Aug 26 13:23:50.471080: FIPS Product: YES Aug 26 13:23:50.471162: FIPS Kernel: NO Aug 26 13:23:50.471165: FIPS Mode: NO Aug 26 13:23:50.471166: NSS DB directory: sql:/etc/ipsec.d Aug 26 13:23:50.471277: Initializing NSS Aug 26 13:23:50.471284: Opening NSS database "sql:/etc/ipsec.d" read-only Aug 26 13:23:50.495213: NSS initialized Aug 26 13:23:50.495226: NSS crypto library initialized Aug 26 13:23:50.495228: FIPS HMAC integrity support [enabled] Aug 26 13:23:50.495229: FIPS mode disabled for pluto daemon Aug 26 13:23:50.519735: FIPS HMAC integrity verification self-test FAILED Aug 26 13:23:50.519816: libcap-ng support [enabled] Aug 26 13:23:50.519825: Linux audit support [enabled] Aug 26 13:23:50.519841: Linux audit activated Aug 26 13:23:50.519844: Starting Pluto (Libreswan Version v3.28-685-gbfd5aef521-master-s2 XFRM(netkey) esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) DNSSEC FIPS_CHECK LABELED_IPSEC SECCOMP LIBCAP_NG LINUX_AUDIT XAUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:22391 Aug 26 13:23:50.519846: core dump dir: /tmp Aug 26 13:23:50.519848: secrets file: /etc/ipsec.secrets Aug 26 13:23:50.519849: leak-detective enabled Aug 26 13:23:50.519851: NSS crypto [enabled] Aug 26 13:23:50.519852: XAUTH PAM support [enabled] Aug 26 13:23:50.519907: | libevent is using pluto's memory allocator Aug 26 13:23:50.519915: Initializing libevent in pthreads mode: headers: 2.1.8-stable (2010800); library: 2.1.8-stable (2010800) Aug 26 13:23:50.519927: | libevent_malloc: new ptr-libevent@0x55d13d1ea488 size 40 Aug 26 13:23:50.519930: | libevent_malloc: new ptr-libevent@0x55d13d1e9cd8 size 40 Aug 26 13:23:50.519932: | libevent_malloc: new ptr-libevent@0x55d13d1e9dd8 size 40 Aug 26 13:23:50.519934: | creating event base Aug 26 13:23:50.519936: | libevent_malloc: new ptr-libevent@0x55d13d26e708 size 56 Aug 26 13:23:50.519939: | libevent_malloc: new ptr-libevent@0x55d13d212688 size 664 Aug 26 13:23:50.519947: | libevent_malloc: new ptr-libevent@0x55d13d26e778 size 
24 Aug 26 13:23:50.519949: | libevent_malloc: new ptr-libevent@0x55d13d26e7c8 size 384 Aug 26 13:23:50.519957: | libevent_malloc: new ptr-libevent@0x55d13d26e6c8 size 16 Aug 26 13:23:50.519959: | libevent_malloc: new ptr-libevent@0x55d13d1e9908 size 40 Aug 26 13:23:50.519960: | libevent_malloc: new ptr-libevent@0x55d13d1e9d38 size 48 Aug 26 13:23:50.519965: | libevent_realloc: new ptr-libevent@0x55d13d214f48 size 256 Aug 26 13:23:50.519967: | libevent_malloc: new ptr-libevent@0x55d13d26e978 size 16 Aug 26 13:23:50.519971: | libevent_free: release ptr-libevent@0x55d13d26e708 Aug 26 13:23:50.519973: | libevent initialized Aug 26 13:23:50.519976: | libevent_realloc: new ptr-libevent@0x55d13d26e708 size 64 Aug 26 13:23:50.519978: | global periodic timer EVENT_RESET_LOG_RATE_LIMIT enabled with interval of 3600 seconds Aug 26 13:23:50.519989: | init_nat_traversal() initialized with keep_alive=0s Aug 26 13:23:50.519991: NAT-Traversal support [enabled] Aug 26 13:23:50.519993: | global one-shot timer EVENT_NAT_T_KEEPALIVE initialized Aug 26 13:23:50.519997: | global one-shot timer EVENT_FREE_ROOT_CERTS initialized Aug 26 13:23:50.520002: | global periodic timer EVENT_REINIT_SECRET enabled with interval of 3600 seconds Aug 26 13:23:50.520028: | global one-shot timer EVENT_REVIVE_CONNS initialized Aug 26 13:23:50.520030: | global periodic timer EVENT_PENDING_DDNS enabled with interval of 60 seconds Aug 26 13:23:50.520032: | global periodic timer EVENT_PENDING_PHASE2 enabled with interval of 120 seconds Aug 26 13:23:50.520064: Encryption algorithms: Aug 26 13:23:50.520070: AES_CCM_16 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm, aes_ccm_c Aug 26 13:23:50.520073: AES_CCM_12 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_b Aug 26 13:23:50.520075: AES_CCM_8 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_a Aug 26 13:23:50.520078: 3DES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS [*192] 3des Aug 26 13:23:50.520080: CAMELLIA_CTR IKEv1: ESP IKEv2: ESP {256,192,*128} Aug 26 
13:23:50.520085: CAMELLIA_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} camellia Aug 26 13:23:50.520087: AES_GCM_16 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm, aes_gcm_c Aug 26 13:23:50.520090: AES_GCM_12 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_b Aug 26 13:23:50.520092: AES_GCM_8 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_a Aug 26 13:23:50.520094: AES_CTR IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aesctr Aug 26 13:23:50.520096: AES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aes Aug 26 13:23:50.520099: SERPENT_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} serpent Aug 26 13:23:50.520101: TWOFISH_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} twofish Aug 26 13:23:50.520103: TWOFISH_SSH IKEv1: IKE IKEv2: IKE ESP {256,192,*128} twofish_cbc_ssh Aug 26 13:23:50.520105: NULL_AUTH_AES_GMAC IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_gmac Aug 26 13:23:50.520107: NULL IKEv1: ESP IKEv2: ESP [] Aug 26 13:23:50.520109: CHACHA20_POLY1305 IKEv1: IKEv2: IKE ESP [*256] chacha20poly1305 Aug 26 13:23:50.520114: Hash algorithms: Aug 26 13:23:50.520116: MD5 IKEv1: IKE IKEv2: Aug 26 13:23:50.520118: SHA1 IKEv1: IKE IKEv2: FIPS sha Aug 26 13:23:50.520120: SHA2_256 IKEv1: IKE IKEv2: FIPS sha2, sha256 Aug 26 13:23:50.520122: SHA2_384 IKEv1: IKE IKEv2: FIPS sha384 Aug 26 13:23:50.520124: SHA2_512 IKEv1: IKE IKEv2: FIPS sha512 Aug 26 13:23:50.520132: PRF algorithms: Aug 26 13:23:50.520134: HMAC_MD5 IKEv1: IKE IKEv2: IKE md5 Aug 26 13:23:50.520136: HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS sha, sha1 Aug 26 13:23:50.520139: HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS sha2, sha256, sha2_256 Aug 26 13:23:50.520141: HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS sha384, sha2_384 Aug 26 13:23:50.520143: HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS sha512, sha2_512 Aug 26 13:23:50.520144: AES_XCBC IKEv1: IKEv2: IKE aes128_xcbc Aug 26 13:23:50.520160: Integrity algorithms: Aug 26 13:23:50.520162: HMAC_MD5_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH md5, 
hmac_md5 Aug 26 13:23:50.520165: HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha, sha1, sha1_96, hmac_sha1 Aug 26 13:23:50.520167: HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha512, sha2_512, sha2_512_256, hmac_sha2_512 Aug 26 13:23:50.520170: HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha384, sha2_384, sha2_384_192, hmac_sha2_384 Aug 26 13:23:50.520172: HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256 Aug 26 13:23:50.520174: HMAC_SHA2_256_TRUNCBUG IKEv1: ESP AH IKEv2: AH Aug 26 13:23:50.520176: AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP AH aes_xcbc, aes128_xcbc, aes128_xcbc_96 Aug 26 13:23:50.520178: AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS aes_cmac Aug 26 13:23:50.520180: NONE IKEv1: ESP IKEv2: IKE ESP FIPS null Aug 26 13:23:50.520187: DH algorithms: Aug 26 13:23:50.520190: NONE IKEv1: IKEv2: IKE ESP AH FIPS null, dh0 Aug 26 13:23:50.520191: MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH dh5 Aug 26 13:23:50.520193: MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh14 Aug 26 13:23:50.520196: MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh15 Aug 26 13:23:50.520198: MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh16 Aug 26 13:23:50.520200: MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh17 Aug 26 13:23:50.520202: MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh18 Aug 26 13:23:50.520204: DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_256, ecp256 Aug 26 13:23:50.520206: DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_384, ecp384 Aug 26 13:23:50.520208: DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_521, ecp521 Aug 26 13:23:50.520210: DH31 IKEv1: IKE IKEv2: IKE ESP AH curve25519 Aug 26 13:23:50.520211: testing CAMELLIA_CBC: Aug 26 13:23:50.520214: Camellia: 16 bytes with 128-bit key Aug 26 13:23:50.520303: Camellia: 16 bytes with 128-bit key Aug 26 13:23:50.520343: Camellia: 16 bytes with 256-bit key Aug 26 13:23:50.520377: Camellia: 16 bytes with 256-bit key 
Aug 26 13:23:50.520395: testing AES_GCM_16: Aug 26 13:23:50.520397: empty string Aug 26 13:23:50.520417: one block Aug 26 13:23:50.520433: two blocks Aug 26 13:23:50.520449: two blocks with associated data Aug 26 13:23:50.520465: testing AES_CTR: Aug 26 13:23:50.520467: Encrypting 16 octets using AES-CTR with 128-bit key Aug 26 13:23:50.520483: Encrypting 32 octets using AES-CTR with 128-bit key Aug 26 13:23:50.520501: Encrypting 36 octets using AES-CTR with 128-bit key Aug 26 13:23:50.520518: Encrypting 16 octets using AES-CTR with 192-bit key Aug 26 13:23:50.520534: Encrypting 32 octets using AES-CTR with 192-bit key Aug 26 13:23:50.520550: Encrypting 36 octets using AES-CTR with 192-bit key Aug 26 13:23:50.520567: Encrypting 16 octets using AES-CTR with 256-bit key Aug 26 13:23:50.520584: Encrypting 32 octets using AES-CTR with 256-bit key Aug 26 13:23:50.520601: Encrypting 36 octets using AES-CTR with 256-bit key Aug 26 13:23:50.520618: testing AES_CBC: Aug 26 13:23:50.520620: Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key Aug 26 13:23:50.520636: Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key Aug 26 13:23:50.520653: Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key Aug 26 13:23:50.520670: Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key Aug 26 13:23:50.520691: testing AES_XCBC: Aug 26 13:23:50.520693: RFC 3566 Test Case #1: AES-XCBC-MAC-96 with 0-byte input Aug 26 13:23:50.520765: RFC 3566 Test Case #2: AES-XCBC-MAC-96 with 3-byte input Aug 26 13:23:50.520846: RFC 3566 Test Case #3: AES-XCBC-MAC-96 with 16-byte input Aug 26 13:23:50.520919: RFC 3566 Test Case #4: AES-XCBC-MAC-96 with 20-byte input Aug 26 13:23:50.520994: RFC 3566 Test Case #5: AES-XCBC-MAC-96 with 32-byte input Aug 26 13:23:50.521070: RFC 3566 Test Case #6: AES-XCBC-MAC-96 with 34-byte input Aug 26 13:23:50.521147: RFC 3566 Test Case #7: AES-XCBC-MAC-96 with 1000-byte input Aug 26 13:23:50.521336: RFC 4434 Test Case AES-XCBC-PRF-128 with 
20-byte input (key length 16) Aug 26 13:23:50.521428: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10) Aug 26 13:23:50.521510: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18) Aug 26 13:23:50.521652: testing HMAC_MD5: Aug 26 13:23:50.521655: RFC 2104: MD5_HMAC test 1 Aug 26 13:23:50.521758: RFC 2104: MD5_HMAC test 2 Aug 26 13:23:50.521852: RFC 2104: MD5_HMAC test 3 Aug 26 13:23:50.521969: 8 CPU cores online Aug 26 13:23:50.521973: starting up 7 crypto helpers Aug 26 13:23:50.522004: started thread for crypto helper 0 Aug 26 13:23:50.522020: started thread for crypto helper 1 Aug 26 13:23:50.522036: started thread for crypto helper 2 Aug 26 13:23:50.522037: | starting up helper thread 0 Aug 26 13:23:50.522067: | starting up helper thread 1 Aug 26 13:23:50.522088: | status value returned by setting the priority of this thread (crypto helper 1) 22 Aug 26 13:23:50.522106: | crypto helper 1 waiting (nothing to do) Aug 26 13:23:50.522130: started thread for crypto helper 3 Aug 26 13:23:50.522074: | status value returned by setting the priority of this thread (crypto helper 0) 22 Aug 26 13:23:50.522142: | crypto helper 0 waiting (nothing to do) Aug 26 13:23:50.522146: started thread for crypto helper 4 Aug 26 13:23:50.522151: | starting up helper thread 4 Aug 26 13:23:50.522160: | status value returned by setting the priority of this thread (crypto helper 4) 22 Aug 26 13:23:50.522160: started thread for crypto helper 5 Aug 26 13:23:50.522188: | crypto helper 4 waiting (nothing to do) Aug 26 13:23:50.522163: | starting up helper thread 5 Aug 26 13:23:50.522075: | starting up helper thread 2 Aug 26 13:23:50.522208: started thread for crypto helper 6 Aug 26 13:23:50.522198: | status value returned by setting the priority of this thread (crypto helper 5) 22 Aug 26 13:23:50.522170: | starting up helper thread 3 Aug 26 13:23:50.522210: | status value returned by setting the priority of this thread (crypto helper 2) 22 Aug 26 
13:23:50.522214: | checking IKEv1 state table Aug 26 13:23:50.522215: | crypto helper 5 waiting (nothing to do) Aug 26 13:23:50.522215: | starting up helper thread 6 Aug 26 13:23:50.522220: | status value returned by setting the priority of this thread (crypto helper 3) 22 Aug 26 13:23:50.522240: | status value returned by setting the priority of this thread (crypto helper 6) 22 Aug 26 13:23:50.522232: | MAIN_R0: category: half-open IKE SA flags: 0: Aug 26 13:23:50.522233: | crypto helper 2 waiting (nothing to do) Aug 26 13:23:50.522246: | -> MAIN_R1 EVENT_SO_DISCARD Aug 26 13:23:50.522252: | crypto helper 3 waiting (nothing to do) Aug 26 13:23:50.522253: | MAIN_I1: category: half-open IKE SA flags: 0: Aug 26 13:23:50.522259: | -> MAIN_I2 EVENT_RETRANSMIT Aug 26 13:23:50.522259: | crypto helper 6 waiting (nothing to do) Aug 26 13:23:50.522263: | MAIN_R1: category: open IKE SA flags: 200: Aug 26 13:23:50.522271: | -> MAIN_R2 EVENT_RETRANSMIT Aug 26 13:23:50.522273: | -> UNDEFINED EVENT_RETRANSMIT Aug 26 13:23:50.522275: | -> UNDEFINED EVENT_RETRANSMIT Aug 26 13:23:50.522277: | MAIN_I2: category: open IKE SA flags: 0: Aug 26 13:23:50.522278: | -> MAIN_I3 EVENT_RETRANSMIT Aug 26 13:23:50.522280: | -> UNDEFINED EVENT_RETRANSMIT Aug 26 13:23:50.522281: | -> UNDEFINED EVENT_RETRANSMIT Aug 26 13:23:50.522283: | MAIN_R2: category: open IKE SA flags: 0: Aug 26 13:23:50.522284: | -> MAIN_R3 EVENT_SA_REPLACE Aug 26 13:23:50.522286: | -> MAIN_R3 EVENT_SA_REPLACE Aug 26 13:23:50.522290: | -> UNDEFINED EVENT_SA_REPLACE Aug 26 13:23:50.522294: | MAIN_I3: category: open IKE SA flags: 0: Aug 26 13:23:50.522295: | -> MAIN_I4 EVENT_SA_REPLACE Aug 26 13:23:50.522297: | -> MAIN_I4 EVENT_SA_REPLACE Aug 26 13:23:50.522298: | -> UNDEFINED EVENT_SA_REPLACE Aug 26 13:23:50.522300: | MAIN_R3: category: established IKE SA flags: 200: Aug 26 13:23:50.522302: | -> UNDEFINED EVENT_NULL Aug 26 13:23:50.522304: | MAIN_I4: category: established IKE SA flags: 0: Aug 26 13:23:50.522305: | -> 
UNDEFINED EVENT_NULL Aug 26 13:23:50.522307: | AGGR_R0: category: half-open IKE SA flags: 0: Aug 26 13:23:50.522308: | -> AGGR_R1 EVENT_SO_DISCARD Aug 26 13:23:50.522310: | AGGR_I1: category: half-open IKE SA flags: 0: Aug 26 13:23:50.522312: | -> AGGR_I2 EVENT_SA_REPLACE Aug 26 13:23:50.522313: | -> AGGR_I2 EVENT_SA_REPLACE Aug 26 13:23:50.522315: | AGGR_R1: category: open IKE SA flags: 200: Aug 26 13:23:50.522316: | -> AGGR_R2 EVENT_SA_REPLACE Aug 26 13:23:50.522318: | -> AGGR_R2 EVENT_SA_REPLACE Aug 26 13:23:50.522320: | AGGR_I2: category: established IKE SA flags: 200: Aug 26 13:23:50.522321: | -> UNDEFINED EVENT_NULL Aug 26 13:23:50.522323: | AGGR_R2: category: established IKE SA flags: 0: Aug 26 13:23:50.522324: | -> UNDEFINED EVENT_NULL Aug 26 13:23:50.522326: | QUICK_R0: category: established CHILD SA flags: 0: Aug 26 13:23:50.522328: | -> QUICK_R1 EVENT_RETRANSMIT Aug 26 13:23:50.522332: | QUICK_I1: category: established CHILD SA flags: 0: Aug 26 13:23:50.522334: | -> QUICK_I2 EVENT_SA_REPLACE Aug 26 13:23:50.522335: | QUICK_R1: category: established CHILD SA flags: 0: Aug 26 13:23:50.522337: | -> QUICK_R2 EVENT_SA_REPLACE Aug 26 13:23:50.522339: | QUICK_I2: category: established CHILD SA flags: 200: Aug 26 13:23:50.522340: | -> UNDEFINED EVENT_NULL Aug 26 13:23:50.522342: | QUICK_R2: category: established CHILD SA flags: 0: Aug 26 13:23:50.522343: | -> UNDEFINED EVENT_NULL Aug 26 13:23:50.522345: | INFO: category: informational flags: 0: Aug 26 13:23:50.522347: | -> UNDEFINED EVENT_NULL Aug 26 13:23:50.522348: | INFO_PROTECTED: category: informational flags: 0: Aug 26 13:23:50.522350: | -> UNDEFINED EVENT_NULL Aug 26 13:23:50.522352: | XAUTH_R0: category: established IKE SA flags: 0: Aug 26 13:23:50.522353: | -> XAUTH_R1 EVENT_NULL Aug 26 13:23:50.522355: | XAUTH_R1: category: established IKE SA flags: 0: Aug 26 13:23:50.522356: | -> MAIN_R3 EVENT_SA_REPLACE Aug 26 13:23:50.522358: | MODE_CFG_R0: category: informational flags: 0: Aug 26 13:23:50.522360: | 
-> MODE_CFG_R1 EVENT_SA_REPLACE Aug 26 13:23:50.522361: | MODE_CFG_R1: category: established IKE SA flags: 0: Aug 26 13:23:50.522363: | -> MODE_CFG_R2 EVENT_SA_REPLACE Aug 26 13:23:50.522365: | MODE_CFG_R2: category: established IKE SA flags: 0: Aug 26 13:23:50.522366: | -> UNDEFINED EVENT_NULL Aug 26 13:23:50.522368: | MODE_CFG_I1: category: established IKE SA flags: 0: Aug 26 13:23:50.522370: | -> MAIN_I4 EVENT_SA_REPLACE Aug 26 13:23:50.522371: | XAUTH_I0: category: established IKE SA flags: 0: Aug 26 13:23:50.522373: | -> XAUTH_I1 EVENT_RETRANSMIT Aug 26 13:23:50.522375: | XAUTH_I1: category: established IKE SA flags: 0: Aug 26 13:23:50.522376: | -> MAIN_I4 EVENT_RETRANSMIT Aug 26 13:23:50.522381: | checking IKEv2 state table Aug 26 13:23:50.522385: | PARENT_I0: category: ignore flags: 0: Aug 26 13:23:50.522387: | -> PARENT_I1 EVENT_RETRANSMIT send-request (initiate IKE_SA_INIT) Aug 26 13:23:50.522389: | PARENT_I1: category: half-open IKE SA flags: 0: Aug 26 13:23:50.522391: | -> PARENT_I1 EVENT_RETAIN send-request (Initiator: process SA_INIT reply notification) Aug 26 13:23:50.522393: | -> PARENT_I2 EVENT_RETRANSMIT send-request (Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH) Aug 26 13:23:50.522395: | PARENT_I2: category: open IKE SA flags: 0: Aug 26 13:23:50.522397: | -> PARENT_I2 EVENT_NULL (Initiator: process INVALID_SYNTAX AUTH notification) Aug 26 13:23:50.522399: | -> PARENT_I2 EVENT_NULL (Initiator: process AUTHENTICATION_FAILED AUTH notification) Aug 26 13:23:50.522401: | -> PARENT_I2 EVENT_NULL (Initiator: process UNSUPPORTED_CRITICAL_PAYLOAD AUTH notification) Aug 26 13:23:50.522403: | -> V2_IPSEC_I EVENT_SA_REPLACE (Initiator: process IKE_AUTH response) Aug 26 13:23:50.522404: | -> PARENT_I2 EVENT_NULL (IKE SA: process IKE_AUTH response containing unknown notification) Aug 26 13:23:50.522406: | PARENT_I3: category: established IKE SA flags: 0: Aug 26 13:23:50.522408: | -> PARENT_I3 EVENT_RETAIN (I3: Informational Request) Aug 26 
13:23:50.522410: | -> PARENT_I3 EVENT_RETAIN (I3: Informational Response) Aug 26 13:23:50.522411: | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Request) Aug 26 13:23:50.522413: | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Response) Aug 26 13:23:50.522415: | PARENT_R0: category: half-open IKE SA flags: 0: Aug 26 13:23:50.522416: | -> PARENT_R1 EVENT_SO_DISCARD send-request (Respond to IKE_SA_INIT) Aug 26 13:23:50.522418: | PARENT_R1: category: half-open IKE SA flags: 0: Aug 26 13:23:50.522420: | -> PARENT_R1 EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request (no SKEYSEED)) Aug 26 13:23:50.522422: | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request) Aug 26 13:23:50.522424: | PARENT_R2: category: established IKE SA flags: 0: Aug 26 13:23:50.522426: | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Request) Aug 26 13:23:50.522429: | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Response) Aug 26 13:23:50.522431: | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Request) Aug 26 13:23:50.522432: | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Response) Aug 26 13:23:50.522434: | V2_CREATE_I0: category: established IKE SA flags: 0: Aug 26 13:23:50.522436: | -> V2_CREATE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec SA) Aug 26 13:23:50.522438: | V2_CREATE_I: category: established IKE SA flags: 0: Aug 26 13:23:50.522440: | -> V2_IPSEC_I EVENT_SA_REPLACE (Process CREATE_CHILD_SA IPsec SA Response) Aug 26 13:23:50.522441: | V2_REKEY_IKE_I0: category: established IKE SA flags: 0: Aug 26 13:23:50.522443: | -> V2_REKEY_IKE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IKE Rekey) Aug 26 13:23:50.522445: | V2_REKEY_IKE_I: category: established IKE SA flags: 0: Aug 26 13:23:50.522447: | -> PARENT_I3 EVENT_SA_REPLACE (Process CREATE_CHILD_SA IKE Rekey Response) Aug 26 13:23:50.522449: | V2_REKEY_CHILD_I0: category: established IKE SA flags: 0: Aug 26 13:23:50.522451: | -> 
V2_REKEY_CHILD_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec Rekey SA) Aug 26 13:23:50.522452: | V2_REKEY_CHILD_I: category: established IKE SA flags: 0: Aug 26 13:23:50.522454: | V2_CREATE_R: category: established IKE SA flags: 0: Aug 26 13:23:50.522456: | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IPsec SA Request) Aug 26 13:23:50.522458: | V2_REKEY_IKE_R: category: established IKE SA flags: 0: Aug 26 13:23:50.522460: | -> PARENT_R2 EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IKE Rekey) Aug 26 13:23:50.522462: | V2_REKEY_CHILD_R: category: established IKE SA flags: 0: Aug 26 13:23:50.522464: | V2_IPSEC_I: category: established CHILD SA flags: 0: Aug 26 13:23:50.522465: | V2_IPSEC_R: category: established CHILD SA flags: 0: Aug 26 13:23:50.522467: | IKESA_DEL: category: established IKE SA flags: 0: Aug 26 13:23:50.522469: | -> IKESA_DEL EVENT_RETAIN (IKE_SA_DEL: process INFORMATIONAL) Aug 26 13:23:50.522471: | CHILDSA_DEL: category: informational flags: 0: Aug 26 13:23:50.522480: Using Linux XFRM/NETKEY IPsec interface code on 5.1.18-200.fc29.x86_64 Aug 26 13:23:50.522955: | Hard-wiring algorithms Aug 26 13:23:50.522958: | adding AES_CCM_16 to kernel algorithm db Aug 26 13:23:50.522962: | adding AES_CCM_12 to kernel algorithm db Aug 26 13:23:50.522963: | adding AES_CCM_8 to kernel algorithm db Aug 26 13:23:50.522965: | adding 3DES_CBC to kernel algorithm db Aug 26 13:23:50.522967: | adding CAMELLIA_CBC to kernel algorithm db Aug 26 13:23:50.522968: | adding AES_GCM_16 to kernel algorithm db Aug 26 13:23:50.522970: | adding AES_GCM_12 to kernel algorithm db Aug 26 13:23:50.522972: | adding AES_GCM_8 to kernel algorithm db Aug 26 13:23:50.522973: | adding AES_CTR to kernel algorithm db Aug 26 13:23:50.522975: | adding AES_CBC to kernel algorithm db Aug 26 13:23:50.522977: | adding SERPENT_CBC to kernel algorithm db Aug 26 13:23:50.522978: | adding TWOFISH_CBC to kernel algorithm db Aug 26 13:23:50.522980: 
| adding NULL_AUTH_AES_GMAC to kernel algorithm db Aug 26 13:23:50.522982: | adding NULL to kernel algorithm db Aug 26 13:23:50.522983: | adding CHACHA20_POLY1305 to kernel algorithm db Aug 26 13:23:50.522985: | adding HMAC_MD5_96 to kernel algorithm db Aug 26 13:23:50.522987: | adding HMAC_SHA1_96 to kernel algorithm db Aug 26 13:23:50.522988: | adding HMAC_SHA2_512_256 to kernel algorithm db Aug 26 13:23:50.522990: | adding HMAC_SHA2_384_192 to kernel algorithm db Aug 26 13:23:50.522992: | adding HMAC_SHA2_256_128 to kernel algorithm db Aug 26 13:23:50.522993: | adding HMAC_SHA2_256_TRUNCBUG to kernel algorithm db Aug 26 13:23:50.522995: | adding AES_XCBC_96 to kernel algorithm db Aug 26 13:23:50.522997: | adding AES_CMAC_96 to kernel algorithm db Aug 26 13:23:50.522998: | adding NONE to kernel algorithm db Aug 26 13:23:50.523014: | net.ipv6.conf.all.disable_ipv6=1 ignore ipv6 holes Aug 26 13:23:50.523018: | global periodic timer EVENT_SHUNT_SCAN enabled with interval of 20 seconds Aug 26 13:23:50.523020: | setup kernel fd callback Aug 26 13:23:50.523022: | add_fd_read_event_handler: new KERNEL_XRM_FD-pe@0x55d13d2733d8 Aug 26 13:23:50.523026: | libevent_malloc: new ptr-libevent@0x55d13d257808 size 128 Aug 26 13:23:50.523028: | libevent_malloc: new ptr-libevent@0x55d13d2734e8 size 16 Aug 26 13:23:50.523032: | add_fd_read_event_handler: new KERNEL_ROUTE_FD-pe@0x55d13d273f18 Aug 26 13:23:50.523035: | libevent_malloc: new ptr-libevent@0x55d13d213c28 size 128 Aug 26 13:23:50.523037: | libevent_malloc: new ptr-libevent@0x55d13d273ed8 size 16 Aug 26 13:23:50.523189: | global one-shot timer EVENT_CHECK_CRLS initialized Aug 26 13:23:50.523195: selinux support is enabled. 
