Aug 26 13:30:41.647754: FIPS Product: YES
Aug 26 13:30:41.647795: FIPS Kernel: NO
Aug 26 13:30:41.647799: FIPS Mode: NO
Aug 26 13:30:41.647802: NSS DB directory: sql:/etc/ipsec.d
Aug 26 13:30:41.647959: Initializing NSS
Aug 26 13:30:41.647967: Opening NSS database "sql:/etc/ipsec.d" read-only
Aug 26 13:30:41.681565: NSS initialized
Aug 26 13:30:41.681587: NSS crypto library initialized
Aug 26 13:30:41.681590: FIPS HMAC integrity support [enabled]
Aug 26 13:30:41.681592: FIPS mode disabled for pluto daemon
Aug 26 13:30:41.713036: FIPS HMAC integrity verification self-test FAILED
Aug 26 13:30:41.713143: libcap-ng support [enabled]
Aug 26 13:30:41.713151: Linux audit support [enabled]
Aug 26 13:30:41.713176: Linux audit activated
Aug 26 13:30:41.713183: Starting Pluto (Libreswan Version v3.28-685-gbfd5aef521-master-s2 XFRM(netkey) esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) DNSSEC FIPS_CHECK LABELED_IPSEC SECCOMP LIBCAP_NG LINUX_AUDIT XAUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:8765
Aug 26 13:30:41.713187: core dump dir: /tmp
Aug 26 13:30:41.713189: secrets file: /etc/ipsec.secrets
Aug 26 13:30:41.713191: leak-detective enabled
Aug 26 13:30:41.713194: NSS crypto [enabled]
Aug 26 13:30:41.713196: XAUTH PAM support [enabled]
Aug 26 13:30:41.713267: | libevent is using pluto's memory allocator
Aug 26 13:30:41.713273: Initializing libevent in pthreads mode: headers: 2.1.8-stable (2010800); library: 2.1.8-stable (2010800)
Aug 26 13:30:41.713301: | libevent_malloc: new ptr-libevent@0x55cd2d9d3178 size 40
Aug 26 13:30:41.713311: | libevent_malloc: new ptr-libevent@0x55cd2d9d7cd8 size 40
Aug 26 13:30:41.713314: | libevent_malloc: new ptr-libevent@0x55cd2d9d7dd8 size 40
Aug 26 13:30:41.713317: | creating event base
Aug 26 13:30:41.713320: | libevent_malloc: new ptr-libevent@0x55cd2da5aa28 size 56
Aug 26 13:30:41.713326: | libevent_malloc: new ptr-libevent@0x55cd2da06e48 size 664
Aug 26 13:30:41.713336: | libevent_malloc: new ptr-libevent@0x55cd2da5aa98 size 24
Aug 26 13:30:41.713339: | libevent_malloc: new ptr-libevent@0x55cd2da5aae8 size 384
Aug 26 13:30:41.713350: | libevent_malloc: new ptr-libevent@0x55cd2da5a9e8 size 16
Aug 26 13:30:41.713353: | libevent_malloc: new ptr-libevent@0x55cd2d9d7908 size 40
Aug 26 13:30:41.713356: | libevent_malloc: new ptr-libevent@0x55cd2d9d7d38 size 48
Aug 26 13:30:41.713361: | libevent_realloc: new ptr-libevent@0x55cd2da07948 size 256
Aug 26 13:30:41.713364: | libevent_malloc: new ptr-libevent@0x55cd2da5ac98 size 16
Aug 26 13:30:41.713370: | libevent_free: release ptr-libevent@0x55cd2da5aa28
Aug 26 13:30:41.713373: | libevent initialized
Aug 26 13:30:41.713377: | libevent_realloc: new ptr-libevent@0x55cd2da5aa28 size 64
Aug 26 13:30:41.713383: | global periodic timer EVENT_RESET_LOG_RATE_LIMIT enabled with interval of 3600 seconds
Aug 26 13:30:41.713397: | init_nat_traversal() initialized with keep_alive=0s
Aug 26 13:30:41.713399: NAT-Traversal support [enabled]
Aug 26 13:30:41.713402: | global one-shot timer EVENT_NAT_T_KEEPALIVE initialized
Aug 26 13:30:41.713409: | global one-shot timer EVENT_FREE_ROOT_CERTS initialized
Aug 26 13:30:41.713412: | global periodic timer EVENT_REINIT_SECRET enabled with interval of 3600 seconds
Aug 26 13:30:41.713447: | global one-shot timer EVENT_REVIVE_CONNS initialized
Aug 26 13:30:41.713450: | global periodic timer EVENT_PENDING_DDNS enabled with interval of 60 seconds
Aug 26 13:30:41.713454: | global periodic timer EVENT_PENDING_PHASE2 enabled with interval of 120 seconds
Aug 26 13:30:41.713503: Encryption algorithms:
Aug 26 13:30:41.713510: AES_CCM_16 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm, aes_ccm_c
Aug 26 13:30:41.713514: AES_CCM_12 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_b
Aug 26 13:30:41.713518: AES_CCM_8 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_a
Aug 26 13:30:41.713522: 3DES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS [*192] 3des
Aug 26 13:30:41.713526: CAMELLIA_CTR IKEv1: ESP IKEv2: ESP {256,192,*128}
Aug 26 13:30:41.713535: CAMELLIA_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} camellia
Aug 26 13:30:41.713540: AES_GCM_16 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm, aes_gcm_c
Aug 26 13:30:41.713544: AES_GCM_12 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_b
Aug 26 13:30:41.713547: AES_GCM_8 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_a
Aug 26 13:30:41.713551: AES_CTR IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aesctr
Aug 26 13:30:41.713555: AES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aes
Aug 26 13:30:41.713559: SERPENT_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} serpent
Aug 26 13:30:41.713563: TWOFISH_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} twofish
Aug 26 13:30:41.713566: TWOFISH_SSH IKEv1: IKE IKEv2: IKE ESP {256,192,*128} twofish_cbc_ssh
Aug 26 13:30:41.713570: NULL_AUTH_AES_GMAC IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_gmac
Aug 26 13:30:41.713573: NULL IKEv1: ESP IKEv2: ESP []
Aug 26 13:30:41.713577: CHACHA20_POLY1305 IKEv1: IKEv2: IKE ESP [*256] chacha20poly1305
Aug 26 13:30:41.713587: Hash algorithms:
Aug 26 13:30:41.713590: MD5 IKEv1: IKE IKEv2:
Aug 26 13:30:41.713593: SHA1 IKEv1: IKE IKEv2: FIPS sha
Aug 26 13:30:41.713596: SHA2_256 IKEv1: IKE IKEv2: FIPS sha2, sha256
Aug 26 13:30:41.713599: SHA2_384 IKEv1: IKE IKEv2: FIPS sha384
Aug 26 13:30:41.713602: SHA2_512 IKEv1: IKE IKEv2: FIPS sha512
Aug 26 13:30:41.713616: PRF algorithms:
Aug 26 13:30:41.713619: HMAC_MD5 IKEv1: IKE IKEv2: IKE md5
Aug 26 13:30:41.713622: HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS sha, sha1
Aug 26 13:30:41.713626: HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS sha2, sha256, sha2_256
Aug 26 13:30:41.713629: HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS sha384, sha2_384
Aug 26 13:30:41.713633: HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS sha512, sha2_512
Aug 26 13:30:41.713636: AES_XCBC IKEv1: IKEv2: IKE aes128_xcbc
Aug 26 13:30:41.713663: Integrity algorithms:
Aug 26 13:30:41.713667: HMAC_MD5_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH md5, hmac_md5
Aug 26 13:30:41.713671: HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha, sha1, sha1_96, hmac_sha1
Aug 26 13:30:41.713675: HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha512, sha2_512, sha2_512_256, hmac_sha2_512
Aug 26 13:30:41.713679: HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha384, sha2_384, sha2_384_192, hmac_sha2_384
Aug 26 13:30:41.713683: HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256
Aug 26 13:30:41.713686: HMAC_SHA2_256_TRUNCBUG IKEv1: ESP AH IKEv2: AH
Aug 26 13:30:41.713690: AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP AH aes_xcbc, aes128_xcbc, aes128_xcbc_96
Aug 26 13:30:41.713693: AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS aes_cmac
Aug 26 13:30:41.713696: NONE IKEv1: ESP IKEv2: IKE ESP FIPS null
Aug 26 13:30:41.713709: DH algorithms:
Aug 26 13:30:41.713712: NONE IKEv1: IKEv2: IKE ESP AH FIPS null, dh0
Aug 26 13:30:41.713716: MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH dh5
Aug 26 13:30:41.713719: MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh14
Aug 26 13:30:41.713724: MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh15
Aug 26 13:30:41.713727: MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh16
Aug 26 13:30:41.713730: MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh17
Aug 26 13:30:41.713733: MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh18
Aug 26 13:30:41.713737: DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_256, ecp256
Aug 26 13:30:41.713740: DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_384, ecp384
Aug 26 13:30:41.713743: DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_521, ecp521
Aug 26 13:30:41.713746: DH31 IKEv1: IKE IKEv2: IKE ESP AH curve25519
Aug 26 13:30:41.713749: testing CAMELLIA_CBC:
Aug 26 13:30:41.713752: Camellia: 16 bytes with 128-bit key
Aug 26 13:30:41.713872: Camellia: 16 bytes with 128-bit key
Aug 26 13:30:41.713901: Camellia: 16 bytes with 256-bit key
Aug 26 13:30:41.713933: Camellia: 16 bytes with 256-bit key
Aug 26 13:30:41.713961: testing AES_GCM_16:
Aug 26 13:30:41.713964: empty string
Aug 26 13:30:41.713993: one block
Aug 26 13:30:41.714019: two blocks
Aug 26 13:30:41.714044: two blocks with associated data
Aug 26 13:30:41.714070: testing AES_CTR:
Aug 26 13:30:41.714073: Encrypting 16 octets using AES-CTR with 128-bit key
Aug 26 13:30:41.714100: Encrypting 32 octets using AES-CTR with 128-bit key
Aug 26 13:30:41.714129: Encrypting 36 octets using AES-CTR with 128-bit key
Aug 26 13:30:41.714157: Encrypting 16 octets using AES-CTR with 192-bit key
Aug 26 13:30:41.714184: Encrypting 32 octets using AES-CTR with 192-bit key
Aug 26 13:30:41.714213: Encrypting 36 octets using AES-CTR with 192-bit key
Aug 26 13:30:41.714241: Encrypting 16 octets using AES-CTR with 256-bit key
Aug 26 13:30:41.714268: Encrypting 32 octets using AES-CTR with 256-bit key
Aug 26 13:30:41.714301: Encrypting 36 octets using AES-CTR with 256-bit key
Aug 26 13:30:41.714333: testing AES_CBC:
Aug 26 13:30:41.714336: Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key
Aug 26 13:30:41.714362: Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key
Aug 26 13:30:41.714391: Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key
Aug 26 13:30:41.714420: Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key
Aug 26 13:30:41.714454: testing AES_XCBC:
Aug 26 13:30:41.714457: RFC 3566 Test Case #1: AES-XCBC-MAC-96 with 0-byte input
Aug 26 13:30:41.714573: RFC 3566 Test Case #2: AES-XCBC-MAC-96 with 3-byte input
Aug 26 13:30:41.714703: RFC 3566 Test Case #3: AES-XCBC-MAC-96 with 16-byte input
Aug 26 13:30:41.714829: RFC 3566 Test Case #4: AES-XCBC-MAC-96 with 20-byte input
Aug 26 13:30:41.714958: RFC 3566 Test Case #5: AES-XCBC-MAC-96 with 32-byte input
Aug 26 13:30:41.715086: RFC 3566 Test Case #6: AES-XCBC-MAC-96 with 34-byte input
Aug 26 13:30:41.715217: RFC 3566 Test Case #7: AES-XCBC-MAC-96 with 1000-byte input
Aug 26 13:30:41.715523: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 16)
Aug 26 13:30:41.715655: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10)
Aug 26 13:30:41.715795: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18)
Aug 26 13:30:41.716035: testing HMAC_MD5:
Aug 26 13:30:41.716038: RFC 2104: MD5_HMAC test 1
Aug 26 13:30:41.716214: RFC 2104: MD5_HMAC test 2
Aug 26 13:30:41.716372: RFC 2104: MD5_HMAC test 3
Aug 26 13:30:41.716560: 8 CPU cores online
Aug 26 13:30:41.716565: starting up 7 crypto helpers
Aug 26 13:30:41.716597: started thread for crypto helper 0
Aug 26 13:30:41.716602: | starting up helper thread 0
Aug 26 13:30:41.716618: started thread for crypto helper 1
Aug 26 13:30:41.716620: | status value returned by setting the priority of this thread (crypto helper 0) 22
Aug 26 13:30:41.716623: | crypto helper 0 waiting (nothing to do)
Aug 26 13:30:41.716639: started thread for crypto helper 2
Aug 26 13:30:41.716623: | starting up helper thread 1
Aug 26 13:30:41.716655: | status value returned by setting the priority of this thread (crypto helper 1) 22
Aug 26 13:30:41.716660: started thread for crypto helper 3
Aug 26 13:30:41.716661: | crypto helper 1 waiting (nothing to do)
Aug 26 13:30:41.716664: | starting up helper thread 3
Aug 26 13:30:41.716682: started thread for crypto helper 4
Aug 26 13:30:41.716674: | status value returned by setting the priority of this thread (crypto helper 3) 22
Aug 26 13:30:41.716689: | crypto helper 3 waiting (nothing to do)
Aug 26 13:30:41.716695: | starting up helper thread 4
Aug 26 13:30:41.716665: | starting up helper thread 2
Aug 26 13:30:41.716703: | status value returned by setting the priority of this thread (crypto helper 4) 22
Aug 26 13:30:41.716710: | status value returned by setting the priority of this thread (crypto helper 2) 22
Aug 26 13:30:41.716714: | crypto helper 4 waiting (nothing to do)
Aug 26 13:30:41.716718: | crypto helper 2 waiting (nothing to do)
Aug 26 13:30:41.716711: started thread for crypto helper 5
Aug 26 13:30:41.716726: | starting up helper thread 5
Aug 26 13:30:41.716734: | status value returned by setting the priority of this thread (crypto helper 5) 22
Aug 26 13:30:41.716737: | crypto helper 5 waiting (nothing to do)
Aug 26 13:30:41.716750: started thread for crypto helper 6
Aug 26 13:30:41.716758: | checking IKEv1 state table
Aug 26 13:30:41.716765: | MAIN_R0: category: half-open IKE SA flags: 0:
Aug 26 13:30:41.716768: | -> MAIN_R1 EVENT_SO_DISCARD
Aug 26 13:30:41.716771: | MAIN_I1: category: half-open IKE SA flags: 0:
Aug 26 13:30:41.716773: | -> MAIN_I2 EVENT_RETRANSMIT
Aug 26 13:30:41.716776: | MAIN_R1: category: open IKE SA flags: 200:
Aug 26 13:30:41.716779: | -> MAIN_R2 EVENT_RETRANSMIT
Aug 26 13:30:41.716781: | -> UNDEFINED EVENT_RETRANSMIT
Aug 26 13:30:41.716784: | -> UNDEFINED EVENT_RETRANSMIT
Aug 26 13:30:41.716786: | MAIN_I2: category: open IKE SA flags: 0:
Aug 26 13:30:41.716789: | -> MAIN_I3 EVENT_RETRANSMIT
Aug 26 13:30:41.716791: | -> UNDEFINED EVENT_RETRANSMIT
Aug 26 13:30:41.716794: | -> UNDEFINED EVENT_RETRANSMIT
Aug 26 13:30:41.716796: | MAIN_R2: category: open IKE SA flags: 0:
Aug 26 13:30:41.716799: | -> MAIN_R3 EVENT_SA_REPLACE
Aug 26 13:30:41.716801: | -> MAIN_R3 EVENT_SA_REPLACE
Aug 26 13:30:41.716804: | -> UNDEFINED EVENT_SA_REPLACE
Aug 26 13:30:41.716807: | MAIN_I3: category: open IKE SA flags: 0:
Aug 26 13:30:41.716809: | -> MAIN_I4 EVENT_SA_REPLACE
Aug 26 13:30:41.716812: | -> MAIN_I4 EVENT_SA_REPLACE
Aug 26 13:30:41.716814: | -> UNDEFINED EVENT_SA_REPLACE
Aug 26 13:30:41.716817: | MAIN_R3: category: established IKE SA flags: 200:
Aug 26 13:30:41.716819: | -> UNDEFINED EVENT_NULL
Aug 26 13:30:41.716822: | MAIN_I4: category: established IKE SA flags: 0:
Aug 26 13:30:41.716825: | -> UNDEFINED EVENT_NULL
Aug 26 13:30:41.716828: | AGGR_R0: category: half-open IKE SA flags: 0:
Aug 26 13:30:41.716830: | -> AGGR_R1 EVENT_SO_DISCARD
Aug 26 13:30:41.716833: | AGGR_I1: category: half-open IKE SA flags: 0:
Aug 26 13:30:41.716835: | -> AGGR_I2 EVENT_SA_REPLACE
Aug 26 13:30:41.716838: | -> AGGR_I2 EVENT_SA_REPLACE
Aug 26 13:30:41.716840: | AGGR_R1: category: open IKE SA flags: 200:
Aug 26 13:30:41.716843: | -> AGGR_R2 EVENT_SA_REPLACE
Aug 26 13:30:41.716845: | -> AGGR_R2 EVENT_SA_REPLACE
Aug 26 13:30:41.716848: | AGGR_I2: category: established IKE SA flags: 200:
Aug 26 13:30:41.716850: | -> UNDEFINED EVENT_NULL
Aug 26 13:30:41.716853: | AGGR_R2: category: established IKE SA flags: 0:
Aug 26 13:30:41.716856: | -> UNDEFINED EVENT_NULL
Aug 26 13:30:41.716859: | QUICK_R0: category: established CHILD SA flags: 0:
Aug 26 13:30:41.716861: | -> QUICK_R1 EVENT_RETRANSMIT
Aug 26 13:30:41.716864: | QUICK_I1: category: established CHILD SA flags: 0:
Aug 26 13:30:41.716866: | -> QUICK_I2 EVENT_SA_REPLACE
Aug 26 13:30:41.716869: | QUICK_R1: category: established CHILD SA flags: 0:
Aug 26 13:30:41.716875: | -> QUICK_R2 EVENT_SA_REPLACE
Aug 26 13:30:41.716878: | QUICK_I2: category: established CHILD SA flags: 200:
Aug 26 13:30:41.716880: | starting up helper thread 6
Aug 26 13:30:41.716881: | -> UNDEFINED EVENT_NULL
Aug 26 13:30:41.716899: | QUICK_R2: category: established CHILD SA flags: 0:
Aug 26 13:30:41.716903: | -> UNDEFINED EVENT_NULL
Aug 26 13:30:41.716891: | status value returned by setting the priority of this thread (crypto helper 6) 22
Aug 26 13:30:41.716908: | INFO: category: informational flags: 0:
Aug 26 13:30:41.716913: | crypto helper 6 waiting (nothing to do)
Aug 26 13:30:41.716916: | -> UNDEFINED EVENT_NULL
Aug 26 13:30:41.716924: | INFO_PROTECTED: category: informational flags: 0:
Aug 26 13:30:41.716926: | -> UNDEFINED EVENT_NULL
Aug 26 13:30:41.716929: | XAUTH_R0: category: established IKE SA flags: 0:
Aug 26 13:30:41.716931: | -> XAUTH_R1 EVENT_NULL
Aug 26 13:30:41.716934: | XAUTH_R1: category: established IKE SA flags: 0:
Aug 26 13:30:41.716937: | -> MAIN_R3 EVENT_SA_REPLACE
Aug 26 13:30:41.716940: | MODE_CFG_R0: category: informational flags: 0:
Aug 26 13:30:41.716942: | -> MODE_CFG_R1 EVENT_SA_REPLACE
Aug 26 13:30:41.716945: | MODE_CFG_R1: category: established IKE SA flags: 0:
Aug 26 13:30:41.716947: | -> MODE_CFG_R2 EVENT_SA_REPLACE
Aug 26 13:30:41.716950: | MODE_CFG_R2: category: established IKE SA flags: 0:
Aug 26 13:30:41.716953: | -> UNDEFINED EVENT_NULL
Aug 26 13:30:41.716956: | MODE_CFG_I1: category: established IKE SA flags: 0:
Aug 26 13:30:41.716958: | -> MAIN_I4 EVENT_SA_REPLACE
Aug 26 13:30:41.716961: | XAUTH_I0: category: established IKE SA flags: 0:
Aug 26 13:30:41.716963: | -> XAUTH_I1 EVENT_RETRANSMIT
Aug 26 13:30:41.716966: | XAUTH_I1: category: established IKE SA flags: 0:
Aug 26 13:30:41.716968: | -> MAIN_I4 EVENT_RETRANSMIT
Aug 26 13:30:41.716974: | checking IKEv2 state table
Aug 26 13:30:41.716980: | PARENT_I0: category: ignore flags: 0:
Aug 26 13:30:41.716983: | -> PARENT_I1 EVENT_RETRANSMIT send-request (initiate IKE_SA_INIT)
Aug 26 13:30:41.716986: | PARENT_I1: category: half-open IKE SA flags: 0:
Aug 26 13:30:41.716989: | -> PARENT_I1 EVENT_RETAIN send-request (Initiator: process SA_INIT reply notification)
