Aug 26 13:30:41.755924: FIPS Product: YES
Aug 26 13:30:41.755997: FIPS Kernel: NO
Aug 26 13:30:41.756001: FIPS Mode: NO
Aug 26 13:30:41.756003: NSS DB directory: sql:/etc/ipsec.d
Aug 26 13:30:41.756153: Initializing NSS
Aug 26 13:30:41.756160: Opening NSS database "sql:/etc/ipsec.d" read-only
Aug 26 13:30:41.787227: NSS initialized
Aug 26 13:30:41.787251: NSS crypto library initialized
Aug 26 13:30:41.787255: FIPS HMAC integrity support [enabled]
Aug 26 13:30:41.787258: FIPS mode disabled for pluto daemon
Aug 26 13:30:41.829058: FIPS HMAC integrity verification self-test FAILED
Aug 26 13:30:41.829410: libcap-ng support [enabled]
Aug 26 13:30:41.829419: Linux audit support [enabled]
Aug 26 13:30:41.829700: Linux audit activated
Aug 26 13:30:41.829710: Starting Pluto (Libreswan Version v3.28-685-gbfd5aef521-master-s2 XFRM(netkey) esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) DNSSEC FIPS_CHECK LABELED_IPSEC SECCOMP LIBCAP_NG LINUX_AUDIT XAUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:8935
Aug 26 13:30:41.829714: core dump dir: /tmp
Aug 26 13:30:41.829716: secrets file: /etc/ipsec.secrets
Aug 26 13:30:41.829719: leak-detective enabled
Aug 26 13:30:41.829721: NSS crypto [enabled]
Aug 26 13:30:41.829723: XAUTH PAM support [enabled]
Aug 26 13:30:41.829801: | libevent is using pluto's memory allocator
Aug 26 13:30:41.829809: Initializing libevent in pthreads mode: headers: 2.1.8-stable (2010800); library: 2.1.8-stable (2010800)
Aug 26 13:30:41.829829: | libevent_malloc: new ptr-libevent@0x563307816538 size 40
Aug 26 13:30:41.829838: | libevent_malloc: new ptr-libevent@0x563307815cd8 size 40
Aug 26 13:30:41.829842: | libevent_malloc: new ptr-libevent@0x563307815dd8 size 40
Aug 26 13:30:41.829844: | creating event base
Aug 26 13:30:41.829848: | libevent_malloc: new ptr-libevent@0x563307898b08 size 56
Aug 26 13:30:41.829854: | libevent_malloc: new ptr-libevent@0x563307844f28 size 664
Aug 26 13:30:41.829866: | libevent_malloc: new ptr-libevent@0x563307898b78 size 24
Aug 26 13:30:41.829869: | libevent_malloc: new ptr-libevent@0x563307898bc8 size 384
Aug 26 13:30:41.829880: | libevent_malloc: new ptr-libevent@0x563307898ac8 size 16
Aug 26 13:30:41.829884: | libevent_malloc: new ptr-libevent@0x563307815908 size 40
Aug 26 13:30:41.829886: | libevent_malloc: new ptr-libevent@0x563307815d38 size 48
Aug 26 13:30:41.829892: | libevent_realloc: new ptr-libevent@0x563307845a28 size 256
Aug 26 13:30:41.829895: | libevent_malloc: new ptr-libevent@0x563307898d78 size 16
Aug 26 13:30:41.829901: | libevent_free: release ptr-libevent@0x563307898b08
Aug 26 13:30:41.829905: | libevent initialized
Aug 26 13:30:41.829909: | libevent_realloc: new ptr-libevent@0x563307898b08 size 64
Aug 26 13:30:41.829915: | global periodic timer EVENT_RESET_LOG_RATE_LIMIT enabled with interval of 3600 seconds
Aug 26 13:30:41.829929: | init_nat_traversal() initialized with keep_alive=0s
Aug 26 13:30:41.829932: NAT-Traversal support [enabled]
Aug 26 13:30:41.829935: | global one-shot timer EVENT_NAT_T_KEEPALIVE initialized
Aug 26 13:30:41.829941: | global one-shot timer EVENT_FREE_ROOT_CERTS initialized
Aug 26 13:30:41.829944: | global periodic timer EVENT_REINIT_SECRET enabled with interval of 3600 seconds
Aug 26 13:30:41.829977: | global one-shot timer EVENT_REVIVE_CONNS initialized
Aug 26 13:30:41.829981: | global periodic timer EVENT_PENDING_DDNS enabled with interval of 60 seconds
Aug 26 13:30:41.829984: | global periodic timer EVENT_PENDING_PHASE2 enabled with interval of 120 seconds
Aug 26 13:30:41.830030: Encryption algorithms:
Aug 26 13:30:41.830037: AES_CCM_16 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm, aes_ccm_c
Aug 26 13:30:41.830041: AES_CCM_12 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_b
Aug 26 13:30:41.830045: AES_CCM_8 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_a
Aug 26 13:30:41.830048: 3DES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS [*192] 3des
Aug 26 13:30:41.830052: CAMELLIA_CTR IKEv1: ESP IKEv2: ESP {256,192,*128}
Aug 26 13:30:41.830062: CAMELLIA_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} camellia
Aug 26 13:30:41.830066: AES_GCM_16 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm, aes_gcm_c
Aug 26 13:30:41.830069: AES_GCM_12 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_b
Aug 26 13:30:41.830073: AES_GCM_8 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_a
Aug 26 13:30:41.830077: AES_CTR IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aesctr
Aug 26 13:30:41.830080: AES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aes
Aug 26 13:30:41.830084: SERPENT_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} serpent
Aug 26 13:30:41.830088: TWOFISH_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} twofish
Aug 26 13:30:41.830092: TWOFISH_SSH IKEv1: IKE IKEv2: IKE ESP {256,192,*128} twofish_cbc_ssh