Aug 26 13:23:50.523622: | unbound context created - setting debug level to 5 Aug 26 13:23:50.523645: | /etc/hosts lookups activated Aug 26 13:23:50.523656: | /etc/resolv.conf usage activated Aug 26 13:23:50.523693: | outgoing-port-avoid set 0-65535 Aug 26 13:23:50.523710: | outgoing-port-permit set 32768-60999 Aug 26 13:23:50.523712: | Loading dnssec root key from:/var/lib/unbound/root.key Aug 26 13:23:50.523714: | No additional dnssec trust anchors defined via dnssec-trusted= option Aug 26 13:23:50.523716: | Setting up events, loop start Aug 26 13:23:50.523719: | add_fd_read_event_handler: new PLUTO_CTL_FD-pe@0x55d13d273f88 Aug 26 13:23:50.523721: | libevent_malloc: new ptr-libevent@0x55d13d280198 size 128 Aug 26 13:23:50.523723: | libevent_malloc: new ptr-libevent@0x55d13d28b468 size 16 Aug 26 13:23:50.523728: | libevent_realloc: new ptr-libevent@0x55d13d212318 size 256 Aug 26 13:23:50.523730: | libevent_malloc: new ptr-libevent@0x55d13d28b4a8 size 8 Aug 26 13:23:50.523732: | libevent_realloc: new ptr-libevent@0x55d13d1e5918 size 144 Aug 26 13:23:50.523734: | libevent_malloc: new ptr-libevent@0x55d13d216ed8 size 152 Aug 26 13:23:50.523736: | libevent_malloc: new ptr-libevent@0x55d13d28b4e8 size 16 Aug 26 13:23:50.523739: | signal event handler PLUTO_SIGCHLD installed Aug 26 13:23:50.523741: | libevent_malloc: new ptr-libevent@0x55d13d28b528 size 8 Aug 26 13:23:50.523743: | libevent_malloc: new ptr-libevent@0x55d13d28b568 size 152 Aug 26 13:23:50.523745: | signal event handler PLUTO_SIGTERM installed Aug 26 13:23:50.523747: | libevent_malloc: new ptr-libevent@0x55d13d28b638 size 8 Aug 26 13:23:50.523748: | libevent_malloc: new ptr-libevent@0x55d13d28b678 size 152 Aug 26 13:23:50.523750: | signal event handler PLUTO_SIGHUP installed Aug 26 13:23:50.523752: | libevent_malloc: new ptr-libevent@0x55d13d28b748 size 8 Aug 26 13:23:50.523754: | libevent_realloc: release ptr-libevent@0x55d13d1e5918 Aug 26 13:23:50.523756: | libevent_realloc: new 
ptr-libevent@0x55d13d28b788 size 256 Aug 26 13:23:50.523758: | libevent_malloc: new ptr-libevent@0x55d13d28b8b8 size 152 Aug 26 13:23:50.523760: | signal event handler PLUTO_SIGSYS installed Aug 26 13:23:50.524002: | created addconn helper (pid:22405) using fork+execve Aug 26 13:23:50.524017: | forked child 22405 Aug 26 13:23:50.527678: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 13:23:50.527698: listening for IKE messages Aug 26 13:23:50.527790: | Inspecting interface lo Aug 26 13:23:50.527798: | found lo with address 127.0.0.1 Aug 26 13:23:50.527802: | Inspecting interface eth0 Aug 26 13:23:50.527806: | found eth0 with address 192.0.2.254 Aug 26 13:23:50.527810: | Inspecting interface eth1 Aug 26 13:23:50.527814: | found eth1 with address 192.1.2.23 Aug 26 13:23:50.527881: Kernel supports NIC esp-hw-offload Aug 26 13:23:50.527892: adding interface eth1/eth1 (esp-hw-offload not supported by kernel) 192.1.2.23:500 Aug 26 13:23:50.527937: | NAT-Traversal: Trying sockopt style NAT-T Aug 26 13:23:50.527942: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 Aug 26 13:23:50.527946: adding interface eth1/eth1 192.1.2.23:4500 Aug 26 13:23:50.527976: adding interface eth0/eth0 (esp-hw-offload not supported by kernel) 192.0.2.254:500 Aug 26 13:23:50.527995: | NAT-Traversal: Trying sockopt style NAT-T Aug 26 13:23:50.527999: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 Aug 26 13:23:50.528003: adding interface eth0/eth0 192.0.2.254:4500 Aug 26 13:23:50.528025: adding interface lo/lo (esp-hw-offload not supported by kernel) 127.0.0.1:500 Aug 26 13:23:50.528042: | NAT-Traversal: Trying sockopt style NAT-T Aug 26 13:23:50.528046: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 Aug 26 13:23:50.528050: adding interface lo/lo 127.0.0.1:4500 Aug 26 13:23:50.528122: | no interfaces to sort Aug 26 
13:23:50.528127: | FOR_EACH_UNORIENTED_CONNECTION_... in check_orientations Aug 26 13:23:50.528136: | add_fd_read_event_handler: new ethX-pe@0x55d13d28bd88 Aug 26 13:23:50.528140: | libevent_malloc: new ptr-libevent@0x55d13d2800e8 size 128 Aug 26 13:23:50.528144: | libevent_malloc: new ptr-libevent@0x55d13d28bdf8 size 16 Aug 26 13:23:50.528152: | setup callback for interface lo 127.0.0.1:4500 fd 22 Aug 26 13:23:50.528155: | add_fd_read_event_handler: new ethX-pe@0x55d13d28be38 Aug 26 13:23:50.528158: | libevent_malloc: new ptr-libevent@0x55d13d214e68 size 128 Aug 26 13:23:50.528161: | libevent_malloc: new ptr-libevent@0x55d13d28bea8 size 16 Aug 26 13:23:50.528165: | setup callback for interface lo 127.0.0.1:500 fd 21 Aug 26 13:23:50.528168: | add_fd_read_event_handler: new ethX-pe@0x55d13d28bee8 Aug 26 13:23:50.528171: | libevent_malloc: new ptr-libevent@0x55d13d215f08 size 128 Aug 26 13:23:50.528174: | libevent_malloc: new ptr-libevent@0x55d13d28bf58 size 16 Aug 26 13:23:50.528178: | setup callback for interface eth0 192.0.2.254:4500 fd 20 Aug 26 13:23:50.528181: | add_fd_read_event_handler: new ethX-pe@0x55d13d28bf98 Aug 26 13:23:50.528185: | libevent_malloc: new ptr-libevent@0x55d13d216a48 size 128 Aug 26 13:23:50.528188: | libevent_malloc: new ptr-libevent@0x55d13d28c008 size 16 Aug 26 13:23:50.528193: | setup callback for interface eth0 192.0.2.254:500 fd 19 Aug 26 13:23:50.528196: | add_fd_read_event_handler: new ethX-pe@0x55d13d28c048 Aug 26 13:23:50.528199: | libevent_malloc: new ptr-libevent@0x55d13d1ea4e8 size 128 Aug 26 13:23:50.528202: | libevent_malloc: new ptr-libevent@0x55d13d28c0b8 size 16 Aug 26 13:23:50.528207: | setup callback for interface eth1 192.1.2.23:4500 fd 18 Aug 26 13:23:50.528210: | add_fd_read_event_handler: new ethX-pe@0x55d13d28c0f8 Aug 26 13:23:50.528212: | libevent_malloc: new ptr-libevent@0x55d13d1ea1d8 size 128 Aug 26 13:23:50.528215: | libevent_malloc: new ptr-libevent@0x55d13d28c168 size 16 Aug 26 13:23:50.528220: | setup 
callback for interface eth1 192.1.2.23:500 fd 17 Aug 26 13:23:50.528224: | certs and keys locked by 'free_preshared_secrets' Aug 26 13:23:50.528227: | certs and keys unlocked by 'free_preshared_secrets' Aug 26 13:23:50.528245: loading secrets from "/etc/ipsec.secrets" Aug 26 13:23:50.528254: | id type added to secret(0x55d13d1e5b58) PKK_PSK: @west Aug 26 13:23:50.528258: | id type added to secret(0x55d13d1e5b58) PKK_PSK: @east Aug 26 13:23:50.528262: | Processing PSK at line 1: passed Aug 26 13:23:50.528265: | certs and keys locked by 'process_secret' Aug 26 13:23:50.528269: | certs and keys unlocked by 'process_secret' Aug 26 13:23:50.528279: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 13:23:50.528286: | spent 0.616 milliseconds in whack Aug 26 13:23:50.541802: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 13:23:50.541820: listening for IKE messages Aug 26 13:23:50.544849: | Inspecting interface lo Aug 26 13:23:50.544862: | found lo with address 127.0.0.1 Aug 26 13:23:50.544865: | Inspecting interface eth0 Aug 26 13:23:50.544868: | found eth0 with address 192.0.2.254 Aug 26 13:23:50.544870: | Inspecting interface eth1 Aug 26 13:23:50.544873: | found eth1 with address 192.1.2.23 Aug 26 13:23:50.544912: | no interfaces to sort Aug 26 13:23:50.544923: | libevent_free: release ptr-libevent@0x55d13d2800e8 Aug 26 13:23:50.544926: | free_event_entry: release EVENT_NULL-pe@0x55d13d28bd88 Aug 26 13:23:50.544929: | add_fd_read_event_handler: new ethX-pe@0x55d13d28bd88 Aug 26 13:23:50.544931: | libevent_malloc: new ptr-libevent@0x55d13d2800e8 size 128 Aug 26 13:23:50.544936: | setup callback for interface lo 127.0.0.1:4500 fd 22 Aug 26 13:23:50.544939: | libevent_free: release ptr-libevent@0x55d13d214e68 Aug 26 13:23:50.544941: | free_event_entry: release EVENT_NULL-pe@0x55d13d28be38 Aug 26 13:23:50.544943: | add_fd_read_event_handler: new ethX-pe@0x55d13d28be38 Aug 26 
13:23:50.544944: | libevent_malloc: new ptr-libevent@0x55d13d214e68 size 128 Aug 26 13:23:50.544948: | setup callback for interface lo 127.0.0.1:500 fd 21 Aug 26 13:23:50.544950: | libevent_free: release ptr-libevent@0x55d13d215f08 Aug 26 13:23:50.544952: | free_event_entry: release EVENT_NULL-pe@0x55d13d28bee8 Aug 26 13:23:50.544954: | add_fd_read_event_handler: new ethX-pe@0x55d13d28bee8 Aug 26 13:23:50.544956: | libevent_malloc: new ptr-libevent@0x55d13d215f08 size 128 Aug 26 13:23:50.544959: | setup callback for interface eth0 192.0.2.254:4500 fd 20 Aug 26 13:23:50.544961: | libevent_free: release ptr-libevent@0x55d13d216a48 Aug 26 13:23:50.544963: | free_event_entry: release EVENT_NULL-pe@0x55d13d28bf98 Aug 26 13:23:50.544965: | add_fd_read_event_handler: new ethX-pe@0x55d13d28bf98 Aug 26 13:23:50.544967: | libevent_malloc: new ptr-libevent@0x55d13d216a48 size 128 Aug 26 13:23:50.544969: | setup callback for interface eth0 192.0.2.254:500 fd 19 Aug 26 13:23:50.544972: | libevent_free: release ptr-libevent@0x55d13d1ea4e8 Aug 26 13:23:50.544974: | free_event_entry: release EVENT_NULL-pe@0x55d13d28c048 Aug 26 13:23:50.544975: | add_fd_read_event_handler: new ethX-pe@0x55d13d28c048 Aug 26 13:23:50.544977: | libevent_malloc: new ptr-libevent@0x55d13d1ea4e8 size 128 Aug 26 13:23:50.544980: | setup callback for interface eth1 192.1.2.23:4500 fd 18 Aug 26 13:23:50.544983: | libevent_free: release ptr-libevent@0x55d13d1ea1d8 Aug 26 13:23:50.544985: | free_event_entry: release EVENT_NULL-pe@0x55d13d28c0f8 Aug 26 13:23:50.544986: | add_fd_read_event_handler: new ethX-pe@0x55d13d28c0f8 Aug 26 13:23:50.544988: | libevent_malloc: new ptr-libevent@0x55d13d1ea1d8 size 128 Aug 26 13:23:50.544991: | setup callback for interface eth1 192.1.2.23:500 fd 17 Aug 26 13:23:50.544994: | certs and keys locked by 'free_preshared_secrets' Aug 26 13:23:50.544995: forgetting secrets Aug 26 13:23:50.545003: | certs and keys unlocked by 'free_preshared_secrets' Aug 26 13:23:50.545019: loading 
secrets from "/etc/ipsec.secrets" Aug 26 13:23:50.545027: | id type added to secret(0x55d13d1e5b58) PKK_PSK: @west Aug 26 13:23:50.545031: | id type added to secret(0x55d13d1e5b58) PKK_PSK: @east Aug 26 13:23:50.545035: | Processing PSK at line 1: passed Aug 26 13:23:50.545036: | certs and keys locked by 'process_secret' Aug 26 13:23:50.545038: | certs and keys unlocked by 'process_secret' Aug 26 13:23:50.545046: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 13:23:50.545053: | spent 0.286 milliseconds in whack Aug 26 13:23:50.545444: | processing signal PLUTO_SIGCHLD Aug 26 13:23:50.545456: | waitpid returned pid 22405 (exited with status 0) Aug 26 13:23:50.545459: | reaped addconn helper child (status 0) Aug 26 13:23:50.545462: | waitpid returned ECHILD (no child processes left) Aug 26 13:23:50.545465: | spent 0.0128 milliseconds in signal handler PLUTO_SIGCHLD Aug 26 13:23:50.615881: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 13:23:50.615909: | FOR_EACH_CONNECTION_... in conn_by_name Aug 26 13:23:50.615913: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias Aug 26 13:23:50.615915: | FOR_EACH_CONNECTION_... in conn_by_name Aug 26 13:23:50.615917: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias Aug 26 13:23:50.615922: | FOR_EACH_CONNECTION_... 
in conn_by_name Aug 26 13:23:50.615929: | Added new connection east with policy PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO Aug 26 13:23:50.615985: | ike (phase1) algorithm values: AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 Aug 26 13:23:50.615989: | from whack: got --esp= Aug 26 13:23:50.616020: | ESP/AH string values: AES_GCM_16_256-NONE, AES_GCM_16_128-NONE, AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128, AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128 Aug 26 13:23:50.616024: | counting wild cards for @west is 0 Aug 26 13:23:50.616027: | counting wild cards for @east is 0 Aug 26 13:23:50.616037: | connect_to_host_pair: 192.1.2.23:500 192.1.2.45:500 -> hp@(nil): none Aug 26 13:23:50.616040: | new hp@0x55d13d28e5b8 Aug 26 13:23:50.616043: added connection description "east" Aug 26 13:23:50.616054: | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 5s; rekey_fuzz: 0%; keyingtries: 0; replay_window: 32; policy: PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO Aug 26 13:23:50.616064: | 192.0.2.0/24===192.1.2.23<192.1.2.23>[@east]...192.1.2.45<192.1.2.45>[@west]===192.0.1.0/24 Aug 26 13:23:50.616071: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 13:23:50.616078: | spent 0.208 milliseconds in whack Aug 26 13:23:50.616170: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 13:23:50.616182: add keyid @west Aug 26 13:23:50.616264: | computed rsa CKAID b4 9f 1a ac 9e 45 6e 79 29 c8 81 97 3a 0c 6a d3 Aug 26 13:23:50.616267: | computed rsa CKAID 7f 0f 03 50 Aug 26 13:23:50.616279: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 13:23:50.616284: | spent 0.119 milliseconds in whack Aug 26 13:23:50.616361: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 13:23:50.616381: add keyid @east Aug 26 13:23:50.616440: | computed rsa CKAID 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1 Aug 26 13:23:50.616443: | computed rsa CKAID 8a 82 25 f1 Aug 26 13:23:50.616454: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 13:23:50.616459: | spent 0.106 milliseconds in whack Aug 26 13:23:51.828507: | spent 0.00254 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Aug 26 13:23:51.828535: | *received 828 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500)
Aug 26 13:23:51.828620: | start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) Aug 26 13:23:51.828623: | **parse ISAKMP Message: Aug 26 13:23:51.828625: | initiator cookie: Aug 26 13:23:51.828626: | e5 90 57 9b 11 72 98 0f Aug 26 13:23:51.828628: | responder cookie: Aug 26 13:23:51.828629: | 00 00 00 00 00 00 00 00 Aug 26 13:23:51.828631: | next payload type:
ISAKMP_NEXT_v2SA (0x21) Aug 26 13:23:51.828633: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:23:51.828635: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) Aug 26 13:23:51.828636: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Aug 26 13:23:51.828638: | Message ID: 0 (0x0) Aug 26 13:23:51.828640: | length: 828 (0x33c) Aug 26 13:23:51.828642: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_SA_INIT (34) Aug 26 13:23:51.828644: | I am the IKE SA Original Responder receiving an IKEv2 IKE_SA_INIT request Aug 26 13:23:51.828646: | State DB: IKEv2 state not found (find_v2_ike_sa_by_initiator_spi) Aug 26 13:23:51.828652: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Aug 26 13:23:51.828654: | ***parse IKEv2 Security Association Payload: Aug 26 13:23:51.828656: | next payload type: ISAKMP_NEXT_v2KE (0x22) Aug 26 13:23:51.828657: | flags: none (0x0) Aug 26 13:23:51.828659: | length: 436 (0x1b4) Aug 26 13:23:51.828661: | processing payload: ISAKMP_NEXT_v2SA (len=432) Aug 26 13:23:51.828662: | Now let's proceed with payload (ISAKMP_NEXT_v2KE) Aug 26 13:23:51.828664: | ***parse IKEv2 Key Exchange Payload: Aug 26 13:23:51.828666: | next payload type: ISAKMP_NEXT_v2Ni (0x28) Aug 26 13:23:51.828667: | flags: none (0x0) Aug 26 13:23:51.828669: | length: 264 (0x108) Aug 26 13:23:51.828671: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:23:51.828672: | processing payload: ISAKMP_NEXT_v2KE (len=256) Aug 26 13:23:51.828674: | Now let's proceed with payload (ISAKMP_NEXT_v2Ni) Aug 26 13:23:51.828675: | ***parse IKEv2 Nonce Payload: Aug 26 13:23:51.828677: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 13:23:51.828678: | flags: none (0x0) Aug 26 13:23:51.828680: | length: 36 (0x24) Aug 26 13:23:51.828681: | processing payload: ISAKMP_NEXT_v2Ni (len=32) Aug 26 13:23:51.828683: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Aug 26 13:23:51.828685: | ***parse IKEv2 Notify Payload: Aug 26 13:23:51.828688: | next payload type: ISAKMP_NEXT_v2N 
(0x29) Aug 26 13:23:51.828689: | flags: none (0x0) Aug 26 13:23:51.828691: | length: 8 (0x8) Aug 26 13:23:51.828692: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:23:51.828694: | SPI size: 0 (0x0) Aug 26 13:23:51.828696: | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) Aug 26 13:23:51.828698: | processing payload: ISAKMP_NEXT_v2N (len=0) Aug 26 13:23:51.828699: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Aug 26 13:23:51.828701: | ***parse IKEv2 Notify Payload: Aug 26 13:23:51.828702: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 13:23:51.828704: | flags: none (0x0) Aug 26 13:23:51.828705: | length: 28 (0x1c) Aug 26 13:23:51.828707: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:23:51.828709: | SPI size: 0 (0x0) Aug 26 13:23:51.828710: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Aug 26 13:23:51.828712: | processing payload: ISAKMP_NEXT_v2N (len=20) Aug 26 13:23:51.828713: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Aug 26 13:23:51.828715: | ***parse IKEv2 Notify Payload: Aug 26 13:23:51.828716: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:23:51.828718: | flags: none (0x0) Aug 26 13:23:51.828719: | length: 28 (0x1c) Aug 26 13:23:51.828721: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:23:51.828722: | SPI size: 0 (0x0) Aug 26 13:23:51.828724: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Aug 26 13:23:51.828726: | processing payload: ISAKMP_NEXT_v2N (len=20) Aug 26 13:23:51.828727: | DDOS disabled and no cookie sent, continuing Aug 26 13:23:51.828731: | find_host_connection local=192.1.2.23:500 remote=192.1.2.45:500 policy=ECDSA+IKEV2_ALLOW but ignoring ports Aug 26 13:23:51.828734: | find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500 but ignoring ports Aug 26 13:23:51.828736: | find_next_host_connection policy=ECDSA+IKEV2_ALLOW Aug 26 13:23:51.828739: | found policy = PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (east) Aug 26 13:23:51.828741: | 
find_next_host_connection returns empty Aug 26 13:23:51.828743: | find_host_connection local=192.1.2.23:500 remote= policy=ECDSA+IKEV2_ALLOW but ignoring ports Aug 26 13:23:51.828745: | find_next_host_connection policy=ECDSA+IKEV2_ALLOW Aug 26 13:23:51.828747: | find_next_host_connection returns empty Aug 26 13:23:51.828749: | initial parent SA message received on 192.1.2.23:500 but no connection has been authorized with policy ECDSA+IKEV2_ALLOW Aug 26 13:23:51.828752: | find_host_connection local=192.1.2.23:500 remote=192.1.2.45:500 policy=RSASIG+IKEV2_ALLOW but ignoring ports Aug 26 13:23:51.828755: | find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500 but ignoring ports Aug 26 13:23:51.828756: | find_next_host_connection policy=RSASIG+IKEV2_ALLOW Aug 26 13:23:51.828758: | found policy = PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (east) Aug 26 13:23:51.828760: | find_next_host_connection returns empty Aug 26 13:23:51.828762: | find_host_connection local=192.1.2.23:500 remote= policy=RSASIG+IKEV2_ALLOW but ignoring ports Aug 26 13:23:51.828764: | find_next_host_connection policy=RSASIG+IKEV2_ALLOW Aug 26 13:23:51.828766: | find_next_host_connection returns empty Aug 26 13:23:51.828768: | initial parent SA message received on 192.1.2.23:500 but no connection has been authorized with policy RSASIG+IKEV2_ALLOW Aug 26 13:23:51.828770: | find_host_connection local=192.1.2.23:500 remote=192.1.2.45:500 policy=PSK+IKEV2_ALLOW but ignoring ports Aug 26 13:23:51.828773: | find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500 but ignoring ports Aug 26 13:23:51.828775: | find_next_host_connection policy=PSK+IKEV2_ALLOW Aug 26 13:23:51.828777: | found policy = PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (east) Aug 26 13:23:51.828778: | find_next_host_connection returns east Aug 26 13:23:51.828780: | find_next_host_connection policy=PSK+IKEV2_ALLOW Aug 26 13:23:51.828783: | find_next_host_connection returns empty 
Aug 26 13:23:51.828785: | found connection: east with policy PSK+IKEV2_ALLOW Aug 26 13:23:51.828800: | creating state object #1 at 0x55d13d2907d8 Aug 26 13:23:51.828802: | State DB: adding IKEv2 state #1 in UNDEFINED Aug 26 13:23:51.828808: | pstats #1 ikev2.ike started Aug 26 13:23:51.828810: | Message ID: init #1: msgid=0 lastack=4294967295 nextuse=0 lastrecv=4294967295 lastreplied=0 Aug 26 13:23:51.828813: | parent state #1: UNDEFINED(ignore) => PARENT_R0(half-open IKE SA) Aug 26 13:23:51.828816: | Message ID: init_ike #1; ike: initiator.sent=0->-1 initiator.recv=0->-1 responder.sent=0->-1 responder.recv=0->-1 wip.initiator=0->-1 wip.responder=0->-1 Aug 26 13:23:51.828822: | start processing: state #1 connection "east" from 192.1.2.45 (in ikev2_process_packet() at ikev2.c:2016) Aug 26 13:23:51.828824: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Aug 26 13:23:51.828827: | [RE]START processing: state #1 connection "east" from 192.1.2.45 (in ike_process_packet() at ikev2.c:2064) Aug 26 13:23:51.828829: | #1 st.st_msgid_lastrecv -1 md.hdr.isa_msgid 00000000 Aug 26 13:23:51.828831: | Message ID: #1 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1 Aug 26 13:23:51.828834: | Message ID: start-responder #1 request 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1 wip.initiator=-1 wip.responder=-1->0 Aug 26 13:23:51.828836: | #1 in state PARENT_R0: processing SA_INIT request Aug 26 13:23:51.828838: | selected state microcode Respond to IKE_SA_INIT Aug 26 13:23:51.828840: | Now let's proceed with state specific processing Aug 26 13:23:51.828841: | calling processor Respond to IKE_SA_INIT Aug 26 13:23:51.828845: | #1 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2669) Aug 26 13:23:51.828847: | constructing local IKE proposals for east (IKE SA responder matching remote proposals) Aug 26 
13:23:51.828852: | converting ike_info AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Aug 26 13:23:51.828857: | ... ikev2_proposal: 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Aug 26 13:23:51.828860: | converting ike_info AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Aug 26 13:23:51.828863: | ... ikev2_proposal: 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Aug 26 13:23:51.828866: | converting ike_info AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Aug 26 13:23:51.828869: | ... ikev2_proposal: 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Aug 26 13:23:51.828871: | converting ike_info AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Aug 26 13:23:51.828875: | ... 
