.404917: | executing unroute-client: PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='east' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='@west' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0 Aug 26 13:24:39.404924: | popen cmd is 1012 chars long Aug 26 13:24:39.404929: | cmd( 0):PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='east' PLUTO_IN: Aug 26 13:24:39.404933: | cmd( 80):TERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@e: Aug 26 13:24:39.404937: | cmd( 160):ast' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLI: Aug 26 13:24:39.404941: | cmd( 240):ENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID=: Aug 26 13:24:39.404944: | cmd( 320):'16388' PLUTO_SA_TYPE='none' 
PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='@west' PLUTO: Aug 26 13:24:39.404948: | cmd( 400):_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_: Aug 26 13:24:39.404951: | cmd( 480):MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA=': Aug 26 13:24:39.404953: | cmd( 560):' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+P: Aug 26 13:24:39.404954: | cmd( 640):FS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT': Aug 26 13:24:39.404956: | cmd( 720): PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_: Aug 26 13:24:39.404958: | cmd( 800):DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' : Aug 26 13:24:39.404960: | cmd( 880):PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_S: Aug 26 13:24:39.404961: | cmd( 960):HARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec _updown 2>&1: Aug 26 13:24:39.416900: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:24:39.416921: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:24:39.416924: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:24:39.416926: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:24:39.416928: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:24:39.416930: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:24:39.416981: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:24:39.416987: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:24:39.416989: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:24:39.416991: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:24:39.416993: unroute-client output: Error: Peer netns reference is invalid. 
Aug 26 13:24:39.417037: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:24:39.417041: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:24:39.417042: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:24:39.417044: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:24:39.417055: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:24:39.417066: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:24:39.417079: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:24:39.417092: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:24:39.417105: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:24:39.417118: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:24:39.417131: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:24:39.417144: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:24:39.417156: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:24:39.417272: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:24:39.417285: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:24:39.417319: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:24:39.417334: unroute-client output: Error: Peer netns reference is invalid. 
Aug 26 13:24:39.421628: | free hp@0x562136102248 Aug 26 13:24:39.421643: | flush revival: connection 'east' wasn't on the list Aug 26 13:24:39.421646: | processing: STOP connection NULL (in discard_connection() at connections.c:249) Aug 26 13:24:39.421665: | crl fetch request list locked by 'free_crl_fetch' Aug 26 13:24:39.421667: | crl fetch request list unlocked by 'free_crl_fetch' Aug 26 13:24:39.421677: shutting down interface lo/lo 127.0.0.1:4500 Aug 26 13:24:39.421680: shutting down interface lo/lo 127.0.0.1:500 Aug 26 13:24:39.421682: shutting down interface eth0/eth0 192.0.2.254:4500 Aug 26 13:24:39.421684: shutting down interface eth0/eth0 192.0.2.254:500 Aug 26 13:24:39.421686: shutting down interface eth1/eth1 192.1.2.23:4500 Aug 26 13:24:39.421688: shutting down interface eth1/eth1 192.1.2.23:500 Aug 26 13:24:39.421691: | FOR_EACH_STATE_... in delete_states_dead_interfaces Aug 26 13:24:39.421701: | libevent_free: release ptr-libevent@0x5621360f3de8 Aug 26 13:24:39.421704: | free_event_entry: release EVENT_NULL-pe@0x5621360ffae8 Aug 26 13:24:39.421712: | libevent_free: release ptr-libevent@0x562136088e68 Aug 26 13:24:39.421714: | free_event_entry: release EVENT_NULL-pe@0x5621360ffb98 Aug 26 13:24:39.421720: | libevent_free: release ptr-libevent@0x562136089f08 Aug 26 13:24:39.421722: | free_event_entry: release EVENT_NULL-pe@0x5621360ffc48 Aug 26 13:24:39.421728: | libevent_free: release ptr-libevent@0x56213608aa28 Aug 26 13:24:39.421730: | free_event_entry: release EVENT_NULL-pe@0x5621360ffcf8 Aug 26 13:24:39.421735: | libevent_free: release ptr-libevent@0x56213605e4e8 Aug 26 13:24:39.421737: | free_event_entry: release EVENT_NULL-pe@0x5621360ffda8 Aug 26 13:24:39.421741: | libevent_free: release ptr-libevent@0x56213605e1d8 Aug 26 13:24:39.421743: | free_event_entry: release EVENT_NULL-pe@0x5621360ffe58 Aug 26 13:24:39.421747: | FOR_EACH_UNORIENTED_CONNECTION_... 