Aug 26 13:30:41.830096: NULL_AUTH_AES_GMAC IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_gmac
Aug 26 13:30:41.830099: NULL IKEv1: ESP IKEv2: ESP []
Aug 26 13:30:41.830104: CHACHA20_POLY1305 IKEv1: IKEv2: IKE ESP [*256] chacha20poly1305
Aug 26 13:30:41.830111: Hash algorithms:
Aug 26 13:30:41.830115: MD5 IKEv1: IKE IKEv2:
Aug 26 13:30:41.830118: SHA1 IKEv1: IKE IKEv2: FIPS sha
Aug 26 13:30:41.830121: SHA2_256 IKEv1: IKE IKEv2: FIPS sha2, sha256
Aug 26 13:30:41.830125: SHA2_384 IKEv1: IKE IKEv2: FIPS sha384
Aug 26 13:30:41.830128: SHA2_512 IKEv1: IKE IKEv2: FIPS sha512
Aug 26 13:30:41.830144: PRF algorithms:
Aug 26 13:30:41.830148: HMAC_MD5 IKEv1: IKE IKEv2: IKE md5
Aug 26 13:30:41.830152: HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS sha, sha1
Aug 26 13:30:41.830156: HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS sha2, sha256, sha2_256
Aug 26 13:30:41.830159: HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS sha384, sha2_384
Aug 26 13:30:41.830163: HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS sha512, sha2_512
Aug 26 13:30:41.830166: AES_XCBC IKEv1: IKEv2: IKE aes128_xcbc
Aug 26 13:30:41.830193: Integrity algorithms:
Aug 26 13:30:41.830197: HMAC_MD5_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH md5, hmac_md5
Aug 26 13:30:41.830201: HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha, sha1, sha1_96, hmac_sha1
Aug 26 13:30:41.830206: HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha512, sha2_512, sha2_512_256, hmac_sha2_512
Aug 26 13:30:41.830210: HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha384, sha2_384, sha2_384_192, hmac_sha2_384
Aug 26 13:30:41.830214: HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256
Aug 26 13:30:41.830217: HMAC_SHA2_256_TRUNCBUG IKEv1: ESP AH IKEv2: AH
Aug 26 13:30:41.830221: AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP AH aes_xcbc, aes128_xcbc, aes128_xcbc_96
Aug 26 13:30:41.830224: AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS aes_cmac
Aug 26 13:30:41.830227: NONE IKEv1: ESP IKEv2: IKE ESP FIPS null
Aug 26 13:30:41.830239: DH algorithms:
Aug 26 13:30:41.830243: NONE IKEv1: IKEv2: IKE ESP AH FIPS null, dh0
Aug 26 13:30:41.830246: MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH dh5
Aug 26 13:30:41.830249: MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh14
Aug 26 13:30:41.830254: MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh15
Aug 26 13:30:41.830258: MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh16
Aug 26 13:30:41.830260: MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh17
Aug 26 13:30:41.830263: MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh18
Aug 26 13:30:41.830266: DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_256, ecp256
Aug 26 13:30:41.830270: DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_384, ecp384
Aug 26 13:30:41.830273: DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_521, ecp521
Aug 26 13:30:41.830276: DH31 IKEv1: IKE IKEv2: IKE ESP AH curve25519
Aug 26 13:30:41.830279: testing CAMELLIA_CBC:
Aug 26 13:30:41.830282: Camellia: 16 bytes with 128-bit key
Aug 26 13:30:41.830427: Camellia: 16 bytes with 128-bit key
Aug 26 13:30:41.830463: Camellia: 16 bytes with 256-bit key
Aug 26 13:30:41.830500: Camellia: 16 bytes with 256-bit key
Aug 26 13:30:41.830530: testing AES_GCM_16:
Aug 26 13:30:41.830535: empty string
Aug 26 13:30:41.830565: one block
Aug 26 13:30:41.830594: two blocks
Aug 26 13:30:41.830624: two blocks with associated data
Aug 26 13:30:41.830653: testing AES_CTR:
Aug 26 13:30:41.830658: Encrypting 16 octets using AES-CTR with 128-bit key
Aug 26 13:30:41.830686: Encrypting 32 octets using AES-CTR with 128-bit key
Aug 26 13:30:41.830716: Encrypting 36 octets using AES-CTR with 128-bit key
Aug 26 13:30:41.830746: Encrypting 16 octets using AES-CTR with 192-bit key
Aug 26 13:30:41.830776: Encrypting 32 octets using AES-CTR with 192-bit key
Aug 26 13:30:41.830806: Encrypting 36 octets using AES-CTR with 192-bit key
Aug 26 13:30:41.830834: Encrypting 16 octets using AES-CTR with 256-bit key
Aug 26 13:30:41.830862: Encrypting 32 octets using AES-CTR with 256-bit key
Aug 26 13:30:41.830892: Encrypting 36 octets using AES-CTR with 256-bit key
Aug 26 13:30:41.830922: testing AES_CBC:
Aug 26 13:30:41.830926: Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key
Aug 26 13:30:41.830955: Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key
Aug 26 13:30:41.830988: Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key
Aug 26 13:30:41.831021: Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key
Aug 26 13:30:41.831059: testing AES_XCBC:
Aug 26 13:30:41.831064: RFC 3566 Test Case #1: AES-XCBC-MAC-96 with 0-byte input
Aug 26 13:30:41.831192: RFC 3566 Test Case #2: AES-XCBC-MAC-96 with 3-byte input
Aug 26 13:30:41.831335: RFC 3566 Test Case #3: AES-XCBC-MAC-96 with 16-byte input
Aug 26 13:30:41.831471: RFC 3566 Test Case #4: AES-XCBC-MAC-96 with 20-byte input