ikev2_proposal: 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Aug 26 13:23:51.828880: "east": constructed local IKE proposals for east (IKE SA responder matching remote proposals): 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Aug 26 13:23:51.828884: | Comparing remote proposals against IKE responder 4 local proposals Aug 26 13:23:51.828887: | local proposal 1 type ENCR has 1 transforms Aug 26 13:23:51.828889: | local proposal 1 type PRF has 2 transforms Aug 26 13:23:51.828890: | local proposal 1 type INTEG has 1 transforms Aug 26 13:23:51.828892: | local proposal 1 type DH has 8 transforms Aug 26 13:23:51.828894: | local proposal 1 type ESN has 0 transforms Aug 26 13:23:51.828896: | local proposal 1 transforms: required: ENCR+PRF+DH; optional: INTEG Aug 26 13:23:51.828898: | local proposal 2 type ENCR has 1 transforms Aug 26 13:23:51.828899: | local proposal 2 type PRF has 2 transforms Aug 26 13:23:51.828901: | local proposal 2 type INTEG has 1 transforms Aug 26 13:23:51.828902: | local proposal 2 type DH has 8 transforms Aug 26 13:23:51.828904: | local proposal 2 type ESN has 0 transforms Aug 26 13:23:51.828906: | local proposal 2 transforms: required: ENCR+PRF+DH; optional: INTEG Aug 26 13:23:51.828907: | local proposal 3 type ENCR has 1 transforms Aug 26 
13:23:51.828909: | local proposal 3 type PRF has 2 transforms Aug 26 13:23:51.828911: | local proposal 3 type INTEG has 2 transforms Aug 26 13:23:51.828912: | local proposal 3 type DH has 8 transforms Aug 26 13:23:51.828914: | local proposal 3 type ESN has 0 transforms Aug 26 13:23:51.828916: | local proposal 3 transforms: required: ENCR+PRF+INTEG+DH; optional: none Aug 26 13:23:51.828917: | local proposal 4 type ENCR has 1 transforms Aug 26 13:23:51.828919: | local proposal 4 type PRF has 2 transforms Aug 26 13:23:51.828921: | local proposal 4 type INTEG has 2 transforms Aug 26 13:23:51.828922: | local proposal 4 type DH has 8 transforms Aug 26 13:23:51.828924: | local proposal 4 type ESN has 0 transforms Aug 26 13:23:51.828926: | local proposal 4 transforms: required: ENCR+PRF+INTEG+DH; optional: none Aug 26 13:23:51.828928: | ****parse IKEv2 Proposal Substructure Payload: Aug 26 13:23:51.828929: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 13:23:51.828931: | length: 100 (0x64) Aug 26 13:23:51.828933: | prop #: 1 (0x1) Aug 26 13:23:51.828934: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 13:23:51.828936: | spi size: 0 (0x0) Aug 26 13:23:51.828938: | # transforms: 11 (0xb) Aug 26 13:23:51.828940: | Comparing remote proposal 1 containing 11 transforms against local proposal [1..4] of 4 local proposals Aug 26 13:23:51.828942: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:51.828944: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:51.828945: | length: 12 (0xc) Aug 26 13:23:51.828947: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:23:51.828949: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 13:23:51.828951: | ******parse IKEv2 Attribute Substructure Payload: Aug 26 13:23:51.828952: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:23:51.828954: | length/value: 256 (0x100) Aug 26 13:23:51.828957: | remote proposal 1 transform 0 (ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) transform 0 Aug 26 13:23:51.828959: | 
*****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:51.828960: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:51.828962: | length: 8 (0x8) Aug 26 13:23:51.828963: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:23:51.828965: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Aug 26 13:23:51.828967: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 1 type 2 (PRF) transform 0 Aug 26 13:23:51.828969: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 2 type 2 (PRF) transform 0 Aug 26 13:23:51.828971: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 3 type 2 (PRF) transform 0 Aug 26 13:23:51.828973: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 4 type 2 (PRF) transform 0 Aug 26 13:23:51.828975: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:51.828977: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:51.828979: | length: 8 (0x8) Aug 26 13:23:51.828981: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:23:51.828982: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Aug 26 13:23:51.828984: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:51.828986: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:51.828987: | length: 8 (0x8) Aug 26 13:23:51.828989: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:51.828990: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:23:51.828993: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 1 type 4 (DH) transform 0 Aug 26 13:23:51.828995: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 2 type 4 (DH) transform 0 Aug 26 13:23:51.828996: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 3 type 4 (DH) transform 0 Aug 26 13:23:51.828998: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 4 type 4 (DH) transform 0 Aug 26 13:23:51.829000: | *****parse IKEv2 Transform 
Substructure Payload: Aug 26 13:23:51.829002: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:51.829003: | length: 8 (0x8) Aug 26 13:23:51.829005: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:51.829006: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Aug 26 13:23:51.829008: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:51.829010: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:51.829011: | length: 8 (0x8) Aug 26 13:23:51.829013: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:51.829014: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Aug 26 13:23:51.829016: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:51.829018: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:51.829019: | length: 8 (0x8) Aug 26 13:23:51.829021: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:51.829022: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Aug 26 13:23:51.829024: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:51.829026: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:51.829027: | length: 8 (0x8) Aug 26 13:23:51.829029: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:51.829030: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Aug 26 13:23:51.829032: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:51.829034: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:51.829035: | length: 8 (0x8) Aug 26 13:23:51.829037: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:51.829038: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Aug 26 13:23:51.829040: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:51.829042: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:51.829043: | length: 8 (0x8) Aug 26 13:23:51.829045: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:51.829046: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Aug 26 13:23:51.829048: | *****parse IKEv2 Transform Substructure Payload: 
Aug 26 13:23:51.829050: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:23:51.829051: | length: 8 (0x8) Aug 26 13:23:51.829053: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:51.829054: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Aug 26 13:23:51.829057: | remote proposal 1 proposed transforms: ENCR+PRF+DH; matched: ENCR+PRF+DH; unmatched: none Aug 26 13:23:51.829059: | comparing remote proposal 1 containing ENCR+PRF+DH transforms to local proposal 1; required: ENCR+PRF+DH; optional: INTEG; matched: ENCR+PRF+DH Aug 26 13:23:51.829061: | remote proposal 1 matches local proposal 1 Aug 26 13:23:51.829063: | ****parse IKEv2 Proposal Substructure Payload: Aug 26 13:23:51.829065: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 13:23:51.829066: | length: 100 (0x64) Aug 26 13:23:51.829068: | prop #: 2 (0x2) Aug 26 13:23:51.829069: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 13:23:51.829073: | spi size: 0 (0x0) Aug 26 13:23:51.829075: | # transforms: 11 (0xb) Aug 26 13:23:51.829077: | Comparing remote proposal 2 containing 11 transforms against local proposal [1..0] of 4 local proposals Aug 26 13:23:51.829078: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:51.829080: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:51.829082: | length: 12 (0xc) Aug 26 13:23:51.829083: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:23:51.829085: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 13:23:51.829086: | ******parse IKEv2 Attribute Substructure Payload: Aug 26 13:23:51.829088: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:23:51.829090: | length/value: 128 (0x80) Aug 26 13:23:51.829091: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:51.829093: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:51.829095: | length: 8 (0x8) Aug 26 13:23:51.829096: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:23:51.829098: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Aug 26 13:23:51.829099: | *****parse 
IKEv2 Transform Substructure Payload: Aug 26 13:23:51.829101: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:51.829102: | length: 8 (0x8) Aug 26 13:23:51.829104: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:23:51.829106: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Aug 26 13:23:51.829107: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:51.829109: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:51.829110: | length: 8 (0x8) Aug 26 13:23:51.829112: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:51.829114: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:23:51.829115: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:51.829117: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:51.829118: | length: 8 (0x8) Aug 26 13:23:51.829120: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:51.829121: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Aug 26 13:23:51.829123: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:51.829125: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:51.829126: | length: 8 (0x8) Aug 26 13:23:51.829128: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:51.829129: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Aug 26 13:23:51.829131: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:51.829133: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:51.829134: | length: 8 (0x8) Aug 26 13:23:51.829136: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:51.829137: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Aug 26 13:23:51.829139: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:51.829141: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:51.829142: | length: 8 (0x8) Aug 26 13:23:51.829144: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:51.829145: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Aug 26 13:23:51.829147: | *****parse IKEv2 Transform 
Substructure Payload: Aug 26 13:23:51.829148: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:51.829150: | length: 8 (0x8) Aug 26 13:23:51.829152: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:51.829153: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Aug 26 13:23:51.829155: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:51.829156: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:51.829158: | length: 8 (0x8) Aug 26 13:23:51.829159: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:51.829161: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Aug 26 13:23:51.829163: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:51.829164: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:23:51.829166: | length: 8 (0x8) Aug 26 13:23:51.829167: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:51.829170: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Aug 26 13:23:51.829172: | remote proposal 2 proposed transforms: ENCR+PRF+DH; matched: none; unmatched: ENCR+PRF+DH Aug 26 13:23:51.829174: | remote proposal 2 does not match; unmatched remote transforms: ENCR+PRF+DH Aug 26 13:23:51.829176: | ****parse IKEv2 Proposal Substructure Payload: Aug 26 13:23:51.829177: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 13:23:51.829179: | length: 116 (0x74) Aug 26 13:23:51.829180: | prop #: 3 (0x3) Aug 26 13:23:51.829182: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 13:23:51.829183: | spi size: 0 (0x0) Aug 26 13:23:51.829185: | # transforms: 13 (0xd) Aug 26 13:23:51.829187: | Comparing remote proposal 3 containing 13 transforms against local proposal [1..0] of 4 local proposals Aug 26 13:23:51.829189: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:51.829190: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:51.829192: | length: 12 (0xc) Aug 26 13:23:51.829193: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:23:51.829195: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 
13:23:51.829197: | ******parse IKEv2 Attribute Substructure Payload: Aug 26 13:23:51.829198: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:23:51.829200: | length/value: 256 (0x100) Aug 26 13:23:51.829202: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:51.829203: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:51.829205: | length: 8 (0x8) Aug 26 13:23:51.829206: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:23:51.829208: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Aug 26 13:23:51.829210: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:51.829211: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:51.829213: | length: 8 (0x8) Aug 26 13:23:51.829214: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:23:51.829216: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Aug 26 13:23:51.829217: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:51.829219: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:51.829220: | length: 8 (0x8) Aug 26 13:23:51.829222: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:23:51.829224: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Aug 26 13:23:51.829225: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:51.829227: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:51.829228: | length: 8 (0x8) Aug 26 13:23:51.829230: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:23:51.829232: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Aug 26 13:23:51.829233: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:51.829235: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:51.829236: | length: 8 (0x8) Aug 26 13:23:51.829238: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:51.829240: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:23:51.829241: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:51.829243: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 
13:23:51.829244: | length: 8 (0x8) Aug 26 13:23:51.829246: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:51.829248: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Aug 26 13:23:51.829249: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:51.829251: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:51.829252: | length: 8 (0x8) Aug 26 13:23:51.829254: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:51.829256: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Aug 26 13:23:51.829257: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:51.829259: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:51.829260: | length: 8 (0x8) Aug 26 13:23:51.829262: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:51.829263: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Aug 26 13:23:51.829266: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:51.829267: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:51.829269: | length: 8 (0x8) Aug 26 13:23:51.829271: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:51.829272: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Aug 26 13:23:51.829274: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:51.829275: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:51.829277: | length: 8 (0x8) Aug 26 13:23:51.829278: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:51.829280: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Aug 26 13:23:51.829282: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:51.829283: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:51.829285: | length: 8 (0x8) Aug 26 13:23:51.829286: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:51.829297: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Aug 26 13:23:51.829300: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:51.829301: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:23:51.829303: | length: 
8 (0x8) Aug 26 13:23:51.829304: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:51.829306: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Aug 26 13:23:51.829329: | remote proposal 3 proposed transforms: ENCR+PRF+INTEG+DH; matched: none; unmatched: ENCR+PRF+INTEG+DH Aug 26 13:23:51.829331: | remote proposal 3 does not match; unmatched remote transforms: ENCR+PRF+INTEG+DH Aug 26 13:23:51.829334: | ****parse IKEv2 Proposal Substructure Payload: Aug 26 13:23:51.829336: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 13:23:51.829337: | length: 116 (0x74) Aug 26 13:23:51.829339: | prop #: 4 (0x4) Aug 26 13:23:51.829340: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 13:23:51.829342: | spi size: 0 (0x0) Aug 26 13:23:51.829343: | # transforms: 13 (0xd) Aug 26 13:23:51.829345: | Comparing remote proposal 4 containing 13 transforms against local proposal [1..0] of 4 local proposals Aug 26 13:23:51.829347: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:51.829349: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:51.829350: | length: 12 (0xc) Aug 26 13:23:51.829352: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:23:51.829353: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 13:23:51.829355: | ******parse IKEv2 Attribute Substructure Payload: Aug 26 13:23:51.829369: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:23:51.829371: | length/value: 128 (0x80) Aug 26 13:23:51.829373: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:51.829374: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:51.829376: | length: 8 (0x8) Aug 26 13:23:51.829377: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:23:51.829379: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Aug 26 13:23:51.829381: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:51.829382: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:51.829384: | length: 8 (0x8) Aug 26 13:23:51.829385: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 
13:23:51.829387: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Aug 26 13:23:51.829389: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:51.829390: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:51.829392: | length: 8 (0x8) Aug 26 13:23:51.829393: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:23:51.829395: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Aug 26 13:23:51.829396: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:51.829398: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:51.829399: | length: 8 (0x8) Aug 26 13:23:51.829401: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:23:51.829403: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Aug 26 13:23:51.829404: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:51.829407: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:51.829408: | length: 8 (0x8) Aug 26 13:23:51.829410: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:51.829412: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:23:51.829413: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:51.829415: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:51.829416: | length: 8 (0x8) Aug 26 13:23:51.829418: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:51.829419: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Aug 26 13:23:51.829421: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:51.829423: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:51.829424: | length: 8 (0x8) Aug 26 13:23:51.829426: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:51.829427: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Aug 26 13:23:51.829429: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:51.829430: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:51.829432: | length: 8 (0x8) Aug 26 13:23:51.829433: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:51.829435: | 
IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Aug 26 13:23:51.829437: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:51.829438: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:51.829440: | length: 8 (0x8) Aug 26 13:23:51.829441: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:51.829443: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Aug 26 13:23:51.829444: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:51.829446: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:51.829447: | length: 8 (0x8) Aug 26 13:23:51.829449: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:51.829451: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Aug 26 13:23:51.829452: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:51.829454: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:51.829455: | length: 8 (0x8) Aug 26 13:23:51.829457: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:51.829458: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Aug 26 13:23:51.829460: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:51.829462: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:23:51.829463: | length: 8 (0x8) Aug 26 13:23:51.829465: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:51.829466: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Aug 26 13:23:51.829468: | remote proposal 4 proposed transforms: ENCR+PRF+INTEG+DH; matched: none; unmatched: ENCR+PRF+INTEG+DH Aug 26 13:23:51.829470: | remote proposal 4 does not match; unmatched remote transforms: ENCR+PRF+INTEG+DH Aug 26 13:23:51.829473: "east" #1: proposal 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519[first-match] 
2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 Aug 26 13:23:51.829476: | accepted IKE proposal ikev2_proposal: 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048 Aug 26 13:23:51.829478: | converting proposal to internal trans attrs Aug 26 13:23:51.829480: | natd_hash: rcookie is zero Aug 26 13:23:51.829486: | natd_hash: hasher=0x55d13b6f0800(20) Aug 26 13:23:51.829488: | natd_hash: icookie= e5 90 57 9b 11 72 98 0f Aug 26 13:23:51.829491: | natd_hash: rcookie= 00 00 00 00 00 00 00 00 Aug 26 13:23:51.829492: | natd_hash: ip= c0 01 02 17 Aug 26 13:23:51.829494: | natd_hash: port=500 Aug 26 13:23:51.829495: | natd_hash: hash= 5a be 0e 8a 88 4e bb 18 1a 57 39 a5 1a f2 53 aa Aug 26 13:23:51.829497: | natd_hash: hash= 88 ee bd 80 Aug 26 13:23:51.829498: | natd_hash: rcookie is zero Aug 26 13:23:51.829502: | natd_hash: hasher=0x55d13b6f0800(20) Aug 26 13:23:51.829504: | natd_hash: icookie= e5 90 57 9b 11 72 98 0f Aug 26 13:23:51.829505: | natd_hash: rcookie= 00 00 00 00 00 00 00 00 Aug 26 13:23:51.829507: | natd_hash: ip= c0 01 02 2d Aug 26 13:23:51.829508: | natd_hash: port=500 Aug 26 13:23:51.829510: | natd_hash: hash= 43 4f 34 1e eb a7 9a 73 b9 c9 d1 ae 3f 19 d0 bd Aug 26 13:23:51.829511: | natd_hash: hash= 29 c2 25 cc Aug 26 13:23:51.829513: | NAT_TRAVERSAL encaps using auto-detect Aug 26 13:23:51.829514: | NAT_TRAVERSAL this end is NOT behind NAT Aug 26 13:23:51.829516: | NAT_TRAVERSAL that end is NOT behind NAT Aug 26 13:23:51.829518: | NAT_TRAVERSAL 
nat-keepalive enabled 192.1.2.45 Aug 26 13:23:51.829523: | adding ikev2_inI1outR1 KE work-order 1 for state #1 Aug 26 13:23:51.829525: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55d13d28e698 Aug 26 13:23:51.829528: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 Aug 26 13:23:51.829530: | libevent_malloc: new ptr-libevent@0x55d13d2928d8 size 128 Aug 26 13:23:51.829538: | #1 spent 0.685 milliseconds in processing: Respond to IKE_SA_INIT in ikev2_process_state_packet() Aug 26 13:23:51.829542: | [RE]START processing: state #1 connection "east" from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:23:51.829545: | #1 complete_v2_state_transition() PARENT_R0->PARENT_R1 with status STF_SUSPEND Aug 26 13:23:51.829546: | suspending state #1 and saving MD Aug 26 13:23:51.829548: | #1 is busy; has a suspended MD Aug 26 13:23:51.829551: | [RE]START processing: state #1 connection "east" from 192.1.2.45:500 (in log_stf_suspend() at ikev2.c:3269) Aug 26 13:23:51.829553: | "east" #1 complete v2 state STATE_PARENT_R0 transition with STF_SUSPEND suspended from complete_v2_state_transition:3451 Aug 26 13:23:51.829556: | stop processing: state #1 connection "east" from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:2018) Aug 26 13:23:51.829559: | #1 spent 1.03 milliseconds in ikev2_process_packet() Aug 26 13:23:51.829561: | stop processing: from 192.1.2.45:500 (in process_md() at demux.c:380) Aug 26 13:23:51.829563: | processing: STOP state #0 (in process_md() at demux.c:382) Aug 26 13:23:51.829565: | processing: STOP connection NULL (in process_md() at demux.c:383) Aug 26 13:23:51.829568: | spent 1.04 milliseconds in comm_handle_cb() reading and processing packet Aug 26 13:23:51.829571: | crypto helper 1 resuming Aug 26 13:23:51.829581: | crypto helper 1 starting work-order 1 for state #1 Aug 26 13:23:51.829585: | crypto helper 1 doing build KE and nonce (ikev2_inI1outR1 KE); request ID 1 Aug 26 13:23:51.830137: | crypto 
helper 1 finished build KE and nonce (ikev2_inI1outR1 KE); request ID 1 time elapsed 0.000552 seconds Aug 26 13:23:51.830143: | (#1) spent 0.557 milliseconds in crypto helper computing work-order 1: ikev2_inI1outR1 KE (pcr) Aug 26 13:23:51.830145: | crypto helper 1 sending results from work-order 1 for state #1 to event queue Aug 26 13:23:51.830147: | scheduling resume sending helper answer for #1 Aug 26 13:23:51.830149: | libevent_malloc: new ptr-libevent@0x7f51c4002888 size 128 Aug 26 13:23:51.830155: | crypto helper 1 waiting (nothing to do) Aug 26 13:23:51.830191: | processing resume sending helper answer for #1 Aug 26 13:23:51.830201: | start processing: state #1 connection "east" from 192.1.2.45:500 (in resume_handler() at server.c:797) Aug 26 13:23:51.830204: | crypto helper 1 replies to request ID 1 Aug 26 13:23:51.830206: | calling continuation function 0x55d13b61bb50 Aug 26 13:23:51.830208: | ikev2_parent_inI1outR1_continue for #1: calculated ke+nonce, sending R1 Aug 26 13:23:51.830234: | **emit ISAKMP Message: Aug 26 13:23:51.830237: | initiator cookie: Aug 26 13:23:51.830238: | e5 90 57 9b 11 72 98 0f Aug 26 13:23:51.830240: | responder cookie: Aug 26 13:23:51.830241: | dd 36 51 29 02 6c db 8e Aug 26 13:23:51.830243: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 13:23:51.830245: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:23:51.830247: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) Aug 26 13:23:51.830248: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Aug 26 13:23:51.830250: | Message ID: 0 (0x0) Aug 26 13:23:51.830252: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 13:23:51.830254: | Emitting ikev2_proposal ... 