Aug 26 13:30:41.716992: | -> PARENT_I2 EVENT_RETRANSMIT send-request (Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH)
Aug 26 13:30:41.716995: | PARENT_I2: category: open IKE SA flags: 0:
Aug 26 13:30:41.716998: | -> PARENT_I2 EVENT_NULL (Initiator: process INVALID_SYNTAX AUTH notification)
Aug 26 13:30:41.717001: | -> PARENT_I2 EVENT_NULL (Initiator: process AUTHENTICATION_FAILED AUTH notification)
Aug 26 13:30:41.717004: | -> PARENT_I2 EVENT_NULL (Initiator: process UNSUPPORTED_CRITICAL_PAYLOAD AUTH notification)
Aug 26 13:30:41.717006: | -> V2_IPSEC_I EVENT_SA_REPLACE (Initiator: process IKE_AUTH response)
Aug 26 13:30:41.717009: | -> PARENT_I2 EVENT_NULL (IKE SA: process IKE_AUTH response containing unknown notification)
Aug 26 13:30:41.717012: | PARENT_I3: category: established IKE SA flags: 0:
Aug 26 13:30:41.717015: | -> PARENT_I3 EVENT_RETAIN (I3: Informational Request)
Aug 26 13:30:41.717017: | -> PARENT_I3 EVENT_RETAIN (I3: Informational Response)
Aug 26 13:30:41.717020: | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Request)
Aug 26 13:30:41.717023: | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Response)
Aug 26 13:30:41.717025: | PARENT_R0: category: half-open IKE SA flags: 0:
Aug 26 13:30:41.717028: | -> PARENT_R1 EVENT_SO_DISCARD send-request (Respond to IKE_SA_INIT)
Aug 26 13:30:41.717031: | PARENT_R1: category: half-open IKE SA flags: 0:
Aug 26 13:30:41.717034: | -> PARENT_R1 EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request (no SKEYSEED))
Aug 26 13:30:41.717037: | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request)
Aug 26 13:30:41.717040: | PARENT_R2: category: established IKE SA flags: 0:
Aug 26 13:30:41.717042: | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Request)
Aug 26 13:30:41.717047: | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Response)
Aug 26 13:30:41.717050: | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Request)
Aug 26 13:30:41.717052: | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Response)
Aug 26 13:30:41.717055: | V2_CREATE_I0: category: established IKE SA flags: 0:
Aug 26 13:30:41.717058: | -> V2_CREATE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec SA)
Aug 26 13:30:41.717061: | V2_CREATE_I: category: established IKE SA flags: 0:
Aug 26 13:30:41.717064: | -> V2_IPSEC_I EVENT_SA_REPLACE (Process CREATE_CHILD_SA IPsec SA Response)
Aug 26 13:30:41.717067: | V2_REKEY_IKE_I0: category: established IKE SA flags: 0:
Aug 26 13:30:41.717070: | -> V2_REKEY_IKE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IKE Rekey)
Aug 26 13:30:41.717073: | V2_REKEY_IKE_I: category: established IKE SA flags: 0:
Aug 26 13:30:41.717076: | -> PARENT_I3 EVENT_SA_REPLACE (Process CREATE_CHILD_SA IKE Rekey Response)
Aug 26 13:30:41.717079: | V2_REKEY_CHILD_I0: category: established IKE SA flags: 0:
Aug 26 13:30:41.717082: | -> V2_REKEY_CHILD_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec Rekey SA)
Aug 26 13:30:41.717085: | V2_REKEY_CHILD_I: category: established IKE SA flags: 0:
Aug 26 13:30:41.717088: | V2_CREATE_R: category: established IKE SA flags: 0:
Aug 26 13:30:41.717091: | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IPsec SA Request)
Aug 26 13:30:41.717094: | V2_REKEY_IKE_R: category: established IKE SA flags: 0:
Aug 26 13:30:41.717096: | -> PARENT_R2 EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IKE Rekey)
Aug 26 13:30:41.717099: | V2_REKEY_CHILD_R: category: established IKE SA flags: 0:
Aug 26 13:30:41.717102: | V2_IPSEC_I: category: established CHILD SA flags: 0:
Aug 26 13:30:41.717105: | V2_IPSEC_R: category: established CHILD SA flags: 0:
Aug 26 13:30:41.717108: | IKESA_DEL: category: established IKE SA flags: 0:
Aug 26 13:30:41.717111: | -> IKESA_DEL EVENT_RETAIN (IKE_SA_DEL: process INFORMATIONAL)
Aug 26 13:30:41.717114: | CHILDSA_DEL: category: informational flags: 0:
Aug 26 13:30:41.717127: Using Linux XFRM/NETKEY IPsec interface code on 5.1.18-200.fc29.x86_64
Aug 26 13:30:41.717592: | Hard-wiring algorithms
Aug 26 13:30:41.717599: | adding AES_CCM_16 to kernel algorithm db
Aug 26 13:30:41.717604: | adding AES_CCM_12 to kernel algorithm db
Aug 26 13:30:41.717606: | adding AES_CCM_8 to kernel algorithm db
Aug 26 13:30:41.717609: | adding 3DES_CBC to kernel algorithm db
Aug 26 13:30:41.717612: | adding CAMELLIA_CBC to kernel algorithm db
Aug 26 13:30:41.717614: | adding AES_GCM_16 to kernel algorithm db
Aug 26 13:30:41.717617: | adding AES_GCM_12 to kernel algorithm db
Aug 26 13:30:41.717619: | adding AES_GCM_8 to kernel algorithm db
Aug 26 13:30:41.717622: | adding AES_CTR to kernel algorithm db
Aug 26 13:30:41.717625: | adding AES_CBC to kernel algorithm db
Aug 26 13:30:41.717628: | adding SERPENT_CBC to kernel algorithm db
Aug 26 13:30:41.717630: | adding TWOFISH_CBC to kernel algorithm db
Aug 26 13:30:41.717633: | adding NULL_AUTH_AES_GMAC to kernel algorithm db
Aug 26 13:30:41.717636: | adding NULL to kernel algorithm db
Aug 26 13:30:41.717639: | adding CHACHA20_POLY1305 to kernel algorithm db
Aug 26 13:30:41.717642: | adding HMAC_MD5_96 to kernel algorithm db
Aug 26 13:30:41.717644: | adding HMAC_SHA1_96 to kernel algorithm db
Aug 26 13:30:41.717647: | adding HMAC_SHA2_512_256 to kernel algorithm db
Aug 26 13:30:41.717649: | adding HMAC_SHA2_384_192 to kernel algorithm db
Aug 26 13:30:41.717652: | adding HMAC_SHA2_256_128 to kernel algorithm db
Aug 26 13:30:41.717654: | adding HMAC_SHA2_256_TRUNCBUG to kernel algorithm db
Aug 26 13:30:41.717657: | adding AES_XCBC_96 to kernel algorithm db
Aug 26 13:30:41.717659: | adding AES_CMAC_96 to kernel algorithm db
Aug 26 13:30:41.717662: | adding NONE to kernel algorithm db
Aug 26 13:30:41.717685: | net.ipv6.conf.all.disable_ipv6=1 ignore ipv6 holes
Aug 26 13:30:41.717692: | global periodic timer EVENT_SHUNT_SCAN enabled with interval of 20 seconds
Aug 26 13:30:41.717695: | setup kernel fd callback
Aug 26 13:30:41.717698: | add_fd_read_event_handler: new KERNEL_XRM_FD-pe@0x55cd2da602a8
Aug 26 13:30:41.717703: | libevent_malloc: new ptr-libevent@0x55cd2da43af8 size 128
Aug 26 13:30:41.717706: | libevent_malloc: new ptr-libevent@0x55cd2da5f808 size 16
Aug 26 13:30:41.717713: | add_fd_read_event_handler: new KERNEL_ROUTE_FD-pe@0x55cd2da5f6f8
Aug 26 13:30:41.717717: | libevent_malloc: new ptr-libevent@0x55cd2da0a038 size 128
Aug 26 13:30:41.717720: | libevent_malloc: new ptr-libevent@0x55cd2da601f8 size 16
Aug 26 13:30:41.717964: | global one-shot timer EVENT_CHECK_CRLS initialized
Aug 26 13:30:41.717971: selinux support is enabled.
Aug 26 13:30:41.718515: | unbound context created - setting debug level to 5
Aug 26 13:30:41.718545: | /etc/hosts lookups activated
Aug 26 13:30:41.718559: | /etc/resolv.conf usage activated
Aug 26 13:30:41.718622: | outgoing-port-avoid set 0-65535
Aug 26 13:30:41.718654: | outgoing-port-permit set 32768-60999
Aug 26 13:30:41.718657: | Loading dnssec root key from:/var/lib/unbound/root.key
Aug 26 13:30:41.718660: | No additional dnssec trust anchors defined via dnssec-trusted= option
Aug 26 13:30:41.718663: | Setting up events, loop start
Aug 26 13:30:41.718666: | add_fd_read_event_handler: new PLUTO_CTL_FD-pe@0x55cd2da60238
Aug 26 13:30:41.718669: | libevent_malloc: new ptr-libevent@0x55cd2da6c4f8 size 128
Aug 26 13:30:41.718673: | libevent_malloc: new ptr-libevent@0x55cd2da77808 size 16
Aug 26 13:30:41.718679: | libevent_realloc: new ptr-libevent@0x55cd2da06ad8 size 256
Aug 26 13:30:41.718682: | libevent_malloc: new ptr-libevent@0x55cd2da77848 size 8
Aug 26 13:30:41.718686: | libevent_realloc: new ptr-libevent@0x55cd2da07388 size 144
Aug 26 13:30:41.718688: | libevent_malloc: new ptr-libevent@0x55cd2da077e8 size 152
Aug 26 13:30:41.718693: | libevent_malloc: new ptr-libevent@0x55cd2da77888 size 16
Aug 26 13:30:41.718697: | signal event handler PLUTO_SIGCHLD installed
Aug 26 13:30:41.718700: | libevent_malloc: new ptr-libevent@0x55cd2da778c8 size 8
Aug 26 13:30:41.718703: | libevent_malloc: new ptr-libevent@0x55cd2da77908 size 152
Aug 26 13:30:41.718706: | signal event handler PLUTO_SIGTERM installed
Aug 26 13:30:41.718708: | libevent_malloc: new ptr-libevent@0x55cd2da779d8 size 8
Aug 26 13:30:41.718711: | libevent_malloc: new ptr-libevent@0x55cd2da77a18 size 152
Aug 26 13:30:41.718714: | signal event handler PLUTO_SIGHUP installed
Aug 26 13:30:41.718717: | libevent_malloc: new ptr-libevent@0x55cd2da77ae8 size 8
Aug 26 13:30:41.718720: | libevent_realloc: release ptr-libevent@0x55cd2da07388
Aug 26 13:30:41.718723: | libevent_realloc: new ptr-libevent@0x55cd2da77b28 size 256
Aug 26 13:30:41.718726: | libevent_malloc: new ptr-libevent@0x55cd2da77c58 size 152
Aug 26 13:30:41.718729: | signal event handler PLUTO_SIGSYS installed
Aug 26 13:30:41.719051: | created addconn helper (pid:8892) using fork+execve
Aug 26 13:30:41.719066: | forked child 8892
Aug 26 13:30:41.719114: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
Aug 26 13:30:41.719128: listening for IKE messages
Aug 26 13:30:41.719188: | Inspecting interface lo
Aug 26 13:30:41.719196: | found lo with address 127.0.0.1
Aug 26 13:30:41.719201: | Inspecting interface eth0
Aug 26 13:30:41.719205: | found eth0 with address 192.0.2.254
Aug 26 13:30:41.719210: | Inspecting interface eth1
Aug 26 13:30:41.719214: | found eth1 with address 192.1.2.23
Aug 26 13:30:41.719297: Kernel supports NIC esp-hw-offload
Aug 26 13:30:41.719311: adding interface eth1/eth1 (esp-hw-offload not supported by kernel) 192.1.2.23:500
Aug 26 13:30:41.719335: | NAT-Traversal: Trying sockopt style NAT-T
Aug 26 13:30:41.719340: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4
Aug 26 13:30:41.719344: adding interface eth1/eth1 192.1.2.23:4500
Aug 26 13:30:41.719371: adding interface eth0/eth0 (esp-hw-offload not supported by kernel) 192.0.2.254:500
Aug 26 13:30:41.719392: | NAT-Traversal: Trying sockopt style NAT-T
Aug 26 13:30:41.719396: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4
Aug 26 13:30:41.719400: adding interface eth0/eth0 192.0.2.254:4500
Aug 26 13:30:41.719422: adding interface lo/lo (esp-hw-offload not supported by kernel) 127.0.0.1:500
Aug 26 13:30:41.719442: | NAT-Traversal: Trying sockopt style NAT-T
Aug 26 13:30:41.719446: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4
Aug 26 13:30:41.719449: adding interface lo/lo 127.0.0.1:4500
Aug 26 13:30:41.719504: | no interfaces to sort
Aug 26 13:30:41.719509: | FOR_EACH_UNORIENTED_CONNECTION_... in check_orientations
Aug 26 13:30:41.719518: | add_fd_read_event_handler: new ethX-pe@0x55cd2da78128
Aug 26 13:30:41.719521: | libevent_malloc: new ptr-libevent@0x55cd2da6c448 size 128
Aug 26 13:30:41.719524: | libevent_malloc: new ptr-libevent@0x55cd2da78198 size 16
Aug 26 13:30:41.719530: | setup callback for interface lo 127.0.0.1:4500 fd 22
Aug 26 13:30:41.719533: | add_fd_read_event_handler: new ethX-pe@0x55cd2da781d8
Aug 26 13:30:41.719537: | libevent_malloc: new ptr-libevent@0x55cd2da08298 size 128
Aug 26 13:30:41.719540: | libevent_malloc: new ptr-libevent@0x55cd2da78248 size 16
Aug 26 13:30:41.719545: | setup callback for interface lo 127.0.0.1:500 fd 21
Aug 26 13:30:41.719548: | add_fd_read_event_handler: new ethX-pe@0x55cd2da78288
Aug 26 13:30:41.719551: | libevent_malloc: new ptr-libevent@0x55cd2da0a138 size 128
Aug 26 13:30:41.719553: | libevent_malloc: new ptr-libevent@0x55cd2da782f8 size 16
Aug 26 13:30:41.719558: | setup callback for interface eth0 192.0.2.254:4500 fd 20
Aug 26 13:30:41.719561: | add_fd_read_event_handler: new ethX-pe@0x55cd2da78338
Aug 26 13:30:41.719564: | libevent_malloc: new ptr-libevent@0x55cd2da07288 size 128
Aug 26 13:30:41.719567: | libevent_malloc: new ptr-libevent@0x55cd2da783a8 size 16
Aug 26 13:30:41.719571: | setup callback for interface eth0 192.0.2.254:500 fd 19
Aug 26 13:30:41.719574: | add_fd_read_event_handler: new ethX-pe@0x55cd2da783e8
Aug 26 13:30:41.719578: | libevent_malloc: new ptr-libevent@0x55cd2d9d84e8 size 128
Aug 26 13:30:41.719581: | libevent_malloc: new ptr-libevent@0x55cd2da78458 size 16
Aug 26 13:30:41.719585: | setup callback for interface eth1 192.1.2.23:4500 fd 18
Aug 26 13:30:41.719588: | add_fd_read_event_handler: new ethX-pe@0x55cd2da78498
Aug 26 13:30:41.719591: | libevent_malloc: new ptr-libevent@0x55cd2d9d81d8 size 128
Aug 26 13:30:41.719594: | libevent_malloc: new ptr-libevent@0x55cd2da78508 size 16
Aug 26 13:30:41.719598: | setup callback for interface eth1 192.1.2.23:500 fd 17
Aug 26 13:30:41.719603: | certs and keys locked by 'free_preshared_secrets'
Aug 26 13:30:41.719605: | certs and keys unlocked by 'free_preshared_secrets'
Aug 26 13:30:41.719624: loading secrets from "/etc/ipsec.secrets"
Aug 26 13:30:41.719634: | Processing PSK at line 1: passed
Aug 26 13:30:41.719638: | certs and keys locked by 'process_secret'
Aug 26 13:30:41.719641: | certs and keys unlocked by 'process_secret'
Aug 26 13:30:41.719651: | close_any(fd@16) (in whack_process() at rcv_whack.c:700)
Aug 26 13:30:41.719658: | spent 0.535 milliseconds in whack
Aug 26 13:30:41.749269: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
Aug 26 13:30:41.749316: listening for IKE messages
Aug 26 13:30:41.749360: | Inspecting interface lo
Aug 26 13:30:41.749369: | found lo with address 127.0.0.1
Aug 26 13:30:41.749372: | Inspecting interface eth0
Aug 26 13:30:41.749377: | found eth0 with address 192.0.2.254
Aug 26 13:30:41.749380: | Inspecting interface eth1
Aug 26 13:30:41.749384: | found eth1 with address 192.1.2.23
Aug 26 13:30:41.749458: | no interfaces to sort
Aug 26 13:30:41.749470: | libevent_free: release ptr-libevent@0x55cd2da6c448
Aug 26 13:30:41.749474: | free_event_entry: release EVENT_NULL-pe@0x55cd2da78128
Aug 26 13:30:41.749483: | add_fd_read_event_handler: new ethX-pe@0x55cd2da78128
Aug 26 13:30:41.749487: | libevent_malloc: new ptr-libevent@0x55cd2da6c448 size 128
Aug 26 13:30:41.749495: | setup callback for interface lo 127.0.0.1:4500 fd 22
Aug 26 13:30:41.749500: | libevent_free: release ptr-libevent@0x55cd2da08298
Aug 26 13:30:41.749503: | free_event_entry: release EVENT_NULL-pe@0x55cd2da781d8
Aug 26 13:30:41.749506: | add_fd_read_event_handler: new ethX-pe@0x55cd2da781d8
Aug 26 13:30:41.749509: | libevent_malloc: new ptr-libevent@0x55cd2da08298 size 128
Aug 26 13:30:41.749514: | setup callback for interface lo 127.0.0.1:500 fd 21
Aug 26 13:30:41.749518: | libevent_free: release ptr-libevent@0x55cd2da0a138
Aug 26 13:30:41.749521: | free_event_entry: release EVENT_NULL-pe@0x55cd2da78288
Aug 26 13:30:41.749523: | add_fd_read_event_handler: new ethX-pe@0x55cd2da78288
Aug 26 13:30:41.749526: | libevent_malloc: new ptr-libevent@0x55cd2da0a138 size 128
Aug 26 13:30:41.749531: | setup callback for interface eth0 192.0.2.254:4500 fd 20
Aug 26 13:30:41.749535: | libevent_free: release ptr-libevent@0x55cd2da07288
Aug 26 13:30:41.749538: | free_event_entry: release EVENT_NULL-pe@0x55cd2da78338
Aug 26 13:30:41.749541: | add_fd_read_event_handler: new ethX-pe@0x55cd2da78338
Aug 26 13:30:41.749544: | libevent_malloc: new ptr-libevent@0x55cd2da07288 size 128
Aug 26 13:30:41.749549: | setup callback for interface eth0 192.0.2.254:500 fd 19
Aug 26 13:30:41.749553: | libevent_free: release ptr-libevent@0x55cd2d9d84e8
Aug 26 13:30:41.749555: | free_event_entry: release EVENT_NULL-pe@0x55cd2da783e8
Aug 26 13:30:41.749558: | add_fd_read_event_handler: new ethX-pe@0x55cd2da783e8
Aug 26 13:30:41.749561: | libevent_malloc: new ptr-libevent@0x55cd2d9d84e8 size 128
Aug 26 13:30:41.749566: | setup callback for interface eth1 192.1.2.23:4500 fd 18
Aug 26 13:30:41.749570: | libevent_free: release ptr-libevent@0x55cd2d9d81d8
Aug 26 13:30:41.749573: | free_event_entry: release EVENT_NULL-pe@0x55cd2da78498
Aug 26 13:30:41.749576: | add_fd_read_event_handler: new ethX-pe@0x55cd2da78498
Aug 26 13:30:41.749578: | libevent_malloc: new ptr-libevent@0x55cd2d9d81d8 size 128
Aug 26 13:30:41.749583: | setup callback for interface eth1 192.1.2.23:500 fd 17
Aug 26 13:30:41.749587: | certs and keys locked by 'free_preshared_secrets'
Aug 26 13:30:41.749589: forgetting secrets
Aug 26 13:30:41.749596: | certs and keys unlocked by 'free_preshared_secrets'
Aug 26 13:30:41.749610: loading secrets from "/etc/ipsec.secrets"
Aug 26 13:30:41.749618: | Processing PSK at line 1: passed
Aug 26 13:30:41.749621: | certs and keys locked by 'process_secret'
Aug 26 13:30:41.749623: | certs and keys unlocked by 'process_secret' Aug 26 13:30:41.749632: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 13:30:41.749640: | spent 0.371 milliseconds in whack Aug 26 13:30:41.750093: | processing signal PLUTO_SIGCHLD Aug 26 13:30:41.750106: | waitpid returned pid 8892 (exited with status 0) Aug 26 13:30:41.750113: | reaped addconn helper child (status 0) Aug 26 13:30:41.750118: | waitpid returned ECHILD (no child processes left) Aug 26 13:30:41.750123: | spent 0.0172 milliseconds in signal handler PLUTO_SIGCHLD Aug 26 13:30:41.804100: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 13:30:41.804124: | FOR_EACH_CONNECTION_... in conn_by_name Aug 26 13:30:41.804127: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias Aug 26 13:30:41.804129: | FOR_EACH_CONNECTION_... in conn_by_name Aug 26 13:30:41.804130: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias Aug 26 13:30:41.804133: | FOR_EACH_CONNECTION_... 