in check_orientations Aug 26 13:24:39.422170: | libevent_free: release ptr-libevent@0x5621360f3e98 Aug 26 13:24:39.422177: | free_event_entry: release EVENT_NULL-pe@0x5621360e7c08 Aug 26 13:24:39.422182: | libevent_free: release ptr-libevent@0x562136089688 Aug 26 13:24:39.422184: | free_event_entry: release EVENT_NULL-pe@0x5621360e7b98 Aug 26 13:24:39.422188: | libevent_free: release ptr-libevent@0x5621360cb5b8 Aug 26 13:24:39.422189: | free_event_entry: release EVENT_NULL-pe@0x5621360e7058 Aug 26 13:24:39.422192: | global timer EVENT_REINIT_SECRET uninitialized Aug 26 13:24:39.422194: | global timer EVENT_SHUNT_SCAN uninitialized Aug 26 13:24:39.422196: | global timer EVENT_PENDING_DDNS uninitialized Aug 26 13:24:39.422198: | global timer EVENT_PENDING_PHASE2 uninitialized Aug 26 13:24:39.422199: | global timer EVENT_CHECK_CRLS uninitialized Aug 26 13:24:39.422201: | global timer EVENT_REVIVE_CONNS uninitialized Aug 26 13:24:39.422203: | global timer EVENT_FREE_ROOT_CERTS uninitialized Aug 26 13:24:39.422204: | global timer EVENT_RESET_LOG_RATE_LIMIT uninitialized Aug 26 13:24:39.422206: | global timer EVENT_NAT_T_KEEPALIVE uninitialized Aug 26 13:24:39.422210: | libevent_free: release ptr-libevent@0x5621360871e8 Aug 26 13:24:39.422211: | signal event handler PLUTO_SIGCHLD uninstalled Aug 26 13:24:39.422214: | libevent_free: release ptr-libevent@0x56213608aeb8 Aug 26 13:24:39.422217: | signal event handler PLUTO_SIGTERM uninstalled Aug 26 13:24:39.422220: | libevent_free: release ptr-libevent@0x5621360ff3d8 Aug 26 13:24:39.422221: | signal event handler PLUTO_SIGHUP uninstalled Aug 26 13:24:39.422224: | libevent_free: release ptr-libevent@0x5621360ff618 Aug 26 13:24:39.422225: | signal event handler PLUTO_SIGSYS uninstalled Aug 26 13:24:39.422227: | releasing event base Aug 26 13:24:39.422236: | libevent_free: release ptr-libevent@0x5621360ff4e8 Aug 26 13:24:39.422238: | libevent_free: release ptr-libevent@0x5621360e2508 Aug 26 13:24:39.422241: | libevent_free: 
release ptr-libevent@0x5621360e24b8 Aug 26 13:24:39.422243: | libevent_free: release ptr-libevent@0x7f0a280027d8 Aug 26 13:24:39.422246: | libevent_free: release ptr-libevent@0x5621360e2408 Aug 26 13:24:39.422248: | libevent_free: release ptr-libevent@0x5621360ff168 Aug 26 13:24:39.422249: | libevent_free: release ptr-libevent@0x5621360ff318 Aug 26 13:24:39.422251: | libevent_free: release ptr-libevent@0x5621360e26b8 Aug 26 13:24:39.422253: | libevent_free: release ptr-libevent@0x5621360e7168 Aug 26 13:24:39.422254: | libevent_free: release ptr-libevent@0x5621360e7b58 Aug 26 13:24:39.422256: | libevent_free: release ptr-libevent@0x5621360ffec8 Aug 26 13:24:39.422257: | libevent_free: release ptr-libevent@0x5621360ffe18 Aug 26 13:24:39.422259: | libevent_free: release ptr-libevent@0x5621360ffd68 Aug 26 13:24:39.422261: | libevent_free: release ptr-libevent@0x5621360ffcb8 Aug 26 13:24:39.422262: | libevent_free: release ptr-libevent@0x5621360ffc08 Aug 26 13:24:39.422264: | libevent_free: release ptr-libevent@0x5621360ffb58 Aug 26 13:24:39.422266: | libevent_free: release ptr-libevent@0x562136086318 Aug 26 13:24:39.422267: | libevent_free: release ptr-libevent@0x5621360ff398 Aug 26 13:24:39.422269: | libevent_free: release ptr-libevent@0x5621360ff358 Aug 26 13:24:39.422271: | libevent_free: release ptr-libevent@0x5621360ff2d8 Aug 26 13:24:39.422272: | libevent_free: release ptr-libevent@0x5621360ff4a8 Aug 26 13:24:39.422274: | libevent_free: release ptr-libevent@0x5621360ff1a8 Aug 26 13:24:39.422276: | libevent_free: release ptr-libevent@0x56213605d908 Aug 26 13:24:39.422278: | libevent_free: release ptr-libevent@0x56213605dd38 Aug 26 13:24:39.422279: | libevent_free: release ptr-libevent@0x562136086688 Aug 26 13:24:39.422281: | releasing global libevent data Aug 26 13:24:39.422283: | libevent_free: release ptr-libevent@0x562136062f78 Aug 26 13:24:39.422285: | libevent_free: release ptr-libevent@0x56213605dcd8 Aug 26 13:24:39.422287: | libevent_free: release 
ptr-libevent@0x56213605ddd8 Aug 26 13:24:39.422357: leak detective found no leaks