Aug 26 13:23:51.830256: | ***emit IKEv2 Security Association Payload: Aug 26 13:23:51.830257: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:23:51.830259: | flags: none (0x0) Aug 26 13:23:51.830261: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Aug 26 13:23:51.830263: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Aug 26 13:23:51.830265: | ****emit IKEv2 Proposal Substructure Payload: Aug 26 13:23:51.830266: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 13:23:51.830268: | prop #: 1 (0x1) Aug 26 13:23:51.830270: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 13:23:51.830271: | spi size: 0 (0x0) Aug 26 13:23:51.830273: | # transforms: 3 (0x3) Aug 26 13:23:51.830275: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Aug 26 13:23:51.830277: | *****emit IKEv2 Transform Substructure Payload: Aug 26 13:23:51.830278: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:51.830280: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:23:51.830282: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 13:23:51.830284: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:23:51.830286: | ******emit IKEv2 Attribute Substructure Payload: Aug 26 13:23:51.830291: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:23:51.830297: | length/value: 256 (0x100) Aug 26 13:23:51.830299: | emitting length of IKEv2 Transform Substructure Payload: 12 Aug 26 13:23:51.830301: | *****emit IKEv2 Transform Substructure Payload: Aug 26 13:23:51.830302: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:51.830304: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:23:51.830323: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Aug 26 13:23:51.830325: | last 
substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:51.830327: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:23:51.830329: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:23:51.830330: | *****emit IKEv2 Transform Substructure Payload: Aug 26 13:23:51.830345: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:23:51.830347: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:23:51.830348: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:23:51.830350: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:51.830352: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:23:51.830354: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:23:51.830355: | emitting length of IKEv2 Proposal Substructure Payload: 36 Aug 26 13:23:51.830357: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Aug 26 13:23:51.830360: | emitting length of IKEv2 Security Association Payload: 40 Aug 26 13:23:51.830362: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Aug 26 13:23:51.830364: | ***emit IKEv2 Key Exchange Payload: Aug 26 13:23:51.830366: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:23:51.830368: | flags: none (0x0) Aug 26 13:23:51.830369: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:23:51.830371: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Key Exchange Payload (34:ISAKMP_NEXT_v2KE) Aug 26 
13:23:51.830373: | next payload chain: saving location 'IKEv2 Key Exchange Payload'.'next payload type' in 'reply packet' Aug 26 13:23:51.830376: | emitting 256 raw bytes of ikev2 g^x into IKEv2 Key Exchange Payload Aug 26 13:23:51.830402: | emitting length of IKEv2 Key Exchange Payload: 264 Aug 26 13:23:51.830403: | ***emit IKEv2 Nonce Payload: Aug 26 13:23:51.830405: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 13:23:51.830406: | flags: none (0x0) Aug 26 13:23:51.830408: | next payload chain: ignoring supplied 'IKEv2 Nonce Payload'.'next payload type' value 41:ISAKMP_NEXT_v2N Aug 26 13:23:51.830410: | next payload chain: setting previous 
'IKEv2 Key Exchange Payload'.'next payload type' to current IKEv2 Nonce Payload (40:ISAKMP_NEXT_v2Ni) Aug 26 13:23:51.830412: | next payload chain: saving location 'IKEv2 Nonce Payload'.'next payload type' in 'reply packet' Aug 26 13:23:51.830414: | emitting 32 raw bytes of IKEv2 nonce into IKEv2 Nonce Payload Aug 26 13:23:51.830416: | IKEv2 nonce 91 53 0e ea 74 33 89 c8 20 e6 0b 45 b5 48 68 8b Aug 26 13:23:51.830417: | IKEv2 nonce 25 17 2e 48 fd 4e d3 bf 31 ca fb b3 dc ee 73 c4 Aug 26 13:23:51.830419: | emitting length of IKEv2 Nonce Payload: 36 Aug 26 13:23:51.830420: | Adding a v2N Payload Aug 26 13:23:51.830422: | ***emit IKEv2 Notify Payload: Aug 26 13:23:51.830424: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:23:51.830425: | flags: none (0x0) Aug 26 13:23:51.830427: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:23:51.830428: | SPI size: 0 (0x0) Aug 26 13:23:51.830430: | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) Aug 26 13:23:51.830432: | next payload chain: setting previous 'IKEv2 Nonce Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Aug 26 13:23:51.830434: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Aug 26 13:23:51.830436: | emitting length of IKEv2 Notify Payload: 8 Aug 26 13:23:51.830439: | NAT-Traversal support [enabled] add v2N payloads. 
Aug 26 13:23:51.830446: | natd_hash: hasher=0x55d13b6f0800(20) Aug 26 13:23:51.830448: | natd_hash: icookie= e5 90 57 9b 11 72 98 0f Aug 26 13:23:51.830450: | natd_hash: rcookie= dd 36 51 29 02 6c db 8e Aug 26 13:23:51.830451: | natd_hash: ip= c0 01 02 17 Aug 26 13:23:51.830453: | natd_hash: port=500 Aug 26 13:23:51.830455: | natd_hash: hash= ff b9 2e a7 4d 81 14 a7 d2 53 8e 4e 8a 70 15 c4 Aug 26 13:23:51.830456: | natd_hash: hash= e4 de 00 51 Aug 26 13:23:51.830458: | Adding a v2N Payload Aug 26 13:23:51.830459: | ***emit IKEv2 Notify Payload: Aug 26 13:23:51.830461: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:23:51.830462: | flags: none (0x0) Aug 26 13:23:51.830464: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:23:51.830465: | SPI size: 0 (0x0) Aug 26 13:23:51.830467: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Aug 26 13:23:51.830469: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Aug 26 13:23:51.830471: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Aug 26 13:23:51.830473: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Aug 26 13:23:51.830474: | Notify data ff b9 2e a7 4d 81 14 a7 d2 53 8e 4e 8a 70 15 c4 Aug 26 13:23:51.830476: | Notify data e4 de 00 51 Aug 26 13:23:51.830477: | emitting length of IKEv2 Notify Payload: 28 Aug 26 13:23:51.830481: | natd_hash: hasher=0x55d13b6f0800(20) Aug 26 13:23:51.830483: | natd_hash: icookie= e5 90 57 9b 11 72 98 0f Aug 26 13:23:51.830484: | natd_hash: rcookie= dd 36 51 29 02 6c db 8e Aug 26 13:23:51.830486: | natd_hash: ip= c0 01 02 2d Aug 26 13:23:51.830487: | natd_hash: port=500 Aug 26 13:23:51.830489: | natd_hash: hash= 3e e7 41 4c 99 91 04 18 8b 21 38 1f 35 38 dd 4b Aug 26 13:23:51.830491: | natd_hash: hash= 1e 2c bd 19 Aug 26 13:23:51.830492: | Adding a v2N Payload Aug 26 13:23:51.830494: | ***emit IKEv2 Notify Payload: Aug 26 
13:23:51.830495: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:23:51.830497: | flags: none (0x0) Aug 26 13:23:51.830498: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:23:51.830500: | SPI size: 0 (0x0) Aug 26 13:23:51.830501: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Aug 26 13:23:51.830503: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Aug 26 13:23:51.830505: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Aug 26 13:23:51.830507: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Aug 26 13:23:51.830508: | Notify data 3e e7 41 4c 99 91 04 18 8b 21 38 1f 35 38 dd 4b Aug 26 13:23:51.830510: | Notify data 1e 2c bd 19 Aug 26 13:23:51.830512: | emitting length of IKEv2 Notify Payload: 28 Aug 26 13:23:51.830513: | emitting length of ISAKMP Message: 432 Aug 26 13:23:51.830518: | [RE]START processing: state #1 connection "east" from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:23:51.830520: | #1 complete_v2_state_transition() PARENT_R0->PARENT_R1 with status STF_OK Aug 26 13:23:51.830522: | IKEv2: transition from state STATE_PARENT_R0 to state STATE_PARENT_R1 Aug 26 13:23:51.830524: | parent state #1: PARENT_R0(half-open IKE SA) => PARENT_R1(half-open IKE SA) Aug 26 13:23:51.830526: | Message ID: updating counters for #1 to 0 after switching state Aug 26 13:23:51.830529: | Message ID: recv #1 request 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1->0 wip.initiator=-1 wip.responder=0->-1 Aug 26 13:23:51.830532: | Message ID: sent #1 response 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1->0 responder.recv=0 wip.initiator=-1 wip.responder=-1 Aug 26 13:23:51.830535: "east" #1: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048} Aug 26 
13:23:51.830539: | sending V2 new request packet to 192.1.2.45:500 (from 192.1.2.23:500) Aug 26 13:23:51.830545: | sending 432 bytes for STATE_PARENT_R0 through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #1) Aug 26 13:23:51.830606: | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted Aug 26 13:23:51.830609: | libevent_free: release ptr-libevent@0x55d13d2928d8 Aug 26 13:23:51.830612: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55d13d28e698 Aug 26 13:23:51.830614: | event_schedule: new EVENT_SO_DISCARD-pe@0x55d13d28e698 Aug 26 13:23:51.830616: | inserting event EVENT_SO_DISCARD, timeout in 200 seconds for #1 Aug 26 13:23:51.830618: | libevent_malloc: new ptr-libevent@0x55d13d2939c8 size 128 Aug 26 13:23:51.830621: | resume sending helper answer for #1 suppresed complete_v2_state_transition() Aug 26 13:23:51.830625: | #1 spent 0.408 milliseconds in resume sending helper answer Aug 26 13:23:51.830628: | stop processing: state #1 connection "east" from 192.1.2.45:500 (in resume_handler() at server.c:833) Aug 26 13:23:51.830630: | libevent_free: release ptr-libevent@0x7f51c4002888 Aug 26 13:23:51.832692: | spent 0.00218 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Aug 26 13:23:51.832707: | *received 365 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500) Aug 26 13:23:51.832748: | start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) Aug 26 13:23:51.832750: | **parse ISAKMP Message: Aug 26 13:23:51.832752: | initiator cookie: Aug 26 13:23:51.832754: | e5 90 57 9b 11 72 98 0f Aug 26 13:23:51.832755: | responder cookie: Aug 26 13:23:51.832757: | dd 36 51 29 02 6c db 8e Aug 26 13:23:51.832758: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Aug 26 13:23:51.832760: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:23:51.832762: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Aug 26 13:23:51.832764: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Aug 26 13:23:51.832765: | Message ID: 1 (0x1) Aug 26 13:23:51.832767: | length: 365 (0x16d) Aug 26 13:23:51.832769: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) Aug 26 13:23:51.832771: | I am the IKE SA Original Responder receiving an IKEv2 IKE_AUTH request Aug 26 13:23:51.832773: | State DB: found IKEv2 state #1 in PARENT_R1 
(find_v2_ike_sa) Aug 26 13:23:51.832777: | start processing: state #1 connection "east" from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:2016) Aug 26 13:23:51.832779: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Aug 26 13:23:51.832782: | [RE]START processing: state #1 connection "east" from 192.1.2.45:500 (in ike_process_packet() at ikev2.c:2064) Aug 26 13:23:51.832784: | #1 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001 Aug 26 13:23:51.832786: | Message ID: #1 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 Aug 26 13:23:51.832788: | unpacking clear payload Aug 26 13:23:51.832789: | Now let's proceed with payload (ISAKMP_NEXT_v2SK) Aug 26 13:23:51.832791: | ***parse IKEv2 Encryption Payload: Aug 26 13:23:51.832793: | next payload type: ISAKMP_NEXT_v2IDi (0x23) Aug 26 13:23:51.832795: | flags: none (0x0) Aug 26 13:23:51.832796: | length: 337 (0x151) Aug 26 13:23:51.832798: | processing payload: ISAKMP_NEXT_v2SK (len=333) Aug 26 13:23:51.832801: | Message ID: start-responder #1 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=-1->1 Aug 26 13:23:51.832803: | #1 in state PARENT_R1: received v2I1, sent v2R1 Aug 26 13:23:51.832805: | selected state microcode Responder: process IKE_AUTH request (no SKEYSEED) Aug 26 13:23:51.832806: | Now let's proceed with state specific processing Aug 26 13:23:51.832808: | calling processor Responder: process IKE_AUTH request (no SKEYSEED) Aug 26 13:23:51.832810: | ikev2 parent inI2outR2: calculating g^{xy} in order to decrypt I2 Aug 26 13:23:51.832812: | offloading IKEv2 SKEYSEED using prf=HMAC_SHA2_512 integ=NONE cipherkey=AES_GCM_16 Aug 26 13:23:51.832815: | adding ikev2_inI2outR2 KE work-order 2 for state #1 Aug 26 13:23:51.832816: | state #1 requesting EVENT_SO_DISCARD to be deleted Aug 26 13:23:51.832820: | libevent_free: release ptr-libevent@0x55d13d2939c8 Aug 26 13:23:51.832822: 
| free_event_entry: release EVENT_SO_DISCARD-pe@0x55d13d28e698 Aug 26 13:23:51.832824: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55d13d28e698 Aug 26 13:23:51.832826: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 Aug 26 13:23:51.832828: | libevent_malloc: new ptr-libevent@0x7f51c4002888 size 128 Aug 26 13:23:51.832835: | #1 spent 0.0242 milliseconds in processing: Responder: process IKE_AUTH request (no SKEYSEED) in ikev2_process_state_packet() Aug 26 13:23:51.832839: | [RE]START processing: state #1 connection "east" from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:23:51.832841: | #1 complete_v2_state_transition() PARENT_R1->PARENT_R1 with status STF_SUSPEND Aug 26 13:23:51.832843: | suspending state #1 and saving MD Aug 26 13:23:51.832844: | #1 is busy; has a suspended MD Aug 26 13:23:51.832847: | [RE]START processing: state #1 connection "east" from 192.1.2.45:500 (in log_stf_suspend() at ikev2.c:3269) Aug 26 13:23:51.832849: | "east" #1 complete v2 state STATE_PARENT_R1 transition with STF_SUSPEND suspended from complete_v2_state_transition:3451 Aug 26 13:23:51.832852: | stop processing: state #1 connection "east" from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:2018) Aug 26 13:23:51.832855: | #1 spent 0.153 milliseconds in ikev2_process_packet() Aug 26 13:23:51.832857: | stop processing: from 192.1.2.45:500 (in process_md() at demux.c:380) Aug 26 13:23:51.832859: | processing: STOP state #0 (in process_md() at demux.c:382) Aug 26 13:23:51.832861: | processing: STOP connection NULL (in process_md() at demux.c:383) Aug 26 13:23:51.832863: | spent 0.162 milliseconds in comm_handle_cb() reading and processing packet Aug 26 13:23:51.832869: | crypto helper 0 resuming Aug 26 13:23:51.832878: | crypto helper 0 starting work-order 2 for state #1 Aug 26 13:23:51.832881: | crypto helper 0 doing compute dh (V2) (ikev2_inI2outR2 KE); request ID 2 Aug 26 13:23:51.833438: | calculating skeyseed using 
prf=sha2_512 integ=none cipherkey-size=32 salt-size=4 Aug 26 13:23:51.833700: | crypto helper 0 finished compute dh (V2) (ikev2_inI2outR2 KE); request ID 2 time elapsed 0.000818 seconds Aug 26 13:23:51.833706: | (#1) spent 0.82 milliseconds in crypto helper computing work-order 2: ikev2_inI2outR2 KE (pcr) Aug 26 13:23:51.833708: | crypto helper 0 sending results from work-order 2 for state #1 to event queue Aug 26 13:23:51.833710: | scheduling resume sending helper answer for #1 Aug 26 13:23:51.833713: | libevent_malloc: new ptr-libevent@0x7f51bc000f48 size 128 Aug 26 13:23:51.833718: | crypto helper 0 waiting (nothing to do) Aug 26 13:23:51.833752: | processing resume sending helper answer for #1 Aug 26 13:23:51.833761: | start processing: state #1 connection "east" from 192.1.2.45:500 (in resume_handler() at server.c:797) Aug 26 13:23:51.833765: | crypto helper 0 replies to request ID 2 Aug 26 13:23:51.833767: | calling continuation function 0x55d13b61bb50 Aug 26 13:23:51.833769: | ikev2_parent_inI2outR2_continue for #1: calculating g^{xy}, sending R2 Aug 26 13:23:51.833771: | #1 in state PARENT_R1: received v2I1, sent v2R1 Aug 26 13:23:51.833782: | #1 ikev2 ISAKMP_v2_IKE_AUTH decrypt success Aug 26 13:23:51.833784: | Now let's proceed with payload (ISAKMP_NEXT_v2IDi) Aug 26 13:23:51.833786: | **parse IKEv2 Identification - Initiator - Payload: Aug 26 13:23:51.833788: | next payload type: ISAKMP_NEXT_v2IDr (0x24) Aug 26 13:23:51.833790: | flags: none (0x0) Aug 26 13:23:51.833792: | length: 12 (0xc) Aug 26 13:23:51.833793: | ID type: ID_FQDN (0x2) Aug 26 13:23:51.833795: | processing payload: ISAKMP_NEXT_v2IDi (len=4) Aug 26 13:23:51.833796: | Now let's proceed with payload (ISAKMP_NEXT_v2IDr) Aug 26 13:23:51.833798: | **parse IKEv2 Identification - Responder - Payload: Aug 26 13:23:51.833800: | next payload type: ISAKMP_NEXT_v2AUTH (0x27) Aug 26 13:23:51.833801: | flags: none (0x0) Aug 26 13:23:51.833803: | length: 12 (0xc) Aug 26 13:23:51.833806: | ID type: 
ID_FQDN (0x2) Aug 26 13:23:51.833808: | processing payload: ISAKMP_NEXT_v2IDr (len=4) Aug 26 13:23:51.833809: | Now let's proceed with payload (ISAKMP_NEXT_v2AUTH) Aug 26 13:23:51.833811: | **parse IKEv2 Authentication Payload: Aug 26 13:23:51.833813: | next payload type: ISAKMP_NEXT_v2SA (0x21) Aug 26 13:23:51.833814: | flags: none (0x0) Aug 26 13:23:51.833816: | length: 72 (0x48) Aug 26 13:23:51.833817: | auth method: IKEv2_AUTH_SHARED (0x2) Aug 26 13:23:51.833819: | processing payload: ISAKMP_NEXT_v2AUTH (len=64) Aug 26 13:23:51.833821: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Aug 26 13:23:51.833822: | **parse IKEv2 Security Association Payload: Aug 26 13:23:51.833824: | next payload type: ISAKMP_NEXT_v2TSi (0x2c) Aug 26 13:23:51.833825: | flags: none (0x0) Aug 26 13:23:51.833827: | length: 164 (0xa4) Aug 26 13:23:51.833828: | processing payload: ISAKMP_NEXT_v2SA (len=160) Aug 26 13:23:51.833830: | Now let's proceed with payload (ISAKMP_NEXT_v2TSi) Aug 26 13:23:51.833832: | **parse IKEv2 Traffic Selector - Initiator - Payload: Aug 26 13:23:51.833833: | next payload type: ISAKMP_NEXT_v2TSr (0x2d) Aug 26 13:23:51.833835: | flags: none (0x0) Aug 26 13:23:51.833836: | length: 24 (0x18) Aug 26 13:23:51.833838: | number of TS: 1 (0x1) Aug 26 13:23:51.833839: | processing payload: ISAKMP_NEXT_v2TSi (len=16) Aug 26 13:23:51.833841: | Now let's proceed with payload (ISAKMP_NEXT_v2TSr) Aug 26 13:23:51.833843: | **parse IKEv2 Traffic Selector - Responder - Payload: Aug 26 13:23:51.833844: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:23:51.833846: | flags: none (0x0) Aug 26 13:23:51.833847: | length: 24 (0x18) Aug 26 13:23:51.833849: | number of TS: 1 (0x1) Aug 26 13:23:51.833850: | processing payload: ISAKMP_NEXT_v2TSr (len=16) Aug 26 13:23:51.833852: | selected state microcode Responder: process IKE_AUTH request Aug 26 13:23:51.833853: | Now let's proceed with state specific processing Aug 26 13:23:51.833855: | calling processor Responder: process 
IKE_AUTH request Aug 26 13:23:51.833859: "east" #1: processing decrypted IKE_AUTH request: SK{IDi,IDr,AUTH,SA,TSi,TSr} Aug 26 13:23:51.833862: | #1 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2669) Aug 26 13:23:51.833865: | received IDr payload - extracting our alleged ID Aug 26 13:23:51.833867: | refine_host_connection for IKEv2: starting with "east" Aug 26 13:23:51.833870: | match_id a=@west Aug 26 13:23:51.833872: | b=@west Aug 26 13:23:51.833873: | results matched Aug 26 13:23:51.833876: | refine_host_connection: checking "east" against "east", best=(none) with match=1(id=1(0)/ca=1(0)/reqca=1(0)) Aug 26 13:23:51.833877: | Warning: not switching back to template of current instance Aug 26 13:23:51.833879: | Peer expects us to be @east (ID_FQDN) according to its IDr payload Aug 26 13:23:51.833881: | This connection's local id is @east (ID_FQDN) Aug 26 13:23:51.833883: | refine_host_connection: checked east against east, now for see if best Aug 26 13:23:51.833885: | started looking for secret for @east->@west of kind PKK_PSK Aug 26 13:23:51.833887: | actually looking for secret for @east->@west of kind PKK_PSK Aug 26 13:23:51.833889: | line 1: key type PKK_PSK(@east) to type PKK_PSK Aug 26 13:23:51.833891: | 1: compared key @east to @east / @west -> 010 Aug 26 13:23:51.833893: | 2: compared key @west to @east / @west -> 014 Aug 26 13:23:51.833895: | line 1: match=014 Aug 26 13:23:51.833897: | match 014 beats previous best_match 000 match=0x55d13d1e5b58 (line=1) Aug 26 13:23:51.833898: | concluding with best_match=014 best=0x55d13d1e5b58 (lineno=1) Aug 26 13:23:51.833900: | returning because exact peer id match Aug 26 13:23:51.833902: | offered CA: '%none' Aug 26 13:23:51.833904: "east" #1: IKEv2 mode peer ID is ID_FQDN: '@west' Aug 26 13:23:51.833918: | verifying AUTH payload Aug 26 13:23:51.833921: | ikev2_calculate_psk_sighash() called from STATE_PARENT_R1 to verify PSK with authby=secret 
Aug 26 13:23:51.833925: | started looking for secret for @east->@west of kind PKK_PSK Aug 26 13:23:51.833927: | actually looking for secret for @east->@west of kind PKK_PSK Aug 26 13:23:51.833929: | line 1: key type PKK_PSK(@east) to type PKK_PSK Aug 26 13:23:51.833930: | 1: compared key @east to @east / @west -> 010 Aug 26 13:23:51.833932: | 2: compared key @west to @east / @west -> 014 Aug 26 13:23:51.833934: | line 1: match=014 Aug 26 13:23:51.833936: | match 014 beats previous best_match 000 match=0x55d13d1e5b58 (line=1) Aug 26 13:23:51.833937: | concluding with best_match=014 best=0x55d13d1e5b58 (lineno=1) Aug 26 13:23:51.833974: "east" #1: Authenticated using authby=secret Aug 26 13:23:51.833978: | parent state #1: PARENT_R1(half-open IKE SA) => PARENT_R2(established IKE SA) Aug 26 13:23:51.833981: | #1 will start re-keying in 3598 seconds with margin of 2 seconds (attempting re-key) Aug 26 13:23:51.833983: | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted Aug 26 13:23:51.833985: | libevent_free: release ptr-libevent@0x7f51c4002888 Aug 26 13:23:51.833987: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55d13d28e698 Aug 26 13:23:51.833989: | event_schedule: new EVENT_SA_REKEY-pe@0x55d13d28e698 Aug 26 13:23:51.833991: | inserting event EVENT_SA_REKEY, timeout in 3598 seconds for #1 Aug 26 13:23:51.833993: | libevent_malloc: new ptr-libevent@0x55d13d2939c8 size 128 Aug 26 13:23:51.834067: | pstats #1 ikev2.ike established Aug 26 13:23:51.834072: | **emit ISAKMP Message: Aug 26 13:23:51.834074: | initiator cookie: Aug 26 13:23:51.834076: | e5 90 57 9b 11 72 98 0f Aug 26 13:23:51.834077: | responder cookie: Aug 26 13:23:51.834079: | dd 36 51 29 02 6c db 8e Aug 26 13:23:51.834080: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 13:23:51.834082: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:23:51.834084: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Aug 26 13:23:51.834086: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Aug 26 
13:23:51.834087: | Message ID: 1 (0x1) Aug 26 13:23:51.834089: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 13:23:51.834091: | IKEv2 CERT: send a certificate? Aug 26 13:23:51.834093: | IKEv2 CERT: policy does not have RSASIG or ECDSA: PSK Aug 26 13:23:51.834095: | ***emit IKEv2 Encryption Payload: Aug 26 13:23:51.834096: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:23:51.834098: | flags: none (0x0) Aug 26 13:23:51.834100: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Aug 26 13:23:51.834102: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'reply packet' Aug 26 13:23:51.834104: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Aug 26 13:23:51.834108: | Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED Aug 26 13:23:51.834117: | ****emit IKEv2 Identification - Responder - Payload: Aug 26 13:23:51.834119: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:23:51.834121: | flags: none (0x0) Aug 26 13:23:51.834122: | ID type: ID_FQDN (0x2) Aug 26 13:23:51.834124: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Identification - Responder - Payload (36:ISAKMP_NEXT_v2IDr) Aug 26 13:23:51.834126: | next payload chain: saving location 'IKEv2 Identification - Responder - Payload'.'next payload type' in 'reply packet' Aug 26 13:23:51.834128: | emitting 4 raw bytes of my identity into IKEv2 Identification - Responder - Payload Aug 26 13:23:51.834130: | my identity 65 61 73 74 Aug 26 13:23:51.834132: | emitting length of IKEv2 Identification - Responder - Payload: 12 Aug 26 13:23:51.834137: | assembled IDr payload Aug 26 13:23:51.834138: | CHILD SA proposals received Aug 26 13:23:51.834140: | going to assemble AUTH payload Aug 26 13:23:51.834141: | ****emit IKEv2 Authentication Payload: Aug 26 13:23:51.834143: 
| next payload type: ISAKMP_NEXT_v2SA (0x21) Aug 26 13:23:51.834146: | flags: none (0x0) Aug 26 13:23:51.834148: | auth method: IKEv2_AUTH_SHARED (0x2) Aug 26 13:23:51.834150: | next payload chain: ignoring supplied 'IKEv2 Authentication Payload'.'next payload type' value 33:ISAKMP_NEXT_v2SA Aug 26 13:23:51.834152: | next payload chain: setting previous 'IKEv2 Identification - Responder - Payload'.'next payload type' to current IKEv2 Authentication Payload (39:ISAKMP_NEXT_v2AUTH) Aug 26 13:23:51.834154: | next payload chain: saving location 'IKEv2 Authentication Payload'.'next payload type' in 'reply packet' Aug 26 13:23:51.834156: | ikev2_calculate_psk_sighash() called from STATE_PARENT_R2 to create PSK with authby=secret Aug 26 13:23:51.834158: | started looking for secret for @east->@west of kind PKK_PSK Aug 26 13:23:51.834160: | actually looking for secret for @east->@west of kind PKK_PSK Aug 26 13:23:51.834162: | line 1: key type PKK_PSK(@east) to type PKK_PSK Aug 26 13:23:51.834164: | 1: compared key @east to @east / @west -> 010 Aug 26 13:23:51.834166: | 2: compared key @west to @east / @west -> 014 Aug 26 13:23:51.834167: | line 1: match=014 Aug 26 13:23:51.834169: | match 014 beats previous best_match 000 match=0x55d13d1e5b58 (line=1) Aug 26 13:23:51.834171: | concluding with best_match=014 best=0x55d13d1e5b58 (lineno=1) Aug 26 13:23:51.834204: | emitting 64 raw bytes of PSK auth into IKEv2 Authentication Payload Aug 26 13:23:51.834206: | PSK auth bf 5e c1 4d 9c 1a 01 15 a6 fe 60 5c 12 d1 94 98 Aug 26 13:23:51.834208: | PSK auth e1 bf 63 f0 8f 60 7e 30 70 fc 40 02 56 36 b7 6e Aug 26 13:23:51.834209: | PSK auth a5 a4 fc 6c b8 2e d7 a8 95 58 d5 6e f9 d4 38 2e Aug 26 13:23:51.834211: | PSK auth 6b 58 7a 8e 7b dc a7 74 c5 f4 1e 49 68 cb 89 47 Aug 26 13:23:51.834213: | emitting length of IKEv2 Authentication Payload: 72 Aug 26 13:23:51.834217: | creating state object #2 at 0x55d13d2946e8 Aug 26 13:23:51.834219: | State DB: adding IKEv2 state #2 in UNDEFINED Aug 