in conn_by_name Aug 26 13:30:41.804178: | Added new connection eastnet-northnet with policy PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO Aug 26 13:30:41.804219: | ike (phase1) algorithm values: AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 Aug 26 13:30:41.804227: | from whack: got --esp=aes256-sha2 Aug 26 13:30:41.804237: | ESP/AH string values: AES_CBC_256-HMAC_SHA2_256_128 Aug 26 13:30:41.804240: | counting wild cards for (none) is 15 Aug 26 13:30:41.804244: | counting wild cards for 192.1.2.23 is 0 Aug 26 13:30:41.804248: | based upon policy, the connection is a template. Aug 26 13:30:41.804253: | connect_to_host_pair: 192.1.2.23:500 0.0.0.0:500 -> hp@(nil): none Aug 26 13:30:41.804255: | new hp@0x55cd2da7a458 Aug 26 13:30:41.804258: added connection description "eastnet-northnet" Aug 26 13:30:41.804267: | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO Aug 26 13:30:41.804276: | 192.0.2.0/24===192.1.2.23<192.1.2.23>...%any===192.0.3.0/24 Aug 26 13:30:41.804283: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 13:30:41.804298: | spent 0.2 milliseconds in whack Aug 26 13:30:43.646596: | spent 0.00311 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Aug 26 13:30:43.646626: | *received 828 bytes from 192.1.3.33:500 on eth1 (192.1.2.23:500) Aug 26 13:30:43.646766: | start processing: from 192.1.3.33:500 (in process_md() at demux.c:378) Aug 26 13:30:43.646770: | **parse ISAKMP Message: Aug 26 13:30:43.646773: | initiator cookie: Aug 26 13:30:43.646776: | c1 0c 6a f1 31 90 61 76 Aug 26 13:30:43.646778: | responder cookie: Aug 26 13:30:43.646781: | 00 00 00 00 00 00 00 00 Aug
26 13:30:43.646784: | next payload type: ISAKMP_NEXT_v2SA (0x21) Aug 26 13:30:43.646786: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:30:43.646789: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) Aug 26 13:30:43.646792: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Aug 26 13:30:43.646795: | Message ID: 0 (0x0) Aug 26 13:30:43.646797: | length: 828 (0x33c) Aug 26 13:30:43.646800: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_SA_INIT (34) Aug 26 13:30:43.646804: | I am the IKE SA Original Responder receiving an IKEv2 IKE_SA_INIT request Aug 26 13:30:43.646807: | State DB: IKEv2 state not found (find_v2_ike_sa_by_initiator_spi) Aug 26 13:30:43.646810: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Aug 26 13:30:43.646814: | ***parse IKEv2 Security Association Payload: Aug 26 13:30:43.646817: | next payload type: ISAKMP_NEXT_v2KE (0x22) Aug 26 13:30:43.646819: | flags: none (0x0) Aug 26 13:30:43.646822: | length: 436 (0x1b4) Aug 26 13:30:43.646824: | processing payload: ISAKMP_NEXT_v2SA (len=432) Aug 26 13:30:43.646827: | Now let's proceed with payload (ISAKMP_NEXT_v2KE) Aug 26 13:30:43.646830: | ***parse IKEv2 Key Exchange Payload: Aug 26 13:30:43.646832: | next payload type: ISAKMP_NEXT_v2Ni (0x28) Aug 26 13:30:43.646835: | flags: none (0x0) Aug 26 13:30:43.646837: | length: 264 (0x108) Aug 26 13:30:43.646840: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:30:43.646843: | processing payload: ISAKMP_NEXT_v2KE (len=256) Aug 26 13:30:43.646845: | Now let's proceed with payload (ISAKMP_NEXT_v2Ni) Aug 26 13:30:43.646848: | ***parse IKEv2 Nonce Payload: Aug 26 13:30:43.646850: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 13:30:43.646853: | flags: none (0x0) Aug 26 13:30:43.646855: | length: 36 (0x24) Aug 26 13:30:43.646858: | processing payload: ISAKMP_NEXT_v2Ni (len=32) Aug 26 13:30:43.646860: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Aug 26 13:30:43.646863: | ***parse IKEv2 Notify Payload: Aug 26 13:30:43.646866: 
| next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 13:30:43.646868: | flags: none (0x0) Aug 26 13:30:43.646871: | length: 8 (0x8) Aug 26 13:30:43.646874: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:30:43.646876: | SPI size: 0 (0x0) Aug 26 13:30:43.646879: | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) Aug 26 13:30:43.646884: | processing payload: ISAKMP_NEXT_v2N (len=0) Aug 26 13:30:43.646886: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Aug 26 13:30:43.646889: | ***parse IKEv2 Notify Payload: Aug 26 13:30:43.646892: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 13:30:43.646894: | flags: none (0x0) Aug 26 13:30:43.646897: | length: 28 (0x1c) Aug 26 13:30:43.646899: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:30:43.646902: | SPI size: 0 (0x0) Aug 26 13:30:43.646904: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Aug 26 13:30:43.646907: | processing payload: ISAKMP_NEXT_v2N (len=20) Aug 26 13:30:43.646910: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Aug 26 13:30:43.646912: | ***parse IKEv2 Notify Payload: Aug 26 13:30:43.646915: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:30:43.646917: | flags: none (0x0) Aug 26 13:30:43.646920: | length: 28 (0x1c) Aug 26 13:30:43.646922: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:30:43.646925: | SPI size: 0 (0x0) Aug 26 13:30:43.646927: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Aug 26 13:30:43.646930: | processing payload: ISAKMP_NEXT_v2N (len=20) Aug 26 13:30:43.646933: | DDOS disabled and no cookie sent, continuing Aug 26 13:30:43.646939: | find_host_connection local=192.1.2.23:500 remote=192.1.3.33:500 policy=ECDSA+IKEV2_ALLOW but ignoring ports Aug 26 13:30:43.646942: | find_next_host_connection policy=ECDSA+IKEV2_ALLOW Aug 26 13:30:43.646945: | find_next_host_connection returns empty Aug 26 13:30:43.646949: | find_host_connection local=192.1.2.23:500 remote= policy=ECDSA+IKEV2_ALLOW but ignoring ports Aug 26 13:30:43.646955: | 
find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports Aug 26 13:30:43.646958: | find_next_host_connection policy=ECDSA+IKEV2_ALLOW Aug 26 13:30:43.646962: | found policy = PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO (eastnet-northnet) Aug 26 13:30:43.646964: | find_next_host_connection returns empty Aug 26 13:30:43.646968: | initial parent SA message received on 192.1.2.23:500 but no connection has been authorized with policy ECDSA+IKEV2_ALLOW Aug 26 13:30:43.646974: | find_host_connection local=192.1.2.23:500 remote=192.1.3.33:500 policy=RSASIG+IKEV2_ALLOW but ignoring ports Aug 26 13:30:43.646976: | find_next_host_connection policy=RSASIG+IKEV2_ALLOW Aug 26 13:30:43.646979: | find_next_host_connection returns empty Aug 26 13:30:43.646983: | find_host_connection local=192.1.2.23:500 remote= policy=RSASIG+IKEV2_ALLOW but ignoring ports Aug 26 13:30:43.646988: | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports Aug 26 13:30:43.646990: | find_next_host_connection policy=RSASIG+IKEV2_ALLOW Aug 26 13:30:43.646994: | found policy = PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO (eastnet-northnet) Aug 26 13:30:43.646996: | find_next_host_connection returns empty Aug 26 13:30:43.647000: | initial parent SA message received on 192.1.2.23:500 but no connection has been authorized with policy RSASIG+IKEV2_ALLOW Aug 26 13:30:43.647005: | find_host_connection local=192.1.2.23:500 remote=192.1.3.33:500 policy=PSK+IKEV2_ALLOW but ignoring ports Aug 26 13:30:43.647008: | find_next_host_connection policy=PSK+IKEV2_ALLOW Aug 26 13:30:43.647010: | find_next_host_connection returns empty Aug 26 13:30:43.647014: | find_host_connection local=192.1.2.23:500 remote= policy=PSK+IKEV2_ALLOW but ignoring ports Aug 26 13:30:43.647019: | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports Aug 26 13:30:43.647022: | find_next_host_connection policy=PSK+IKEV2_ALLOW 
Aug 26 13:30:43.647025: | found policy = PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO (eastnet-northnet) Aug 26 13:30:43.647028: | find_next_host_connection returns eastnet-northnet Aug 26 13:30:43.647030: | find_next_host_connection policy=PSK+IKEV2_ALLOW Aug 26 13:30:43.647034: | find_next_host_connection returns empty Aug 26 13:30:43.647037: | rw_instantiate Aug 26 13:30:43.647046: | connect_to_host_pair: 192.1.2.23:500 192.1.3.33:500 -> hp@(nil): none Aug 26 13:30:43.647049: | new hp@0x55cd2da7c3b8 Aug 26 13:30:43.647056: | rw_instantiate() instantiated "eastnet-northnet"[1] 192.1.3.33 for 192.1.3.33 Aug 26 13:30:43.647060: | found connection: eastnet-northnet[1] 192.1.3.33 with policy PSK+IKEV2_ALLOW Aug 26 13:30:43.647065: | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports Aug 26 13:30:43.647088: | creating state object #1 at 0x55cd2da7c908 Aug 26 13:30:43.647091: | State DB: adding IKEv2 state #1 in UNDEFINED Aug 26 13:30:43.647099: | pstats #1 ikev2.ike started Aug 26 13:30:43.647102: | Message ID: init #1: msgid=0 lastack=4294967295 nextuse=0 lastrecv=4294967295 lastreplied=0 Aug 26 13:30:43.647106: | parent state #1: UNDEFINED(ignore) => PARENT_R0(half-open IKE SA) Aug 26 13:30:43.647111: | Message ID: init_ike #1; ike: initiator.sent=0->-1 initiator.recv=0->-1 responder.sent=0->-1 responder.recv=0->-1 wip.initiator=0->-1 wip.responder=0->-1 Aug 26 13:30:43.647120: | start processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33 (in ikev2_process_packet() at ikev2.c:2016) Aug 26 13:30:43.647123: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Aug 26 13:30:43.647129: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33 (in ike_process_packet() at ikev2.c:2064) Aug 26 13:30:43.647132: | #1 st.st_msgid_lastrecv -1 md.hdr.isa_msgid 00000000 Aug 26 13:30:43.647136: | Message ID: #1 not a duplicate - message is new; 
initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1 Aug 26 13:30:43.647141: | Message ID: start-responder #1 request 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1 wip.initiator=-1 wip.responder=-1->0 Aug 26 13:30:43.647144: | #1 in state PARENT_R0: processing SA_INIT request Aug 26 13:30:43.647147: | selected state microcode Respond to IKE_SA_INIT Aug 26 13:30:43.647150: | Now let's proceed with state specific processing Aug 26 13:30:43.647153: | calling processor Respond to IKE_SA_INIT Aug 26 13:30:43.647159: | #1 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2669) Aug 26 13:30:43.647162: | constructing local IKE proposals for eastnet-northnet (IKE SA responder matching remote proposals) Aug 26 13:30:43.647170: | converting ike_info AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Aug 26 13:30:43.647178: | ... ikev2_proposal: 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Aug 26 13:30:43.647182: | converting ike_info AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Aug 26 13:30:43.647188: | ... ikev2_proposal: 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Aug 26 13:30:43.647192: | converting ike_info AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Aug 26 13:30:43.647198: | ... 
ikev2_proposal: 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Aug 26 13:30:43.647202: | converting ike_info AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Aug 26 13:30:43.647208: | ... ikev2_proposal: 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Aug 26 13:30:43.647220: "eastnet-northnet"[1] 192.1.3.33: constructed local IKE proposals for eastnet-northnet (IKE SA responder matching remote proposals): 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Aug 26 13:30:43.647226: | Comparing remote proposals against IKE responder 4 local proposals Aug 26 13:30:43.647230: | local proposal 1 type ENCR has 1 transforms Aug 26 13:30:43.647233: | local proposal 1 type PRF has 2 transforms Aug 26 13:30:43.647236: | local proposal 1 type INTEG has 1 transforms Aug 26 13:30:43.647238: | local proposal 1 type DH has 8 transforms Aug 26 13:30:43.647241: | local proposal 1 type ESN has 0 transforms Aug 26 13:30:43.647245: | local proposal 1 transforms: required: ENCR+PRF+DH; optional: INTEG Aug 26 13:30:43.647247: | local proposal 2 type ENCR has 1 transforms Aug 26 13:30:43.647250: | local proposal 2 type PRF 
has 2 transforms Aug 26 13:30:43.647253: | local proposal 2 type INTEG has 1 transforms Aug 26 13:30:43.647255: | local proposal 2 type DH has 8 transforms Aug 26 13:30:43.647258: | local proposal 2 type ESN has 0 transforms Aug 26 13:30:43.647261: | local proposal 2 transforms: required: ENCR+PRF+DH; optional: INTEG Aug 26 13:30:43.647264: | local proposal 3 type ENCR has 1 transforms Aug 26 13:30:43.647266: | local proposal 3 type PRF has 2 transforms Aug 26 13:30:43.647269: | local proposal 3 type INTEG has 2 transforms Aug 26 13:30:43.647271: | local proposal 3 type DH has 8 transforms Aug 26 13:30:43.647274: | local proposal 3 type ESN has 0 transforms Aug 26 13:30:43.647277: | local proposal 3 transforms: required: ENCR+PRF+INTEG+DH; optional: none Aug 26 13:30:43.647280: | local proposal 4 type ENCR has 1 transforms Aug 26 13:30:43.647282: | local proposal 4 type PRF has 2 transforms Aug 26 13:30:43.647285: | local proposal 4 type INTEG has 2 transforms Aug 26 13:30:43.647291: | local proposal 4 type DH has 8 transforms Aug 26 13:30:43.647297: | local proposal 4 type ESN has 0 transforms Aug 26 13:30:43.647300: | local proposal 4 transforms: required: ENCR+PRF+INTEG+DH; optional: none Aug 26 13:30:43.647303: | ****parse IKEv2 Proposal Substructure Payload: Aug 26 13:30:43.647306: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 13:30:43.647309: | length: 100 (0x64) Aug 26 13:30:43.647311: | prop #: 1 (0x1) Aug 26 13:30:43.647314: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 13:30:43.647317: | spi size: 0 (0x0) Aug 26 13:30:43.647319: | # transforms: 11 (0xb) Aug 26 13:30:43.647323: | Comparing remote proposal 1 containing 11 transforms against local proposal [1..4] of 4 local proposals Aug 26 13:30:43.647326: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.647329: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.647331: | length: 12 (0xc) Aug 26 13:30:43.647334: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 
13:30:43.647337: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 13:30:43.647339: | ******parse IKEv2 Attribute Substructure Payload: Aug 26 13:30:43.647342: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:30:43.647345: | length/value: 256 (0x100) Aug 26 13:30:43.647350: | remote proposal 1 transform 0 (ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) transform 0 Aug 26 13:30:43.647353: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.647355: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.647358: | length: 8 (0x8) Aug 26 13:30:43.647360: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:30:43.647363: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Aug 26 13:30:43.647367: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 1 type 2 (PRF) transform 0 Aug 26 13:30:43.647372: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 2 type 2 (PRF) transform 0 Aug 26 13:30:43.647376: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 3 type 2 (PRF) transform 0 Aug 26 13:30:43.647379: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 4 type 2 (PRF) transform 0 Aug 26 13:30:43.647382: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.647385: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.647387: | length: 8 (0x8) Aug 26 13:30:43.647390: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:30:43.647392: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Aug 26 13:30:43.647395: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.647398: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.647400: | length: 8 (0x8) Aug 26 13:30:43.647403: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:43.647406: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:30:43.647409: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 1 type 4 (DH) transform 0 Aug 26 
13:30:43.647413: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 2 type 4 (DH) transform 0 Aug 26 13:30:43.647416: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 3 type 4 (DH) transform 0 Aug 26 13:30:43.647419: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 4 type 4 (DH) transform 0 Aug 26 13:30:43.647422: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.647424: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.647427: | length: 8 (0x8) Aug 26 13:30:43.647429: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:43.647432: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Aug 26 13:30:43.647435: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.647437: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.647440: | length: 8 (0x8) Aug 26 13:30:43.647442: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:43.647445: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Aug 26 13:30:43.647448: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.647450: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.647452: | length: 8 (0x8) Aug 26 13:30:43.647455: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:43.647457: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Aug 26 13:30:43.647460: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.647463: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.647465: | length: 8 (0x8) Aug 26 13:30:43.647468: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:43.647470: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Aug 26 13:30:43.647473: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.647475: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.647478: | length: 8 (0x8) Aug 26 13:30:43.647480: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:43.647483: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) 
Aug 26 13:30:43.647486: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.647489: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.647491: | length: 8 (0x8) Aug 26 13:30:43.647494: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:43.647496: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Aug 26 13:30:43.647499: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.647502: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:30:43.647504: | length: 8 (0x8) Aug 26 13:30:43.647507: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:43.647509: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Aug 26 13:30:43.647514: | remote proposal 1 proposed transforms: ENCR+PRF+DH; matched: ENCR+PRF+DH; unmatched: none Aug 26 13:30:43.647520: | comparing remote proposal 1 containing ENCR+PRF+DH transforms to local proposal 1; required: ENCR+PRF+DH; optional: INTEG; matched: ENCR+PRF+DH Aug 26 13:30:43.647523: | remote proposal 1 matches local proposal 1 Aug 26 13:30:43.647527: | ****parse IKEv2 Proposal Substructure Payload: Aug 26 13:30:43.647529: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 13:30:43.647532: | length: 100 (0x64) Aug 26 13:30:43.647534: | prop #: 2 (0x2) Aug 26 13:30:43.647537: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 13:30:43.647539: | spi size: 0 (0x0) Aug 26 13:30:43.647541: | # transforms: 11 (0xb) Aug 26 13:30:43.647545: | Comparing remote proposal 2 containing 11 transforms against local proposal [1..0] of 4 local proposals Aug 26 13:30:43.647548: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.647551: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.647553: | length: 12 (0xc) Aug 26 13:30:43.647556: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:30:43.647558: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 13:30:43.647561: | ******parse IKEv2 Attribute Substructure Payload: Aug 26 13:30:43.647564: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 
13:30:43.647566: | length/value: 128 (0x80) Aug 26 13:30:43.647569: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.647572: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.647574: | length: 8 (0x8) Aug 26 13:30:43.647577: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:30:43.647580: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Aug 26 13:30:43.647582: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.647585: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.647587: | length: 8 (0x8) Aug 26 13:30:43.647590: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:30:43.647592: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Aug 26 13:30:43.647595: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.647598: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.647600: | length: 8 (0x8) Aug 26 13:30:43.647602: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:43.647605: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:30:43.647608: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.647610: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.647613: | length: 8 (0x8) Aug 26 13:30:43.647615: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:43.647618: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Aug 26 13:30:43.647621: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.647623: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.647626: | length: 8 (0x8) Aug 26 13:30:43.647629: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:43.647631: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Aug 26 13:30:43.647634: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.647637: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.647639: | length: 8 (0x8) Aug 26 13:30:43.647642: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:43.647644: | IKEv2 transform ID: 
OAKLEY_GROUP_MODP8192 (0x12) Aug 26 13:30:43.647647: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.647649: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.647652: | length: 8 (0x8) Aug 26 13:30:43.647654: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:43.647657: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Aug 26 13:30:43.647660: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.647662: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.647665: | length: 8 (0x8) Aug 26 13:30:43.647667: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:43.647670: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Aug 26 13:30:43.647672: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.647678: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.647681: | length: 8 (0x8) Aug 26 13:30:43.647684: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:43.647686: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Aug 26 13:30:43.647689: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.647692: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:30:43.647694: | length: 8 (0x8) Aug 26 13:30:43.647697: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:43.647699: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Aug 26 13:30:43.647703: | remote proposal 2 proposed transforms: ENCR+PRF+DH; matched: none; unmatched: ENCR+PRF+DH Aug 26 13:30:43.647707: | remote proposal 2 does not match; unmatched remote transforms: ENCR+PRF+DH Aug 26 13:30:43.647709: | ****parse IKEv2 Proposal Substructure Payload: Aug 26 13:30:43.647712: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 13:30:43.647714: | length: 116 (0x74) Aug 26 13:30:43.647717: | prop #: 3 (0x3) Aug 26 13:30:43.647719: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 13:30:43.647722: | spi size: 0 (0x0) Aug 26 13:30:43.647724: | # transforms: 13 (0xd) Aug 26 13:30:43.647728: | Comparing remote proposal 3 