Aug 26 13:30:41.831604: RFC 3566 Test Case #5: AES-XCBC-MAC-96 with 32-byte input
Aug 26 13:30:41.831743: RFC 3566 Test Case #6: AES-XCBC-MAC-96 with 34-byte input
Aug 26 13:30:41.831881: RFC 3566 Test Case #7: AES-XCBC-MAC-96 with 1000-byte input
Aug 26 13:30:41.832175: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 16)
Aug 26 13:30:41.832317: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10)
Aug 26 13:30:41.832465: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18)
Aug 26 13:30:41.832728: testing HMAC_MD5:
Aug 26 13:30:41.832735: RFC 2104: MD5_HMAC test 1
Aug 26 13:30:41.832903: RFC 2104: MD5_HMAC test 2
Aug 26 13:30:41.833053: RFC 2104: MD5_HMAC test 3
Aug 26 13:30:41.833194: 8 CPU cores online
Aug 26 13:30:41.833198: starting up 7 crypto helpers
Aug 26 13:30:41.833306: started thread for crypto helper 0
Aug 26 13:30:41.833340: started thread for crypto helper 1
Aug 26 13:30:41.833346: | starting up helper thread 1
Aug 26 13:30:41.833348: | starting up helper thread 0
Aug 26 13:30:41.833370: | status value returned by setting the priority of this thread (crypto helper 1) 22
Aug 26 13:30:41.833374: | status value returned by setting the priority of this thread (crypto helper 0) 22
Aug 26 13:30:41.833361: started thread for crypto helper 2
Aug 26 13:30:41.833386: | starting up helper thread 2
Aug 26 13:30:41.833392: | status value returned by setting the priority of this thread (crypto helper 2) 22
Aug 26 13:30:41.833377: | crypto helper 1 waiting (nothing to do)
Aug 26 13:30:41.833407: | crypto helper 0 waiting (nothing to do)
Aug 26 13:30:41.833408: started thread for crypto helper 3
Aug 26 13:30:41.833418: | crypto helper 2 waiting (nothing to do)
Aug 26 13:30:41.833412: | starting up helper thread 3
Aug 26 13:30:41.833425: | status value returned by setting the priority of this thread (crypto helper 3) 22
Aug 26 13:30:41.833427: | crypto helper 3 waiting (nothing to do)
Aug 26 13:30:41.833444: started thread for crypto helper 4
Aug 26 13:30:41.833445: | starting up helper thread 4
Aug 26 13:30:41.833456: | status value returned by setting the priority of this thread (crypto helper 4) 22
Aug 26 13:30:41.833457: | crypto helper 4 waiting (nothing to do)
Aug 26 13:30:41.833467: started thread for crypto helper 5
Aug 26 13:30:41.833468: | starting up helper thread 5
Aug 26 13:30:41.833474: | status value returned by setting the priority of this thread (crypto helper 5) 22
Aug 26 13:30:41.833475: | crypto helper 5 waiting (nothing to do)
Aug 26 13:30:41.833487: started thread for crypto helper 6
Aug 26 13:30:41.833489: | starting up helper thread 6
Aug 26 13:30:41.833493: | checking IKEv1 state table
Aug 26 13:30:41.833494: | status value returned by setting the priority of this thread (crypto helper 6) 22
Aug 26 13:30:41.833500: | crypto helper 6 waiting (nothing to do)
Aug 26 13:30:41.833504: | MAIN_R0: category: half-open IKE SA flags: 0:
Aug 26 13:30:41.833507: | -> MAIN_R1 EVENT_SO_DISCARD
Aug 26 13:30:41.833510: | MAIN_I1: category: half-open IKE SA flags: 0:
Aug 26 13:30:41.833513: | -> MAIN_I2 EVENT_RETRANSMIT
Aug 26 13:30:41.833515: | MAIN_R1: category: open IKE SA flags: 200:
Aug 26 13:30:41.833518: | -> MAIN_R2 EVENT_RETRANSMIT
Aug 26 13:30:41.833521: | -> UNDEFINED EVENT_RETRANSMIT
Aug 26 13:30:41.833523: | -> UNDEFINED EVENT_RETRANSMIT
Aug 26 13:30:41.833526: | MAIN_I2: category: open IKE SA flags: 0:
Aug 26 13:30:41.833528: | -> MAIN_I3 EVENT_RETRANSMIT
Aug 26 13:30:41.833530: | -> UNDEFINED EVENT_RETRANSMIT
Aug 26 13:30:41.833533: | -> UNDEFINED EVENT_RETRANSMIT
Aug 26 13:30:41.833536: | MAIN_R2: category: open IKE SA flags: 0:
Aug 26 13:30:41.833538: | -> MAIN_R3 EVENT_SA_REPLACE
Aug 26 13:30:41.833541: | -> MAIN_R3 EVENT_SA_REPLACE
Aug 26 13:30:41.833543: | -> UNDEFINED EVENT_SA_REPLACE
Aug 26 13:30:41.833546: | MAIN_I3: category: open IKE SA flags: 0:
Aug 26 13:30:41.833548: | -> MAIN_I4 EVENT_SA_REPLACE
Aug 26 13:30:41.833550: | -> MAIN_I4 EVENT_SA_REPLACE
Aug 26 13:30:41.833553: | -> UNDEFINED EVENT_SA_REPLACE
Aug 26 13:30:41.833555: | MAIN_R3: category: established IKE SA flags: 200:
Aug 26 13:30:41.833558: | -> UNDEFINED EVENT_NULL
Aug 26 13:30:41.833561: | MAIN_I4: category: established IKE SA flags: 0:
Aug 26 13:30:41.833563: | -> UNDEFINED EVENT_NULL
Aug 26 13:30:41.833566: | AGGR_R0: category: half-open IKE SA flags: 0:
Aug 26 13:30:41.833568: | -> AGGR_R1 EVENT_SO_DISCARD
Aug 26 13:30:41.833571: | AGGR_I1: category: half-open IKE SA flags: 0:
Aug 26 13:30:41.833573: | -> AGGR_I2 EVENT_SA_REPLACE
Aug 26 13:30:41.833576: | -> AGGR_I2 EVENT_SA_REPLACE
Aug 26 13:30:41.833579: | AGGR_R1: category: open IKE SA flags: 200:
Aug 26 13:30:41.833581: | -> AGGR_R2 EVENT_SA_REPLACE
Aug 26 13:30:41.833583: | -> AGGR_R2 EVENT_SA_REPLACE
Aug 26 13:30:41.833586: | AGGR_I2: category: established IKE SA flags: 200:
Aug 26 13:30:41.833588: | -> UNDEFINED EVENT_NULL
Aug 26 13:30:41.833591: | AGGR_R2: category: established IKE SA flags: 0:
Aug 26 13:30:41.833594: | -> UNDEFINED EVENT_NULL
Aug 26 13:30:41.833596: | QUICK_R0: category: established CHILD SA flags: 0:
Aug 26 13:30:41.833599: | -> QUICK_R1 EVENT_RETRANSMIT
Aug 26 13:30:41.833605: | QUICK_I1: category: established CHILD SA flags: 0:
Aug 26 13:30:41.833608: | -> QUICK_I2 EVENT_SA_REPLACE
Aug 26 13:30:41.833611: | QUICK_R1: category: established CHILD SA flags: 0:
Aug 26 13:30:41.833614: | -> QUICK_R2 EVENT_SA_REPLACE
Aug 26 13:30:41.833617: | QUICK_I2: category: established CHILD SA flags: 200:
Aug 26 13:30:41.833619: | -> UNDEFINED EVENT_NULL
Aug 26 13:30:41.833622: | QUICK_R2: category: established CHILD SA flags: 0:
Aug 26 13:30:41.833624: | -> UNDEFINED EVENT_NULL
Aug 26 13:30:41.833627: | INFO: category: informational flags: 0:
Aug 26 13:30:41.833630: | -> UNDEFINED EVENT_NULL
Aug 26 13:30:41.833633: | INFO_PROTECTED: category: informational flags: 0:
Aug 26 13:30:41.833635: | -> UNDEFINED EVENT_NULL
Aug 26 13:30:41.833638: | XAUTH_R0: category: established IKE SA flags: 0:
Aug 26 13:30:41.833641: | -> XAUTH_R1 EVENT_NULL
Aug 26 13:30:41.833644: | XAUTH_R1: category: established IKE SA flags: 0:
Aug 26 13:30:41.833646: | -> MAIN_R3 EVENT_SA_REPLACE
Aug 26 13:30:41.833649: | MODE_CFG_R0: category: informational flags: 0:
Aug 26 13:30:41.833651: | -> MODE_CFG_R1 EVENT_SA_REPLACE
Aug 26 13:30:41.833654: | MODE_CFG_R1: category: established IKE SA flags: 0:
Aug 26 13:30:41.833657: | -> MODE_CFG_R2 EVENT_SA_REPLACE
Aug 26 13:30:41.833660: | MODE_CFG_R2: category: established IKE SA flags: 0:
Aug 26 13:30:41.833662: | -> UNDEFINED EVENT_NULL
Aug 26 13:30:41.833665: | MODE_CFG_I1: category: established IKE SA flags: 0:
Aug 26 13:30:41.833668: | -> MAIN_I4 EVENT_SA_REPLACE
Aug 26 13:30:41.833671: | XAUTH_I0: category: established IKE SA flags: 0:
Aug 26 13:30:41.833673: | -> XAUTH_I1 EVENT_RETRANSMIT
Aug 26 13:30:41.833676: | XAUTH_I1: category: established IKE SA flags: 0:
Aug 26 13:30:41.833678: | -> MAIN_I4 EVENT_RETRANSMIT
Aug 26 13:30:41.833685: | checking IKEv2 state table
Aug 26 13:30:41.833692: | PARENT_I0: category: ignore flags: 0:
Aug 26 13:30:41.833695: | -> PARENT_I1 EVENT_RETRANSMIT send-request (initiate IKE_SA_INIT)
Aug 26 13:30:41.833698: | PARENT_I1: category: half-open IKE SA flags: 0:
Aug 26 13:30:41.833702: | -> PARENT_I1 EVENT_RETAIN send-request (Initiator: process SA_INIT reply notification)
Aug 26 13:30:41.833705: | -> PARENT_I2 EVENT_RETRANSMIT send-request (Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH)
Aug 26 13:30:41.833708: | PARENT_I2: category: open IKE SA flags: 0:
Aug 26 13:30:41.833711: | -> PARENT_I2 EVENT_NULL (Initiator: process INVALID_SYNTAX AUTH notification)
Aug 26 13:30:41.833714: | -> PARENT_I2 EVENT_NULL (Initiator: process AUTHENTICATION_FAILED AUTH notification)
Aug 26 13:30:41.833717: | -> PARENT_I2 EVENT_NULL (Initiator: process UNSUPPORTED_CRITICAL_PAYLOAD AUTH notification)
Aug 26 13:30:41.833720: | -> V2_IPSEC_I EVENT_SA_REPLACE (Initiator: process IKE_AUTH response)
Aug 26 13:30:41.833723: | -> PARENT_I2 EVENT_NULL (IKE SA: process IKE_AUTH response containing unknown notification)
Aug 26 13:30:41.833726: | PARENT_I3: category: established IKE SA flags: 0:
Aug 26 13:30:41.833728: | -> PARENT_I3 EVENT_RETAIN (I3: Informational Request)
Aug 26 13:30:41.833731: | -> PARENT_I3 EVENT_RETAIN (I3: Informational Response)
Aug 26 13:30:41.833734: | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Request)
Aug 26 13:30:41.833737: | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Response)
Aug 26 13:30:41.833740: | PARENT_R0: category: half-open IKE SA flags: 0:
Aug 26 13:30:41.833743: | -> PARENT_R1 EVENT_SO_DISCARD send-request (Respond to IKE_SA_INIT)
Aug 26 13:30:41.833746: | PARENT_R1: category: half-open IKE SA flags: 0:
Aug 26 13:30:41.833748: | -> PARENT_R1 EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request (no SKEYSEED))
Aug 26 13:30:41.833751: | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request)
Aug 26 13:30:41.833754: | PARENT_R2: category: established IKE SA flags: 0:
Aug 26 13:30:41.833757: | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Request)
Aug 26 13:30:41.833763: | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Response)
Aug 26 13:30:41.833766: | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Request)
Aug 26 13:30:41.833769: | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Response)
Aug 26 13:30:41.833772: | V2_CREATE_I0: category: established IKE SA flags: 0:
Aug 26 13:30:41.833774: | -> V2_CREATE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec SA)
Aug 26 13:30:41.833777: | V2_CREATE_I: category: established IKE SA flags: 0:
Aug 26 13:30:41.833780: | -> V2_IPSEC_I EVENT_SA_REPLACE (Process CREATE_CHILD_SA IPsec SA Response)
Aug 26 13:30:41.833783: | V2_REKEY_IKE_I0: category: established IKE SA flags: 0:
Aug 26 13:30:41.833786: | -> V2_REKEY_IKE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IKE Rekey)
Aug 26 13:30:41.833789: | V2_REKEY_IKE_I: category: established IKE SA flags: 0:
Aug 26 13:30:41.833792: | -> PARENT_I3 EVENT_SA_REPLACE (Process CREATE_CHILD_SA IKE Rekey Response)
Aug 26 13:30:41.833795: | V2_REKEY_CHILD_I0: category: established IKE SA flags: 0:
Aug 26 13:30:41.833798: | -> V2_REKEY_CHILD_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec Rekey SA)
Aug 26 13:30:41.833801: | V2_REKEY_CHILD_I: category: established IKE SA flags: 0:
Aug 26 13:30:41.833804: | V2_CREATE_R: category: established IKE SA flags: 0:
Aug 26 13:30:41.833807: | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IPsec SA Request)
Aug 26 13:30:41.833810: | V2_REKEY_IKE_R: category: established IKE SA flags: 0:
Aug 26 13:30:41.833813: | -> PARENT_R2 EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IKE Rekey)
Aug 26 13:30:41.833816: | V2_REKEY_CHILD_R: category: established IKE SA flags: 0:
Aug 26 13:30:41.833819: | V2_IPSEC_I: category: established CHILD SA flags: 0:
Aug 26 13:30:41.833822: | V2_IPSEC_R: category: established CHILD SA flags: 0:
Aug 26 13:30:41.833826: | IKESA_DEL: category: established IKE SA flags: 0:
Aug 26 13:30:41.833829: | -> IKESA_DEL EVENT_RETAIN (IKE_SA_DEL: process INFORMATIONAL)
Aug 26 13:30:41.833832: | CHILDSA_DEL: category: informational flags: 0:
Aug 26 13:30:41.833847: Using Linux XFRM/NETKEY IPsec interface code on 5.1.18-200.fc29.x86_64
Aug 26 13:30:41.833917: | Hard-wiring algorithms
Aug 26 13:30:41.833922: | adding AES_CCM_16 to kernel algorithm db
Aug 26 13:30:41.833927: | adding AES_CCM_12 to kernel algorithm db
Aug 26 13:30:41.833930: | adding AES_CCM_8 to kernel algorithm db
Aug 26 13:30:41.833933: | adding 3DES_CBC to kernel algorithm db
Aug 26 13:30:41.833936: | adding CAMELLIA_CBC to kernel algorithm db
Aug 26 13:30:41.833938: | adding AES_GCM_16 to kernel algorithm db
Aug 26 13:30:41.833941: | adding AES_GCM_12 to kernel algorithm db
Aug 26 13:30:41.833943: | adding AES_GCM_8 to kernel algorithm db
Aug 26 13:30:41.833946: | adding AES_CTR to kernel algorithm db
Aug 26 13:30:41.833948: | adding AES_CBC to kernel algorithm db
Aug 26 13:30:41.833951: | adding SERPENT_CBC to kernel algorithm db
Aug 26 13:30:41.833954: | adding TWOFISH_CBC to kernel algorithm db
Aug 26 13:30:41.833957: | adding NULL_AUTH_AES_GMAC to kernel algorithm db
Aug 26 13:30:41.833960: | adding NULL to kernel algorithm db
Aug 26 13:30:41.833963: | adding CHACHA20_POLY1305 to kernel algorithm db
Aug 26 13:30:41.833966: | adding HMAC_MD5_96 to kernel algorithm db
Aug 26 13:30:41.833968: | adding HMAC_SHA1_96 to kernel algorithm db
Aug 26 13:30:41.833971: | adding HMAC_SHA2_512_256 to kernel algorithm db
Aug 26 13:30:41.833973: | adding HMAC_SHA2_384_192 to kernel algorithm db
Aug 26 13:30:41.833976: | adding HMAC_SHA2_256_128 to kernel algorithm db
Aug 26 13:30:41.833979: | adding HMAC_SHA2_256_TRUNCBUG to kernel algorithm db
Aug 26 13:30:41.833981: | adding AES_XCBC_96 to kernel algorithm db
Aug 26 13:30:41.833984: | adding AES_CMAC_96 to kernel algorithm db
Aug 26 13:30:41.833986: | adding NONE to kernel algorithm db
Aug 26 13:30:41.834012: | net.ipv6.conf.all.disable_ipv6=1 ignore ipv6 holes
Aug 26 13:30:41.834019: | global periodic timer EVENT_SHUNT_SCAN enabled with interval of 20 seconds
Aug 26 13:30:41.834022: | setup kernel fd callback
Aug 26 13:30:41.834026: | add_fd_read_event_handler: new KERNEL_XRM_FD-pe@0x56330789e388
Aug 26 13:30:41.834031: | libevent_malloc: new ptr-libevent@0x563307881bd8 size 128
Aug 26 13:30:41.834035: | libevent_malloc: new ptr-libevent@0x56330789d8e8 size 16
Aug 26 13:30:41.834042: | add_fd_read_event_handler: new KERNEL_ROUTE_FD-pe@0x56330789d7d8
Aug 26 13:30:41.834046: | libevent_malloc: new ptr-libevent@0x563307848118 size 128
Aug 26 13:30:41.834049: | libevent_malloc: new ptr-libevent@0x56330789e2d8 size 16
Aug 26 13:30:41.834294: | global one-shot timer EVENT_CHECK_CRLS initialized
Aug 26 13:30:41.834309: selinux support is enabled.
Aug 26 13:30:41.834645: | unbound context created - setting debug level to 5
Aug 26 13:30:41.834678: | /etc/hosts lookups activated
Aug 26 13:30:41.834696: | /etc/resolv.conf usage activated
Aug 26 13:30:41.834765: | outgoing-port-avoid set 0-65535
Aug 26 13:30:41.834799: | outgoing-port-permit set 32768-60999
Aug 26 13:30:41.834803: | Loading dnssec root key from:/var/lib/unbound/root.key
Aug 26 13:30:41.834806: | No additional dnssec trust anchors defined via dnssec-trusted= option
Aug 26 13:30:41.834810: | Setting up events, loop start
Aug 26 13:30:41.834813: | add_fd_read_event_handler: new PLUTO_CTL_FD-pe@0x56330789e318
Aug 26 13:30:41.834817: | libevent_malloc: new ptr-libevent@0x5633078aa558 size 128
Aug 26 13:30:41.834821: | libevent_malloc: new ptr-libevent@0x5633078b57e8 size 16
Aug 26 13:30:41.834828: | libevent_realloc: new ptr-libevent@0x563307844bb8 size 256