26 13:23:51.834221: | pstats #2 ikev2.child started Aug 26 13:23:51.834223: | duplicating state object #1 "east" as #2 for IPSEC SA Aug 26 13:23:51.834226: | #2 setting local endpoint to 192.1.2.23:500 from #1.st_localport (in duplicate_state() at state.c:1484) Aug 26 13:23:51.834230: | Message ID: init_child #1.#2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0; child: wip.initiator=0->-1 wip.responder=0->-1 Aug 26 13:23:51.834233: | Message ID: switch-from #1 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=1->-1 Aug 26 13:23:51.834236: | Message ID: switch-to #1.#2 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0; child: wip.initiator=-1 wip.responder=-1->1 Aug 26 13:23:51.834238: | Child SA TS Request has ike->sa == md->st; so using parent connection Aug 26 13:23:51.834240: | TSi: parsing 1 traffic selectors Aug 26 13:23:51.834242: | ***parse IKEv2 Traffic Selector: Aug 26 13:23:51.834244: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 13:23:51.834245: | IP Protocol ID: 0 (0x0) Aug 26 13:23:51.834247: | length: 16 (0x10) Aug 26 13:23:51.834248: | start port: 0 (0x0) Aug 26 13:23:51.834250: | end port: 65535 (0xffff) Aug 26 13:23:51.834252: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Aug 26 13:23:51.834254: | TS low c0 00 01 00 Aug 26 13:23:51.834255: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Aug 26 13:23:51.834257: | TS high c0 00 01 ff Aug 26 13:23:51.834258: | TSi: parsed 1 traffic selectors Aug 26 13:23:51.834260: | TSr: parsing 1 traffic selectors Aug 26 13:23:51.834262: | ***parse IKEv2 Traffic Selector: Aug 26 13:23:51.834263: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 13:23:51.834265: | IP Protocol ID: 0 (0x0) Aug 26 13:23:51.834266: | length: 16 (0x10) Aug 26 13:23:51.834268: | start port: 0 (0x0) Aug 26 13:23:51.834269: | end port: 65535 (0xffff) Aug 26 13:23:51.834271: | parsing 
4 raw bytes of IKEv2 Traffic Selector into TS low Aug 26 13:23:51.834272: | TS low c0 00 02 00 Aug 26 13:23:51.834275: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Aug 26 13:23:51.834277: | TS high c0 00 02 ff Aug 26 13:23:51.834278: | TSr: parsed 1 traffic selectors Aug 26 13:23:51.834280: | looking for best SPD in current connection Aug 26 13:23:51.834284: | evaluating our conn="east" I=192.0.1.0/24:0/0 R=192.0.2.0/24:0/0 to their: Aug 26 13:23:51.834287: | TSi[0] .net=192.0.1.0-192.0.1.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 13:23:51.834314: | match address end->client=192.0.1.0/24 == TSi[0]net=192.0.1.0-192.0.1.255: YES fitness 32 Aug 26 13:23:51.834317: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Aug 26 13:23:51.834332: | TSi[0] port match: YES fitness 65536 Aug 26 13:23:51.834334: | narrow protocol end=*0 == TSi[0]=*0: 0 Aug 26 13:23:51.834336: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Aug 26 13:23:51.834339: | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 13:23:51.834342: | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 Aug 26 13:23:51.834344: | narrow port end=0..65535 == TSr[0]=0..65535: 0 Aug 26 13:23:51.834345: | TSr[0] port match: YES fitness 65536 Aug 26 13:23:51.834347: | narrow protocol end=*0 == TSr[0]=*0: 0 Aug 26 13:23:51.834349: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Aug 26 13:23:51.834350: | best fit so far: TSi[0] TSr[0] Aug 26 13:23:51.834352: | found better spd route for TSi[0],TSr[0] Aug 26 13:23:51.834354: | looking for better host pair Aug 26 13:23:51.834357: | find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500 but ignoring ports Aug 26 13:23:51.834359: | checking hostpair 192.0.2.0/24 -> 192.0.1.0/24 is found Aug 26 13:23:51.834361: | investigating connection "east" as a better match Aug 26 13:23:51.834363: | match_id a=@west Aug 26 13:23:51.834364: | b=@west Aug 26 
13:23:51.834366: | results matched Aug 26 13:23:51.834369: | evaluating our conn="east" I=192.0.1.0/24:0/0 R=192.0.2.0/24:0/0 to their: Aug 26 13:23:51.834371: | TSi[0] .net=192.0.1.0-192.0.1.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 13:23:51.834374: | match address end->client=192.0.1.0/24 == TSi[0]net=192.0.1.0-192.0.1.255: YES fitness 32 Aug 26 13:23:51.834376: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Aug 26 13:23:51.834378: | TSi[0] port match: YES fitness 65536 Aug 26 13:23:51.834380: | narrow protocol end=*0 == TSi[0]=*0: 0 Aug 26 13:23:51.834381: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Aug 26 13:23:51.834384: | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 13:23:51.834387: | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 Aug 26 13:23:51.834389: | narrow port end=0..65535 == TSr[0]=0..65535: 0 Aug 26 13:23:51.834390: | TSr[0] port match: YES fitness 65536 Aug 26 13:23:51.834392: | narrow protocol end=*0 == TSr[0]=*0: 0 Aug 26 13:23:51.834394: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Aug 26 13:23:51.834395: | best fit so far: TSi[0] TSr[0] Aug 26 13:23:51.834397: | did not find a better connection using host pair Aug 26 13:23:51.834398: | printing contents struct traffic_selector Aug 26 13:23:51.834400: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Aug 26 13:23:51.834401: | ipprotoid: 0 Aug 26 13:23:51.834403: | port range: 0-65535 Aug 26 13:23:51.834405: | ip range: 192.0.2.0-192.0.2.255 Aug 26 13:23:51.834407: | printing contents struct traffic_selector Aug 26 13:23:51.834408: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Aug 26 13:23:51.834410: | ipprotoid: 0 Aug 26 13:23:51.834411: | port range: 0-65535 Aug 26 13:23:51.834413: | ip range: 192.0.1.0-192.0.1.255 Aug 26 13:23:51.834416: | constructing ESP/AH proposals with all DH removed for east (IKE_AUTH responder matching remote ESP/AH proposals) Aug 26 13:23:51.834421: | converting 
proposal AES_GCM_16_256-NONE to ikev2 ... Aug 26 13:23:51.834425: | ... ikev2_proposal: 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;DH=NONE;ESN=DISABLED Aug 26 13:23:51.834427: | converting proposal AES_GCM_16_128-NONE to ikev2 ... Aug 26 13:23:51.834429: | ... ikev2_proposal: 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;DH=NONE;ESN=DISABLED Aug 26 13:23:51.834431: | converting proposal AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128 to ikev2 ... Aug 26 13:23:51.834434: | ... ikev2_proposal: 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED Aug 26 13:23:51.834436: | converting proposal AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128 to ikev2 ... Aug 26 13:23:51.834438: | ... ikev2_proposal: 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED Aug 26 13:23:51.834443: "east": constructed local ESP/AH proposals for east (IKE_AUTH responder matching remote ESP/AH proposals): 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;DH=NONE;ESN=DISABLED 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;DH=NONE;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED Aug 26 13:23:51.834445: | Comparing remote proposals against IKE_AUTH responder matching remote ESP/AH proposals 4 local proposals Aug 26 13:23:51.834447: | local proposal 1 type ENCR has 1 transforms Aug 26 13:23:51.834449: | local proposal 1 type PRF has 0 transforms Aug 26 13:23:51.834451: | local proposal 1 type INTEG has 1 transforms Aug 26 13:23:51.834452: | local proposal 1 type DH has 1 transforms Aug 26 13:23:51.834454: | local proposal 1 type ESN has 1 transforms Aug 26 13:23:51.834456: | local proposal 1 transforms: required: ENCR+ESN; optional: INTEG+DH Aug 26 13:23:51.834457: | local proposal 2 type ENCR has 1 transforms Aug 26 13:23:51.834459: | local proposal 2 type PRF has 0 transforms Aug 26 13:23:51.834461: | local proposal 2 type INTEG has 1 
transforms Aug 26 13:23:51.834462: | local proposal 2 type DH has 1 transforms Aug 26 13:23:51.834464: | local proposal 2 type ESN has 1 transforms Aug 26 13:23:51.834465: | local proposal 2 transforms: required: ENCR+ESN; optional: INTEG+DH Aug 26 13:23:51.834467: | local proposal 3 type ENCR has 1 transforms Aug 26 13:23:51.834469: | local proposal 3 type PRF has 0 transforms Aug 26 13:23:51.834470: | local proposal 3 type INTEG has 2 transforms Aug 26 13:23:51.834472: | local proposal 3 type DH has 1 transforms Aug 26 13:23:51.834473: | local proposal 3 type ESN has 1 transforms Aug 26 13:23:51.834475: | local proposal 3 transforms: required: ENCR+INTEG+ESN; optional: DH Aug 26 13:23:51.834477: | local proposal 4 type ENCR has 1 transforms Aug 26 13:23:51.834478: | local proposal 4 type PRF has 0 transforms Aug 26 13:23:51.834480: | local proposal 4 type INTEG has 2 transforms Aug 26 13:23:51.834481: | local proposal 4 type DH has 1 transforms Aug 26 13:23:51.834483: | local proposal 4 type ESN has 1 transforms Aug 26 13:23:51.834485: | local proposal 4 transforms: required: ENCR+INTEG+ESN; optional: DH Aug 26 13:23:51.834487: | ***parse IKEv2 Proposal Substructure Payload: Aug 26 13:23:51.834488: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 13:23:51.834490: | length: 32 (0x20) Aug 26 13:23:51.834492: | prop #: 1 (0x1) Aug 26 13:23:51.834493: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 13:23:51.834495: | spi size: 4 (0x4) Aug 26 13:23:51.834496: | # transforms: 2 (0x2) Aug 26 13:23:51.834498: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Aug 26 13:23:51.834500: | remote SPI b6 d9 1d 4f Aug 26 13:23:51.834502: | Comparing remote proposal 1 containing 2 transforms against local proposal [1..4] of 4 local proposals Aug 26 13:23:51.834504: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:51.834506: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:51.834507: | length: 12 (0xc) Aug 26 13:23:51.834509: | 
IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:23:51.834512: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 13:23:51.834514: | *****parse IKEv2 Attribute Substructure Payload: Aug 26 13:23:51.834515: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:23:51.834517: | length/value: 256 (0x100) Aug 26 13:23:51.834520: | remote proposal 1 transform 0 (ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) transform 0 Aug 26 13:23:51.834521: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:51.834523: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:23:51.834524: | length: 8 (0x8) Aug 26 13:23:51.834526: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 13:23:51.834528: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 13:23:51.834530: | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 1 type 5 (ESN) transform 0 Aug 26 13:23:51.834532: | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 2 type 5 (ESN) transform 0 Aug 26 13:23:51.834534: | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 3 type 5 (ESN) transform 0 Aug 26 13:23:51.834536: | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 4 type 5 (ESN) transform 0 Aug 26 13:23:51.834538: | remote proposal 1 proposed transforms: ENCR+ESN; matched: ENCR+ESN; unmatched: none Aug 26 13:23:51.834540: | comparing remote proposal 1 containing ENCR+ESN transforms to local proposal 1; required: ENCR+ESN; optional: INTEG+DH; matched: ENCR+ESN Aug 26 13:23:51.834542: | remote proposal 1 matches local proposal 1 Aug 26 13:23:51.834544: | ***parse IKEv2 Proposal Substructure Payload: Aug 26 13:23:51.834545: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 13:23:51.834547: | length: 32 (0x20) Aug 26 13:23:51.834548: | prop #: 2 (0x2) Aug 26 13:23:51.834550: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 13:23:51.834552: | spi size: 4 (0x4) Aug 26 13:23:51.834553: | # transforms: 2 (0x2) Aug 26 13:23:51.834555: | parsing 4 raw bytes of 
IKEv2 Proposal Substructure Payload into remote SPI Aug 26 13:23:51.834556: | remote SPI b6 d9 1d 4f Aug 26 13:23:51.834558: | Comparing remote proposal 2 containing 2 transforms against local proposal [1..0] of 4 local proposals Aug 26 13:23:51.834560: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:51.834562: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:51.834563: | length: 12 (0xc) Aug 26 13:23:51.834565: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:23:51.834566: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 13:23:51.834568: | *****parse IKEv2 Attribute Substructure Payload: Aug 26 13:23:51.834569: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:23:51.834571: | length/value: 128 (0x80) Aug 26 13:23:51.834573: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:51.834574: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:23:51.834576: | length: 8 (0x8) Aug 26 13:23:51.834577: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 13:23:51.834579: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 13:23:51.834581: | remote proposal 2 proposed transforms: ENCR+ESN; matched: none; unmatched: ENCR+ESN Aug 26 13:23:51.834583: | remote proposal 2 does not match; unmatched remote transforms: ENCR+ESN Aug 26 13:23:51.834584: | ***parse IKEv2 Proposal Substructure Payload: Aug 26 13:23:51.834586: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 13:23:51.834587: | length: 48 (0x30) Aug 26 13:23:51.834589: | prop #: 3 (0x3) Aug 26 13:23:51.834590: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 13:23:51.834592: | spi size: 4 (0x4) Aug 26 13:23:51.834593: | # transforms: 4 (0x4) Aug 26 13:23:51.834595: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Aug 26 13:23:51.834597: | remote SPI b6 d9 1d 4f Aug 26 13:23:51.834599: | Comparing remote proposal 3 containing 4 transforms against local proposal [1..0] of 4 local proposals Aug 26 13:23:51.834600: | ****parse IKEv2 Transform Substructure Payload: 
Aug 26 13:23:51.834602: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:51.834604: | length: 12 (0xc) Aug 26 13:23:51.834606: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:23:51.834607: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 13:23:51.834609: | *****parse IKEv2 Attribute Substructure Payload: Aug 26 13:23:51.834610: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:23:51.834612: | length/value: 256 (0x100) Aug 26 13:23:51.834614: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:51.834615: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:51.834617: | length: 8 (0x8) Aug 26 13:23:51.834618: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:23:51.834620: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Aug 26 13:23:51.834622: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:51.834623: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:51.834625: | length: 8 (0x8) Aug 26 13:23:51.834626: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:23:51.834628: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Aug 26 13:23:51.834630: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:51.834631: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:23:51.834633: | length: 8 (0x8) Aug 26 13:23:51.834634: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 13:23:51.834636: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 13:23:51.834638: | remote proposal 3 proposed transforms: ENCR+INTEG+ESN; matched: none; unmatched: ENCR+INTEG+ESN Aug 26 13:23:51.834640: | remote proposal 3 does not match; unmatched remote transforms: ENCR+INTEG+ESN Aug 26 13:23:51.834641: | ***parse IKEv2 Proposal Substructure Payload: Aug 26 13:23:51.834643: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 13:23:51.834644: | length: 48 (0x30) Aug 26 13:23:51.834646: | prop #: 4 (0x4) Aug 26 13:23:51.834647: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 13:23:51.834649: | spi size: 4 (0x4) Aug 26 13:23:51.834650: | # 
transforms: 4 (0x4) Aug 26 13:23:51.834652: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Aug 26 13:23:51.834654: | remote SPI b6 d9 1d 4f Aug 26 13:23:51.834655: | Comparing remote proposal 4 containing 4 transforms against local proposal [1..0] of 4 local proposals Aug 26 13:23:51.834657: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:51.834659: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:51.834660: | length: 12 (0xc) Aug 26 13:23:51.834662: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:23:51.834663: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 13:23:51.834665: | *****parse IKEv2 Attribute Substructure Payload: Aug 26 13:23:51.834666: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:23:51.834668: | length/value: 128 (0x80) Aug 26 13:23:51.834670: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:51.834671: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:51.834673: | length: 8 (0x8) Aug 26 13:23:51.834674: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:23:51.834676: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Aug 26 13:23:51.834677: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:51.834679: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:51.834680: | length: 8 (0x8) Aug 26 13:23:51.834682: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:23:51.834684: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Aug 26 13:23:51.834685: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:23:51.834687: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:23:51.834688: | length: 8 (0x8) Aug 26 13:23:51.834690: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 13:23:51.834691: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 13:23:51.834694: | remote proposal 4 proposed transforms: ENCR+INTEG+ESN; matched: none; unmatched: ENCR+INTEG+ESN Aug 26 13:23:51.834695: | remote proposal 4 does not match; unmatched remote transforms: 
ENCR+INTEG+ESN Aug 26 13:23:51.834698: "east" #1: proposal 1:ESP:SPI=b6d91d4f;ENCR=AES_GCM_C_256;ESN=DISABLED chosen from remote proposals 1:ESP:ENCR=AES_GCM_C_256;ESN=DISABLED[first-match] 2:ESP:ENCR=AES_GCM_C_128;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED Aug 26 13:23:51.834702: | IKE_AUTH responder matching remote ESP/AH proposals ikev2_proposal: 1:ESP:SPI=b6d91d4f;ENCR=AES_GCM_C_256;ESN=DISABLED Aug 26 13:23:51.834704: | converting proposal to internal trans attrs Aug 26 13:23:51.834715: | netlink_get_spi: allocated 0x6062022f for esp.0@192.1.2.23 Aug 26 13:23:51.834718: | Emitting ikev2_proposal ... Aug 26 13:23:51.834719: | ****emit IKEv2 Security Association Payload: Aug 26 13:23:51.834721: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:23:51.834723: | flags: none (0x0) Aug 26 13:23:51.834725: | next payload chain: setting previous 'IKEv2 Authentication Payload'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Aug 26 13:23:51.834727: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Aug 26 13:23:51.834729: | *****emit IKEv2 Proposal Substructure Payload: Aug 26 13:23:51.834730: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 13:23:51.834732: | prop #: 1 (0x1) Aug 26 13:23:51.834733: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 13:23:51.834735: | spi size: 4 (0x4) Aug 26 13:23:51.834736: | # transforms: 2 (0x2) Aug 26 13:23:51.834738: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Aug 26 13:23:51.834740: | emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload Aug 26 13:23:51.834742: | our spi 60 62 02 2f Aug 26 13:23:51.834744: | ******emit IKEv2 Transform Substructure Payload: Aug 26 13:23:51.834745: | last 
transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:51.834747: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:23:51.834748: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 13:23:51.834750: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:23:51.834752: | *******emit IKEv2 Attribute Substructure Payload: Aug 26 13:23:51.834754: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:23:51.834755: | length/value: 256 (0x100) Aug 26 13:23:51.834757: | emitting length of IKEv2 Transform Substructure Payload: 12 Aug 26 13:23:51.834759: | ******emit IKEv2 Transform Substructure Payload: Aug 26 13:23:51.834760: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:23:51.834762: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 13:23:51.834764: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 13:23:51.834766: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:23:51.834768: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:23:51.834769: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:23:51.834771: | emitting length of IKEv2 Proposal Substructure Payload: 32 Aug 26 13:23:51.834773: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Aug 26 13:23:51.834774: | emitting length of IKEv2 Security Association Payload: 36 Aug 26 13:23:51.834776: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Aug 26 13:23:51.834778: | ****emit IKEv2 Traffic Selector - Initiator - Payload: Aug 26 13:23:51.834780: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:23:51.834781: | flags: none (0x0) Aug 26 13:23:51.834783: | number 
of TS: 1 (0x1) Aug 26 13:23:51.834785: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Traffic Selector - Initiator - Payload (44:ISAKMP_NEXT_v2TSi) Aug 26 13:23:51.834788: | next payload chain: saving location 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' in 'reply packet' Aug 26 13:23:51.834790: | *****emit IKEv2 Traffic Selector: Aug 26 13:23:51.834791: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 13:23:51.834793: | IP Protocol ID: 0 (0x0) Aug 26 13:23:51.834795: | start port: 0 (0x0) Aug 26 13:23:51.834796: | end port: 65535 (0xffff) Aug 26 13:23:51.834798: | emitting 4 raw bytes of ipv4 start into IKEv2 Traffic Selector Aug 26 13:23:51.834800: | ipv4 start c0 00 01 00 Aug 26 13:23:51.834801: | emitting 4 raw bytes of ipv4 end into IKEv2 Traffic Selector Aug 26 13:23:51.834803: | ipv4 end c0 00 01 ff Aug 26 13:23:51.834805: | emitting length of IKEv2 Traffic Selector: 16 Aug 26 13:23:51.834806: | emitting length of IKEv2 Traffic Selector - Initiator - Payload: 24 Aug 26 13:23:51.834808: | ****emit IKEv2 Traffic Selector - Responder - Payload: Aug 26 13:23:51.834809: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:23:51.834811: | flags: none (0x0) Aug 26 13:23:51.834812: | number of TS: 1 (0x1) Aug 26 13:23:51.834814: | next payload chain: setting previous 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' to current IKEv2 Traffic Selector - Responder - Payload (45:ISAKMP_NEXT_v2TSr) Aug 26 13:23:51.834816: | next payload chain: saving location 'IKEv2 Traffic Selector - Responder - Payload'.'next payload type' in 'reply packet' Aug 26 13:23:51.834818: | *****emit IKEv2 Traffic Selector: Aug 26 13:23:51.834819: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 13:23:51.834821: | IP Protocol ID: 0 (0x0) Aug 26 13:23:51.834822: | start port: 0 (0x0) Aug 26 13:23:51.834824: | end port: 65535 (0xffff) Aug 26 13:23:51.834826: | emitting 4 raw bytes of ipv4 
start into IKEv2 Traffic Selector Aug 26 13:23:51.834827: | ipv4 start c0 00 02 00 Aug 26 13:23:51.834829: | emitting 4 raw bytes of ipv4 end into IKEv2 Traffic Selector Aug 26 13:23:51.834830: | ipv4 end c0 00 02 ff Aug 26 13:23:51.834832: | emitting length of IKEv2 Traffic Selector: 16 Aug 26 13:23:51.834834: | emitting length of IKEv2 Traffic Selector - Responder - Payload: 24 Aug 26 13:23:51.834835: | Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED Aug 26 13:23:51.834838: | integ=none: .key_size=0 encrypt=aes_gcm_16: .key_size=32 .salt_size=4 keymat_len=36 Aug 26 13:23:51.834933: | FOR_EACH_CONNECTION_... in ISAKMP_SA_established Aug 26 13:23:51.834938: | #1 spent 1.08 milliseconds Aug 26 13:23:51.834940: | install_ipsec_sa() for #2: inbound and outbound Aug 26 13:23:51.834942: | could_route called for east (kind=CK_PERMANENT) Aug 26 13:23:51.834944: | FOR_EACH_CONNECTION_... in route_owner Aug 26 13:23:51.834946: | conn east mark 0/00000000, 0/00000000 vs Aug 26 13:23:51.834947: | conn east mark 0/00000000, 0/00000000 Aug 26 13:23:51.834950: | route owner of "east" unrouted: NULL; eroute owner: NULL Aug 26 13:23:51.834952: | looking for alg with encrypt: AES_GCM_16 keylen: 256 integ: NONE Aug 26 13:23:51.834955: | encrypt AES_GCM_16 keylen=256 transid=20, key_size=32, encryptalg=20 Aug 26 13:23:51.834957: | AES_GCM_16 requires 4 salt bytes Aug 26 13:23:51.834959: | st->st_esp.keymat_len=36 is encrypt_keymat_size=36 + integ_keymat_size=0 Aug 26 13:23:51.834961: | setting IPsec SA replay-window to 32 Aug 26 13:23:51.834963: | NIC esp-hw-offload not for connection 'east' not available on interface eth1 Aug 26 13:23:51.834965: | netlink: enabling tunnel mode Aug 26 13:23:51.834967: | netlink: setting IPsec SA replay-window to 32 using old-style req Aug 26 13:23:51.834969: | netlink: esp-hw-offload not set for IPsec SA Aug 26 13:23:51.835019: | netlink response for Add SA esp.b6d91d4f@192.1.2.45 included non-error error Aug 26 
13:23:51.835022: | set up outgoing SA, ref=0/0 Aug 26 13:23:51.835024: | looking for alg with encrypt: AES_GCM_16 keylen: 256 integ: NONE Aug 26 13:23:51.835026: | encrypt AES_GCM_16 keylen=256 transid=20, key_size=32, encryptalg=20 Aug 26 13:23:51.835030: | AES_GCM_16 requires 4 salt bytes Aug 26 13:23:51.835031: | st->st_esp.keymat_len=36 is encrypt_keymat_size=36 + integ_keymat_size=0 Aug 26 13:23:51.835034: | setting IPsec SA replay-window to 32 Aug 26 13:23:51.835035: | NIC esp-hw-offload not for connection 'east' not available on interface eth1 Aug 26 13:23:51.835037: | netlink: enabling tunnel mode Aug 26 13:23:51.835039: | netlink: setting IPsec SA replay-window to 32 using old-style req Aug 26 13:23:51.835040: | netlink: esp-hw-offload not set for IPsec SA Aug 26 13:23:51.835062: | netlink response for Add SA esp.6062022f@192.1.2.23 included non-error error Aug 26 13:23:51.835065: | priority calculation of connection "east" is 0xfe7e7 Aug 26 13:23:51.835070: | add inbound eroute 192.0.1.0/24:0 --0-> 192.0.2.0/24:0 => tun.10000@192.1.2.23 (raw_eroute) Aug 26 13:23:51.835072: | IPsec Sa SPD priority set to 1042407 Aug 26 13:23:51.835091: | raw_eroute result=success Aug 26 13:23:51.835093: | set up incoming SA, ref=0/0 Aug 26 13:23:51.835095: | sr for #2: unrouted Aug 26 13:23:51.835097: | route_and_eroute() for proto 0, and source port 0 dest port 0 Aug 26 13:23:51.835098: | FOR_EACH_CONNECTION_... 