containing 13 transforms against local proposal [1..0] of 4 local proposals Aug 26 13:30:43.647730: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.647733: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.647735: | length: 12 (0xc) Aug 26 13:30:43.647738: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:30:43.647741: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 13:30:43.647743: | ******parse IKEv2 Attribute Substructure Payload: Aug 26 13:30:43.647746: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:30:43.647749: | length/value: 256 (0x100) Aug 26 13:30:43.647752: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.647754: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.647757: | length: 8 (0x8) Aug 26 13:30:43.647759: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:30:43.647762: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Aug 26 13:30:43.647765: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.647768: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.647770: | length: 8 (0x8) Aug 26 13:30:43.647773: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:30:43.647775: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Aug 26 13:30:43.647778: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.647780: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.647783: | length: 8 (0x8) Aug 26 13:30:43.647785: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:30:43.647788: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Aug 26 13:30:43.647791: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.647793: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.647796: | length: 8 (0x8) Aug 26 13:30:43.647798: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:30:43.647801: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Aug 26 13:30:43.647804: | *****parse IKEv2 Transform Substructure Payload: Aug 26 
13:30:43.647806: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.647809: | length: 8 (0x8) Aug 26 13:30:43.647811: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:43.647814: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:30:43.647816: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.647819: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.647822: | length: 8 (0x8) Aug 26 13:30:43.647824: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:43.647827: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Aug 26 13:30:43.647830: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.647832: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.647839: | length: 8 (0x8) Aug 26 13:30:43.647842: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:43.647844: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Aug 26 13:30:43.647847: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.647850: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.647852: | length: 8 (0x8) Aug 26 13:30:43.647854: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:43.647857: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Aug 26 13:30:43.647860: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.647863: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.647865: | length: 8 (0x8) Aug 26 13:30:43.647867: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:43.647870: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Aug 26 13:30:43.647873: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.647875: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.647878: | length: 8 (0x8) Aug 26 13:30:43.647880: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:43.647883: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Aug 26 13:30:43.647886: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.647888: | last 
transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.647891: | length: 8 (0x8) Aug 26 13:30:43.647893: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:43.647896: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Aug 26 13:30:43.647899: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.647901: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:30:43.647904: | length: 8 (0x8) Aug 26 13:30:43.647906: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:43.647909: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Aug 26 13:30:43.647913: | remote proposal 3 proposed transforms: ENCR+PRF+INTEG+DH; matched: none; unmatched: ENCR+PRF+INTEG+DH Aug 26 13:30:43.647916: | remote proposal 3 does not match; unmatched remote transforms: ENCR+PRF+INTEG+DH Aug 26 13:30:43.647919: | ****parse IKEv2 Proposal Substructure Payload: Aug 26 13:30:43.647921: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 13:30:43.647924: | length: 116 (0x74) Aug 26 13:30:43.647926: | prop #: 4 (0x4) Aug 26 13:30:43.647929: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 13:30:43.647931: | spi size: 0 (0x0) Aug 26 13:30:43.647934: | # transforms: 13 (0xd) Aug 26 13:30:43.647937: | Comparing remote proposal 4 containing 13 transforms against local proposal [1..0] of 4 local proposals Aug 26 13:30:43.647940: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.647942: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.647945: | length: 12 (0xc) Aug 26 13:30:43.647948: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:30:43.647950: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 13:30:43.647953: | ******parse IKEv2 Attribute Substructure Payload: Aug 26 13:30:43.647956: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:30:43.647958: | length/value: 128 (0x80) Aug 26 13:30:43.647961: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.647964: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.647966: | length: 8 (0x8) Aug 26 
13:30:43.647969: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:30:43.647971: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Aug 26 13:30:43.647974: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.647976: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.647979: | length: 8 (0x8) Aug 26 13:30:43.647981: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:30:43.647984: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Aug 26 13:30:43.647987: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.647989: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.647992: | length: 8 (0x8) Aug 26 13:30:43.647994: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:30:43.647998: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Aug 26 13:30:43.648001: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.648004: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.648006: | length: 8 (0x8) Aug 26 13:30:43.648009: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:30:43.648011: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Aug 26 13:30:43.648014: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.648016: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.648019: | length: 8 (0x8) Aug 26 13:30:43.648021: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:43.648024: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:30:43.648027: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.648030: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.648032: | length: 8 (0x8) Aug 26 13:30:43.648035: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:43.648037: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Aug 26 13:30:43.648040: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.648043: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.648045: | length: 8 (0x8) Aug 26 13:30:43.648048: | 
IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:43.648050: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Aug 26 13:30:43.648065: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.648069: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.648071: | length: 8 (0x8) Aug 26 13:30:43.648074: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:43.648076: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Aug 26 13:30:43.648079: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.648081: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.648084: | length: 8 (0x8) Aug 26 13:30:43.648086: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:43.648089: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Aug 26 13:30:43.648091: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.648094: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.648096: | length: 8 (0x8) Aug 26 13:30:43.648099: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:43.648101: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Aug 26 13:30:43.648104: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.648106: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.648109: | length: 8 (0x8) Aug 26 13:30:43.648111: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:43.648114: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Aug 26 13:30:43.648116: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.648119: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:30:43.648121: | length: 8 (0x8) Aug 26 13:30:43.648124: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:43.648126: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Aug 26 13:30:43.648130: | remote proposal 4 proposed transforms: ENCR+PRF+INTEG+DH; matched: none; unmatched: ENCR+PRF+INTEG+DH Aug 26 13:30:43.648134: | remote proposal 4 does not match; unmatched remote transforms: ENCR+PRF+INTEG+DH 
Aug 26 13:30:43.648140: "eastnet-northnet"[1] 192.1.3.33 #1: proposal 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519[first-match] 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 Aug 26 13:30:43.648146: | accepted IKE proposal ikev2_proposal: 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048 Aug 26 13:30:43.648149: | converting proposal to internal trans attrs Aug 26 13:30:43.648153: | natd_hash: rcookie is zero Aug 26 13:30:43.648167: | natd_hash: hasher=0x55cd2bde5800(20) Aug 26 13:30:43.648171: | natd_hash: icookie= c1 0c 6a f1 31 90 61 76 Aug 26 13:30:43.648173: | natd_hash: rcookie= 00 00 00 00 00 00 00 00 Aug 26 13:30:43.648175: | natd_hash: ip= c0 01 02 17 Aug 26 13:30:43.648178: | natd_hash: port=500 Aug 26 13:30:43.648180: | natd_hash: hash= 53 aa 15 0f 66 6d 08 d2 fd f2 a9 06 22 a6 82 db Aug 26 13:30:43.648182: | natd_hash: hash= 87 7a f6 7e Aug 26 13:30:43.648185: | natd_hash: rcookie is zero Aug 26 13:30:43.648192: | natd_hash: hasher=0x55cd2bde5800(20) Aug 26 13:30:43.648194: | natd_hash: icookie= c1 0c 6a f1 31 90 61 76 Aug 26 13:30:43.648197: | natd_hash: rcookie= 00 00 00 00 00 00 00 00 Aug 26 13:30:43.648199: | natd_hash: ip= c0 01 03 21 Aug 26 13:30:43.648201: | natd_hash: port=500 Aug 26 13:30:43.648204: | natd_hash: hash= 73 b9 34 7b 6d ee 0e 70 8b 
00 60 c3 5c 71 0a 6a Aug 26 13:30:43.648206: | natd_hash: hash= 3c 50 3d 61 Aug 26 13:30:43.648209: | NAT_TRAVERSAL encaps using auto-detect Aug 26 13:30:43.648211: | NAT_TRAVERSAL this end is NOT behind NAT Aug 26 13:30:43.648213: | NAT_TRAVERSAL that end is NOT behind NAT Aug 26 13:30:43.648217: | NAT_TRAVERSAL nat-keepalive enabled 192.1.3.33 Aug 26 13:30:43.648222: | adding ikev2_inI1outR1 KE work-order 1 for state #1 Aug 26 13:30:43.648226: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55cd2da7c4e8 Aug 26 13:30:43.648230: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 Aug 26 13:30:43.648233: | libevent_malloc: new ptr-libevent@0x55cd2da7ec68 size 128 Aug 26 13:30:43.648259: | #1 spent 1.09 milliseconds in processing: Respond to IKE_SA_INIT in ikev2_process_state_packet() Aug 26 13:30:43.648267: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:30:43.648271: | #1 complete_v2_state_transition() PARENT_R0->PARENT_R1 with status STF_SUSPEND Aug 26 13:30:43.648269: | crypto helper 0 resuming Aug 26 13:30:43.648277: | suspending state #1 and saving MD Aug 26 13:30:43.648287: | crypto helper 0 starting work-order 1 for state #1 Aug 26 13:30:43.648301: | #1 is busy; has a suspended MD Aug 26 13:30:43.648303: | crypto helper 0 doing build KE and nonce (ikev2_inI1outR1 KE); request ID 1 Aug 26 13:30:43.648308: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in log_stf_suspend() at ikev2.c:3269) Aug 26 13:30:43.648313: | "eastnet-northnet"[1] 192.1.3.33 #1 complete v2 state STATE_PARENT_R0 transition with STF_SUSPEND suspended from complete_v2_state_transition:3451 Aug 26 13:30:43.648319: | stop processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2018) Aug 26 13:30:43.648324: | #1 spent 1.7 milliseconds in 
ikev2_process_packet() Aug 26 13:30:43.648328: | stop processing: from 192.1.3.33:500 (in process_md() at demux.c:380) Aug 26 13:30:43.648331: | processing: STOP state #0 (in process_md() at demux.c:382) Aug 26 13:30:43.648334: | processing: STOP connection NULL (in process_md() at demux.c:383) Aug 26 13:30:43.648338: | spent 1.71 milliseconds in comm_handle_cb() reading and processing packet Aug 26 13:30:43.649273: | crypto helper 0 finished build KE and nonce (ikev2_inI1outR1 KE); request ID 1 time elapsed 0.000969 seconds Aug 26 13:30:43.649286: | (#1) spent 0.981 milliseconds in crypto helper computing work-order 1: ikev2_inI1outR1 KE (pcr) Aug 26 13:30:43.649328: | crypto helper 0 sending results from work-order 1 for state #1 to event queue Aug 26 13:30:43.649336: | scheduling resume sending helper answer for #1 Aug 26 13:30:43.649340: | libevent_malloc: new ptr-libevent@0x7f911c002888 size 128 Aug 26 13:30:43.649350: | crypto helper 0 waiting (nothing to do) Aug 26 13:30:43.649359: | processing resume sending helper answer for #1 Aug 26 13:30:43.649370: | start processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in resume_handler() at server.c:797) Aug 26 13:30:43.649375: | crypto helper 0 replies to request ID 1 Aug 26 13:30:43.649377: | calling continuation function 0x55cd2bd10b50 Aug 26 13:30:43.649380: | ikev2_parent_inI1outR1_continue for #1: calculated ke+nonce, sending R1 Aug 26 13:30:43.649412: | **emit ISAKMP Message: Aug 26 13:30:43.649416: | initiator cookie: Aug 26 13:30:43.649418: | c1 0c 6a f1 31 90 61 76 Aug 26 13:30:43.649421: | responder cookie: Aug 26 13:30:43.649423: | 15 04 c6 8e 39 77 35 d8 Aug 26 13:30:43.649426: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 13:30:43.649429: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:30:43.649432: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) Aug 26 13:30:43.649435: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Aug 26 13:30:43.649438: | 
Message ID: 0 (0x0) Aug 26 13:30:43.649441: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 13:30:43.649444: | Emitting ikev2_proposal ... Aug 26 13:30:43.649447: | ***emit IKEv2 Security Association Payload: Aug 26 13:30:43.649449: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:30:43.649452: | flags: none (0x0) Aug 26 13:30:43.649456: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Aug 26 13:30:43.649459: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Aug 26 13:30:43.649462: | ****emit IKEv2 Proposal Substructure Payload: Aug 26 13:30:43.649465: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 13:30:43.649467: | prop #: 1 (0x1) Aug 26 13:30:43.649470: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 13:30:43.649473: | spi size: 0 (0x0) Aug 26 13:30:43.649475: | # transforms: 3 (0x3) Aug 26 13:30:43.649478: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Aug 26 13:30:43.649481: | *****emit IKEv2 Transform Substructure Payload: Aug 26 13:30:43.649484: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.649487: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:30:43.649490: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 13:30:43.649493: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:30:43.649496: | ******emit IKEv2 Attribute Substructure Payload: Aug 26 13:30:43.649498: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:30:43.649501: | length/value: 256 (0x100) Aug 26 13:30:43.649504: | emitting length of IKEv2 Transform Substructure Payload: 12 Aug 26 13:30:43.649507: | *****emit IKEv2 Transform Substructure Payload: Aug 26 13:30:43.649509: | last transform: 
v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.649512: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:30:43.649515: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Aug 26 13:30:43.649518: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.649521: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:30:43.649524: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:30:43.649526: | *****emit IKEv2 Transform Substructure Payload: Aug 26 13:30:43.649529: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:30:43.649531: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:43.649534: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:30:43.649539: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.649542: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:30:43.649545: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:30:43.649548: | emitting length of IKEv2 Proposal Substructure Payload: 36 Aug 26 13:30:43.649551: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Aug 26 13:30:43.649553: | emitting length of IKEv2 Security Association Payload: 40 Aug 26 13:30:43.649556: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Aug 26 13:30:43.649560: | ***emit IKEv2 Key Exchange Payload: Aug 26 13:30:43.649563: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:30:43.649565: | flags: none (0x0) Aug 26 13:30:43.649568: | DH group: OAKLEY_GROUP_MODP2048 (0xe) 
Aug 26 13:30:43.649571: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Key Exchange Payload (34:ISAKMP_NEXT_v2KE) Aug 26 13:30:43.649574: | next payload chain: saving location 'IKEv2 Key Exchange Payload'.'next payload type' in 'reply packet' Aug 26 13:30:43.649578: | emitting 256 raw bytes of ikev2 g^x into IKEv2 Key Exchange Payload Aug 26 13:30:43.649620: | emitting length of IKEv2 Key Exchange Payload: 264 Aug 26 13:30:43.649623: | ***emit IKEv2 Nonce Payload: Aug 26 13:30:43.649625: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 13:30:43.649628: | flags: none (0x0) Aug 26 
13:30:43.649631: | next payload chain: ignoring supplied 'IKEv2 Nonce Payload'.'next payload type' value 41:ISAKMP_NEXT_v2N Aug 26 13:30:43.649634: | next payload chain: setting previous 'IKEv2 Key Exchange Payload'.'next payload type' to current IKEv2 Nonce Payload (40:ISAKMP_NEXT_v2Ni) Aug 26 13:30:43.649637: | next payload chain: saving location 'IKEv2 Nonce Payload'.'next payload type' in 'reply packet' Aug 26 13:30:43.649640: | emitting 32 raw bytes of IKEv2 nonce into IKEv2 Nonce Payload Aug 26 13:30:43.649643: | IKEv2 nonce 75 cb ec 48 a6 2b fd eb 14 fb fb f4 22 cf b4 d1 Aug 26 13:30:43.649645: | IKEv2 nonce 9c 6a 0b cd 15 89 13 b2 e9 18 0f cc 6d ea b0 ca Aug 26 13:30:43.649648: | emitting length of IKEv2 Nonce Payload: 36 Aug 26 13:30:43.649650: | Adding a v2N Payload Aug 26 13:30:43.649653: | ***emit IKEv2 Notify Payload: Aug 26 13:30:43.649657: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:30:43.649659: | flags: none (0x0) Aug 26 13:30:43.649662: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:30:43.649664: | SPI size: 0 (0x0) Aug 26 13:30:43.649667: | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) Aug 26 13:30:43.649670: | next payload chain: setting previous 'IKEv2 Nonce Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Aug 26 13:30:43.649673: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Aug 26 13:30:43.649676: | emitting length of IKEv2 Notify Payload: 8 Aug 26 13:30:43.649679: | NAT-Traversal support [enabled] add v2N payloads. 
Aug 26 13:30:43.649689: | natd_hash: hasher=0x55cd2bde5800(20) Aug 26 13:30:43.649692: | natd_hash: icookie= c1 0c 6a f1 31 90 61 76 Aug 26 13:30:43.649695: | natd_hash: rcookie= 15 04 c6 8e 39 77 35 d8 Aug 26 13:30:43.649697: | natd_hash: ip= c0 01 02 17 Aug 26 13:30:43.649699: | natd_hash: port=500 Aug 26 13:30:43.649702: | natd_hash: hash= fe a7 84 5e ed 0d c6 f0 c2 e0 2c 4c 9a c1 25 05 Aug 26 13:30:43.649704: | natd_hash: hash= 6c 05 37 38 Aug 26 13:30:43.649706: | Adding a v2N Payload Aug 26 13:30:43.649709: | ***emit IKEv2 Notify Payload: Aug 26 13:30:43.649711: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:30:43.649714: | flags: none (0x0) Aug 26 13:30:43.649716: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:30:43.649719: | SPI size: 0 (0x0) Aug 26 13:30:43.649721: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Aug 26 13:30:43.649724: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Aug 26 13:30:43.649727: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Aug 26 13:30:43.649730: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Aug 26 13:30:43.649733: | Notify data fe a7 84 5e ed 0d c6 f0 c2 e0 2c 4c 9a c1 25 05 Aug 26 13:30:43.649735: | Notify data 6c 05 37 38 Aug 26 13:30:43.649737: | emitting length of IKEv2 Notify Payload: 28 Aug 26 13:30:43.649744: | natd_hash: hasher=0x55cd2bde5800(20) Aug 26 13:30:43.649747: | natd_hash: icookie= c1 0c 6a f1 31 90 61 76 Aug 26 13:30:43.649749: | natd_hash: rcookie= 15 04 c6 8e 39 77 35 d8 Aug 26 13:30:43.649751: | natd_hash: ip= c0 01 03 21 Aug 26 13:30:43.649754: | natd_hash: port=500 Aug 26 13:30:43.649756: | natd_hash: hash= ad d9 e7 c9 e6 32 e9 c0 44 e5 03 9b 46 fe 5b 0f Aug 26 13:30:43.649758: | natd_hash: hash= 3a 6a 11 b2 Aug 26 13:30:43.649760: | Adding a v2N Payload Aug 26 13:30:43.649763: | ***emit IKEv2 Notify Payload: Aug 26 
13:30:43.649765: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:30:43.649768: | flags: none (0x0) Aug 26 13:30:43.649771: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:30:43.649773: | SPI size: 0 (0x0) Aug 26 13:30:43.649776: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Aug 26 13:30:43.649779: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Aug 26 13:30:43.649782: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Aug 26 13:30:43.649786: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Aug 26 13:30:43.649788: | Notify data ad d9 e7 c9 e6 32 e9 c0 44 e5 03 9b 46 fe 5b 0f Aug 26 13:30:43.649791: | Notify data 3a 6a 11 b2 Aug 26 13:30:43.649793: | emitting length of IKEv2 Notify Payload: 28 Aug 26 13:30:43.649796: | emitting length of ISAKMP Message: 432 Aug 26 13:30:43.649806: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:30:43.649811: | #1 complete_v2_state_transition() PARENT_R0->PARENT_R1 with status STF_OK Aug 26 13:30:43.649814: | IKEv2: transition from state STATE_PARENT_R0 to state STATE_PARENT_R1 Aug 26 13:30:43.649819: | parent state #1: PARENT_R0(half-open IKE SA) => PARENT_R1(half-open IKE SA) Aug 26 13:30:43.649822: | Message ID: updating counters for #1 to 0 after switching state Aug 26 13:30:43.649828: | Message ID: recv #1 request 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1->0 wip.initiator=-1 wip.responder=0->-1 Aug 26 13:30:43.649832: | Message ID: sent #1 response 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1->0 responder.recv=0 wip.initiator=-1 wip.responder=-1 Aug 26 13:30:43.649838: "eastnet-northnet"[1] 192.1.3.33 #1: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a 
prf=HMAC_SHA2_512 group=MODP2048} Aug 26 13:30:43.649843: | sending V2 new request packet to 192.1.3.33:500 (from 192.1.2.23:500) Aug 26 13:30:43.649852: | sending 432 bytes for STATE_PARENT_R0 through eth1 from 192.1.2.23:500 to 192.1.3.33:500 (using #1) Aug 26 13:30:43.649979: | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted Aug 26 13:30:43.649984: | libevent_free: release ptr-libevent@0x55cd2da7ec68 Aug 26 13:30:43.649988: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55cd2da7c4e8 Aug 26 13:30:43.649991: | event_schedule: new EVENT_SO_DISCARD-pe@0x55cd2da7c4e8 Aug 26 13:30:43.649995: | inserting event EVENT_SO_DISCARD, timeout in 200 seconds for #1 Aug 26 13:30:43.649998: | libevent_malloc: new ptr-libevent@0x55cd2da7fdb8 size 128 Aug 26 13:30:43.650002: | resume sending helper answer for #1 suppresed complete_v2_state_transition() Aug 26 13:30:43.650008: | #1 spent 0.6 milliseconds in resume sending helper answer Aug 26 13:30:43.650014: | stop processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in resume_handler() at server.c:833) Aug 26 13:30:43.650018: | libevent_free: release ptr-libevent@0x7f911c002888 Aug 26 13:30:43.652488: | spent 0.00255 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Aug 26 13:30:43.652516: | *received 241 bytes from 192.1.3.33:500 on eth1 (192.1.2.23:500) 