Aug 26 13:30:41.834832: | libevent_malloc: new ptr-libevent@0x5633078b5828 size 8
Aug 26 13:30:41.834836: | libevent_realloc: new ptr-libevent@0x563307845468 size 144
Aug 26 13:30:41.834838: | libevent_malloc: new ptr-libevent@0x5633078458c8 size 152
Aug 26 13:30:41.834842: | libevent_malloc: new ptr-libevent@0x5633078b5868 size 16
Aug 26 13:30:41.834846: | signal event handler PLUTO_SIGCHLD installed
Aug 26 13:30:41.834850: | libevent_malloc: new ptr-libevent@0x5633078b58a8 size 8
Aug 26 13:30:41.834853: | libevent_malloc: new ptr-libevent@0x5633078b58e8 size 152
Aug 26 13:30:41.834857: | signal event handler PLUTO_SIGTERM installed
Aug 26 13:30:41.834860: | libevent_malloc: new ptr-libevent@0x5633078b59b8 size 8
Aug 26 13:30:41.834863: | libevent_malloc: new ptr-libevent@0x5633078b59f8 size 152
Aug 26 13:30:41.834866: | signal event handler PLUTO_SIGHUP installed
Aug 26 13:30:41.834869: | libevent_malloc: new ptr-libevent@0x5633078b5ac8 size 8
Aug 26 13:30:41.834872: | libevent_realloc: release ptr-libevent@0x563307845468
Aug 26 13:30:41.834875: | libevent_realloc: new ptr-libevent@0x5633078b5b08 size 256
Aug 26 13:30:41.834878: | libevent_malloc: new ptr-libevent@0x5633078b5c38 size 152
Aug 26 13:30:41.834881: | signal event handler PLUTO_SIGSYS installed
Aug 26 13:30:41.835212: | created addconn helper (pid:9033) using fork+execve
Aug 26 13:30:41.835227: | forked child 9033
Aug 26 13:30:41.835657: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
Aug 26 13:30:41.835681: listening for IKE messages
Aug 26 13:30:41.835718: | Inspecting interface lo
Aug 26 13:30:41.835726: | found lo with address 127.0.0.1
Aug 26 13:30:41.835732: | Inspecting interface eth0
Aug 26 13:30:41.835737: | found eth0 with address 192.0.2.254
Aug 26 13:30:41.835740: | Inspecting interface eth1
Aug 26 13:30:41.835745: | found eth1 with address 192.1.2.23
Aug 26 13:30:41.835840: Kernel supports NIC esp-hw-offload
Aug 26 13:30:41.835852: adding interface eth1/eth1 (esp-hw-offload not supported by kernel) 192.1.2.23:500
Aug 26 13:30:41.835876: | NAT-Traversal: Trying sockopt style NAT-T
Aug 26 13:30:41.835881: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4
Aug 26 13:30:41.835886: adding interface eth1/eth1 192.1.2.23:4500
Aug 26 13:30:41.835918: adding interface eth0/eth0 (esp-hw-offload not supported by kernel) 192.0.2.254:500
Aug 26 13:30:41.835941: | NAT-Traversal: Trying sockopt style NAT-T
Aug 26 13:30:41.835946: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4
Aug 26 13:30:41.835951: adding interface eth0/eth0 192.0.2.254:4500
Aug 26 13:30:41.835977: adding interface lo/lo (esp-hw-offload not supported by kernel) 127.0.0.1:500
Aug 26 13:30:41.836000: | NAT-Traversal: Trying sockopt style NAT-T
Aug 26 13:30:41.836005: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4
Aug 26 13:30:41.836009: adding interface lo/lo 127.0.0.1:4500
Aug 26 13:30:41.836074: | no interfaces to sort
Aug 26 13:30:41.836081: | FOR_EACH_UNORIENTED_CONNECTION_... in check_orientations
Aug 26 13:30:41.836090: | add_fd_read_event_handler: new ethX-pe@0x5633078b6198
Aug 26 13:30:41.836094: | libevent_malloc: new ptr-libevent@0x5633078aa4a8 size 128
Aug 26 13:30:41.836098: | libevent_malloc: new ptr-libevent@0x5633078b6208 size 16
Aug 26 13:30:41.836105: | setup callback for interface lo 127.0.0.1:4500 fd 22
Aug 26 13:30:41.836108: | add_fd_read_event_handler: new ethX-pe@0x5633078b6248
Aug 26 13:30:41.836113: | libevent_malloc: new ptr-libevent@0x563307846378 size 128
Aug 26 13:30:41.836116: | libevent_malloc: new ptr-libevent@0x5633078b62b8 size 16
Aug 26 13:30:41.836121: | setup callback for interface lo 127.0.0.1:500 fd 21
Aug 26 13:30:41.836124: | add_fd_read_event_handler: new ethX-pe@0x5633078b62f8
Aug 26 13:30:41.836127: | libevent_malloc: new ptr-libevent@0x563307848218 size 128
Aug 26 13:30:41.836130: | libevent_malloc: new ptr-libevent@0x5633078b6368 size 16
Aug 26 13:30:41.836134: | setup callback for interface eth0 192.0.2.254:4500 fd 20
Aug 26 13:30:41.836137: | add_fd_read_event_handler: new ethX-pe@0x5633078b63a8
Aug 26 13:30:41.836140: | libevent_malloc: new ptr-libevent@0x563307845368 size 128
Aug 26 13:30:41.836143: | libevent_malloc: new ptr-libevent@0x5633078b6418 size 16
Aug 26 13:30:41.836149: | setup callback for interface eth0 192.0.2.254:500 fd 19
Aug 26 13:30:41.836152: | add_fd_read_event_handler: new ethX-pe@0x5633078b6458
Aug 26 13:30:41.836156: | libevent_malloc: new ptr-libevent@0x56330781bb78 size 128
Aug 26 13:30:41.836159: | libevent_malloc: new ptr-libevent@0x5633078b64c8 size 16
Aug 26 13:30:41.836163: | setup callback for interface eth1 192.1.2.23:4500 fd 18
Aug 26 13:30:41.836166: | add_fd_read_event_handler: new ethX-pe@0x5633078b6508
Aug 26 13:30:41.836170: | libevent_malloc: new ptr-libevent@0x5633078161d8 size 128
Aug 26 13:30:41.836173: | libevent_malloc: new ptr-libevent@0x5633078b6578 size 16