in route_owner Aug 26 13:23:51.835100: | conn east mark 0/00000000, 0/00000000 vs Aug 26 13:23:51.835102: | conn east mark 0/00000000, 0/00000000 Aug 26 13:23:51.835104: | route owner of "east" unrouted: NULL; eroute owner: NULL Aug 26 13:23:51.835106: | route_and_eroute with c: east (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: #2 Aug 26 13:23:51.835108: | priority calculation of connection "east" is 0xfe7e7 Aug 26 13:23:51.835112: | eroute_connection add eroute 192.0.2.0/24:0 --0-> 192.0.1.0/24:0 => tun.0@192.1.2.45 (raw_eroute) Aug 26 13:23:51.835114: | IPsec Sa SPD priority set to 1042407 Aug 26 13:23:51.835122: | raw_eroute result=success Aug 26 13:23:51.835124: | running updown command "ipsec _updown" for verb up Aug 26 13:23:51.835126: | command executing up-client Aug 26 13:23:51.835142: | executing up-client: PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='east' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='@west' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0xb6d91d4f SPI_OUT=0x606 Aug 26 13:23:51.835145: | popen cmd is 1020 chars long Aug 26 13:23:51.835147: | cmd( 0):PLUTO_VERB='up-client' PLUTO_VERSION='2.0' 
PLUTO_CONNECTION='east' PLUTO_INTERFA: Aug 26 13:23:51.835149: | cmd( 80):CE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' : Aug 26 13:23:51.835150: | cmd( 160):PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_M: Aug 26 13:23:51.835152: | cmd( 240):ASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='1638: Aug 26 13:23:51.835154: | cmd( 320):8' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='@west' PLUTO_PEER_: Aug 26 13:23:51.835155: | cmd( 400):CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK=': Aug 26 13:23:51.835157: | cmd( 480):255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUT: Aug 26 13:23:51.835158: | cmd( 560):O_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKE: Aug 26 13:23:51.835163: | cmd( 640):V2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO: Aug 26 13:23:51.835165: | cmd( 720):_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_IN: Aug 26 13:23:51.835167: | cmd( 800):FO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_: Aug 26 13:23:51.835168: | cmd( 880):CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED=: Aug 26 13:23:51.835170: | cmd( 960):'no' SPI_IN=0xb6d91d4f SPI_OUT=0x6062022f ipsec _updown 2>&1: Aug 26 13:23:51.842301: | route_and_eroute: firewall_notified: true Aug 26 13:23:51.842312: | running updown command "ipsec _updown" for verb prepare Aug 26 13:23:51.842315: | command executing prepare-client Aug 26 13:23:51.842335: | executing prepare-client: PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='east' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' 
PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='@west' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0xb6d91d4f SPI Aug 26 13:23:51.842337: | popen cmd is 1025 chars long Aug 26 13:23:51.842339: | cmd( 0):PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='east' PLUTO_IN: Aug 26 13:23:51.842341: | cmd( 80):TERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@e: Aug 26 13:23:51.842343: | cmd( 160):ast' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLI: Aug 26 13:23:51.842345: | cmd( 240):ENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID=: Aug 26 13:23:51.842346: | cmd( 320):'16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='@west' PLUTO_: Aug 26 13:23:51.842348: | cmd( 400):PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_M: Aug 26 13:23:51.842350: | cmd( 480):ASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='': Aug 26 13:23:51.842351: | cmd( 560): PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PF: Aug 26 13:23:51.842353: | cmd( 640):S+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' : Aug 26 13:23:51.842355: | cmd( 720):PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_D: Aug 26 13:23:51.842356: | cmd( 800):NS_INFO='' PLUTO_PEER_DOMAIN_INFO='' 
PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' P: Aug 26 13:23:51.842358: | cmd( 880):LUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SH: Aug 26 13:23:51.842360: | cmd( 960):ARED='no' SPI_IN=0xb6d91d4f SPI_OUT=0x6062022f ipsec _updown 2>&1: Aug 26 13:23:51.849092: | running updown command "ipsec _updown" for verb route Aug 26 13:23:51.849104: | command executing route-client Aug 26 13:23:51.849124: | executing route-client: PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='east' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='@west' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0xb6d91d4f SPI_OUT Aug 26 13:23:51.849130: | popen cmd is 1023 chars long Aug 26 13:23:51.849132: | cmd( 0):PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='east' PLUTO_INTE: Aug 26 13:23:51.849134: | cmd( 80):RFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@eas: Aug 26 13:23:51.849136: | cmd( 160):t' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIEN: Aug 26 13:23:51.849137: | cmd( 240):T_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='1: Aug 26 13:23:51.849139: | 
cmd( 320):6388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='@west' PLUTO_PE: Aug 26 13:23:51.849141: | cmd( 400):ER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MAS: Aug 26 13:23:51.849142: | cmd( 480):K='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' P: Aug 26 13:23:51.849144: | cmd( 560):LUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+: Aug 26 13:23:51.849146: | cmd( 640):IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PL: Aug 26 13:23:51.849147: | cmd( 720):UTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS: Aug 26 13:23:51.849149: | cmd( 800):_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLU: Aug 26 13:23:51.849150: | cmd( 880):TO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHAR: Aug 26 13:23:51.849152: | cmd( 960):ED='no' SPI_IN=0xb6d91d4f SPI_OUT=0x6062022f ipsec _updown 2>&1: Aug 26 13:23:51.858661: | route_and_eroute: instance "east", setting eroute_owner {spd=0x55d13d28c9d8,sr=0x55d13d28c9d8} to #2 (was #0) (newest_ipsec_sa=#0) Aug 26 13:23:51.858718: | #1 spent 1.29 milliseconds in install_ipsec_sa() Aug 26 13:23:51.858724: | ISAKMP_v2_IKE_AUTH: instance east[0], setting IKEv2 newest_ipsec_sa to #2 (was #0) (spd.eroute=#2) cloned from #1 Aug 26 13:23:51.858727: | adding 1 bytes of padding (including 1 byte padding-length) Aug 26 13:23:51.858730: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:23:51.858733: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Aug 26 13:23:51.858735: | emitting length of IKEv2 Encryption Payload: 197 Aug 26 13:23:51.858737: | emitting length of ISAKMP Message: 225 Aug 26 13:23:51.858766: | ikev2_parent_inI2outR2_continue_tail returned STF_OK Aug 26 13:23:51.858770: | #1 spent 2.42 milliseconds in processing: Responder: 
process IKE_AUTH request in ikev2_process_state_packet() Aug 26 13:23:51.858775: | suspend processing: state #1 connection "east" from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:23:51.858779: | start processing: state #2 connection "east" from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:23:51.858782: | #2 complete_v2_state_transition() md.from_state=PARENT_R1 md.svm.state[from]=PARENT_R1 UNDEFINED->V2_IPSEC_R with status STF_OK Aug 26 13:23:51.858784: | IKEv2: transition from state STATE_PARENT_R1 to state STATE_V2_IPSEC_R Aug 26 13:23:51.858787: | child state #2: UNDEFINED(ignore) => V2_IPSEC_R(established CHILD SA) Aug 26 13:23:51.858790: | Message ID: updating counters for #2 to 1 after switching state Aug 26 13:23:51.858794: | Message ID: recv #1.#2 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0->1; child: wip.initiator=-1 wip.responder=1->-1 Aug 26 13:23:51.858797: | Message ID: sent #1.#2 response 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0->1 responder.recv=1; child: wip.initiator=-1 wip.responder=-1 Aug 26 13:23:51.858801: | pstats #2 ikev2.child established Aug 26 13:23:51.858807: "east" #2: negotiated connection [192.0.2.0-192.0.2.255:0-65535 0] -> [192.0.1.0-192.0.1.255:0-65535 0] Aug 26 13:23:51.858810: | NAT-T: encaps is 'auto' Aug 26 13:23:51.858813: "east" #2: STATE_V2_IPSEC_R: IPsec SA established tunnel mode {ESP=>0xb6d91d4f <0x6062022f xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive} Aug 26 13:23:51.858817: | sending V2 new request packet to 192.1.2.45:500 (from 192.1.2.23:500) Aug 26 13:23:51.858822: | sending 225 bytes for STATE_PARENT_R1 through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #1)
Aug 26 13:23:51.858878: | releasing whack for #2 (sock=fd@-1) Aug 26 13:23:51.858881: | releasing whack and unpending for parent #1 Aug 26 13:23:51.858883: | unpending state #1 connection "east" Aug 26 13:23:51.858886: | #2 will start re-keying in 28798 seconds with margin of 2 seconds (attempting re-key) Aug 26 13:23:51.858889: | event_schedule: new EVENT_SA_REKEY-pe@0x7f51c4002b78 Aug 26 13:23:51.858891: | inserting event EVENT_SA_REKEY, timeout in 28798 seconds for #2 Aug 26 13:23:51.858894: | libevent_malloc: new ptr-libevent@0x55d13d294638 size 128 Aug 26 13:23:51.858906: | resume sending helper answer for #1 suppresed complete_v2_state_transition() Aug 26 13:23:51.858911: | #1 spent 2.64 milliseconds in resume sending helper answer Aug 26 13:23:51.858915: | stop processing: state #2 connection "east" from 192.1.2.45:500 (in resume_handler() at server.c:833) Aug 26 13:23:51.858918: | libevent_free: release ptr-libevent@0x7f51bc000f48 Aug 26 13:23:51.858929: | processing signal PLUTO_SIGCHLD Aug 26 13:23:51.858933: | waitpid returned ECHILD (no child processes left) Aug 26 13:23:51.858936: | spent 0.00382 milliseconds in signal
handler PLUTO_SIGCHLD Aug 26 13:23:51.858937: | processing signal PLUTO_SIGCHLD Aug 26 13:23:51.858940: | waitpid returned ECHILD (no child processes left) Aug 26 13:23:51.858942: | spent 0.00238 milliseconds in signal handler PLUTO_SIGCHLD Aug 26 13:23:51.858944: | processing signal PLUTO_SIGCHLD Aug 26 13:23:51.858946: | waitpid returned ECHILD (no child processes left) Aug 26 13:23:51.858948: | spent 0.00232 milliseconds in signal handler PLUTO_SIGCHLD Aug 26 13:24:10.542928: | processing global timer EVENT_SHUNT_SCAN Aug 26 13:24:10.543000: | expiring aged bare shunts from shunt table Aug 26 13:24:10.543022: | spent 0.0182 milliseconds in global timer EVENT_SHUNT_SCAN Aug 26 13:24:30.542364: | processing global timer EVENT_SHUNT_SCAN Aug 26 13:24:30.542410: | expiring aged bare shunts from shunt table Aug 26 13:24:30.542425: | spent 0.012 milliseconds in global timer EVENT_SHUNT_SCAN Aug 26 13:24:36.873478: | spent 0.0106 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Aug 26 13:24:36.873557: | *received 661 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500)
Aug 26 13:24:36.873903: | start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) Aug 26 13:24:36.873914: | **parse ISAKMP Message: Aug 26 13:24:36.873923: | initiator cookie: Aug 26 13:24:36.873930: | e5 90 57 9b 11 72 98 0f Aug 26 13:24:36.873938: | responder cookie: Aug 26 13:24:36.873945: | dd 36 51 29 02 6c db 8e Aug 26 13:24:36.873954: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Aug 26 13:24:36.873963: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:24:36.873972: | exchange type: ISAKMP_v2_CREATE_CHILD_SA (0x24) Aug 26 13:24:36.873985: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Aug 26 13:24:36.873993: | Message ID: 2 (0x2) Aug 26 13:24:36.874002: | length: 661 (0x295) Aug 26 13:24:36.874011: | processing version=2.0 packet with exchange type=ISAKMP_v2_CREATE_CHILD_SA (36) Aug 26 13:24:36.874027: | I am the IKE SA Original Responder receiving an IKEv2 CREATE_CHILD_SA request Aug 26 13:24:36.874039: | State DB: found IKEv2 state #1 in PARENT_R2 (find_v2_ike_sa) Aug 26 13:24:36.874058: | start processing: state #1 connection "east" from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:2016) Aug 26 13:24:36.874068: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Aug 26 13:24:36.874082: | [RE]START processing: state #1 connection "east" from 192.1.2.45:500 (in ike_process_packet() at ikev2.c:2064) Aug 26 13:24:36.874092: | #1 st.st_msgid_lastrecv 1 md.hdr.isa_msgid 00000002 Aug 26 13:24:36.874105: | Message ID: #1 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1 Aug 26 13:24:36.874113: | unpacking clear payload Aug 26 13:24:36.874121: | Now let's proceed with payload (ISAKMP_NEXT_v2SK) Aug 26 13:24:36.874130: | ***parse IKEv2 Encryption Payload: Aug 26 13:24:36.874139: | next
payload type: ISAKMP_NEXT_v2SA (0x21) Aug 26 13:24:36.874147: | flags: none (0x0) Aug 26 13:24:36.874155: | length: 633 (0x279) Aug 26 13:24:36.874164: | processing payload: ISAKMP_NEXT_v2SK (len=629) Aug 26 13:24:36.874178: | Message ID: start-responder #1 request 2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1 wip.initiator=-1 wip.responder=-1->2 Aug 26 13:24:36.874187: | #1 in state PARENT_R2: received v2I2, PARENT SA established Aug 26 13:24:36.874240: | #1 ikev2 ISAKMP_v2_CREATE_CHILD_SA decrypt success Aug 26 13:24:36.874251: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Aug 26 13:24:36.874259: | **parse IKEv2 Security Association Payload: Aug 26 13:24:36.874268: | next payload type: ISAKMP_NEXT_v2Ni (0x28) Aug 26 13:24:36.874275: | flags: none (0x0) Aug 26 13:24:36.874283: | length: 196 (0xc4) Aug 26 13:24:36.874310: | processing payload: ISAKMP_NEXT_v2SA (len=192) Aug 26 13:24:36.874327: | Now let's proceed with payload (ISAKMP_NEXT_v2Ni) Aug 26 13:24:36.874336: | **parse IKEv2 Nonce Payload: Aug 26 13:24:36.874344: | next payload type: ISAKMP_NEXT_v2KE (0x22) Aug 26 13:24:36.874351: | flags: none (0x0) Aug 26 13:24:36.874359: | length: 36 (0x24) Aug 26 13:24:36.874367: | processing payload: ISAKMP_NEXT_v2Ni (len=32) Aug 26 13:24:36.874375: | Now let's proceed with payload (ISAKMP_NEXT_v2KE) Aug 26 13:24:36.874383: | **parse IKEv2 Key Exchange Payload: Aug 26 13:24:36.874391: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 13:24:36.874399: | flags: none (0x0) Aug 26 13:24:36.874406: | length: 264 (0x108) Aug 26 13:24:36.874415: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:24:36.874423: | processing payload: ISAKMP_NEXT_v2KE (len=256) Aug 26 13:24:36.874430: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Aug 26 13:24:36.874438: | **parse IKEv2 Notify Payload: Aug 26 13:24:36.874446: | next payload type: ISAKMP_NEXT_v2TSi (0x2c) Aug 26 13:24:36.874454: | flags: none (0x0) Aug 26 13:24:36.874461: | length: 12 
(0xc) Aug 26 13:24:36.874469: | Protocol ID: PROTO_v2_ESP (0x3) Aug 26 13:24:36.874477: | SPI size: 4 (0x4) Aug 26 13:24:36.874486: | Notify Message Type: v2N_REKEY_SA (0x4009) Aug 26 13:24:36.874494: | processing payload: ISAKMP_NEXT_v2N (len=4) Aug 26 13:24:36.874501: | Now let's proceed with payload (ISAKMP_NEXT_v2TSi) Aug 26 13:24:36.874510: | **parse IKEv2 Traffic Selector - Initiator - Payload: Aug 26 13:24:36.874518: | next payload type: ISAKMP_NEXT_v2TSr (0x2d) Aug 26 13:24:36.874525: | flags: none (0x0) Aug 26 13:24:36.874533: | length: 48 (0x30) Aug 26 13:24:36.874540: | number of TS: 1 (0x1) Aug 26 13:24:36.874548: | processing payload: ISAKMP_NEXT_v2TSi (len=40) Aug 26 13:24:36.874556: | Now let's proceed with payload (ISAKMP_NEXT_v2TSr) Aug 26 13:24:36.874564: | **parse IKEv2 Traffic Selector - Responder - Payload: Aug 26 13:24:36.874572: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:24:36.874579: | flags: none (0x0) Aug 26 13:24:36.874593: | length: 48 (0x30) Aug 26 13:24:36.874601: | number of TS: 1 (0x1) Aug 26 13:24:36.874609: | processing payload: ISAKMP_NEXT_v2TSr (len=40) Aug 26 13:24:36.874620: | state #1 forced to match CREATE_CHILD_SA from V2_CREATE_R->V2_IPSEC_R by ignoring from state Aug 26 13:24:36.874629: | selected state microcode Respond to CREATE_CHILD_SA IPsec SA Request Aug 26 13:24:36.874646: | #1 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2669) Aug 26 13:24:36.874660: | creating state object #3 at 0x55d13d299ef8 Aug 26 13:24:36.874670: | State DB: adding IKEv2 state #3 in UNDEFINED Aug 26 13:24:36.874702: | pstats #3 ikev2.child started Aug 26 13:24:36.874712: | duplicating state object #1 "east" as #3 for IPSEC SA Aug 26 13:24:36.874730: | #3 setting local endpoint to 192.1.2.23:500 from #1.st_localport (in duplicate_state() at state.c:1484) Aug 26 13:24:36.874763: | Message ID: init_child #1.#3; ike: initiator.sent=-1 initiator.recv=-1 
responder.sent=1 responder.recv=1; child: wip.initiator=0->-1 wip.responder=0->-1 Aug 26 13:24:36.874775: | child state #3: UNDEFINED(ignore) => V2_CREATE_R(established IKE SA) Aug 26 13:24:36.874790: | "east" #1 received Child SA Request CREATE_CHILD_SA from 192.1.2.45:500 Child "east" #3 in STATE_V2_CREATE_R will process it further Aug 26 13:24:36.874804: | Message ID: switch-from #1 request 2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1 wip.initiator=-1 wip.responder=2->-1 Aug 26 13:24:36.874817: | Message ID: switch-to #1.#3 request 2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1; child: wip.initiator=-1 wip.responder=-1->2 Aug 26 13:24:36.874826: | forcing ST #1 to CHILD #1.#3 in FSM processor Aug 26 13:24:36.874834: | Now let's proceed with state specific processing Aug 26 13:24:36.874842: | calling processor Respond to CREATE_CHILD_SA IPsec SA Request Aug 26 13:24:36.874857: | create child proposal's DH changed from no-PFS to MODP2048, flushing Aug 26 13:24:36.874869: | constructing ESP/AH proposals with default DH MODP2048 for east (CREATE_CHILD_SA responder matching remote ESP/AH proposals) Aug 26 13:24:36.874890: | converting proposal AES_GCM_16_256-NONE to ikev2 ... Aug 26 13:24:36.874908: | ... ikev2_proposal: 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;DH=MODP2048;ESN=DISABLED Aug 26 13:24:36.874917: | converting proposal AES_GCM_16_128-NONE to ikev2 ... Aug 26 13:24:36.874930: | ... ikev2_proposal: 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;DH=MODP2048;ESN=DISABLED Aug 26 13:24:36.874940: | converting proposal AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128 to ikev2 ... Aug 26 13:24:36.874953: | ... ikev2_proposal: 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048;ESN=DISABLED Aug 26 13:24:36.874962: | converting proposal AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128 to ikev2 ... Aug 26 13:24:36.874975: | ... 