Aug 26 13:30:43.652565: | start processing: from 192.1.3.33:500 (in process_md() at demux.c:378) Aug 26 13:30:43.652569: | **parse ISAKMP Message: Aug 26 13:30:43.652578: | initiator cookie: Aug 26 13:30:43.652581: | c1 0c 6a f1 31 90 61 76 Aug 26 13:30:43.652583: | responder cookie: Aug 26 13:30:43.652586: | 15 04 c6 8e 39 77 35 d8 Aug 26 13:30:43.652589: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Aug 26 13:30:43.652592: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:30:43.652595: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Aug 26 13:30:43.652598: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Aug 26 13:30:43.652601: | Message ID: 1 (0x1) Aug 26 13:30:43.652604: | length: 241 (0xf1) Aug 26 13:30:43.652607: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) Aug 26 13:30:43.652610: | I am the IKE SA Original Responder receiving an IKEv2 IKE_AUTH request Aug 26 13:30:43.652615: | State DB: found IKEv2 state #1 in PARENT_R1 (find_v2_ike_sa) Aug 26 13:30:43.652623: | start processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2016) Aug 26 13:30:43.652627: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Aug 26 13:30:43.652632: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in ike_process_packet() at ikev2.c:2064) Aug 26 13:30:43.652636: | #1 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 
00000001 Aug 26 13:30:43.652640: | Message ID: #1 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 Aug 26 13:30:43.652643: | unpacking clear payload Aug 26 13:30:43.652646: | Now let's proceed with payload (ISAKMP_NEXT_v2SK) Aug 26 13:30:43.652649: | ***parse IKEv2 Encryption Payload: Aug 26 13:30:43.652652: | next payload type: ISAKMP_NEXT_v2IDi (0x23) Aug 26 13:30:43.652654: | flags: none (0x0) Aug 26 13:30:43.652657: | length: 213 (0xd5) Aug 26 13:30:43.652659: | processing payload: ISAKMP_NEXT_v2SK (len=209) Aug 26 13:30:43.652664: | Message ID: start-responder #1 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=-1->1 Aug 26 13:30:43.652667: | #1 in state PARENT_R1: received v2I1, sent v2R1 Aug 26 13:30:43.652670: | selected state microcode Responder: process IKE_AUTH request (no SKEYSEED) Aug 26 13:30:43.652673: | Now let's proceed with state specific processing Aug 26 13:30:43.652675: | calling processor Responder: process IKE_AUTH request (no SKEYSEED) Aug 26 13:30:43.652679: | ikev2 parent inI2outR2: calculating g^{xy} in order to decrypt I2 Aug 26 13:30:43.652683: | offloading IKEv2 SKEYSEED using prf=HMAC_SHA2_512 integ=NONE cipherkey=AES_GCM_16 Aug 26 13:30:43.652690: | adding ikev2_inI2outR2 KE work-order 2 for state #1 Aug 26 13:30:43.652693: | state #1 requesting EVENT_SO_DISCARD to be deleted Aug 26 13:30:43.652698: | libevent_free: release ptr-libevent@0x55cd2da7fdb8 Aug 26 13:30:43.652701: | free_event_entry: release EVENT_SO_DISCARD-pe@0x55cd2da7c4e8 Aug 26 13:30:43.652705: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55cd2da7c4e8 Aug 26 13:30:43.652709: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 Aug 26 13:30:43.652712: | libevent_malloc: new ptr-libevent@0x7f911c002888 size 128 Aug 26 13:30:43.652724: | #1 spent 0.0427 milliseconds in processing: Responder: process IKE_AUTH request (no SKEYSEED) 
in ikev2_process_state_packet() Aug 26 13:30:43.652729: | crypto helper 1 resuming Aug 26 13:30:43.652730: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:30:43.652743: | crypto helper 1 starting work-order 2 for state #1 Aug 26 13:30:43.652751: | #1 complete_v2_state_transition() PARENT_R1->PARENT_R1 with status STF_SUSPEND Aug 26 13:30:43.652755: | crypto helper 1 doing compute dh (V2) (ikev2_inI2outR2 KE); request ID 2 Aug 26 13:30:43.652756: | suspending state #1 and saving MD Aug 26 13:30:43.652764: | #1 is busy; has a suspended MD Aug 26 13:30:43.652771: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in log_stf_suspend() at ikev2.c:3269) Aug 26 13:30:43.652776: | "eastnet-northnet"[1] 192.1.3.33 #1 complete v2 state STATE_PARENT_R1 transition with STF_SUSPEND suspended from complete_v2_state_transition:3451 Aug 26 13:30:43.652781: | stop processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2018) Aug 26 13:30:43.652787: | #1 spent 0.273 milliseconds in ikev2_process_packet() Aug 26 13:30:43.652791: | stop processing: from 192.1.3.33:500 (in process_md() at demux.c:380) Aug 26 13:30:43.652794: | processing: STOP state #0 (in process_md() at demux.c:382) Aug 26 13:30:43.652797: | processing: STOP connection NULL (in process_md() at demux.c:383) Aug 26 13:30:43.652801: | spent 0.288 milliseconds in comm_handle_cb() reading and processing packet Aug 26 13:30:43.653727: | calculating skeyseed using prf=sha2_512 integ=none cipherkey-size=32 salt-size=4 Aug 26 13:30:43.654159: | crypto helper 1 finished compute dh (V2) (ikev2_inI2outR2 KE); request ID 2 time elapsed 0.001403 seconds Aug 26 13:30:43.654167: | (#1) spent 1.4 milliseconds in crypto helper computing work-order 2: ikev2_inI2outR2 KE (pcr) Aug 26 13:30:43.654170: | crypto helper 
1 sending results from work-order 2 for state #1 to event queue Aug 26 13:30:43.654173: | scheduling resume sending helper answer for #1 Aug 26 13:30:43.654177: | libevent_malloc: new ptr-libevent@0x7f9114000f48 size 128 Aug 26 13:30:43.654185: | crypto helper 1 waiting (nothing to do) Aug 26 13:30:43.654194: | processing resume sending helper answer for #1 Aug 26 13:30:43.654206: | start processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in resume_handler() at server.c:797) Aug 26 13:30:43.654211: | crypto helper 1 replies to request ID 2 Aug 26 13:30:43.654214: | calling continuation function 0x55cd2bd10b50 Aug 26 13:30:43.654217: | ikev2_parent_inI2outR2_continue for #1: calculating g^{xy}, sending R2 Aug 26 13:30:43.654221: | #1 in state PARENT_R1: received v2I1, sent v2R1 Aug 26 13:30:43.654234: | #1 ikev2 ISAKMP_v2_IKE_AUTH decrypt success Aug 26 13:30:43.654238: | Now let's proceed with payload (ISAKMP_NEXT_v2IDi) Aug 26 13:30:43.654242: | **parse IKEv2 Identification - Initiator - Payload: Aug 26 13:30:43.654245: | next payload type: ISAKMP_NEXT_v2AUTH (0x27) Aug 26 13:30:43.654248: | flags: none (0x0) Aug 26 13:30:43.654251: | length: 12 (0xc) Aug 26 13:30:43.654254: | ID type: ID_IPV4_ADDR (0x1) Aug 26 13:30:43.654258: | processing payload: ISAKMP_NEXT_v2IDi (len=4) Aug 26 13:30:43.654263: | Now let's proceed with payload (ISAKMP_NEXT_v2AUTH) Aug 26 13:30:43.654267: | **parse IKEv2 Authentication Payload: Aug 26 13:30:43.654270: | next payload type: ISAKMP_NEXT_v2SA (0x21) Aug 26 13:30:43.654273: | flags: none (0x0) Aug 26 13:30:43.654276: | length: 72 (0x48) Aug 26 13:30:43.654279: | auth method: IKEv2_AUTH_SHARED (0x2) Aug 26 13:30:43.654282: | processing payload: ISAKMP_NEXT_v2AUTH (len=64) Aug 26 13:30:43.654285: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Aug 26 13:30:43.654303: | **parse IKEv2 Security Association Payload: Aug 26 13:30:43.654310: | next payload type: ISAKMP_NEXT_v2TSi (0x2c) Aug 26 
13:30:43.654313: | flags: none (0x0) Aug 26 13:30:43.654315: | length: 44 (0x2c) Aug 26 13:30:43.654318: | processing payload: ISAKMP_NEXT_v2SA (len=40) Aug 26 13:30:43.654334: | Now let's proceed with payload (ISAKMP_NEXT_v2TSi) Aug 26 13:30:43.654337: | **parse IKEv2 Traffic Selector - Initiator - Payload: Aug 26 13:30:43.654340: | next payload type: ISAKMP_NEXT_v2TSr (0x2d) Aug 26 13:30:43.654343: | flags: none (0x0) Aug 26 13:30:43.654345: | length: 24 (0x18) Aug 26 13:30:43.654348: | number of TS: 1 (0x1) Aug 26 13:30:43.654351: | processing payload: ISAKMP_NEXT_v2TSi (len=16) Aug 26 13:30:43.654354: | Now let's proceed with payload (ISAKMP_NEXT_v2TSr) Aug 26 13:30:43.654357: | **parse IKEv2 Traffic Selector - Responder - Payload: Aug 26 13:30:43.654359: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 13:30:43.654362: | flags: none (0x0) Aug 26 13:30:43.654365: | length: 24 (0x18) Aug 26 13:30:43.654368: | number of TS: 1 (0x1) Aug 26 13:30:43.654371: | processing payload: ISAKMP_NEXT_v2TSr (len=16) Aug 26 13:30:43.654373: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Aug 26 13:30:43.654376: | **parse IKEv2 Notify Payload: Aug 26 13:30:43.654379: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:30:43.654382: | flags: none (0x0) Aug 26 13:30:43.654385: | length: 8 (0x8) Aug 26 13:30:43.654388: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:30:43.654390: | SPI size: 0 (0x0) Aug 26 13:30:43.654393: | Notify Message Type: v2N_MOBIKE_SUPPORTED (0x400c) Aug 26 13:30:43.654396: | processing payload: ISAKMP_NEXT_v2N (len=0) Aug 26 13:30:43.654399: | selected state microcode Responder: process IKE_AUTH request Aug 26 13:30:43.654402: | Now let's proceed with state specific processing Aug 26 13:30:43.654405: | calling processor Responder: process IKE_AUTH request Aug 26 13:30:43.654412: "eastnet-northnet"[1] 192.1.3.33 #1: processing decrypted IKE_AUTH request: SK{IDi,AUTH,SA,TSi,TSr,N} Aug 26 13:30:43.654419: | #1 updating local interface from 
192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2669) Aug 26 13:30:43.654424: | parsing 4 raw bytes of IKEv2 Identification - Initiator - Payload into peer ID Aug 26 13:30:43.654426: | peer ID c0 01 03 21 Aug 26 13:30:43.654432: | refine_host_connection for IKEv2: starting with "eastnet-northnet"[1] 192.1.3.33 Aug 26 13:30:43.654438: | match_id a=192.1.3.33 Aug 26 13:30:43.654441: | b=192.1.3.33 Aug 26 13:30:43.654443: | results matched Aug 26 13:30:43.654450: | refine_host_connection: checking "eastnet-northnet"[1] 192.1.3.33 against "eastnet-northnet"[1] 192.1.3.33, best=(none) with match=1(id=1(0)/ca=1(0)/reqca=1(0)) Aug 26 13:30:43.654453: | Warning: not switching back to template of current instance Aug 26 13:30:43.654456: | No IDr payload received from peer Aug 26 13:30:43.654461: | refine_host_connection: checked eastnet-northnet[1] 192.1.3.33 against eastnet-northnet[1] 192.1.3.33, now for see if best Aug 26 13:30:43.654467: | started looking for secret for 192.1.2.23->192.1.3.33 of kind PKK_PSK Aug 26 13:30:43.654471: | actually looking for secret for 192.1.2.23->192.1.3.33 of kind PKK_PSK Aug 26 13:30:43.654476: | line 1: key type PKK_PSK(192.1.2.23) to type PKK_PSK Aug 26 13:30:43.654481: | 1: compared key (none) to 192.1.2.23 / 192.1.3.33 -> 002 Aug 26 13:30:43.654484: | 2: compared key (none) to 192.1.2.23 / 192.1.3.33 -> 002 Aug 26 13:30:43.654489: | line 1: match=002 Aug 26 13:30:43.654492: | match 002 beats previous best_match 000 match=0x55cd2d9d3c48 (line=1) Aug 26 13:30:43.654495: | concluding with best_match=002 best=0x55cd2d9d3c48 (lineno=1) Aug 26 13:30:43.654498: | returning because exact peer id match Aug 26 13:30:43.654501: | offered CA: '%none' Aug 26 13:30:43.654507: "eastnet-northnet"[1] 192.1.3.33 #1: IKEv2 mode peer ID is ID_IPV4_ADDR: '192.1.3.33' Aug 26 13:30:43.654510: | received v2N_MOBIKE_SUPPORTED while it did not sent Aug 26 13:30:43.654532: | verifying AUTH payload Aug 26 13:30:43.654536: 
| ikev2_calculate_psk_sighash() called from STATE_PARENT_R1 to verify PSK with authby=secret Aug 26 13:30:43.654541: | started looking for secret for 192.1.2.23->192.1.3.33 of kind PKK_PSK Aug 26 13:30:43.654545: | actually looking for secret for 192.1.2.23->192.1.3.33 of kind PKK_PSK Aug 26 13:30:43.654550: | line 1: key type PKK_PSK(192.1.2.23) to type PKK_PSK Aug 26 13:30:43.654554: | 1: compared key (none) to 192.1.2.23 / 192.1.3.33 -> 002 Aug 26 13:30:43.654557: | 2: compared key (none) to 192.1.2.23 / 192.1.3.33 -> 002 Aug 26 13:30:43.654560: | line 1: match=002 Aug 26 13:30:43.654563: | match 002 beats previous best_match 000 match=0x55cd2d9d3c48 (line=1) Aug 26 13:30:43.654566: | concluding with best_match=002 best=0x55cd2d9d3c48 (lineno=1) Aug 26 13:30:43.654631: "eastnet-northnet"[1] 192.1.3.33 #1: Authenticated using authby=secret Aug 26 13:30:43.654637: | parent state #1: PARENT_R1(half-open IKE SA) => PARENT_R2(established IKE SA) Aug 26 13:30:43.654642: | #1 will start re-keying in 3330 seconds with margin of 270 seconds (attempting re-key) Aug 26 13:30:43.654645: | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted Aug 26 13:30:43.654649: | libevent_free: release ptr-libevent@0x7f911c002888 Aug 26 13:30:43.654653: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55cd2da7c4e8 Aug 26 13:30:43.654656: | event_schedule: new EVENT_SA_REKEY-pe@0x55cd2da7c4e8 Aug 26 13:30:43.654660: | inserting event EVENT_SA_REKEY, timeout in 3330 seconds for #1 Aug 26 13:30:43.654663: | libevent_malloc: new ptr-libevent@0x55cd2da7ee78 size 128 Aug 26 13:30:43.654778: | pstats #1 ikev2.ike established Aug 26 13:30:43.654787: | **emit ISAKMP Message: Aug 26 13:30:43.654790: | initiator cookie: Aug 26 13:30:43.654793: | c1 0c 6a f1 31 90 61 76 Aug 26 13:30:43.654796: | responder cookie: Aug 26 13:30:43.654798: | 15 04 c6 8e 39 77 35 d8 Aug 26 13:30:43.654801: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 13:30:43.654804: | ISAKMP version: IKEv2 version 2.0 
(rfc4306/rfc5996) (0x20) Aug 26 13:30:43.654808: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Aug 26 13:30:43.654811: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Aug 26 13:30:43.654814: | Message ID: 1 (0x1) Aug 26 13:30:43.654817: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 13:30:43.654820: | IKEv2 CERT: send a certificate? Aug 26 13:30:43.654824: | IKEv2 CERT: policy does not have RSASIG or ECDSA: PSK Aug 26 13:30:43.654827: | ***emit IKEv2 Encryption Payload: Aug 26 13:30:43.654830: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:30:43.654833: | flags: none (0x0) Aug 26 13:30:43.654836: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Aug 26 13:30:43.654839: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'reply packet' Aug 26 13:30:43.654843: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Aug 26 13:30:43.654852: | Adding a v2N Payload Aug 26 13:30:43.654855: | ****emit IKEv2 Notify Payload: Aug 26 13:30:43.654858: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:30:43.654860: | flags: none (0x0) Aug 26 13:30:43.654863: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:30:43.654866: | SPI size: 0 (0x0) Aug 26 13:30:43.654869: | Notify Message Type: v2N_MOBIKE_SUPPORTED (0x400c) Aug 26 13:30:43.654875: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Aug 26 13:30:43.654879: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Aug 26 13:30:43.654882: | emitting length of IKEv2 Notify Payload: 8 Aug 26 13:30:43.654885: | Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED Aug 26 13:30:43.654899: | ****emit IKEv2 Identification - Responder - Payload: Aug 26 13:30:43.654902: | next payload type: ISAKMP_NEXT_v2NONE (0x0) 
Aug 26 13:30:43.654905: | flags: none (0x0) Aug 26 13:30:43.654908: | ID type: ID_IPV4_ADDR (0x1) Aug 26 13:30:43.654912: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Identification - Responder - Payload (36:ISAKMP_NEXT_v2IDr) Aug 26 13:30:43.654915: | next payload chain: saving location 'IKEv2 Identification - Responder - Payload'.'next payload type' in 'reply packet' Aug 26 13:30:43.654919: | emitting 4 raw bytes of my identity into IKEv2 Identification - Responder - Payload Aug 26 13:30:43.654921: | my identity c0 01 02 17 Aug 26 13:30:43.654924: | emitting length of IKEv2 Identification - Responder - Payload: 12 Aug 26 13:30:43.654933: | assembled IDr payload Aug 26 13:30:43.654936: | CHILD SA proposals received Aug 26 13:30:43.654939: | going to assemble AUTH payload Aug 26 13:30:43.654942: | ****emit IKEv2 Authentication Payload: Aug 26 13:30:43.654945: | next payload type: ISAKMP_NEXT_v2SA (0x21) Aug 26 13:30:43.654948: | flags: none (0x0) Aug 26 13:30:43.654951: | auth method: IKEv2_AUTH_SHARED (0x2) Aug 26 13:30:43.654954: | next payload chain: ignoring supplied 'IKEv2 Authentication Payload'.'next payload type' value 33:ISAKMP_NEXT_v2SA Aug 26 13:30:43.654958: | next payload chain: setting previous 'IKEv2 Identification - Responder - Payload'.'next payload type' to current IKEv2 Authentication Payload (39:ISAKMP_NEXT_v2AUTH) Aug 26 13:30:43.654961: | next payload chain: saving location 'IKEv2 Authentication Payload'.'next payload type' in 'reply packet' Aug 26 13:30:43.654965: | ikev2_calculate_psk_sighash() called from STATE_PARENT_R2 to create PSK with authby=secret Aug 26 13:30:43.654970: | started looking for secret for 192.1.2.23->192.1.3.33 of kind PKK_PSK Aug 26 13:30:43.654974: | actually looking for secret for 192.1.2.23->192.1.3.33 of kind PKK_PSK Aug 26 13:30:43.654980: | line 1: key type PKK_PSK(192.1.2.23) to type PKK_PSK Aug 26 13:30:43.654983: | 1: compared key (none) to 192.1.2.23 / 
192.1.3.33 -> 002 Aug 26 13:30:43.654986: | 2: compared key (none) to 192.1.2.23 / 192.1.3.33 -> 002 Aug 26 13:30:43.654989: | line 1: match=002 Aug 26 13:30:43.654993: | match 002 beats previous best_match 000 match=0x55cd2d9d3c48 (line=1) Aug 26 13:30:43.654996: | concluding with best_match=002 best=0x55cd2d9d3c48 (lineno=1) Aug 26 13:30:43.655054: | emitting 64 raw bytes of PSK auth into IKEv2 Authentication Payload Aug 26 13:30:43.655058: | PSK auth 6f 28 fe d9 05 6c a8 00 d6 ab ad 23 cb bc b0 60 Aug 26 13:30:43.655061: | PSK auth f9 28 d8 7f fa eb f9 28 a1 f4 d3 59 0f a3 c4 46 Aug 26 13:30:43.655064: | PSK auth 74 43 b2 ac 49 bf f7 67 18 31 a4 d1 c6 6a d9 b1 Aug 26 13:30:43.655066: | PSK auth dc 1d 6c ef f7 4f 9f 82 37 48 f4 67 2c ba 85 5f Aug 26 13:30:43.655070: | emitting length of IKEv2 Authentication Payload: 72 Aug 26 13:30:43.655077: | creating state object #2 at 0x55cd2da80e48 Aug 26 13:30:43.655081: | State DB: adding IKEv2 state #2 in UNDEFINED Aug 26 13:30:43.655085: | pstats #2 ikev2.child started Aug 26 13:30:43.655091: | duplicating state object #1 "eastnet-northnet"[1] 192.1.3.33 as #2 for IPSEC SA Aug 26 13:30:43.655096: | #2 setting local endpoint to 192.1.2.23:500 from #1.st_localport (in duplicate_state() at state.c:1484) Aug 26 13:30:43.655103: | Message ID: init_child #1.#2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0; child: wip.initiator=0->-1 wip.responder=0->-1 Aug 26 13:30:43.655110: | Message ID: switch-from #1 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=1->-1 Aug 26 13:30:43.655115: | Message ID: switch-to #1.#2 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0; child: wip.initiator=-1 wip.responder=-1->1 Aug 26 13:30:43.655118: | Child SA TS Request has ike->sa == md->st; so using parent connection Aug 26 13:30:43.655122: | TSi: parsing 1 traffic selectors Aug 26 13:30:43.655125: | ***parse 
IKEv2 Traffic Selector: Aug 26 13:30:43.655128: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 13:30:43.655131: | IP Protocol ID: 0 (0x0) Aug 26 13:30:43.655134: | length: 16 (0x10) Aug 26 13:30:43.655137: | start port: 0 (0x0) Aug 26 13:30:43.655140: | end port: 65535 (0xffff) Aug 26 13:30:43.655143: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Aug 26 13:30:43.655146: | TS low c0 00 03 00 Aug 26 13:30:43.655149: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Aug 26 13:30:43.655152: | TS high c0 00 03 ff Aug 26 13:30:43.655154: | TSi: parsed 1 traffic selectors Aug 26 13:30:43.655157: | TSr: parsing 1 traffic selectors Aug 26 13:30:43.655160: | ***parse IKEv2 Traffic Selector: Aug 26 13:30:43.655163: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 13:30:43.655166: | IP Protocol ID: 0 (0x0) Aug 26 13:30:43.655169: | length: 16 (0x10) Aug 26 13:30:43.655171: | start port: 0 (0x0) Aug 26 13:30:43.655174: | end port: 65535 (0xffff) Aug 26 13:30:43.655177: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Aug 26 13:30:43.655180: | TS low c0 00 02 00 Aug 26 13:30:43.655183: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Aug 26 13:30:43.655185: | TS high c0 00 02 ff Aug 26 13:30:43.655188: | TSr: parsed 1 traffic selectors Aug 26 13:30:43.655191: | looking for best SPD in current connection Aug 26 13:30:43.655199: | evaluating our conn="eastnet-northnet"[1] 192.1.3.33 I=192.0.3.0/24:0/0 R=192.0.2.0/24:0/0 to their: Aug 26 13:30:43.655205: | TSi[0] .net=192.0.3.0-192.0.3.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 13:30:43.655212: | match address end->client=192.0.3.0/24 == TSi[0]net=192.0.3.0-192.0.3.255: YES fitness 32 Aug 26 13:30:43.655216: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Aug 26 13:30:43.655219: | TSi[0] port match: YES fitness 65536 Aug 26 13:30:43.655222: | narrow protocol end=*0 == TSi[0]=*0: 0 Aug 26 13:30:43.655225: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Aug 26 
13:30:43.655231: | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 13:30:43.655237: | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 Aug 26 13:30:43.655240: | narrow port end=0..65535 == TSr[0]=0..65535: 0 Aug 26 13:30:43.655243: | TSr[0] port match: YES fitness 65536 Aug 26 13:30:43.655246: | narrow protocol end=*0 == TSr[0]=*0: 0 Aug 26 13:30:43.655250: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Aug 26 13:30:43.655253: | best fit so far: TSi[0] TSr[0] Aug 26 13:30:43.655256: | found better spd route for TSi[0],TSr[0] Aug 26 13:30:43.655258: | looking for better host pair Aug 26 13:30:43.655264: | find_host_pair: comparing 192.1.2.23:500 to 192.1.3.33:500 but ignoring ports Aug 26 13:30:43.655270: | checking hostpair 192.0.2.0/24 -> 192.0.3.0/24 is found Aug 26 13:30:43.655273: | investigating connection "eastnet-northnet" as a better match Aug 26 13:30:43.655278: | match_id a=192.1.3.33 Aug 26 13:30:43.655280: | b=192.1.3.33 Aug 26 13:30:43.655283: | results matched Aug 26 13:30:43.655310: | evaluating our conn="eastnet-northnet"[1] 192.1.3.33 I=192.0.3.0/24:0/0 R=192.0.2.0/24:0/0 to their: Aug 26 13:30:43.655318: | TSi[0] .net=192.0.3.0-192.0.3.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 13:30:43.655325: | match address end->client=192.0.3.0/24 == TSi[0]net=192.0.3.0-192.0.3.255: YES fitness 32 Aug 26 13:30:43.655342: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Aug 26 13:30:43.655345: | TSi[0] port match: YES fitness 65536 Aug 26 13:30:43.655348: | narrow protocol end=*0 == TSi[0]=*0: 0 Aug 26 13:30:43.655352: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Aug 26 13:30:43.655356: | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 13:30:43.655363: | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 Aug 26 13:30:43.655366: | narrow port end=0..65535 == TSr[0]=0..65535: 0 
Aug 26 13:30:43.655369: | TSr[0] port match: YES fitness 65536 Aug 26 13:30:43.655372: | narrow protocol end=*0 == TSr[0]=*0: 0 Aug 26 13:30:43.655375: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Aug 26 13:30:43.655378: | best fit so far: TSi[0] TSr[0] Aug 26 13:30:43.655380: | did not find a better connection using host pair Aug 26 13:30:43.655383: | printing contents struct traffic_selector Aug 26 13:30:43.655386: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Aug 26 13:30:43.655389: | ipprotoid: 0 Aug 26 13:30:43.655392: | port range: 0-65535 Aug 26 13:30:43.655396: | ip range: 192.0.2.0-192.0.2.255 Aug 26 13:30:43.655399: | printing contents struct traffic_selector Aug 26 13:30:43.655401: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Aug 26 13:30:43.655404: | ipprotoid: 0 Aug 26 13:30:43.655406: | port range: 0-65535 Aug 26 13:30:43.655411: | ip range: 192.0.3.0-192.0.3.255 Aug 26 13:30:43.655415: | constructing ESP/AH proposals with all DH removed for eastnet-northnet (IKE_AUTH responder matching remote ESP/AH proposals) Aug 26 13:30:43.655420: | converting proposal AES_CBC_256-HMAC_SHA2_256_128 to ikev2 ... Aug 26 13:30:43.655427: | ... 