Aug 26 13:30:41.836178: | setup callback for interface eth1 192.1.2.23:500 fd 17
Aug 26 13:30:41.836183: | certs and keys locked by 'free_preshared_secrets'
Aug 26 13:30:41.836185: | certs and keys unlocked by 'free_preshared_secrets'
Aug 26 13:30:41.836205: loading secrets from "/etc/ipsec.secrets"
Aug 26 13:30:41.836215: | Processing PSK at line 1: passed
Aug 26 13:30:41.836219: | certs and keys locked by 'process_secret'
Aug 26 13:30:41.836223: | certs and keys unlocked by 'process_secret'
Aug 26 13:30:41.836233: | close_any(fd@16) (in whack_process() at rcv_whack.c:700)
Aug 26 13:30:41.836241: | spent 0.962 milliseconds in whack
Aug 26 13:30:41.861387: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
Aug 26 13:30:41.861417: listening for IKE messages
Aug 26 13:30:41.861456: | Inspecting interface lo
Aug 26 13:30:41.861465: | found lo with address 127.0.0.1
Aug 26 13:30:41.861469: | Inspecting interface eth0
Aug 26 13:30:41.861474: | found eth0 with address 192.0.2.254
Aug 26 13:30:41.861477: | Inspecting interface eth1
Aug 26 13:30:41.861481: | found eth1 with address 192.1.2.23
Aug 26 13:30:41.861551: | no interfaces to sort
Aug 26 13:30:41.861563: | libevent_free: release ptr-libevent@0x5633078aa4a8
Aug 26 13:30:41.861566: | free_event_entry: release EVENT_NULL-pe@0x5633078b6198
Aug 26 13:30:41.861574: | add_fd_read_event_handler: new ethX-pe@0x5633078b6198
Aug 26 13:30:41.861578: | libevent_malloc: new ptr-libevent@0x5633078aa4a8 size 128
Aug 26 13:30:41.861586: | setup callback for interface lo 127.0.0.1:4500 fd 22
Aug 26 13:30:41.861591: | libevent_free: release ptr-libevent@0x563307846378
Aug 26 13:30:41.861594: | free_event_entry: release EVENT_NULL-pe@0x5633078b6248
Aug 26 13:30:41.861597: | add_fd_read_event_handler: new ethX-pe@0x5633078b6248
Aug 26 13:30:41.861600: | libevent_malloc: new ptr-libevent@0x563307846378 size 128
Aug 26 13:30:41.861605: | setup callback for interface lo 127.0.0.1:500 fd 21
Aug 26 13:30:41.861609: | libevent_free: release ptr-libevent@0x563307848218
Aug 26 13:30:41.861612: | free_event_entry: release EVENT_NULL-pe@0x5633078b62f8
Aug 26 13:30:41.861614: | add_fd_read_event_handler: new ethX-pe@0x5633078b62f8
Aug 26 13:30:41.861617: | libevent_malloc: new ptr-libevent@0x563307848218 size 128
Aug 26 13:30:41.861622: | setup callback for interface eth0 192.0.2.254:4500 fd 20
Aug 26 13:30:41.861626: | libevent_free: release ptr-libevent@0x563307845368
Aug 26 13:30:41.861629: | free_event_entry: release EVENT_NULL-pe@0x5633078b63a8
Aug 26 13:30:41.861631: | add_fd_read_event_handler: new ethX-pe@0x5633078b63a8
Aug 26 13:30:41.861634: | libevent_malloc: new ptr-libevent@0x563307845368 size 128
Aug 26 13:30:41.861638: | setup callback for interface eth0 192.0.2.254:500 fd 19
Aug 26 13:30:41.861642: | libevent_free: release ptr-libevent@0x56330781bb78
Aug 26 13:30:41.861645: | free_event_entry: release EVENT_NULL-pe@0x5633078b6458
Aug 26 13:30:41.861648: | add_fd_read_event_handler: new ethX-pe@0x5633078b6458
Aug 26 13:30:41.861651: | libevent_malloc: new ptr-libevent@0x56330781bb78 size 128
Aug 26 13:30:41.861656: | setup callback for interface eth1 192.1.2.23:4500 fd 18
Aug 26 13:30:41.861660: | libevent_free: release ptr-libevent@0x5633078161d8
Aug 26 13:30:41.861662: | free_event_entry: release EVENT_NULL-pe@0x5633078b6508
Aug 26 13:30:41.861665: | add_fd_read_event_handler: new ethX-pe@0x5633078b6508
Aug 26 13:30:41.861668: | libevent_malloc: new ptr-libevent@0x5633078161d8 size 128
Aug 26 13:30:41.861673: | setup callback for interface eth1 192.1.2.23:500 fd 17
Aug 26 13:30:41.861677: | certs and keys locked by 'free_preshared_secrets'
Aug 26 13:30:41.861679: forgetting secrets
Aug 26 13:30:41.861686: | certs and keys unlocked by 'free_preshared_secrets'
Aug 26 13:30:41.861702: loading secrets from "/etc/ipsec.secrets"
Aug 26 13:30:41.861710: | Processing PSK at line 1: passed
Aug 26 13:30:41.861714: | certs and keys locked by 'process_secret'
Aug 26 13:30:41.861717: | certs and keys unlocked by 'process_secret' Aug 26 13:30:41.861725: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 13:30:41.861733: | spent 0.357 milliseconds in whack Aug 26 13:30:41.862229: | processing signal PLUTO_SIGCHLD Aug 26 13:30:41.862246: | waitpid returned pid 9033 (exited with status 0) Aug 26 13:30:41.862251: | reaped addconn helper child (status 0) Aug 26 13:30:41.862257: | waitpid returned ECHILD (no child processes left) Aug 26 13:30:41.862263: | spent 0.021 milliseconds in signal handler PLUTO_SIGCHLD Aug 26 13:30:41.924393: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 13:30:41.924425: | FOR_EACH_CONNECTION_... in conn_by_name Aug 26 13:30:41.924430: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias Aug 26 13:30:41.924433: | FOR_EACH_CONNECTION_... in conn_by_name Aug 26 13:30:41.924435: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias Aug 26 13:30:41.924439: | FOR_EACH_CONNECTION_... 