ikev2_proposal: 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048;ESN=DISABLED Aug 26 13:24:36.874997: "east": constructed local ESP/AH proposals for east (CREATE_CHILD_SA responder matching remote ESP/AH proposals): 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;DH=MODP2048;ESN=DISABLED 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;DH=MODP2048;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048;ESN=DISABLED Aug 26 13:24:36.875008: | Comparing remote proposals against CREATE_CHILD_SA responder matching remote ESP/AH proposals 4 local proposals Aug 26 13:24:36.875019: | local proposal 1 type ENCR has 1 transforms Aug 26 13:24:36.875027: | local proposal 1 type PRF has 0 transforms Aug 26 13:24:36.875036: | local proposal 1 type INTEG has 1 transforms Aug 26 13:24:36.875043: | local proposal 1 type DH has 1 transforms Aug 26 13:24:36.875051: | local proposal 1 type ESN has 1 transforms Aug 26 13:24:36.875061: | local proposal 1 transforms: required: ENCR+DH+ESN; optional: INTEG Aug 26 13:24:36.875074: | local proposal 2 type ENCR has 1 transforms Aug 26 13:24:36.875083: | local proposal 2 type PRF has 0 transforms Aug 26 13:24:36.875091: | local proposal 2 type INTEG has 1 transforms Aug 26 13:24:36.875098: | local proposal 2 type DH has 1 transforms Aug 26 13:24:36.875106: | local proposal 2 type ESN has 1 transforms Aug 26 13:24:36.875115: | local proposal 2 transforms: required: ENCR+DH+ESN; optional: INTEG Aug 26 13:24:36.875123: | local proposal 3 type ENCR has 1 transforms Aug 26 13:24:36.875131: | local proposal 3 type PRF has 0 transforms Aug 26 13:24:36.875139: | local proposal 3 type INTEG has 2 transforms Aug 26 13:24:36.875147: | local proposal 3 type DH has 1 transforms Aug 26 13:24:36.875154: | local proposal 3 type ESN has 1 transforms Aug 26 13:24:36.875164: | local proposal 3 transforms: required: ENCR+INTEG+DH+ESN; 
optional: none Aug 26 13:24:36.875172: | local proposal 4 type ENCR has 1 transforms Aug 26 13:24:36.875179: | local proposal 4 type PRF has 0 transforms Aug 26 13:24:36.875187: | local proposal 4 type INTEG has 2 transforms Aug 26 13:24:36.875195: | local proposal 4 type DH has 1 transforms Aug 26 13:24:36.875203: | local proposal 4 type ESN has 1 transforms Aug 26 13:24:36.875212: | local proposal 4 transforms: required: ENCR+INTEG+DH+ESN; optional: none Aug 26 13:24:36.875222: | ***parse IKEv2 Proposal Substructure Payload: Aug 26 13:24:36.875230: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 13:24:36.875238: | length: 40 (0x28) Aug 26 13:24:36.875246: | prop #: 1 (0x1) Aug 26 13:24:36.875254: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 13:24:36.875262: | spi size: 4 (0x4) Aug 26 13:24:36.875269: | # transforms: 3 (0x3) Aug 26 13:24:36.875280: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Aug 26 13:24:36.875300: | remote SPI 4b 2e 05 d8 Aug 26 13:24:36.875315: | Comparing remote proposal 1 containing 3 transforms against local proposal [1..4] of 4 local proposals Aug 26 13:24:36.875325: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:24:36.875334: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:24:36.875346: | length: 12 (0xc) Aug 26 13:24:36.875355: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:24:36.875363: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 13:24:36.875372: | *****parse IKEv2 Attribute Substructure Payload: Aug 26 13:24:36.875380: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:24:36.875388: | length/value: 256 (0x100) Aug 26 13:24:36.875402: | remote proposal 1 transform 0 (ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) transform 0 Aug 26 13:24:36.875411: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:24:36.875419: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:24:36.875427: | length: 8 (0x8) Aug 26 13:24:36.875435: | IKEv2 transform type: 
TRANS_TYPE_DH (0x4) Aug 26 13:24:36.875443: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:24:36.875454: | remote proposal 1 transform 1 (DH=MODP2048) matches local proposal 1 type 4 (DH) transform 0 Aug 26 13:24:36.875464: | remote proposal 1 transform 1 (DH=MODP2048) matches local proposal 2 type 4 (DH) transform 0 Aug 26 13:24:36.875474: | remote proposal 1 transform 1 (DH=MODP2048) matches local proposal 3 type 4 (DH) transform 0 Aug 26 13:24:36.875483: | remote proposal 1 transform 1 (DH=MODP2048) matches local proposal 4 type 4 (DH) transform 0 Aug 26 13:24:36.875491: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:24:36.875499: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:24:36.875507: | length: 8 (0x8) Aug 26 13:24:36.875515: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 13:24:36.875523: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 13:24:36.875533: | remote proposal 1 transform 2 (ESN=DISABLED) matches local proposal 1 type 5 (ESN) transform 0 Aug 26 13:24:36.875543: | remote proposal 1 transform 2 (ESN=DISABLED) matches local proposal 2 type 5 (ESN) transform 0 Aug 26 13:24:36.875553: | remote proposal 1 transform 2 (ESN=DISABLED) matches local proposal 3 type 5 (ESN) transform 0 Aug 26 13:24:36.875567: | remote proposal 1 transform 2 (ESN=DISABLED) matches local proposal 4 type 5 (ESN) transform 0 Aug 26 13:24:36.875579: | remote proposal 1 proposed transforms: ENCR+DH+ESN; matched: ENCR+DH+ESN; unmatched: none Aug 26 13:24:36.875592: | comparing remote proposal 1 containing ENCR+DH+ESN transforms to local proposal 1; required: ENCR+DH+ESN; optional: INTEG; matched: ENCR+DH+ESN Aug 26 13:24:36.875601: | remote proposal 1 matches local proposal 1 Aug 26 13:24:36.875610: | ***parse IKEv2 Proposal Substructure Payload: Aug 26 13:24:36.875618: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 13:24:36.875625: | length: 40 (0x28) Aug 26 13:24:36.875633: | prop #: 2 (0x2) Aug 26 13:24:36.875641: | proto ID: 
IKEv2_SEC_PROTO_ESP (0x3) Aug 26 13:24:36.875648: | spi size: 4 (0x4) Aug 26 13:24:36.875656: | # transforms: 3 (0x3) Aug 26 13:24:36.875665: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Aug 26 13:24:36.875673: | remote SPI 4b 2e 05 d8 Aug 26 13:24:36.875682: | Comparing remote proposal 2 containing 3 transforms against local proposal [1..0] of 4 local proposals Aug 26 13:24:36.875691: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:24:36.875698: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:24:36.875706: | length: 12 (0xc) Aug 26 13:24:36.875714: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:24:36.875722: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 13:24:36.875730: | *****parse IKEv2 Attribute Substructure Payload: Aug 26 13:24:36.875738: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:24:36.875746: | length/value: 128 (0x80) Aug 26 13:24:36.875755: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:24:36.875763: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:24:36.875770: | length: 8 (0x8) Aug 26 13:24:36.875778: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:24:36.875786: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:24:36.875794: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:24:36.875802: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:24:36.875810: | length: 8 (0x8) Aug 26 13:24:36.875817: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 13:24:36.875825: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 13:24:36.875836: | remote proposal 2 proposed transforms: ENCR+DH+ESN; matched: none; unmatched: ENCR+DH+ESN Aug 26 13:24:36.875845: | remote proposal 2 does not match; unmatched remote transforms: ENCR+DH+ESN Aug 26 13:24:36.875853: | ***parse IKEv2 Proposal Substructure Payload: Aug 26 13:24:36.875861: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 13:24:36.875869: | length: 56 (0x38) Aug 26 13:24:36.875876: | prop #: 3 (0x3) Aug 
26 13:24:36.875884: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 13:24:36.875891: | spi size: 4 (0x4) Aug 26 13:24:36.875899: | # transforms: 5 (0x5) Aug 26 13:24:36.875907: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Aug 26 13:24:36.875915: | remote SPI 4b 2e 05 d8 Aug 26 13:24:36.875924: | Comparing remote proposal 3 containing 5 transforms against local proposal [1..0] of 4 local proposals Aug 26 13:24:36.875932: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:24:36.875940: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:24:36.875947: | length: 12 (0xc) Aug 26 13:24:36.875955: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:24:36.875963: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 13:24:36.875971: | *****parse IKEv2 Attribute Substructure Payload: Aug 26 13:24:36.875979: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:24:36.875986: | length/value: 256 (0x100) Aug 26 13:24:36.875995: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:24:36.876003: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:24:36.876010: | length: 8 (0x8) Aug 26 13:24:36.876018: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:24:36.876032: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Aug 26 13:24:36.876041: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:24:36.876049: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:24:36.876057: | length: 8 (0x8) Aug 26 13:24:36.876065: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:24:36.876072: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Aug 26 13:24:36.876081: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:24:36.876088: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:24:36.876096: | length: 8 (0x8) Aug 26 13:24:36.876104: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:24:36.876112: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:24:36.876120: | ****parse IKEv2 Transform Substructure 
Payload: Aug 26 13:24:36.876128: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:24:36.876135: | length: 8 (0x8) Aug 26 13:24:36.876143: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 13:24:36.876151: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 13:24:36.876162: | remote proposal 3 proposed transforms: ENCR+INTEG+DH+ESN; matched: none; unmatched: ENCR+INTEG+DH+ESN Aug 26 13:24:36.876171: | remote proposal 3 does not match; unmatched remote transforms: ENCR+INTEG+DH+ESN Aug 26 13:24:36.876179: | ***parse IKEv2 Proposal Substructure Payload: Aug 26 13:24:36.876187: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 13:24:36.876195: | length: 56 (0x38) Aug 26 13:24:36.876202: | prop #: 4 (0x4) Aug 26 13:24:36.876210: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 13:24:36.876217: | spi size: 4 (0x4) Aug 26 13:24:36.876225: | # transforms: 5 (0x5) Aug 26 13:24:36.876234: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Aug 26 13:24:36.876241: | remote SPI 4b 2e 05 d8 Aug 26 13:24:36.876250: | Comparing remote proposal 4 containing 5 transforms against local proposal [1..0] of 4 local proposals Aug 26 13:24:36.876258: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:24:36.876266: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:24:36.876273: | length: 12 (0xc) Aug 26 13:24:36.876281: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:24:36.876310: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 13:24:36.876327: | *****parse IKEv2 Attribute Substructure Payload: Aug 26 13:24:36.876336: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:24:36.876347: | length/value: 128 (0x80) Aug 26 13:24:36.876357: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:24:36.876365: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:24:36.876372: | length: 8 (0x8) Aug 26 13:24:36.876380: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:24:36.876388: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Aug 26 
13:24:36.876397: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:24:36.876404: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:24:36.876412: | length: 8 (0x8) Aug 26 13:24:36.876420: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:24:36.876427: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Aug 26 13:24:36.876439: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:24:36.876451: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:24:36.876463: | length: 8 (0x8) Aug 26 13:24:36.876477: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:24:36.876489: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:24:36.876504: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:24:36.876517: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:24:36.876529: | length: 8 (0x8) Aug 26 13:24:36.876542: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 13:24:36.876557: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 13:24:36.876570: | remote proposal 4 proposed transforms: ENCR+INTEG+DH+ESN; matched: none; unmatched: ENCR+INTEG+DH+ESN Aug 26 13:24:36.876579: | remote proposal 4 does not match; unmatched remote transforms: ENCR+INTEG+DH+ESN Aug 26 13:24:36.876603: "east" #1: proposal 1:ESP:SPI=4b2e05d8;ENCR=AES_GCM_C_256;DH=MODP2048;ESN=DISABLED chosen from remote proposals 1:ESP:ENCR=AES_GCM_C_256;DH=MODP2048;ESN=DISABLED[first-match] 2:ESP:ENCR=AES_GCM_C_128;DH=MODP2048;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;ESN=DISABLED Aug 26 13:24:36.876619: | CREATE_CHILD_SA responder matching remote ESP/AH proposals ikev2_proposal: 1:ESP:SPI=4b2e05d8;ENCR=AES_GCM_C_256;DH=MODP2048;ESN=DISABLED Aug 26 13:24:36.876628: | converting proposal to internal trans attrs Aug 26 13:24:36.876642: | updating #3's .st_oakley with preserved PRF, but why update? 
Aug 26 13:24:36.876652: | received v2N_REKEY_SA Aug 26 13:24:36.876663: | child state #3: V2_CREATE_R(established IKE SA) => V2_REKEY_CHILD_R(established IKE SA) Aug 26 13:24:36.876672: | CREATE_CHILD_SA IPsec SA rekey Protocol PROTO_v2_ESP Aug 26 13:24:36.876681: | parsing 4 raw bytes of IKEv2 Notify Payload into SPI Aug 26 13:24:36.876689: | SPI b6 d9 1d 4f Aug 26 13:24:36.876698: | CREATE_CHILD_S to rekey IPsec SA(0xb6d91d4f) Protocol PROTO_v2_ESP Aug 26 13:24:36.876707: | v2 CHILD SA #2 found using their inbound (our outbound) SPI, in STATE_V2_IPSEC_R Aug 26 13:24:36.876717: | State DB: found IKEv2 state #2 in V2_IPSEC_R (find_v2_child_sa_by_outbound_spi) Aug 26 13:24:36.876726: | #3 rekey request for "east" #2 TSi TSr Aug 26 13:24:36.876734: | printing contents struct traffic_selector Aug 26 13:24:36.876742: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Aug 26 13:24:36.876749: | ipprotoid: 0 Aug 26 13:24:36.876757: | port range: 0-65535 Aug 26 13:24:36.876770: | ip range: 192.0.2.0-192.0.2.255 Aug 26 13:24:36.876778: | printing contents struct traffic_selector Aug 26 13:24:36.876785: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Aug 26 13:24:36.876792: | ipprotoid: 0 Aug 26 13:24:36.876799: | port range: 0-65535 Aug 26 13:24:36.876810: | ip range: 192.0.1.0-192.0.1.255 Aug 26 13:24:36.876830: | adding Child Rekey Responder KE and nonce nr work-order 3 for state #3 Aug 26 13:24:36.876841: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55d13d298138 Aug 26 13:24:36.876853: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #3 Aug 26 13:24:36.876863: | libevent_malloc: new ptr-libevent@0x7f51bc000f48 size 128 Aug 26 13:24:36.876898: | #3 spent 2.02 milliseconds in processing: Respond to CREATE_CHILD_SA IPsec SA Request in ikev2_process_state_packet() Aug 26 13:24:36.876916: | suspend processing: state #1 connection "east" from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:24:36.876930: | start processing: state #3 connection "east" from 
192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:24:36.876934: | crypto helper 4 resuming Aug 26 13:24:36.877013: | crypto helper 4 starting work-order 3 for state #3 Aug 26 13:24:36.876943: | #3 complete_v2_state_transition() md.from_state=V2_CREATE_R md.svm.state[from]=V2_CREATE_R V2_REKEY_CHILD_R->V2_IPSEC_R with status STF_SUSPEND Aug 26 13:24:36.877048: | crypto helper 4 doing build KE and nonce (Child Rekey Responder KE and nonce nr); request ID 3 Aug 26 13:24:36.877075: | suspending state #3 and saving MD Aug 26 13:24:36.877111: | #3 is busy; has a suspended MD Aug 26 13:24:36.877127: | [RE]START processing: state #3 connection "east" from 192.1.2.45:500 (in log_stf_suspend() at ikev2.c:3269) Aug 26 13:24:36.877139: | "east" #3 complete v2 state STATE_V2_REKEY_CHILD_R transition with STF_SUSPEND suspended from complete_v2_state_transition:3451 Aug 26 13:24:36.877152: | stop processing: state #3 connection "east" from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:2018) Aug 26 13:24:36.877167: | #1 spent 3.56 milliseconds in ikev2_process_packet() Aug 26 13:24:36.877180: | stop processing: from 192.1.2.45:500 (in process_md() at demux.c:380) Aug 26 13:24:36.877189: | processing: STOP state #0 (in process_md() at demux.c:382) Aug 26 13:24:36.877206: | processing: STOP connection NULL (in process_md() at demux.c:383) Aug 26 13:24:36.877219: | spent 3.62 milliseconds in comm_handle_cb() reading and processing packet Aug 26 13:24:36.880810: | crypto helper 4 finished build KE and nonce (Child Rekey Responder KE and nonce nr); request ID 3 time elapsed 0.003763 seconds Aug 26 13:24:36.880858: | (#3) spent 3.74 milliseconds in crypto helper computing work-order 3: Child Rekey Responder KE and nonce nr (pcr) Aug 26 13:24:36.880871: | crypto helper 4 sending results from work-order 3 for state #3 to event queue Aug 26 13:24:36.880882: | scheduling resume sending helper answer for #3 Aug 26 13:24:36.880893: | libevent_malloc: new 
ptr-libevent@0x7f51c0002888 size 128 Aug 26 13:24:36.880903: | libevent_realloc: release ptr-libevent@0x55d13d26e708 Aug 26 13:24:36.880913: | libevent_realloc: new ptr-libevent@0x7f51c00027d8 size 128 Aug 26 13:24:36.880936: | crypto helper 4 waiting (nothing to do) Aug 26 13:24:36.881006: | processing resume sending helper answer for #3 Aug 26 13:24:36.881050: | start processing: state #3 connection "east" from 192.1.2.45:500 (in resume_handler() at server.c:797) Aug 26 13:24:36.881067: | crypto helper 4 replies to request ID 3 Aug 26 13:24:36.881076: | calling continuation function 0x55d13b61bb50 Aug 26 13:24:36.881086: | ikev2_child_inIoutR_continue for #3 STATE_V2_REKEY_CHILD_R Aug 26 13:24:36.881113: | adding DHv2 for child sa work-order 4 for state #3 Aug 26 13:24:36.881124: | state #3 requesting EVENT_CRYPTO_TIMEOUT to be deleted Aug 26 13:24:36.881134: | libevent_free: release ptr-libevent@0x7f51bc000f48 Aug 26 13:24:36.881144: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55d13d298138 Aug 26 13:24:36.881155: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55d13d298138 Aug 26 13:24:36.881167: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #3 Aug 26 13:24:36.881177: | libevent_malloc: new ptr-libevent@0x7f51bc000f48 size 128 Aug 26 13:24:36.881216: | [RE]START processing: state #3 connection "east" from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:24:36.881231: | crypto helper 5 resuming Aug 26 13:24:36.881241: | #3 complete_v2_state_transition() md.from_state=V2_CREATE_R md.svm.state[from]=V2_CREATE_R V2_REKEY_CHILD_R->V2_IPSEC_R with status STF_SUSPEND Aug 26 13:24:36.881276: | crypto helper 5 starting work-order 4 for state #3 Aug 26 13:24:36.881287: | suspending state #3 and saving MD Aug 26 13:24:36.881363: | #3 is busy; has a suspended MD Aug 26 13:24:36.881338: | crypto helper 5 doing crypto (DHv2 for child sa); request ID 4 Aug 26 13:24:36.881395: | [RE]START processing: state #3 connection 
"east" from 192.1.2.45:500 (in log_stf_suspend() at ikev2.c:3269) Aug 26 13:24:36.881414: | "east" #3 complete v2 state STATE_V2_REKEY_CHILD_R transition with STF_SUSPEND suspended from complete_v2_state_transition:3451 Aug 26 13:24:36.881433: | resume sending helper answer for #3 suppresed complete_v2_state_transition() and stole MD Aug 26 13:24:36.881461: | #3 spent 0.346 milliseconds in resume sending helper answer Aug 26 13:24:36.881487: | stop processing: state #3 connection "east" from 192.1.2.45:500 (in resume_handler() at server.c:833) Aug 26 13:24:36.881505: | libevent_free: release ptr-libevent@0x7f51c0002888 Aug 26 13:24:36.884016: | crypto helper 5 finished crypto (DHv2 for child sa); request ID 4 time elapsed 0.002679 seconds Aug 26 13:24:36.884053: | (#3) spent 2.67 milliseconds in crypto helper computing work-order 4: DHv2 for child sa (dh) Aug 26 13:24:36.884064: | crypto helper 5 sending results from work-order 4 for state #3 to event queue Aug 26 13:24:36.884075: | scheduling resume sending helper answer for #3 Aug 26 13:24:36.884086: | libevent_malloc: new ptr-libevent@0x7f51b4001f78 size 128 Aug 26 13:24:36.884112: | crypto helper 5 waiting (nothing to do) Aug 26 13:24:36.884136: | processing resume sending helper answer for #3 Aug 26 13:24:36.884161: | start processing: state #3 connection "east" from 192.1.2.45:500 (in resume_handler() at server.c:797) Aug 26 13:24:36.884190: | crypto helper 5 replies to request ID 4 Aug 26 13:24:36.884200: | calling continuation function 0x55d13b61c9d0 Aug 26 13:24:36.884211: | ikev2_child_inIoutR_continue_continue for #3 STATE_V2_REKEY_CHILD_R Aug 26 13:24:36.884312: | **emit ISAKMP Message: Aug 26 13:24:36.884327: | initiator cookie: Aug 26 13:24:36.884336: | e5 90 57 9b 11 72 98 0f Aug 26 13:24:36.884351: | responder cookie: Aug 26 13:24:36.884358: | dd 36 51 29 02 6c db 8e Aug 26 13:24:36.884367: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 13:24:36.884376: | ISAKMP version: IKEv2 version 2.0 
(rfc4306/rfc5996) (0x20) Aug 26 13:24:36.884385: | exchange type: ISAKMP_v2_CREATE_CHILD_SA (0x24) Aug 26 13:24:36.884394: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Aug 26 13:24:36.884402: | Message ID: 2 (0x2) Aug 26 13:24:36.884411: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 13:24:36.884422: | ***emit IKEv2 Encryption Payload: Aug 26 13:24:36.884430: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:24:36.884438: | flags: none (0x0) Aug 26 13:24:36.884448: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Aug 26 13:24:36.884458: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'reply packet' Aug 26 13:24:36.884469: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Aug 26 13:24:36.884498: | #3 inherit spd, TSi TSr, from "east" #2 Aug 26 13:24:36.884507: | printing contents struct traffic_selector Aug 26 13:24:36.884515: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Aug 26 13:24:36.884522: | ipprotoid: 0 Aug 26 13:24:36.884530: | port range: 0-65535 Aug 26 13:24:36.884543: | ip range: 192.0.2.0-192.0.2.255 Aug 26 13:24:36.884550: | printing contents struct traffic_selector Aug 26 13:24:36.884557: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Aug 26 13:24:36.884564: | ipprotoid: 0 Aug 26 13:24:36.884572: | port range: 0-65535 Aug 26 13:24:36.884583: | ip range: 192.0.1.0-192.0.1.255 Aug 26 13:24:36.884631: | netlink_get_spi: allocated 0xaa498d43 for esp.0@192.1.2.23 Aug 26 13:24:36.884642: | Emitting ikev2_proposal ... 