ikev2_proposal: 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED Aug 26 13:30:43.655433: "eastnet-northnet"[1] 192.1.3.33: constructed local ESP/AH proposals for eastnet-northnet (IKE_AUTH responder matching remote ESP/AH proposals): 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED Aug 26 13:30:43.655436: | Comparing remote proposals against IKE_AUTH responder matching remote ESP/AH proposals 1 local proposals Aug 26 13:30:43.655442: | local proposal 1 type ENCR has 1 transforms Aug 26 13:30:43.655445: | local proposal 1 type PRF has 0 transforms Aug 26 13:30:43.655448: | local proposal 1 type INTEG has 1 transforms Aug 26 13:30:43.655451: | local proposal 1 type DH has 1 transforms Aug 26 13:30:43.655454: | local proposal 1 type ESN has 1 transforms Aug 26 13:30:43.655458: | local proposal 1 transforms: required: ENCR+INTEG+ESN; optional: DH Aug 26 13:30:43.655461: | ***parse IKEv2 Proposal Substructure Payload: Aug 26 13:30:43.655464: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 13:30:43.655467: | length: 40 (0x28) Aug 26 13:30:43.655470: | prop #: 1 (0x1) Aug 26 13:30:43.655473: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 13:30:43.655476: | spi size: 4 (0x4) Aug 26 13:30:43.655478: | # transforms: 3 (0x3) Aug 26 13:30:43.655482: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Aug 26 13:30:43.655485: | remote SPI 42 14 7c 9c Aug 26 13:30:43.655488: | Comparing remote proposal 1 containing 3 transforms against local proposal [1..1] of 1 local proposals Aug 26 13:30:43.655491: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.655494: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.655497: | length: 12 (0xc) Aug 26 13:30:43.655500: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:30:43.655503: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 13:30:43.655506: | *****parse IKEv2 Attribute Substructure Payload: Aug 26 13:30:43.655509: | af+type: AF+IKEv2_KEY_LENGTH 
(0x800e) Aug 26 13:30:43.655512: | length/value: 256 (0x100) Aug 26 13:30:43.655517: | remote proposal 1 transform 0 (ENCR=AES_CBC_256) matches local proposal 1 type 1 (ENCR) transform 0 Aug 26 13:30:43.655524: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.655527: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.655529: | length: 8 (0x8) Aug 26 13:30:43.655532: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:30:43.655535: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Aug 26 13:30:43.655539: | remote proposal 1 transform 1 (INTEG=HMAC_SHA2_256_128) matches local proposal 1 type 3 (INTEG) transform 0 Aug 26 13:30:43.655542: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.655545: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:30:43.655548: | length: 8 (0x8) Aug 26 13:30:43.655551: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 13:30:43.655553: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 13:30:43.655557: | remote proposal 1 transform 2 (ESN=DISABLED) matches local proposal 1 type 5 (ESN) transform 0 Aug 26 13:30:43.655561: | remote proposal 1 proposed transforms: ENCR+INTEG+ESN; matched: ENCR+INTEG+ESN; unmatched: none Aug 26 13:30:43.655566: | comparing remote proposal 1 containing ENCR+INTEG+ESN transforms to local proposal 1; required: ENCR+INTEG+ESN; optional: DH; matched: ENCR+INTEG+ESN Aug 26 13:30:43.655569: | remote proposal 1 matches local proposal 1 Aug 26 13:30:43.655576: "eastnet-northnet"[1] 192.1.3.33 #1: proposal 1:ESP:SPI=42147c9c;ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED chosen from remote proposals 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED[first-match] Aug 26 13:30:43.655582: | IKE_AUTH responder matching remote ESP/AH proposals ikev2_proposal: 1:ESP:SPI=42147c9c;ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED Aug 26 13:30:43.655585: | converting proposal to internal trans attrs Aug 26 13:30:43.655605: | netlink_get_spi: allocated 
0x1b000ba4 for esp.0@192.1.2.23 Aug 26 13:30:43.655609: | Emitting ikev2_proposal ... Aug 26 13:30:43.655612: | ****emit IKEv2 Security Association Payload: Aug 26 13:30:43.655615: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:30:43.655617: | flags: none (0x0) Aug 26 13:30:43.655621: | next payload chain: setting previous 'IKEv2 Authentication Payload'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Aug 26 13:30:43.655624: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Aug 26 13:30:43.655628: | *****emit IKEv2 Proposal Substructure Payload: Aug 26 13:30:43.655631: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 13:30:43.655634: | prop #: 1 (0x1) Aug 26 13:30:43.655636: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 13:30:43.655639: | spi size: 4 (0x4) Aug 26 13:30:43.655642: | # transforms: 3 (0x3) Aug 26 13:30:43.655645: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Aug 26 13:30:43.655649: | emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload Aug 26 13:30:43.655652: | our spi 1b 00 0b a4 Aug 26 13:30:43.655654: | ******emit IKEv2 Transform Substructure Payload: Aug 26 13:30:43.655657: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.655660: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:30:43.655663: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 13:30:43.655666: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:30:43.655669: | *******emit IKEv2 Attribute Substructure Payload: Aug 26 13:30:43.655672: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:30:43.655675: | length/value: 256 (0x100) Aug 26 13:30:43.655678: | emitting length of IKEv2 Transform Substructure Payload: 12 Aug 26 13:30:43.655681: | ******emit IKEv2 Transform Substructure 
Payload: Aug 26 13:30:43.655684: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.655687: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:30:43.655690: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Aug 26 13:30:43.655695: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.655698: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:30:43.655701: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:30:43.655704: | ******emit IKEv2 Transform Substructure Payload: Aug 26 13:30:43.655707: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:30:43.655710: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 13:30:43.655713: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 13:30:43.655716: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.655719: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:30:43.655722: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:30:43.655725: | emitting length of IKEv2 Proposal Substructure Payload: 40 Aug 26 13:30:43.655728: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Aug 26 13:30:43.655731: | emitting length of IKEv2 Security Association Payload: 44 Aug 26 13:30:43.655734: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Aug 26 13:30:43.655738: | received v2N_MOBIKE_SUPPORTED Aug 26 13:30:43.655741: | ****emit IKEv2 Traffic Selector - Initiator - Payload: Aug 26 13:30:43.655744: | next payload type: 
ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:30:43.655746: | flags: none (0x0) Aug 26 13:30:43.655749: | number of TS: 1 (0x1) Aug 26 13:30:43.655753: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Traffic Selector - Initiator - Payload (44:ISAKMP_NEXT_v2TSi) Aug 26 13:30:43.655756: | next payload chain: saving location 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' in 'reply packet' Aug 26 13:30:43.655759: | *****emit IKEv2 Traffic Selector: Aug 26 13:30:43.655762: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 13:30:43.655765: | IP Protocol ID: 0 (0x0) Aug 26 13:30:43.655767: | start port: 0 (0x0) Aug 26 13:30:43.655770: | end port: 65535 (0xffff) Aug 26 13:30:43.655774: | emitting 4 raw bytes of ipv4 start into IKEv2 Traffic Selector Aug 26 13:30:43.655776: | ipv4 start c0 00 03 00 Aug 26 13:30:43.655779: | emitting 4 raw bytes of ipv4 end into IKEv2 Traffic Selector Aug 26 13:30:43.655782: | ipv4 end c0 00 03 ff Aug 26 13:30:43.655785: | emitting length of IKEv2 Traffic Selector: 16 Aug 26 13:30:43.655788: | emitting length of IKEv2 Traffic Selector - Initiator - Payload: 24 Aug 26 13:30:43.655791: | ****emit IKEv2 Traffic Selector - Responder - Payload: Aug 26 13:30:43.655793: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:30:43.655796: | flags: none (0x0) Aug 26 13:30:43.655799: | number of TS: 1 (0x1) Aug 26 13:30:43.655802: | next payload chain: setting previous 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' to current IKEv2 Traffic Selector - Responder - Payload (45:ISAKMP_NEXT_v2TSr) Aug 26 13:30:43.655806: | next payload chain: saving location 'IKEv2 Traffic Selector - Responder - Payload'.'next payload type' in 'reply packet' Aug 26 13:30:43.655808: | *****emit IKEv2 Traffic Selector: Aug 26 13:30:43.655811: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 13:30:43.655814: | IP Protocol ID: 0 (0x0) Aug 26 13:30:43.655817: | start port: 0 (0x0) Aug 
26 13:30:43.655820: | end port: 65535 (0xffff) Aug 26 13:30:43.655823: | emitting 4 raw bytes of ipv4 start into IKEv2 Traffic Selector Aug 26 13:30:43.655826: | ipv4 start c0 00 02 00 Aug 26 13:30:43.655829: | emitting 4 raw bytes of ipv4 end into IKEv2 Traffic Selector Aug 26 13:30:43.655833: | ipv4 end c0 00 02 ff Aug 26 13:30:43.655836: | emitting length of IKEv2 Traffic Selector: 16 Aug 26 13:30:43.655839: | emitting length of IKEv2 Traffic Selector - Responder - Payload: 24 Aug 26 13:30:43.655842: | Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED Aug 26 13:30:43.655846: | integ=sha2_256: .key_size=32 encrypt=aes: .key_size=32 .salt_size=0 keymat_len=64 Aug 26 13:30:43.655995: | FOR_EACH_CONNECTION_... in ISAKMP_SA_established Aug 26 13:30:43.656003: | #1 spent 1.57 milliseconds Aug 26 13:30:43.656006: | install_ipsec_sa() for #2: inbound and outbound Aug 26 13:30:43.656009: | could_route called for eastnet-northnet (kind=CK_INSTANCE) Aug 26 13:30:43.656012: | FOR_EACH_CONNECTION_... 
in route_owner Aug 26 13:30:43.656015: | conn eastnet-northnet mark 0/00000000, 0/00000000 vs Aug 26 13:30:43.656018: | conn eastnet-northnet mark 0/00000000, 0/00000000 Aug 26 13:30:43.656021: | conn eastnet-northnet mark 0/00000000, 0/00000000 vs Aug 26 13:30:43.656023: | conn eastnet-northnet mark 0/00000000, 0/00000000 Aug 26 13:30:43.656028: | route owner of "eastnet-northnet"[1] 192.1.3.33 unrouted: NULL; eroute owner: NULL Aug 26 13:30:43.656032: | looking for alg with encrypt: AES_CBC keylen: 256 integ: HMAC_SHA2_256_128 Aug 26 13:30:43.656035: | encrypt AES_CBC keylen=256 transid=12, key_size=32, encryptalg=12 Aug 26 13:30:43.656038: | st->st_esp.keymat_len=64 is encrypt_keymat_size=32 + integ_keymat_size=32 Aug 26 13:30:43.656042: | setting IPsec SA replay-window to 32 Aug 26 13:30:43.656045: | NIC esp-hw-offload not for connection 'eastnet-northnet' not available on interface eth1 Aug 26 13:30:43.656048: | netlink: enabling tunnel mode Aug 26 13:30:43.656051: | netlink: setting IPsec SA replay-window to 32 using old-style req Aug 26 13:30:43.656054: | netlink: esp-hw-offload not set for IPsec SA Aug 26 13:30:43.656122: | netlink response for Add SA esp.42147c9c@192.1.3.33 included non-error error Aug 26 13:30:43.656141: | set up outgoing SA, ref=0/0 Aug 26 13:30:43.656144: | looking for alg with encrypt: AES_CBC keylen: 256 integ: HMAC_SHA2_256_128 Aug 26 13:30:43.656147: | encrypt AES_CBC keylen=256 transid=12, key_size=32, encryptalg=12 Aug 26 13:30:43.656150: | st->st_esp.keymat_len=64 is encrypt_keymat_size=32 + integ_keymat_size=32 Aug 26 13:30:43.656154: | setting IPsec SA replay-window to 32 Aug 26 13:30:43.656156: | NIC esp-hw-offload not for connection 'eastnet-northnet' not available on interface eth1 Aug 26 13:30:43.656159: | netlink: enabling tunnel mode Aug 26 13:30:43.656162: | netlink: setting IPsec SA replay-window to 32 using old-style req Aug 26 13:30:43.656164: | netlink: esp-hw-offload not set for IPsec SA Aug 26 13:30:43.656197: | 
netlink response for Add SA esp.1b000ba4@192.1.2.23 included non-error error Aug 26 13:30:43.656201: | priority calculation of connection "eastnet-northnet" is 0xfe7e7 Aug 26 13:30:43.656208: | add inbound eroute 192.0.3.0/24:0 --0-> 192.0.2.0/24:0 => tun.10000@192.1.2.23 (raw_eroute) Aug 26 13:30:43.656211: | IPsec Sa SPD priority set to 1042407 Aug 26 13:30:43.656232: | raw_eroute result=success Aug 26 13:30:43.656235: | set up incoming SA, ref=0/0 Aug 26 13:30:43.656238: | sr for #2: unrouted Aug 26 13:30:43.656241: | route_and_eroute() for proto 0, and source port 0 dest port 0 Aug 26 13:30:43.656244: | FOR_EACH_CONNECTION_... in route_owner Aug 26 13:30:43.656246: | conn eastnet-northnet mark 0/00000000, 0/00000000 vs Aug 26 13:30:43.656249: | conn eastnet-northnet mark 0/00000000, 0/00000000 Aug 26 13:30:43.656252: | conn eastnet-northnet mark 0/00000000, 0/00000000 vs Aug 26 13:30:43.656255: | conn eastnet-northnet mark 0/00000000, 0/00000000 Aug 26 13:30:43.656259: | route owner of "eastnet-northnet"[1] 192.1.3.33 unrouted: NULL; eroute owner: NULL Aug 26 13:30:43.656263: | route_and_eroute with c: eastnet-northnet (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: #2 Aug 26 13:30:43.656266: | priority calculation of connection "eastnet-northnet" is 0xfe7e7 Aug 26 13:30:43.656273: | eroute_connection add eroute 192.0.2.0/24:0 --0-> 192.0.3.0/24:0 => tun.0@192.1.3.33 (raw_eroute) Aug 26 13:30:43.656278: | IPsec Sa SPD priority set to 1042407 Aug 26 13:30:43.656314: | raw_eroute result=success Aug 26 13:30:43.656328: | running updown command "ipsec _updown" for verb up Aug 26 13:30:43.656335: | command executing up-client Aug 26 13:30:43.656375: | executing up-client: PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northnet' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' 
PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='192.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI Aug 26 13:30:43.656379: | popen cmd is 1048 chars long Aug 26 13:30:43.656382: | cmd( 0):PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northnet' P: Aug 26 13:30:43.656385: | cmd( 80):LUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY: Aug 26 13:30:43.656388: | cmd( 160):_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' : Aug 26 13:30:43.656390: | cmd( 240):PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLU: Aug 26 13:30:43.656393: | cmd( 320):TO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='1: Aug 26 13:30:43.656395: | cmd( 400):92.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PL: Aug 26 13:30:43.656398: | cmd( 480):UTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0': Aug 26 13:30:43.656401: | cmd( 560): PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+: Aug 26 13:30:43.656403: | cmd( 640):ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO' PLUTO_C: Aug 26 13:30:43.656406: | cmd( 720):ONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER: Aug 26 13:30:43.656409: | cmd( 800):_CISCO='0' 
PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='': Aug 26 13:30:43.656411: | cmd( 880): PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' : Aug 26 13:30:43.656414: | cmd( 960):VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x42147c9c SPI_OUT=0x1b000ba4 ipsec _upd: Aug 26 13:30:43.656416: | cmd(1040):own 2>&1: Aug 26 13:30:43.666784: | route_and_eroute: firewall_notified: true Aug 26 13:30:43.666805: | running updown command "ipsec _updown" for verb prepare Aug 26 13:30:43.666810: | command executing prepare-client Aug 26 13:30:43.666846: | executing prepare-client: PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northnet' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='192.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARE Aug 26 13:30:43.666855: | popen cmd is 1053 chars long Aug 26 13:30:43.666859: | cmd( 0):PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northn: Aug 26 13:30:43.666862: | cmd( 80):et' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLU: Aug 26 13:30:43.666865: | cmd( 160):TO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' 
PLUTO_MY_CLIENT_NET='192.0.: Aug 26 13:30:43.666868: | cmd( 240):2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0: Aug 26 13:30:43.666871: | cmd( 320):' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_: Aug 26 13:30:43.666873: | cmd( 400):ID='192.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.: Aug 26 13:30:43.666876: | cmd( 480):0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCO: Aug 26 13:30:43.666879: | cmd( 560):L='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY=: Aug 26 13:30:43.666882: | cmd( 640):'PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO' PL: Aug 26 13:30:43.666884: | cmd( 720):UTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS: Aug 26 13:30:43.666887: | cmd( 800):_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANN: Aug 26 13:30:43.666890: | cmd( 880):ER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFAC: Aug 26 13:30:43.666893: | cmd( 960):E='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x42147c9c SPI_OUT=0x1b000ba4 ipsec: Aug 26 13:30:43.666895: | cmd(1040): _updown 2>&1: Aug 26 13:30:43.677528: | running updown command "ipsec _updown" for verb route Aug 26 13:30:43.677544: | command executing route-client Aug 26 13:30:43.677578: | executing route-client: PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northnet' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='192.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' 
PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='n Aug 26 13:30:43.677584: | popen cmd is 1051 chars long Aug 26 13:30:43.677588: | cmd( 0):PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northnet: Aug 26 13:30:43.677591: | cmd( 80):' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO: Aug 26 13:30:43.677593: | cmd( 160):_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.: Aug 26 13:30:43.677596: | cmd( 240):0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' : Aug 26 13:30:43.677598: | cmd( 320):PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID: Aug 26 13:30:43.677601: | cmd( 400):='192.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0': Aug 26 13:30:43.677603: | cmd( 480): PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL=: Aug 26 13:30:43.677606: | cmd( 560):'0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='P: Aug 26 13:30:43.677609: | cmd( 640):SK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO' PLUT: Aug 26 13:30:43.677614: | cmd( 720):O_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_P: Aug 26 13:30:43.677616: | cmd( 800):EER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER: Aug 26 13:30:43.677619: | cmd( 880):='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE=: Aug 26 13:30:43.677621: | cmd( 960):'' VTI_ROUTING='no' VTI_SHARED='no' 
SPI_IN=0x42147c9c SPI_OUT=0x1b000ba4 ipsec _: Aug 26 13:30:43.677624: | cmd(1040):updown 2>&1: Aug 26 13:30:43.696731: | route_and_eroute: instance "eastnet-northnet"[1] 192.1.3.33, setting eroute_owner {spd=0x55cd2da7be08,sr=0x55cd2da7be08} to #2 (was #0) (newest_ipsec_sa=#0) Aug 26 13:30:43.697756: | #1 spent 1.87 milliseconds in install_ipsec_sa() Aug 26 13:30:43.697771: | ISAKMP_v2_IKE_AUTH: instance eastnet-northnet[1], setting IKEv2 newest_ipsec_sa to #2 (was #0) (spd.eroute=#2) cloned from #1 Aug 26 13:30:43.697775: | adding 1 bytes of padding (including 1 byte padding-length) Aug 26 13:30:43.697779: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:30:43.697783: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Aug 26 13:30:43.697786: | emitting length of IKEv2 Encryption Payload: 213 Aug 26 13:30:43.697789: | emitting length of ISAKMP Message: 241 Aug 26 13:30:43.697823: | ikev2_parent_inI2outR2_continue_tail returned STF_OK Aug 26 13:30:43.697829: | #1 spent 3.51 milliseconds in processing: Responder: process IKE_AUTH request in ikev2_process_state_packet() Aug 26 13:30:43.697840: | suspend processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:30:43.697847: | start processing: state #2 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:30:43.697852: | #2 complete_v2_state_transition() md.from_state=PARENT_R1 md.svm.state[from]=PARENT_R1 UNDEFINED->V2_IPSEC_R with status STF_OK Aug 26 13:30:43.697855: | IKEv2: transition from state STATE_PARENT_R1 to state STATE_V2_IPSEC_R Aug 26 13:30:43.697859: | child state #2: UNDEFINED(ignore) => V2_IPSEC_R(established CHILD SA) Aug 26 13:30:43.697863: | Message ID: updating counters for #2 to 1 after switching state Aug 26 13:30:43.697869: | Message ID: recv #1.#2 request 
1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0->1; child: wip.initiator=-1 wip.responder=1->-1 Aug 26 13:30:43.697874: | Message ID: sent #1.#2 response 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0->1 responder.recv=1; child: wip.initiator=-1 wip.responder=-1 Aug 26 13:30:43.697878: | pstats #2 ikev2.child established Aug 26 13:30:43.697888: "eastnet-northnet"[1] 192.1.3.33 #2: negotiated connection [192.0.2.0-192.0.2.255:0-65535 0] -> [192.0.3.0-192.0.3.255:0-65535 0] Aug 26 13:30:43.697893: | NAT-T: encaps is 'auto' Aug 26 13:30:43.697898: "eastnet-northnet"[1] 192.1.3.33 #2: STATE_V2_IPSEC_R: IPsec SA established tunnel mode {ESP=>0x42147c9c <0x1b000ba4 xfrm=AES_CBC_256-HMAC_SHA2_256_128 NATOA=none NATD=none DPD=passive} Aug 26 13:30:43.697905: | sending V2 new request packet to 192.1.3.33:500 (from 192.1.2.23:500) Aug 26 13:30:43.697914: | sending 241 bytes for STATE_PARENT_R1 through eth1 from 192.1.2.23:500 to 192.1.3.33:500 (using #1)
Aug 26 13:30:43.698896: | releasing whack for #2 (sock=fd@-1) Aug 26 13:30:43.698907: | releasing whack and unpending for parent #1 Aug 26 13:30:43.698913: | unpending state #1 connection "eastnet-northnet"[1] 192.1.3.33 Aug 26 13:30:43.698917: | #2 will start re-keying in 28530 seconds with margin of 270 seconds (attempting re-key) Aug 26 13:30:43.698921: | event_schedule: new EVENT_SA_REKEY-pe@0x55cd2da7fdf8 Aug 26 13:30:43.698925: | inserting event EVENT_SA_REKEY, timeout in 28530 seconds for #2 Aug 26 13:30:43.698929: | libevent_malloc: new ptr-libevent@0x55cd2da7f4c8 size 128 Aug 26 13:30:43.698945: | resume sending helper answer for #1 suppresed complete_v2_state_transition() Aug 26 13:30:43.698954: | #1 spent 3.94 milliseconds in resume sending helper answer Aug 26 13:30:43.698961: | stop processing: state #2 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in resume_handler() at server.c:833) Aug 26 13:30:43.698967: | libevent_free: release ptr-libevent@0x7f9114000f48 Aug 26 13:30:43.698983: | processing signal PLUTO_SIGCHLD Aug 26 13:30:43.698989: | waitpid returned ECHILD (no child processes left) Aug 26 13:30:43.698994: | spent 0.00539 milliseconds in signal handler PLUTO_SIGCHLD Aug 26 13:30:43.698997: | processing signal PLUTO_SIGCHLD Aug 26 13:30:43.699000: | waitpid returned ECHILD (no child processes left) Aug 26 13:30:43.699004: | spent 0.0035 milliseconds in signal handler PLUTO_SIGCHLD Aug 26 13:30:43.699006: | processing signal PLUTO_SIGCHLD Aug 26 13:30:43.699010: | waitpid returned ECHILD (no child processes left) Aug 26 13:30:43.699014: | spent 0.00355 milliseconds in signal handler PLUTO_SIGCHLD Aug 26 13:30:50.320965: | spent 0.00269 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Aug 26 13:30:50.320989: | *received 121 bytes from 192.1.8.22:500 on eth1
(192.1.2.23:500) Aug 26 13:30:50.321006: | start processing: from 192.1.8.22:500 (in process_md() at demux.c:378) Aug 26 13:30:50.321009: | **parse ISAKMP Message: Aug 26 13:30:50.321011: | initiator cookie: Aug 26 13:30:50.321012: | c1 0c 6a f1 31 90 61 76 Aug 26 13:30:50.321014: | responder cookie: Aug 26 13:30:50.321015: | 15 04 c6 8e 39 77 35 d8 Aug 26 13:30:50.321017: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Aug 26 13:30:50.321019: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:30:50.321021: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Aug 26 13:30:50.321024: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Aug 26 13:30:50.321025: | Message ID: 2 (0x2) Aug 26 13:30:50.321027: | length: 121 (0x79) Aug 26 13:30:50.321029: | processing version=2.0 packet with exchange type=ISAKMP_v2_INFORMATIONAL (37) Aug 26 13:30:50.321032: | I am the IKE SA Original Responder receiving an IKEv2 INFORMATIONAL request Aug 26 13:30:50.321035: | State DB: found IKEv2 state #1 in PARENT_R2 (find_v2_ike_sa) Aug 26 13:30:50.321040: | start processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2016) Aug 26 13:30:50.321045: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Aug 26 13:30:50.321049: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in ike_process_packet() at
ikev2.c:2064) Aug 26 13:30:50.321051: | #1 st.st_msgid_lastrecv 1 md.hdr.isa_msgid 00000002 Aug 26 13:30:50.321056: | Message ID: #1 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1 Aug 26 13:30:50.321058: | unpacking clear payload Aug 26 13:30:50.321060: | Now let's proceed with payload (ISAKMP_NEXT_v2SK) Aug 26 13:30:50.321064: | ***parse IKEv2 Encryption Payload: Aug 26 13:30:50.321067: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 13:30:50.321069: | flags: none (0x0) Aug 26 13:30:50.321072: | length: 93 (0x5d) Aug 26 13:30:50.321075: | processing payload: ISAKMP_NEXT_v2SK (len=89) Aug 26 13:30:50.321079: | Message ID: start-responder #1 request 2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1 wip.initiator=-1 wip.responder=-1->2 Aug 26 13:30:50.321082: | #1 in state PARENT_R2: received v2I2, PARENT SA established Aug 26 13:30:50.321102: | #1 ikev2 ISAKMP_v2_INFORMATIONAL decrypt success Aug 26 13:30:50.321105: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Aug 26 13:30:50.321108: | **parse IKEv2 Notify Payload: Aug 26 13:30:50.321111: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 13:30:50.321114: | flags: none (0x0) Aug 26 13:30:50.321116: | length: 8 (0x8) Aug 26 13:30:50.321119: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:30:50.321122: | SPI size: 0 (0x0) Aug 26 13:30:50.321125: | Notify Message Type: v2N_UPDATE_SA_ADDRESSES (0x4010) Aug 26 13:30:50.321128: | processing payload: ISAKMP_NEXT_v2N (len=0) Aug 26 13:30:50.321130: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Aug 26 13:30:50.321133: | **parse IKEv2 Notify Payload: Aug 26 13:30:50.321135: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 13:30:50.321138: | flags: none (0x0) Aug 26 13:30:50.321140: | length: 28 (0x1c) Aug 26 13:30:50.321142: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:30:50.321145: | SPI size: 0 (0x0) Aug 26 13:30:50.321148: | Notify Message Type: 
v2N_NAT_DETECTION_SOURCE_IP (0x4004) Aug 26 13:30:50.321150: | processing payload: ISAKMP_NEXT_v2N (len=20) Aug 26 13:30:50.321152: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Aug 26 13:30:50.321155: | **parse IKEv2 Notify Payload: Aug 26 13:30:50.321158: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:30:50.321160: | flags: none (0x0) Aug 26 13:30:50.321162: | length: 28 (0x1c) Aug 26 13:30:50.321165: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:30:50.321167: | SPI size: 0 (0x0) Aug 26 13:30:50.321170: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Aug 26 13:30:50.321172: | processing payload: ISAKMP_NEXT_v2N (len=20) Aug 26 13:30:50.321175: | selected state microcode R2: process Informational Request Aug 26 13:30:50.321177: | Now let's proceed with state specific processing Aug 26 13:30:50.321180: | calling processor R2: process Informational Request Aug 26 13:30:50.321184: | an informational request should send a response Aug 26 13:30:50.321187: | Need to process v2N_UPDATE_SA_ADDRESSES Aug 26 13:30:50.321190: | TODO: Need to process NAT DETECTION payload if we are initiator Aug 26 13:30:50.321192: | TODO: Need to process NAT DETECTION payload if we are initiator Aug 26 13:30:50.321199: | #2 pst=#1 MOBIKE update remote address 192.1.3.33:500 -> 192.1.8.22:500 Aug 26 13:30:50.321206: | responder migrate kernel SA esp.42147c9c@192.1.3.33:500 to 192.1.8.22:500 reqid=16393 XFRM_OUT Aug 26 13:30:50.321284: | responder migrate kernel SA esp.1b000ba4@192.1.3.33:500 to 192.1.8.22:500 reqid=16393 XFRM_IN Aug 26 13:30:50.321324: | responder migrate kernel SA esp.1b000ba4@192.1.3.33:500 to 192.1.8.22:500 reqid=16393 XFRM_FWD Aug 26 13:30:50.321345: "eastnet-northnet"[1] 192.1.3.33 #1: success MOBIKE update remote address 192.1.3.33:500 -> 192.1.8.22:500 Aug 26 13:30:50.321353: | free hp@0x55cd2da7c3b8 Aug 26 13:30:50.321360: | connect_to_host_pair: 192.1.2.23:500 192.1.8.22:500 -> hp@(nil): none Aug 26 13:30:50.321363: | new 
hp@0x55cd2da7c3b8 Aug 26 13:30:50.321371: | #1 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2669) Aug 26 13:30:50.321375: "eastnet-northnet"[1] 192.1.8.22 #1: MOBIKE request: updating IPsec SA by request Aug 26 13:30:50.321399: | Received an INFORMATIONAL response, updating st_last_liveness, no pending_liveness Aug 26 13:30:50.321404: | **emit ISAKMP Message: Aug 26 13:30:50.321407: | initiator cookie: Aug 26 13:30:50.321410: | c1 0c 6a f1 31 90 61 76 Aug 26 13:30:50.321412: | responder cookie: Aug 26 13:30:50.321415: | 15 04 c6 8e 39 77 35 d8 Aug 26 13:30:50.321418: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 13:30:50.321421: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:30:50.321424: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Aug 26 13:30:50.321427: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Aug 26 13:30:50.321430: | Message ID: 2 (0x2) Aug 26 13:30:50.321434: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 13:30:50.321437: | ***emit IKEv2 Encryption Payload: Aug 26 13:30:50.321439: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:30:50.321442: | flags: none (0x0) Aug 26 13:30:50.321445: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Aug 26 13:30:50.321449: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'information exchange reply packet' Aug 26 13:30:50.321453: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Aug 26 13:30:50.321467: | adding NATD payloads to MOBIKE response Aug 26 13:30:50.321471: | NAT-Traversal support [enabled] add v2N payloads. 
Aug 26 13:30:50.321488: | natd_hash: hasher=0x55cd2bde5800(20) Aug 26 13:30:50.321491: | natd_hash: icookie= c1 0c 6a f1 31 90 61 76 Aug 26 13:30:50.321494: | natd_hash: rcookie= 15 04 c6 8e 39 77 35 d8 Aug 26 13:30:50.321497: | natd_hash: ip= c0 01 02 17 Aug 26 13:30:50.321499: | natd_hash: port=500 Aug 26 13:30:50.321502: | natd_hash: hash= fe a7 84 5e ed 0d c6 f0 c2 e0 2c 4c 9a c1 25 05 Aug 26 13:30:50.321504: | natd_hash: hash= 6c 05 37 38 Aug 26 13:30:50.321507: | Adding a v2N Payload Aug 26 13:30:50.321509: | ****emit IKEv2 Notify Payload: Aug 26 13:30:50.321512: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:30:50.321515: | flags: none (0x0) Aug 26 13:30:50.321518: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:30:50.321520: | SPI size: 0 (0x0) Aug 26 13:30:50.321523: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Aug 26 13:30:50.321526: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Aug 26 13:30:50.321530: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'information exchange reply packet' Aug 26 13:30:50.321534: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Aug 26 13:30:50.321537: | Notify data fe a7 84 5e ed 0d c6 f0 c2 e0 2c 4c 9a c1 25 05 Aug 26 13:30:50.321539: | Notify data 6c 05 37 38 Aug 26 13:30:50.321542: | emitting length of IKEv2 Notify Payload: 28 Aug 26 13:30:50.321551: | natd_hash: hasher=0x55cd2bde5800(20) Aug 26 13:30:50.321554: | natd_hash: icookie= c1 0c 6a f1 31 90 61 76 Aug 26 13:30:50.321557: | natd_hash: rcookie= 15 04 c6 8e 39 77 35 d8 Aug 26 13:30:50.321559: | natd_hash: ip= c0 01 08 16 Aug 26 13:30:50.321562: | natd_hash: port=500 Aug 26 13:30:50.321565: | natd_hash: hash= 9c 8b f0 d0 b5 40 12 ef c4 15 73 b1 8e 8e 36 c0 Aug 26 13:30:50.321567: | natd_hash: hash= bb 02 a0 22 Aug 26 13:30:50.321570: | Adding a v2N Payload Aug 26 13:30:50.321574: | ****emit IKEv2 
Notify Payload: Aug 26 13:30:50.321577: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:30:50.321580: | flags: none (0x0) Aug 26 13:30:50.321582: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:30:50.321585: | SPI size: 0 (0x0) Aug 26 13:30:50.321588: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Aug 26 13:30:50.321592: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Aug 26 13:30:50.321595: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'information exchange reply packet' Aug 26 13:30:50.321599: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Aug 26 13:30:50.321602: | Notify data 9c 8b f0 d0 b5 40 12 ef c4 15 73 b1 8e 8e 36 c0 Aug 26 13:30:50.321604: | Notify data bb 02 a0 22 Aug 26 13:30:50.321607: | emitting length of IKEv2 Notify Payload: 28 Aug 26 13:30:50.321610: | adding 1 bytes of padding (including 1 byte padding-length) Aug 26 13:30:50.321614: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:30:50.321618: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Aug 26 13:30:50.321621: | emitting length of IKEv2 Encryption Payload: 85 Aug 26 13:30:50.321623: | emitting length of ISAKMP Message: 113 Aug 26 13:30:50.321638: | sending 113 bytes for reply packet for process_encrypted_informational_ikev2 through eth1 from 192.1.2.23:500 to 192.1.8.22:500 (using #1)
Aug 26 13:30:50.321705: | Message ID: #1 XXX: in process_encrypted_informational_ikev2() hacking around record'n'send bypassing send queue hacking around delete_my_family(); initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1 wip.initiator=-1 wip.responder=2 Aug 26 13:30:50.321712: | Message ID: sent #1 response 2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=1->2 responder.recv=1 wip.initiator=-1 wip.responder=2 Aug 26 13:30:50.321718: | #1 spent 0.503 milliseconds in processing: R2: process Informational Request in ikev2_process_state_packet() Aug 26 13:30:50.321725: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.8.22 from 192.1.8.22:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:30:50.321729: | #1 complete_v2_state_transition() PARENT_R2->PARENT_R2 with status STF_OK Aug 26 13:30:50.321732: | Message ID: updating counters for #1 to 2 after switching state Aug 26 13:30:50.321737: | Message ID: recv #1 request 2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=2 responder.recv=1->2 wip.initiator=-1 wip.responder=2->-1 Aug 26 13:30:50.321741: | Message ID: #1 skipping update_send as nothing to send; initiator.sent=-1 initiator.recv=-1 responder.sent=2 responder.recv=2 wip.initiator=-1 wip.responder=-1 Aug 26 13:30:50.321744: | STATE_PARENT_R2: received v2I2, PARENT SA established Aug 26 13:30:50.321750: | stop processing: state #1 connection "eastnet-northnet"[1] 192.1.8.22 from 192.1.8.22:500 (in ikev2_process_packet() at ikev2.c:2018) Aug 26 13:30:50.321755: | #1 spent 0.747 milliseconds in ikev2_process_packet() Aug 26 13:30:50.321759: | stop processing: from 192.1.8.22:500 (in process_md() at demux.c:380) Aug 26 13:30:50.321763: | processing: STOP state #0 (in process_md() at demux.c:382) Aug 26 13:30:50.321766: | processing: STOP connection NULL (in process_md() at demux.c:383) Aug 26
13:30:50.321772: | spent 0.765 milliseconds in comm_handle_cb() reading and processing packet Aug 26 13:31:01.730223: | processing global timer EVENT_SHUNT_SCAN Aug 26 13:31:01.730242: | expiring aged bare shunts from shunt table Aug 26 13:31:01.730247: | spent 0.00386 milliseconds in global timer EVENT_SHUNT_SCAN Aug 26 13:31:03.735942: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 13:31:03.735964: | FOR_EACH_STATE_... in show_traffic_status (sort_states) Aug 26 13:31:03.735983: | FOR_EACH_STATE_... in sort_states Aug 26 13:31:03.735989: | get_sa_info esp.1b000ba4@192.1.2.23 Aug 26 13:31:03.736000: | get_sa_info esp.42147c9c@192.1.8.22 Aug 26 13:31:03.736015: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 13:31:03.736019: | spent 0.0846 milliseconds in whack Aug 26 13:31:03.956645: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 13:31:03.956986: | FOR_EACH_CONNECTION_... in show_connections_status Aug 26 13:31:03.956997: | FOR_EACH_CONNECTION_... in show_connections_status Aug 26 13:31:03.957136: | FOR_EACH_STATE_... in show_states_status (sort_states) Aug 26 13:31:03.957145: | FOR_EACH_STATE_... 
in sort_states Aug 26 13:31:03.957168: | get_sa_info esp.1b000ba4@192.1.2.23 Aug 26 13:31:03.957193: | get_sa_info esp.42147c9c@192.1.8.22 Aug 26 13:31:03.957223: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 13:31:03.957231: | spent 0.595 milliseconds in whack Aug 26 13:31:05.314346: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 13:31:05.314363: shutting down Aug 26 13:31:05.314370: | processing: RESET whack log_fd (was fd@16) (in exit_pluto() at plutomain.c:1825) Aug 26 13:31:05.314373: | certs and keys locked by 'free_preshared_secrets' Aug 26 13:31:05.314374: forgetting secrets Aug 26 13:31:05.314379: | certs and keys unlocked by 'free_preshared_secrets' Aug 26 13:31:05.314384: | start processing: connection "eastnet-northnet"[1] 192.1.8.22 (in delete_connection() at connections.c:189) Aug 26 13:31:05.314388: "eastnet-northnet"[1] 192.1.8.22: deleting connection "eastnet-northnet"[1] 192.1.8.22 instance with peer 192.1.8.22 {isakmp=#1/ipsec=#2} Aug 26 13:31:05.314390: | Deleting states for connection - including all other IPsec SA's of this IKE SA Aug 26 13:31:05.314391: | pass 0 Aug 26 13:31:05.314393: | FOR_EACH_STATE_... 