Aug 26 13:24:36.884651: | ****emit IKEv2 Security Association Payload: Aug 26 13:24:36.884659: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:24:36.884667: | flags: none (0x0) Aug 26 13:24:36.884678: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Aug 26 13:24:36.884687: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Aug 26 13:24:36.884697: | *****emit IKEv2 Proposal Substructure Payload: Aug 26 13:24:36.884705: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 13:24:36.884713: | prop #: 1 (0x1) Aug 26 13:24:36.884721: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 13:24:36.884729: | spi size: 4 (0x4) Aug 26 13:24:36.884737: | # transforms: 3 (0x3) Aug 26 13:24:36.884746: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Aug 26 13:24:36.884757: | emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload Aug 26 13:24:36.884765: | our spi aa 49 8d 43 Aug 26 13:24:36.884774: | ******emit IKEv2 Transform Substructure Payload: Aug 26 13:24:36.884782: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:24:36.884791: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:24:36.884799: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 13:24:36.884809: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:24:36.884818: | *******emit IKEv2 Attribute Substructure Payload: Aug 26 13:24:36.884827: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:24:36.884835: | length/value: 256 (0x100) Aug 26 13:24:36.884845: | emitting length of IKEv2 Transform Substructure Payload: 12 Aug 26 13:24:36.884860: | ******emit IKEv2 Transform Substructure Payload: Aug 26 13:24:36.884869: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 
13:24:36.884877: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:24:36.884885: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:24:36.884896: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:24:36.884905: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:24:36.884914: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:24:36.884922: | ******emit IKEv2 Transform Substructure Payload: Aug 26 13:24:36.884930: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:24:36.884938: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 13:24:36.884946: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 13:24:36.884955: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:24:36.884964: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:24:36.884972: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:24:36.884981: | emitting length of IKEv2 Proposal Substructure Payload: 40 Aug 26 13:24:36.884990: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Aug 26 13:24:36.884998: | emitting length of IKEv2 Security Association Payload: 44 Aug 26 13:24:36.885007: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Aug 26 13:24:36.885015: | ****emit IKEv2 Nonce Payload: Aug 26 13:24:36.885024: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:24:36.885031: | flags: none (0x0) Aug 26 13:24:36.885042: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next 
payload type' to current IKEv2 Nonce Payload (40:ISAKMP_NEXT_v2Ni) Aug 26 13:24:36.885051: | next payload chain: saving location 'IKEv2 Nonce Payload'.'next payload type' in 'reply packet' Aug 26 13:24:36.885061: | emitting 32 raw bytes of IKEv2 nonce into IKEv2 Nonce Payload Aug 26 13:24:36.885069: | IKEv2 nonce 8d 9b 59 57 86 d4 2c 09 ec d5 09 fc be a0 8e 1b Aug 26 13:24:36.885077: | IKEv2 nonce c1 d0 70 f7 55 28 e3 b8 ad 83 54 d8 23 f0 52 ff Aug 26 13:24:36.885086: | emitting length of IKEv2 Nonce Payload: 36 Aug 26 13:24:36.885094: | ****emit IKEv2 Key Exchange Payload: Aug 26 13:24:36.885102: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:24:36.885110: | flags: none (0x0) Aug 26 13:24:36.885118: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:24:36.885127: | next payload chain: setting previous 'IKEv2 Nonce Payload'.'next payload type' to current IKEv2 Key Exchange Payload (34:ISAKMP_NEXT_v2KE) Aug 26 13:24:36.885136: | next payload chain: saving location 'IKEv2 Key Exchange Payload'.'next payload type' in 'reply packet' Aug 26 13:24:36.885146: | emitting 256 raw bytes of ikev2 g^x into IKEv2 Key Exchange Payload Aug 26
13:24:36.885279: | emitting length of IKEv2 Key Exchange Payload: 264 Aug 26 13:24:36.885287: | received REKEY_SA already proceesd Aug 26 13:24:36.885319: | ****emit IKEv2 Traffic Selector - Initiator - Payload: Aug 26 13:24:36.885328: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:24:36.885335: | flags: none (0x0) Aug 26 13:24:36.885343: | number of TS: 1 (0x1) Aug 26 13:24:36.885354: | next payload chain: setting previous 'IKEv2 Key Exchange Payload'.'next payload type' to current IKEv2 Traffic Selector - Initiator - Payload (44:ISAKMP_NEXT_v2TSi) Aug 26 13:24:36.885363: | next payload chain: saving location 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' in 'reply packet' Aug 26 13:24:36.885372: | *****emit IKEv2 Traffic Selector: Aug 26 13:24:36.885380: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 13:24:36.885388: | IP Protocol ID: 0 (0x0) Aug 26 13:24:36.885396: | start port: 0 (0x0) Aug 26 13:24:36.885404: | end port: 65535 (0xffff) Aug 26 13:24:36.885414: | emitting 4 raw bytes of ipv4 start into IKEv2 Traffic Selector Aug 26 13:24:36.885422: | ipv4 start c0 00 01 00 Aug 26 13:24:36.885430: | emitting 4 raw bytes of ipv4 end into IKEv2 Traffic Selector Aug 26 13:24:36.885438: | ipv4 end c0 00 01 ff Aug 26 13:24:36.885446: | emitting length of IKEv2 Traffic Selector: 16 Aug 26 13:24:36.885454: | emitting length of IKEv2 Traffic Selector - Initiator - Payload: 24 Aug 26 13:24:36.885462: | ****emit IKEv2 Traffic Selector - Responder -
Payload: Aug 26 13:24:36.885470: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:24:36.885477: | flags: none (0x0) Aug 26 13:24:36.885485: | number of TS: 1 (0x1) Aug 26 13:24:36.885495: | next payload chain: setting previous 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' to current IKEv2 Traffic Selector - Responder - Payload (45:ISAKMP_NEXT_v2TSr) Aug 26 13:24:36.885504: | next payload chain: saving location 'IKEv2 Traffic Selector - Responder - Payload'.'next payload type' in 'reply packet' Aug 26 13:24:36.885512: | *****emit IKEv2 Traffic Selector: Aug 26 13:24:36.885520: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 13:24:36.885527: | IP Protocol ID: 0 (0x0) Aug 26 13:24:36.885535: | start port: 0 (0x0) Aug 26 13:24:36.885543: | end port: 65535 (0xffff) Aug 26 13:24:36.885552: | emitting 4 raw bytes of ipv4 start into IKEv2 Traffic Selector Aug 26 13:24:36.885559: | ipv4 start c0 00 02 00 Aug 26 13:24:36.885567: | emitting 4 raw bytes of ipv4 end into IKEv2 Traffic Selector Aug 26 13:24:36.885575: | ipv4 end c0 00 02 ff Aug 26 13:24:36.885582: | emitting length of IKEv2 Traffic Selector: 16 Aug 26 13:24:36.885590: | emitting length of IKEv2 Traffic Selector - Responder - Payload: 24 Aug 26 13:24:36.885600: | Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED Aug 26 13:24:36.885611: | integ=none: .key_size=0 encrypt=aes_gcm_16: .key_size=32 .salt_size=4 keymat_len=36 Aug 26 13:24:36.886162: | install_ipsec_sa() for #3: inbound and outbound Aug 26 13:24:36.886180: | could_route called for east (kind=CK_PERMANENT) Aug 26 13:24:36.886189: | FOR_EACH_CONNECTION_... 
in route_owner Aug 26 13:24:36.886199: | conn east mark 0/00000000, 0/00000000 vs Aug 26 13:24:36.886208: | conn east mark 0/00000000, 0/00000000 Aug 26 13:24:36.886219: | route owner of "east" erouted: self; eroute owner: self Aug 26 13:24:36.886238: | looking for alg with encrypt: AES_GCM_16 keylen: 256 integ: NONE Aug 26 13:24:36.886250: | encrypt AES_GCM_16 keylen=256 transid=20, key_size=32, encryptalg=20 Aug 26 13:24:36.886259: | AES_GCM_16 requires 4 salt bytes Aug 26 13:24:36.886268: | st->st_esp.keymat_len=36 is encrypt_keymat_size=36 + integ_keymat_size=0 Aug 26 13:24:36.886281: | setting IPsec SA replay-window to 32 Aug 26 13:24:36.886321: | NIC esp-hw-offload not for connection 'east' not available on interface eth1 Aug 26 13:24:36.886342: | netlink: enabling tunnel mode Aug 26 13:24:36.886351: | netlink: setting IPsec SA replay-window to 32 using old-style req Aug 26 13:24:36.886360: | netlink: esp-hw-offload not set for IPsec SA Aug 26 13:24:36.886530: | netlink response for Add SA esp.4b2e05d8@192.1.2.45 included non-error error Aug 26 13:24:36.886544: | set up outgoing SA, ref=0/0 Aug 26 13:24:36.886554: | looking for alg with encrypt: AES_GCM_16 keylen: 256 integ: NONE Aug 26 13:24:36.886564: | encrypt AES_GCM_16 keylen=256 transid=20, key_size=32, encryptalg=20 Aug 26 13:24:36.886572: | AES_GCM_16 requires 4 salt bytes Aug 26 13:24:36.886581: | st->st_esp.keymat_len=36 is encrypt_keymat_size=36 + integ_keymat_size=0 Aug 26 13:24:36.886592: | setting IPsec SA replay-window to 32 Aug 26 13:24:36.886601: | NIC esp-hw-offload not for connection 'east' not available on interface eth1 Aug 26 13:24:36.886609: | netlink: enabling tunnel mode Aug 26 13:24:36.886617: | netlink: setting IPsec SA replay-window to 32 using old-style req Aug 26 13:24:36.886625: | netlink: esp-hw-offload not set for IPsec SA Aug 26 13:24:36.886746: | netlink response for Add SA esp.aa498d43@192.1.2.23 included non-error error Aug 26 13:24:36.886761: | set up incoming SA, ref=0/0 
Aug 26 13:24:36.886769: | sr for #3: erouted Aug 26 13:24:36.886779: | route_and_eroute() for proto 0, and source port 0 dest port 0 Aug 26 13:24:36.886787: | FOR_EACH_CONNECTION_... in route_owner Aug 26 13:24:36.886796: | conn east mark 0/00000000, 0/00000000 vs Aug 26 13:24:36.886805: | conn east mark 0/00000000, 0/00000000 Aug 26 13:24:36.886816: | route owner of "east" erouted: self; eroute owner: self Aug 26 13:24:36.886827: | route_and_eroute with c: east (next: none) ero:east esr:{(nil)} ro:east rosr:{(nil)} and state: #3 Aug 26 13:24:36.886836: | priority calculation of connection "east" is 0xfe7e7 Aug 26 13:24:36.886861: | eroute_connection replace eroute 192.0.2.0/24:0 --0-> 192.0.1.0/24:0 => tun.0@192.1.2.45>tun.0@192.1.2.45 (raw_eroute) Aug 26 13:24:36.886871: | IPsec Sa SPD priority set to 1042407 Aug 26 13:24:36.886919: | raw_eroute result=success Aug 26 13:24:36.886930: | route_and_eroute: firewall_notified: true Aug 26 13:24:36.886942: | route_and_eroute: instance "east", setting eroute_owner {spd=0x55d13d28c9d8,sr=0x55d13d28c9d8} to #3 (was #2) (newest_ipsec_sa=#2) Aug 26 13:24:36.887146: | #1 spent 0.911 milliseconds in install_ipsec_sa() Aug 26 13:24:36.887165: | ISAKMP_v2_CREATE_CHILD_SA: instance east[0], setting IKEv2 newest_ipsec_sa to #3 (was #2) (spd.eroute=#3) cloned from #1 Aug 26 13:24:36.887175: | adding 1 bytes of padding (including 1 byte padding-length) Aug 26 13:24:36.887186: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:24:36.887196: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Aug 26 13:24:36.887205: | emitting length of IKEv2 Encryption Payload: 421 Aug 26 13:24:36.887213: | emitting length of ISAKMP Message: 449 Aug 26 13:24:36.887260: "east" #3: negotiated new IPsec SA [192.0.2.0-192.0.2.255:0-65535 0] -> [192.0.1.0-192.0.1.255:0-65535 0] Aug 26 13:24:36.887281: | [RE]START processing: state #3 connection "east" from 192.1.2.45:500 (in 
complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:24:36.887318: | #3 complete_v2_state_transition() md.from_state=V2_CREATE_R md.svm.state[from]=V2_CREATE_R V2_REKEY_CHILD_R->V2_IPSEC_R with status STF_OK Aug 26 13:24:36.887340: | IKEv2: transition from state STATE_V2_CREATE_R to state STATE_V2_IPSEC_R Aug 26 13:24:36.887360: | child state #3: V2_REKEY_CHILD_R(established IKE SA) => V2_IPSEC_R(established CHILD SA) Aug 26 13:24:36.887370: | Message ID: updating counters for #3 to 2 after switching state Aug 26 13:24:36.887387: | Message ID: recv #1.#3 request 2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1->2; child: wip.initiator=-1 wip.responder=2->-1 Aug 26 13:24:36.887402: | Message ID: sent #1.#3 response 2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=1->2 responder.recv=2; child: wip.initiator=-1 wip.responder=-1 Aug 26 13:24:36.887411: | pstats #3 ikev2.child established Aug 26 13:24:36.887431: "east" #3: negotiated connection [192.0.2.0-192.0.2.255:0-65535 0] -> [192.0.1.0-192.0.1.255:0-65535 0] Aug 26 13:24:36.887442: | NAT-T: encaps is 'auto' Aug 26 13:24:36.887456: "east" #3: STATE_V2_IPSEC_R: IPsec SA established tunnel mode {ESP=>0x4b2e05d8 <0xaa498d43 xfrm=AES_GCM_16_256-NONE-MODP2048 NATOA=none NATD=none DPD=passive} Aug 26 13:24:36.887472: | sending V2 new request packet to 192.1.2.45:500 (from 192.1.2.23:500) Aug 26 13:24:36.887488: | sending 449 bytes for STATE_V2_CREATE_R through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #1) Aug 26
13:24:36.887789: | releasing whack for #3 (sock=fd@-1) Aug 26 13:24:36.887802: | releasing whack and unpending for parent #1 Aug 26 13:24:36.887812: | unpending state #1 connection "east" Aug 26 13:24:36.887826: | #3 will start re-keying in 28798 seconds with margin of 2 seconds (attempting re-key) Aug 26 13:24:36.887835: | state #3 requesting
EVENT_CRYPTO_TIMEOUT to be deleted Aug 26 13:24:36.887846: | libevent_free: release ptr-libevent@0x7f51bc000f48 Aug 26 13:24:36.887857: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55d13d298138 Aug 26 13:24:36.887867: | event_schedule: new EVENT_SA_REKEY-pe@0x55d13d298138 Aug 26 13:24:36.887886: | inserting event EVENT_SA_REKEY, timeout in 28798 seconds for #3 Aug 26 13:24:36.887896: | libevent_malloc: new ptr-libevent@0x7f51c0002888 size 128 Aug 26 13:24:36.887915: | #3 spent 3.58 milliseconds in resume sending helper answer Aug 26 13:24:36.887931: | stop processing: state #3 connection "east" from 192.1.2.45:500 (in resume_handler() at server.c:833) Aug 26 13:24:36.887941: | libevent_free: release ptr-libevent@0x7f51b4001f78 Aug 26 13:24:37.901941: | spent 0.0111 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Aug 26 13:24:37.902020: | *received 69 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500) Aug 26 13:24:37.902033: | e5 90 57 9b 11 72 98 0f dd 36 51 29 02 6c db 8e Aug 26 13:24:37.902042: | 2e 20 25 08 00 00 00 03 00 00 00 45 2a 00 00 29 Aug 26 13:24:37.902049: | e9 c2 17 2a a4 8f 6a f4 bb 59 f5 84 1f 13 71 02 Aug 26 13:24:37.902057: | f0 71 41 49 6c 04 6d 47 32 57 82 51 e0 7d 16 1d Aug 26 13:24:37.902064: | 3e 55 eb 39 b5 Aug 26 13:24:37.902079: | start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) Aug 26 13:24:37.902091: | **parse ISAKMP Message: Aug 26 13:24:37.902100: | initiator cookie: Aug 26 13:24:37.902107: | e5 90 57 9b 11 72 98 0f Aug 26 13:24:37.902115: | responder cookie: Aug 26 13:24:37.902122: | dd 36 51 29 02 6c db 8e Aug 26 13:24:37.902131: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Aug 26 13:24:37.902140: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:24:37.902149: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Aug 26 13:24:37.902157: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Aug 26 13:24:37.902166: | Message ID: 3 (0x3) Aug 26 13:24:37.902174: | length: 69 (0x45) 
Aug 26 13:24:37.902183: | processing version=2.0 packet with exchange type=ISAKMP_v2_INFORMATIONAL (37) Aug 26 13:24:37.902194: | I am the IKE SA Original Responder receiving an IKEv2 INFORMATIONAL request Aug 26 13:24:37.902206: | State DB: found IKEv2 state #1 in PARENT_R2 (find_v2_ike_sa) Aug 26 13:24:37.902226: | start processing: state #1 connection "east" from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:2016) Aug 26 13:24:37.902236: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Aug 26 13:24:37.902250: | [RE]START processing: state #1 connection "east" from 192.1.2.45:500 (in ike_process_packet() at ikev2.c:2064) Aug 26 13:24:37.902260: | #1 st.st_msgid_lastrecv 2 md.hdr.isa_msgid 00000003 Aug 26 13:24:37.902274: | Message ID: #1 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=2 responder.recv=2 Aug 26 13:24:37.902282: | unpacking clear payload Aug 26 13:24:37.902306: | Now let's proceed with payload (ISAKMP_NEXT_v2SK) Aug 26 13:24:37.902322: | ***parse IKEv2 Encryption Payload: Aug 26 13:24:37.902331: | next payload type: ISAKMP_NEXT_v2D (0x2a) Aug 26 13:24:37.902339: | flags: none (0x0) Aug 26 13:24:37.902346: | length: 41 (0x29) Aug 26 13:24:37.902355: | processing payload: ISAKMP_NEXT_v2SK (len=37) Aug 26 13:24:37.902370: | Message ID: start-responder #1 request 3; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=2 responder.recv=2 wip.initiator=-1 wip.responder=-1->3 Aug 26 13:24:37.902379: | #1 in state PARENT_R2: received v2I2, PARENT SA established Aug 26 13:24:37.902421: | #1 ikev2 ISAKMP_v2_INFORMATIONAL decrypt success Aug 26 13:24:37.902432: | Now let's proceed with payload (ISAKMP_NEXT_v2D) Aug 26 13:24:37.902441: | **parse IKEv2 Delete Payload: Aug 26 13:24:37.902450: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:24:37.902458: | flags: none (0x0) Aug 26 13:24:37.902465: | length: 12 (0xc) Aug 26 13:24:37.902473: | protocol ID: PROTO_v2_ESP (0x3) Aug 26 
13:24:37.902481: | SPI size: 4 (0x4) Aug 26 13:24:37.902489: | number of SPIs: 1 (0x1) Aug 26 13:24:37.902497: | processing payload: ISAKMP_NEXT_v2D (len=4) Aug 26 13:24:37.902506: | selected state microcode R2: process INFORMATIONAL Request Aug 26 13:24:37.902514: | Now let's proceed with state specific processing Aug 26 13:24:37.902532: | calling processor R2: process INFORMATIONAL Request Aug 26 13:24:37.902545: | an informational request should send a response Aug 26 13:24:37.902562: | Received an INFORMATIONAL response, updating st_last_liveness, no pending_liveness Aug 26 13:24:37.902574: | **emit ISAKMP Message: Aug 26 13:24:37.902583: | initiator cookie: Aug 26 13:24:37.902591: | e5 90 57 9b 11 72 98 0f Aug 26 13:24:37.902598: | responder cookie: Aug 26 13:24:37.902605: | dd 36 51 29 02 6c db 8e Aug 26 13:24:37.902614: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 13:24:37.902622: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:24:37.902631: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Aug 26 13:24:37.902639: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Aug 26 13:24:37.902646: | Message ID: 3 (0x3) Aug 26 13:24:37.902656: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 13:24:37.902666: | ***emit IKEv2 Encryption Payload: Aug 26 13:24:37.902674: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:24:37.902682: | flags: none (0x0) Aug 26 13:24:37.902708: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Aug 26 13:24:37.902718: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'information exchange reply packet' Aug 26 13:24:37.902729: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Aug 26 13:24:37.902748: | parsing 4 raw bytes of IKEv2 Delete Payload into SPI Aug 26 13:24:37.902756: | SPI b6 d9 1d 4f Aug 26 13:24:37.902765: | delete PROTO_v2_ESP 
SA(0xb6d91d4f) Aug 26 13:24:37.902775: | v2 CHILD SA #2 found using their inbound (our outbound) SPI, in STATE_V2_IPSEC_R Aug 26 13:24:37.902784: | State DB: found IKEv2 state #2 in V2_IPSEC_R (find_v2_child_sa_by_outbound_spi) Aug 26 13:24:37.902793: | our side SPI that needs to be deleted: PROTO_v2_ESP SA(0xb6d91d4f) Aug 26 13:24:37.902803: "east" #1: received Delete SA payload: delete IPsec State #2 now Aug 26 13:24:37.902813: | pstats #2 ikev2.child deleted completed Aug 26 13:24:37.902829: | suspend processing: state #1 connection "east" from 192.1.2.45:500 (in delete_state() at state.c:879) Aug 26 13:24:37.902842: | start processing: state #2 connection "east" from 192.1.2.45:500 (in delete_state() at state.c:879) Aug 26 13:24:37.902854: "east" #2: deleting other state #2 (STATE_V2_IPSEC_R) aged 46.068s and NOT sending notification Aug 26 13:24:37.902863: | child state #2: V2_IPSEC_R(established CHILD SA) => delete Aug 26 13:24:37.902877: | get_sa_info esp.b6d91d4f@192.1.2.45 Aug 26 13:24:37.902919: | get_sa_info esp.6062022f@192.1.2.23 Aug 26 13:24:37.902945: "east" #2: ESP traffic information: in=336B out=336B Aug 26 13:24:37.902957: | child state #2: V2_IPSEC_R(established CHILD SA) => CHILDSA_DEL(informational) Aug 26 13:24:37.902967: | state #2 requesting EVENT_SA_REKEY to be deleted Aug 26 13:24:37.902979: | libevent_free: release ptr-libevent@0x55d13d294638 Aug 26 13:24:37.902989: | free_event_entry: release EVENT_SA_REKEY-pe@0x7f51c4002b78 Aug 26 13:24:37.903129: | delete esp.b6d91d4f@192.1.2.45 Aug 26 13:24:37.903184: | netlink response for Del SA esp.b6d91d4f@192.1.2.45 included non-error error Aug 26 13:24:37.903198: | delete esp.6062022f@192.1.2.23 Aug 26 13:24:37.903232: | netlink response for Del SA esp.6062022f@192.1.2.23 included non-error error Aug 26 13:24:37.903245: | in connection_discard for connection east Aug 26 13:24:37.903254: | State DB: deleting IKEv2 state #2 in CHILDSA_DEL Aug 26 13:24:37.903265: | child state #2: 
CHILDSA_DEL(informational) => UNDEFINED(ignore) Aug 26 13:24:37.903281: | stop processing: state #2 from 192.1.2.45:500 (in delete_state() at state.c:1143) Aug 26 13:24:37.903308: | resume processing: state #1 connection "east" from 192.1.2.45:500 (in delete_state() at state.c:1143) Aug 26 13:24:37.903330: | ****emit IKEv2 Delete Payload: Aug 26 13:24:37.903340: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:24:37.903355: | flags: none (0x0) Aug 26 13:24:37.903364: | protocol ID: PROTO_v2_ESP (0x3) Aug 26 13:24:37.903372: | SPI size: 4 (0x4) Aug 26 13:24:37.903380: | number of SPIs: 1 (0x1) Aug 26 13:24:37.903390: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) Aug 26 13:24:37.903400: | next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'information exchange reply packet' Aug 26 13:24:37.903411: | emitting 4 raw bytes of local SPIs into IKEv2 Delete Payload Aug 26 13:24:37.903419: | local SPIs 60 62 02 2f Aug 26 13:24:37.903428: | emitting length of IKEv2 Delete Payload: 12 Aug 26 13:24:37.903437: | adding 1 bytes of padding (including 1 byte padding-length) Aug 26 13:24:37.903447: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:24:37.903457: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Aug 26 13:24:37.903466: | emitting length of IKEv2 Encryption Payload: 41 Aug 26 13:24:37.903473: | emitting length of ISAKMP Message: 69 Aug 26 13:24:37.903515: | sending 69 bytes for reply packet for process_encrypted_informational_ikev2 through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #1) Aug 26 13:24:37.903525: | e5 90 57 9b 11 72 98 0f dd 36 51 29 02 6c db 8e Aug 26 13:24:37.903533: | 2e 20 25 20 00 00 00 03 00 00 00 45 2a 00 00 29 Aug 26 13:24:37.903540: | 0e 05 5a 36 e8 19 04 31 40 90 42 e7 37 0b 16 eb Aug 26 13:24:37.903548: | b6 6d 7d 19 33 37 25 48 
f8 50 cf 07 21 98 ff cc Aug 26 13:24:37.903555: | 52 7a e1 c2 a1 Aug 26 13:24:37.903640: | Message ID: #1 XXX: in process_encrypted_informational_ikev2() hacking around record'n'send bypassing send queue hacking around delete_my_family(); initiator.sent=-1 initiator.recv=-1 responder.sent=2 responder.recv=2 wip.initiator=-1 wip.responder=3 Aug 26 13:24:37.903660: | Message ID: sent #1 response 3; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=2->3 responder.recv=2 wip.initiator=-1 wip.responder=3 Aug 26 13:24:37.903679: | #1 spent 1.07 milliseconds in processing: R2: process INFORMATIONAL Request in ikev2_process_state_packet() Aug 26 13:24:37.903695: | [RE]START processing: state #1 connection "east" from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:24:37.903707: | #1 complete_v2_state_transition() PARENT_R2->PARENT_R2 with status STF_OK Aug 26 13:24:37.903716: | Message ID: updating counters for #1 to 3 after switching state Aug 26 13:24:37.903730: | Message ID: recv #1 request 3; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=3 responder.recv=2->3 wip.initiator=-1 wip.responder=3->-1 Aug 26 13:24:37.903744: | Message ID: #1 skipping update_send as nothing to send; initiator.sent=-1 initiator.recv=-1 responder.sent=3 responder.recv=3 wip.initiator=-1 wip.responder=-1 Aug 26 13:24:37.903754: "east" #1: STATE_PARENT_R2: received v2I2, PARENT SA established Aug 26 13:24:37.903768: | stop processing: state #1 connection "east" from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:2018) Aug 26 13:24:37.903782: | #1 spent 1.72 milliseconds in ikev2_process_packet() Aug 26 13:24:37.903795: | stop processing: from 192.1.2.45:500 (in process_md() at demux.c:380) Aug 26 13:24:37.903806: | processing: STOP state #0 (in process_md() at demux.c:382) Aug 26 13:24:37.903815: | processing: STOP connection NULL (in process_md() at demux.c:383) Aug 26 13:24:37.903828: | spent 1.77 milliseconds in comm_handle_cb() reading and 
processing packet