in foreach_state_by_connection_func_delete Aug 26 13:31:05.314395: | state #2 Aug 26 13:31:05.314398: | suspend processing: connection "eastnet-northnet"[1] 192.1.8.22 (in foreach_state_by_connection_func_delete() at state.c:1310) Aug 26 13:31:05.314402: | start processing: state #2 connection "eastnet-northnet"[1] 192.1.8.22 from 192.1.8.22:500 (in foreach_state_by_connection_func_delete() at state.c:1310) Aug 26 13:31:05.314405: | pstats #2 ikev2.child deleted completed Aug 26 13:31:05.314408: | [RE]START processing: state #2 connection "eastnet-northnet"[1] 192.1.8.22 from 192.1.8.22:500 (in delete_state() at state.c:879) Aug 26 13:31:05.314411: "eastnet-northnet"[1] 192.1.8.22 #2: deleting state (STATE_V2_IPSEC_R) aged 21.659s and sending notification Aug 26 13:31:05.314414: | child state #2: V2_IPSEC_R(established CHILD SA) => delete Aug 26 13:31:05.314417: | get_sa_info esp.42147c9c@192.1.8.22 Aug 26 13:31:05.314429: | get_sa_info esp.1b000ba4@192.1.2.23 Aug 26 13:31:05.314436: "eastnet-northnet"[1] 192.1.8.22 #2: ESP traffic information: in=336B out=336B Aug 26 13:31:05.314439: | #2 send IKEv2 delete notification for STATE_V2_IPSEC_R Aug 26 13:31:05.314441: | Opening output PBS informational exchange delete request Aug 26 13:31:05.314443: | **emit ISAKMP Message: Aug 26 13:31:05.314445: | initiator cookie: Aug 26 13:31:05.314447: | c1 0c 6a f1 31 90 61 76 Aug 26 13:31:05.314448: | responder cookie: Aug 26 13:31:05.314450: | 15 04 c6 8e 39 77 35 d8 Aug 26 13:31:05.314452: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 13:31:05.314457: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:31:05.314459: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Aug 26 13:31:05.314460: | flags: none (0x0) Aug 26 13:31:05.314462: | Message ID: 0 (0x0) Aug 26 13:31:05.314464: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 13:31:05.314466: | ***emit IKEv2 Encryption Payload: Aug 26 13:31:05.314468: | next payload 
type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:31:05.314469: | flags: none (0x0) Aug 26 13:31:05.314472: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Aug 26 13:31:05.314473: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'informational exchange delete request' Aug 26 13:31:05.314476: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Aug 26 13:31:05.314483: | ****emit IKEv2 Delete Payload: Aug 26 13:31:05.314485: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:31:05.314487: | flags: none (0x0) Aug 26 13:31:05.314488: | protocol ID: PROTO_v2_ESP (0x3) Aug 26 13:31:05.314490: | SPI size: 4 (0x4) Aug 26 13:31:05.314491: | number of SPIs: 1 (0x1) Aug 26 13:31:05.314494: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) Aug 26 13:31:05.314495: | next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'informational exchange delete request' Aug 26 13:31:05.314498: | emitting 4 raw bytes of local spis into IKEv2 Delete Payload Aug 26 13:31:05.314499: | local spis 1b 00 0b a4 Aug 26 13:31:05.314501: | emitting length of IKEv2 Delete Payload: 12 Aug 26 13:31:05.314503: | adding 1 bytes of padding (including 1 byte padding-length) Aug 26 13:31:05.314505: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:31:05.314507: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Aug 26 13:31:05.314508: | emitting length of IKEv2 Encryption Payload: 41 Aug 26 13:31:05.314510: | emitting length of ISAKMP Message: 69 Aug 26 13:31:05.314530: | sending 69 bytes for delete notification through eth1 from 192.1.2.23:500 to 192.1.8.22:500 (using #2) Aug 26 13:31:05.314532: | c1 0c 6a f1 31 90 61 76 15 04 c6 8e 39 77 35 d8 Aug 26 13:31:05.314534: | 2e 20 25 00 00 00 
00 00 00 00 00 45 2a 00 00 29 Aug 26 13:31:05.314535: | b2 09 b1 d0 d9 38 1a 8c b4 7c 60 54 fd 09 2a 9d Aug 26 13:31:05.314537: | 6f 21 b8 18 17 e5 a6 73 15 91 b9 cb 38 c8 94 bd Aug 26 13:31:05.314538: | 85 ed 12 7a 8a Aug 26 13:31:05.314581: | Message ID: IKE #1 sender #2 in send_delete record 'n' sending delete request so forcing IKE nextuse=0->1 and sender msgid=0->0 Aug 26 13:31:05.314585: | Message ID: IKE #1 sender #2 in send_delete hacking around record ' send Aug 26 13:31:05.314589: | Message ID: sent #1 request 0; ike: initiator.sent=-1->0 initiator.recv=-1 responder.sent=2 responder.recv=2 wip.initiator=-1->0 wip.responder=-1 Aug 26 13:31:05.314592: | state #2 requesting EVENT_SA_REKEY to be deleted Aug 26 13:31:05.314597: | libevent_free: release ptr-libevent@0x55cd2da7f4c8 Aug 26 13:31:05.314600: | free_event_entry: release EVENT_SA_REKEY-pe@0x55cd2da7fdf8 Aug 26 13:31:05.314653: | running updown command "ipsec _updown" for verb down Aug 26 13:31:05.314657: | command executing down-client Aug 26 13:31:05.314687: | executing down-client: PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northnet' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.8.22' PLUTO_PEER_ID='192.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1566826243' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO' PLUTO_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' 
PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_ Aug 26 13:31:05.314693: | popen cmd is 1061 chars long Aug 26 13:31:05.314696: | cmd( 0):PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northnet': Aug 26 13:31:05.314699: | cmd( 80): PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_: Aug 26 13:31:05.314702: | cmd( 160):MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0: Aug 26 13:31:05.314705: | cmd( 240):' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' P: Aug 26 13:31:05.314707: | cmd( 320):LUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.8.22' PLUTO_PEER_ID=: Aug 26 13:31:05.314710: | cmd( 400):'192.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' : Aug 26 13:31:05.314713: | cmd( 480):PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL=': Aug 26 13:31:05.314716: | cmd( 560):0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1566826243' PLUTO_CONN_P: Aug 26 13:31:05.314718: | cmd( 640):OLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_: Aug 26 13:31:05.314721: | cmd( 720):NO' PLUTO_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 : Aug 26 13:31:05.314724: | cmd( 800):PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_P: Aug 26 13:31:05.314727: | cmd( 880):EER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' : Aug 26 13:31:05.314729: | cmd( 960):VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x42147c9c SPI_OUT=0x1b000b: Aug 26 13:31:05.314732: | cmd(1040):a4 ipsec _updown 2>&1: Aug 26 13:31:05.322667: | shunt_eroute() called for connection 'eastnet-northnet' to 'replace with shunt' for rt_kind 'prospective erouted' using protoports 0--0->-0 Aug 26 13:31:05.322680: | netlink_shunt_eroute for proto 0, and source port 0 dest port 0 Aug 26 
13:31:05.322684: | priority calculation of connection "eastnet-northnet" is 0xfe7e7 Aug 26 13:31:05.322690: | IPsec Sa SPD priority set to 1042407 Aug 26 13:31:05.322732: | delete esp.42147c9c@192.1.8.22 Aug 26 13:31:05.322751: | netlink response for Del SA esp.42147c9c@192.1.8.22 included non-error error Aug 26 13:31:05.322755: | priority calculation of connection "eastnet-northnet" is 0xfe7e7 Aug 26 13:31:05.322762: | delete inbound eroute 192.0.3.0/24:0 --0-> 192.0.2.0/24:0 => unk255.10000@192.1.2.23 (raw_eroute) Aug 26 13:31:05.322785: | raw_eroute result=success Aug 26 13:31:05.322790: | delete esp.1b000ba4@192.1.2.23 Aug 26 13:31:05.322816: | netlink response for Del SA esp.1b000ba4@192.1.2.23 included non-error error Aug 26 13:31:05.322831: | stop processing: connection "eastnet-northnet"[1] 192.1.8.22 (BACKGROUND) (in update_state_connection() at connections.c:4076) Aug 26 13:31:05.322837: | start processing: connection NULL (in update_state_connection() at connections.c:4077) Aug 26 13:31:05.322839: | in connection_discard for connection eastnet-northnet Aug 26 13:31:05.322841: | State DB: deleting IKEv2 state #2 in V2_IPSEC_R Aug 26 13:31:05.322847: | child state #2: V2_IPSEC_R(established CHILD SA) => UNDEFINED(ignore) Aug 26 13:31:05.322855: | stop processing: state #2 from 192.1.8.22:500 (in delete_state() at state.c:1143) Aug 26 13:31:05.322867: | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312) Aug 26 13:31:05.322869: | state #1 Aug 26 13:31:05.322870: | pass 1 Aug 26 13:31:05.322872: | FOR_EACH_STATE_... 
in foreach_state_by_connection_func_delete Aug 26 13:31:05.322874: | state #1 Aug 26 13:31:05.322877: | start processing: state #1 connection "eastnet-northnet"[1] 192.1.8.22 from 192.1.8.22:500 (in foreach_state_by_connection_func_delete() at state.c:1310) Aug 26 13:31:05.322882: | pstats #1 ikev2.ike deleted completed Aug 26 13:31:05.322887: | #1 spent 9.63 milliseconds in total Aug 26 13:31:05.322891: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.8.22 from 192.1.8.22:500 (in delete_state() at state.c:879) Aug 26 13:31:05.322894: "eastnet-northnet"[1] 192.1.8.22 #1: deleting state (STATE_PARENT_R2) aged 21.675s and sending notification Aug 26 13:31:05.322897: | parent state #1: PARENT_R2(established IKE SA) => delete Aug 26 13:31:05.322944: | #1 send IKEv2 delete notification for STATE_PARENT_R2 Aug 26 13:31:05.322952: | Opening output PBS informational exchange delete request Aug 26 13:31:05.322956: | **emit ISAKMP Message: Aug 26 13:31:05.322972: | initiator cookie: Aug 26 13:31:05.322975: | c1 0c 6a f1 31 90 61 76 Aug 26 13:31:05.322977: | responder cookie: Aug 26 13:31:05.322980: | 15 04 c6 8e 39 77 35 d8 Aug 26 13:31:05.322998: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 13:31:05.323001: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:31:05.323004: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Aug 26 13:31:05.323009: | flags: none (0x0) Aug 26 13:31:05.323012: | Message ID: 1 (0x1) Aug 26 13:31:05.323015: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 13:31:05.323018: | ***emit IKEv2 Encryption Payload: Aug 26 13:31:05.323034: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:31:05.323036: | flags: none (0x0) Aug 26 13:31:05.323040: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Aug 26 13:31:05.323043: | next payload chain: saving location 'IKEv2 Encryption 
Payload'.'next payload type' in 'informational exchange delete request' Aug 26 13:31:05.323046: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Aug 26 13:31:05.323062: | ****emit IKEv2 Delete Payload: Aug 26 13:31:05.323065: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:31:05.323068: | flags: none (0x0) Aug 26 13:31:05.323071: | protocol ID: PROTO_v2_IKE (0x1) Aug 26 13:31:05.323073: | SPI size: 0 (0x0) Aug 26 13:31:05.323076: | number of SPIs: 0 (0x0) Aug 26 13:31:05.323079: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) Aug 26 13:31:05.323082: | next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'informational exchange delete request' Aug 26 13:31:05.323085: | emitting length of IKEv2 Delete Payload: 8 Aug 26 13:31:05.323088: | adding 1 bytes of padding (including 1 byte padding-length) Aug 26 13:31:05.323092: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:31:05.323095: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Aug 26 13:31:05.323098: | emitting length of IKEv2 Encryption Payload: 37 Aug 26 13:31:05.323100: | emitting length of ISAKMP Message: 65 Aug 26 13:31:05.323127: | sending 65 bytes for delete notification through eth1 from 192.1.2.23:500 to 192.1.8.22:500 (using #1) Aug 26 13:31:05.323131: | c1 0c 6a f1 31 90 61 76 15 04 c6 8e 39 77 35 d8 Aug 26 13:31:05.323133: | 2e 20 25 00 00 00 00 01 00 00 00 41 2a 00 00 25 Aug 26 13:31:05.323136: | b4 3a 48 d6 77 f8 c4 78 26 55 25 25 04 34 59 af Aug 26 13:31:05.323138: | 70 43 60 54 53 13 bf fa 4a 64 b6 ab 41 12 0a e2 Aug 26 13:31:05.323141: | 09 Aug 26 13:31:05.323191: | Message ID: IKE #1 sender #1 in send_delete record 'n' sending delete request so forcing IKE nextuse=1->2 and sender msgid=0->1 Aug 26 13:31:05.323195: | Message ID: IKE #1 sender #1 in send_delete hacking around 
record ' send Aug 26 13:31:05.323200: | Message ID: #1 XXX: expecting sender.wip.initiator 0 == -1 - suspect record'n'send out-of-order?); initiator.sent=1 initiator.recv=-1 responder.sent=2 responder.recv=2 wip.initiator=1 wip.responder=-1 Aug 26 13:31:05.323209: | Message ID: sent #1 request 1; ike: initiator.sent=0->1 initiator.recv=-1 responder.sent=2 responder.recv=2 wip.initiator=0->1 wip.responder=-1 Aug 26 13:31:05.323212: | state #1 requesting EVENT_SA_REKEY to be deleted Aug 26 13:31:05.323221: | libevent_free: release ptr-libevent@0x55cd2da7ee78 Aug 26 13:31:05.323224: | free_event_entry: release EVENT_SA_REKEY-pe@0x55cd2da7c4e8 Aug 26 13:31:05.323230: | State DB: IKEv2 state not found (flush_incomplete_children) Aug 26 13:31:05.323233: | in connection_discard for connection eastnet-northnet Aug 26 13:31:05.323236: | State DB: deleting IKEv2 state #1 in PARENT_R2 Aug 26 13:31:05.323240: | parent state #1: PARENT_R2(established IKE SA) => UNDEFINED(ignore) Aug 26 13:31:05.323273: | stop processing: state #1 from 192.1.8.22:500 (in delete_state() at state.c:1143) Aug 26 13:31:05.323327: | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312) Aug 26 13:31:05.323347: | shunt_eroute() called for connection 'eastnet-northnet' to 'delete' for rt_kind 'unrouted' using protoports 0--0->-0 Aug 26 13:31:05.323351: | netlink_shunt_eroute for proto 0, and source port 0 dest port 0 Aug 26 13:31:05.323354: | priority calculation of connection "eastnet-northnet" is 0xfe7e7 Aug 26 13:31:05.323372: | priority calculation of connection "eastnet-northnet" is 0xfe7e7 Aug 26 13:31:05.323382: | FOR_EACH_CONNECTION_... 
in route_owner Aug 26 13:31:05.323386: | conn eastnet-northnet mark 0/00000000, 0/00000000 vs Aug 26 13:31:05.323389: | conn eastnet-northnet mark 0/00000000, 0/00000000 Aug 26 13:31:05.323392: | conn eastnet-northnet mark 0/00000000, 0/00000000 vs Aug 26 13:31:05.323395: | conn eastnet-northnet mark 0/00000000, 0/00000000 Aug 26 13:31:05.323399: | route owner of "eastnet-northnet" unrouted: NULL Aug 26 13:31:05.323402: | running updown command "ipsec _updown" for verb unroute Aug 26 13:31:05.323405: | command executing unroute-client Aug 26 13:31:05.323435: | executing unroute-client: PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northnet' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.8.22' PLUTO_PEER_ID='192.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO' PLUTO_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SH Aug 26 13:31:05.323438: | popen cmd is 1042 chars long Aug 26 13:31:05.323442: | cmd( 0):PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northn: Aug 26 13:31:05.323445: | cmd( 80):et' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLU: Aug 26 13:31:05.323448: | cmd( 160):TO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.: Aug 26 
13:31:05.323451: | cmd( 240):2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0: Aug 26 13:31:05.323453: | cmd( 320):' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.8.22' PLUTO_PEER: Aug 26 13:31:05.323456: | cmd( 400):_ID='192.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3: Aug 26 13:31:05.323459: | cmd( 480):.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOC: Aug 26 13:31:05.323462: | cmd( 560):OL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY: Aug 26 13:31:05.323467: | cmd( 640):='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO' P: Aug 26 13:31:05.323470: | cmd( 720):LUTO_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO: Aug 26 13:31:05.323472: | cmd( 800):_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_B: Aug 26 13:31:05.323475: | cmd( 880):ANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_I: Aug 26 13:31:05.323478: | cmd( 960):FACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec _updown 2>: Aug 26 13:31:05.323480: | cmd(1040):&1: Aug 26 13:31:05.331662: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:31:05.331680: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:31:05.331682: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:31:05.331684: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:31:05.331686: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:31:05.331688: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:31:05.331689: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:31:05.331691: unroute-client output: Error: Peer netns reference is invalid. 
Aug 26 13:31:05.335952: | free hp@0x55cd2da7c3b8 Aug 26 13:31:05.335964: | flush revival: connection 'eastnet-northnet' wasn't on the list Aug 26 13:31:05.335967: | processing: STOP connection NULL (in discard_connection() at connections.c:249) Aug 26 13:31:05.335976: | start processing: connection "eastnet-northnet" (in delete_connection() at connections.c:189) Aug 26 13:31:05.335978: | Deleting states for connection - including all other IPsec SA's of this IKE SA Aug 26 13:31:05.335980: | pass 0 Aug 26 13:31:05.335981: | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete Aug 26 13:31:05.335983: | pass 1 Aug 26 13:31:05.335984: | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete Aug 26 13:31:05.335986: | free hp@0x55cd2da7a458 Aug 26 13:31:05.335988: | flush revival: connection 'eastnet-northnet' wasn't on the list Aug 26 13:31:05.335990: | stop processing: connection "eastnet-northnet" (in discard_connection() at connections.c:249) Aug 26 13:31:05.335999: | crl fetch request list locked by 'free_crl_fetch' Aug 26 13:31:05.336000: | crl fetch request list unlocked by 'free_crl_fetch' Aug 26 13:31:05.336007: shutting down interface lo/lo 127.0.0.1:4500 Aug 26 13:31:05.336009: shutting down interface lo/lo 127.0.0.1:500 Aug 26 13:31:05.336011: shutting down interface eth0/eth0 192.0.2.254:4500 Aug 26 13:31:05.336013: shutting down interface eth0/eth0 192.0.2.254:500 Aug 26 13:31:05.336015: shutting down interface eth1/eth1 192.1.2.23:4500 Aug 26 13:31:05.336017: shutting down interface eth1/eth1 192.1.2.23:500 Aug 26 13:31:05.336020: | FOR_EACH_STATE_... 
in delete_states_dead_interfaces Aug 26 13:31:05.336028: | libevent_free: release ptr-libevent@0x55cd2da6c448 Aug 26 13:31:05.336031: | free_event_entry: release EVENT_NULL-pe@0x55cd2da78128 Aug 26 13:31:05.336038: | libevent_free: release ptr-libevent@0x55cd2da08298 Aug 26 13:31:05.336040: | free_event_entry: release EVENT_NULL-pe@0x55cd2da781d8 Aug 26 13:31:05.336046: | libevent_free: release ptr-libevent@0x55cd2da0a138 Aug 26 13:31:05.336047: | free_event_entry: release EVENT_NULL-pe@0x55cd2da78288 Aug 26 13:31:05.336052: | libevent_free: release ptr-libevent@0x55cd2da07288 Aug 26 13:31:05.336055: | free_event_entry: release EVENT_NULL-pe@0x55cd2da78338 Aug 26 13:31:05.336059: | libevent_free: release ptr-libevent@0x55cd2d9d84e8 Aug 26 13:31:05.336061: | free_event_entry: release EVENT_NULL-pe@0x55cd2da783e8 Aug 26 13:31:05.336065: | libevent_free: release ptr-libevent@0x55cd2d9d81d8 Aug 26 13:31:05.336067: | free_event_entry: release EVENT_NULL-pe@0x55cd2da78498 Aug 26 13:31:05.336070: | FOR_EACH_UNORIENTED_CONNECTION_... 
in check_orientations Aug 26 13:31:05.336452: | libevent_free: release ptr-libevent@0x55cd2da6c4f8 Aug 26 13:31:05.336458: | free_event_entry: release EVENT_NULL-pe@0x55cd2da60238 Aug 26 13:31:05.336465: | libevent_free: release ptr-libevent@0x55cd2da0a038 Aug 26 13:31:05.336468: | free_event_entry: release EVENT_NULL-pe@0x55cd2da5f6f8 Aug 26 13:31:05.336472: | libevent_free: release ptr-libevent@0x55cd2da43af8 Aug 26 13:31:05.336474: | free_event_entry: release EVENT_NULL-pe@0x55cd2da602a8 Aug 26 13:31:05.336477: | global timer EVENT_REINIT_SECRET uninitialized Aug 26 13:31:05.336479: | global timer EVENT_SHUNT_SCAN uninitialized Aug 26 13:31:05.336480: | global timer EVENT_PENDING_DDNS uninitialized Aug 26 13:31:05.336482: | global timer EVENT_PENDING_PHASE2 uninitialized Aug 26 13:31:05.336483: | global timer EVENT_CHECK_CRLS uninitialized Aug 26 13:31:05.336485: | global timer EVENT_REVIVE_CONNS uninitialized Aug 26 13:31:05.336486: | global timer EVENT_FREE_ROOT_CERTS uninitialized Aug 26 13:31:05.336488: | global timer EVENT_RESET_LOG_RATE_LIMIT uninitialized Aug 26 13:31:05.336489: | global timer EVENT_NAT_T_KEEPALIVE uninitialized Aug 26 13:31:05.336493: | libevent_free: release ptr-libevent@0x55cd2da077e8 Aug 26 13:31:05.336495: | signal event handler PLUTO_SIGCHLD uninstalled Aug 26 13:31:05.336497: | libevent_free: release ptr-libevent@0x55cd2da77908 Aug 26 13:31:05.336498: | signal event handler PLUTO_SIGTERM uninstalled Aug 26 13:31:05.336501: | libevent_free: release ptr-libevent@0x55cd2da77a18 Aug 26 13:31:05.336502: | signal event handler PLUTO_SIGHUP uninstalled Aug 26 13:31:05.336504: | libevent_free: release ptr-libevent@0x55cd2da77c58 Aug 26 13:31:05.336506: | signal event handler PLUTO_SIGSYS uninstalled Aug 26 13:31:05.336507: | releasing event base Aug 26 13:31:05.336516: | libevent_free: release ptr-libevent@0x55cd2da77b28 Aug 26 13:31:05.336518: | libevent_free: release ptr-libevent@0x55cd2da5aae8 Aug 26 13:31:05.336521: | libevent_free: 
release ptr-libevent@0x55cd2da5aa98 Aug 26 13:31:05.336522: | libevent_free: release ptr-libevent@0x55cd2da5aa28 Aug 26 13:31:05.336524: | libevent_free: release ptr-libevent@0x55cd2da5a9e8 Aug 26 13:31:05.336526: | libevent_free: release ptr-libevent@0x55cd2da77808 Aug 26 13:31:05.336527: | libevent_free: release ptr-libevent@0x55cd2da77888 Aug 26 13:31:05.336529: | libevent_free: release ptr-libevent@0x55cd2da5ac98 Aug 26 13:31:05.336530: | libevent_free: release ptr-libevent@0x55cd2da5f808 Aug 26 13:31:05.336532: | libevent_free: release ptr-libevent@0x55cd2da601f8 Aug 26 13:31:05.336533: | libevent_free: release ptr-libevent@0x55cd2da78508 Aug 26 13:31:05.336535: | libevent_free: release ptr-libevent@0x55cd2da78458 Aug 26 13:31:05.336536: | libevent_free: release ptr-libevent@0x55cd2da783a8 Aug 26 13:31:05.336538: | libevent_free: release ptr-libevent@0x55cd2da782f8 Aug 26 13:31:05.336539: | libevent_free: release ptr-libevent@0x55cd2da78248 Aug 26 13:31:05.336541: | libevent_free: release ptr-libevent@0x55cd2da78198 Aug 26 13:31:05.336542: | libevent_free: release ptr-libevent@0x55cd2da07948 Aug 26 13:31:05.336544: | libevent_free: release ptr-libevent@0x55cd2da779d8 Aug 26 13:31:05.336545: | libevent_free: release ptr-libevent@0x55cd2da778c8 Aug 26 13:31:05.336547: | libevent_free: release ptr-libevent@0x55cd2da77848 Aug 26 13:31:05.336548: | libevent_free: release ptr-libevent@0x55cd2da77ae8 Aug 26 13:31:05.336550: | libevent_free: release ptr-libevent@0x55cd2da06ad8 Aug 26 13:31:05.336552: | libevent_free: release ptr-libevent@0x55cd2d9d7908 Aug 26 13:31:05.336553: | libevent_free: release ptr-libevent@0x55cd2d9d7d38 Aug 26 13:31:05.336555: | libevent_free: release ptr-libevent@0x55cd2da06e48 Aug 26 13:31:05.336557: | releasing global libevent data Aug 26 13:31:05.336559: | libevent_free: release ptr-libevent@0x55cd2d9d3178 Aug 26 13:31:05.336560: | libevent_free: release ptr-libevent@0x55cd2d9d7cd8 Aug 26 13:31:05.336562: | libevent_free: release 
ptr-libevent@0x55cd2d9d7dd8 Aug 26 13:31:05.336592: leak detective found no leaks