in conn_by_name Aug 26 13:30:41.924488: | Added new connection eastnet-northnet with policy PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO Aug 26 13:30:41.924546: | ike (phase1) algorithm values: AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 Aug 26 13:30:41.924559: | from whack: got --esp=aes256-sha2 Aug 26 13:30:41.924573: | ESP/AH string values: AES_CBC_256-HMAC_SHA2_256_128 Aug 26 13:30:41.924579: | counting wild cards for (none) is 15 Aug 26 13:30:41.924584: | counting wild cards for 192.1.2.23 is 0 Aug 26 13:30:41.924590: | based upon policy, the connection is a template. Aug 26 13:30:41.924597: | connect_to_host_pair: 192.1.2.23:500 0.0.0.0:500 -> hp@(nil): none Aug 26 13:30:41.924600: | new hp@0x5633078b83a8 Aug 26 13:30:41.924605: added connection description "eastnet-northnet" Aug 26 13:30:41.924614: | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO Aug 26 13:30:41.924622: | 192.0.2.0/24===192.1.2.23<192.1.2.23>...%any===192.0.3.0/24 Aug 26 13:30:41.924628: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 13:30:41.924635: | spent 0.243 milliseconds in whack Aug 26 13:30:43.679852: | spent 0.00278 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Aug 26 13:30:43.679882: | *received 828 bytes from 192.1.3.33:500 on eth1 (192.1.2.23:500)
Aug 26 13:30:43.680029: | start processing: from 192.1.3.33:500 (in process_md() at demux.c:378) Aug 26 13:30:43.680033: | **parse ISAKMP Message: Aug 26 13:30:43.680037: | initiator cookie: Aug 26 13:30:43.680039: | 4d 32 ac ac c7 3d 7a d4 Aug 26 13:30:43.680042: | responder cookie: Aug 26 13:30:43.680044: | 00 00 00 00 00 00 00 00 
Aug 26 13:30:43.680047: | next payload type: ISAKMP_NEXT_v2SA (0x21) Aug 26 13:30:43.680050: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:30:43.680053: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) Aug 26 13:30:43.680056: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Aug 26 13:30:43.680059: | Message ID: 0 (0x0) Aug 26 13:30:43.680061: | length: 828 (0x33c) Aug 26 13:30:43.680065: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_SA_INIT (34) Aug 26 13:30:43.680068: | I am the IKE SA Original Responder receiving an IKEv2 IKE_SA_INIT request Aug 26 13:30:43.680072: | State DB: IKEv2 state not found (find_v2_ike_sa_by_initiator_spi) Aug 26 13:30:43.680075: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Aug 26 13:30:43.680079: | ***parse IKEv2 Security Association Payload: Aug 26 13:30:43.680082: | next payload type: ISAKMP_NEXT_v2KE (0x22) Aug 26 13:30:43.680084: | flags: none (0x0) Aug 26 13:30:43.680087: | length: 436 (0x1b4) Aug 26 13:30:43.680090: | processing payload: ISAKMP_NEXT_v2SA (len=432) Aug 26 13:30:43.680092: | Now let's proceed with payload (ISAKMP_NEXT_v2KE) Aug 26 13:30:43.680095: | ***parse IKEv2 Key Exchange Payload: Aug 26 13:30:43.680098: | next payload type: ISAKMP_NEXT_v2Ni (0x28) Aug 26 13:30:43.680101: | flags: none (0x0) Aug 26 13:30:43.680103: | length: 264 (0x108) Aug 26 13:30:43.680106: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:30:43.680109: | processing payload: ISAKMP_NEXT_v2KE (len=256) Aug 26 13:30:43.680111: | Now let's proceed with payload (ISAKMP_NEXT_v2Ni) Aug 26 13:30:43.680114: | ***parse IKEv2 Nonce Payload: Aug 26 13:30:43.680117: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 13:30:43.680119: | flags: none (0x0) Aug 26 13:30:43.680122: | length: 36 (0x24) Aug 26 13:30:43.680125: | processing payload: ISAKMP_NEXT_v2Ni (len=32) Aug 26 13:30:43.680127: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Aug 26 13:30:43.680130: | ***parse IKEv2 Notify Payload: Aug 26 
13:30:43.680133: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 13:30:43.680135: | flags: none (0x0) Aug 26 13:30:43.680138: | length: 8 (0x8) Aug 26 13:30:43.680141: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:30:43.680143: | SPI size: 0 (0x0) Aug 26 13:30:43.680146: | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) Aug 26 13:30:43.680151: | processing payload: ISAKMP_NEXT_v2N (len=0) Aug 26 13:30:43.680153: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Aug 26 13:30:43.680156: | ***parse IKEv2 Notify Payload: Aug 26 13:30:43.680159: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 13:30:43.680161: | flags: none (0x0) Aug 26 13:30:43.680164: | length: 28 (0x1c) Aug 26 13:30:43.680167: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:30:43.680169: | SPI size: 0 (0x0) Aug 26 13:30:43.680172: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Aug 26 13:30:43.680175: | processing payload: ISAKMP_NEXT_v2N (len=20) Aug 26 13:30:43.680177: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Aug 26 13:30:43.680180: | ***parse IKEv2 Notify Payload: Aug 26 13:30:43.680183: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:30:43.680185: | flags: none (0x0) Aug 26 13:30:43.680188: | length: 28 (0x1c) Aug 26 13:30:43.680190: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:30:43.680193: | SPI size: 0 (0x0) Aug 26 13:30:43.680196: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Aug 26 13:30:43.680198: | processing payload: ISAKMP_NEXT_v2N (len=20) Aug 26 13:30:43.680201: | DDOS disabled and no cookie sent, continuing Aug 26 13:30:43.680207: | find_host_connection local=192.1.2.23:500 remote=192.1.3.33:500 policy=ECDSA+IKEV2_ALLOW but ignoring ports Aug 26 13:30:43.680211: | find_next_host_connection policy=ECDSA+IKEV2_ALLOW Aug 26 13:30:43.680213: | find_next_host_connection returns empty Aug 26 13:30:43.680218: | find_host_connection local=192.1.2.23:500 remote= policy=ECDSA+IKEV2_ALLOW but ignoring ports Aug 26 
13:30:43.680223: | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports Aug 26 13:30:43.680226: | find_next_host_connection policy=ECDSA+IKEV2_ALLOW Aug 26 13:30:43.680230: | found policy = PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO (eastnet-northnet) Aug 26 13:30:43.680233: | find_next_host_connection returns empty Aug 26 13:30:43.680237: | initial parent SA message received on 192.1.2.23:500 but no connection has been authorized with policy ECDSA+IKEV2_ALLOW Aug 26 13:30:43.680242: | find_host_connection local=192.1.2.23:500 remote=192.1.3.33:500 policy=RSASIG+IKEV2_ALLOW but ignoring ports Aug 26 13:30:43.680245: | find_next_host_connection policy=RSASIG+IKEV2_ALLOW Aug 26 13:30:43.680248: | find_next_host_connection returns empty Aug 26 13:30:43.680252: | find_host_connection local=192.1.2.23:500 remote= policy=RSASIG+IKEV2_ALLOW but ignoring ports Aug 26 13:30:43.680257: | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports Aug 26 13:30:43.680260: | find_next_host_connection policy=RSASIG+IKEV2_ALLOW Aug 26 13:30:43.680263: | found policy = PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO (eastnet-northnet) Aug 26 13:30:43.680265: | find_next_host_connection returns empty Aug 26 13:30:43.680269: | initial parent SA message received on 192.1.2.23:500 but no connection has been authorized with policy RSASIG+IKEV2_ALLOW Aug 26 13:30:43.680274: | find_host_connection local=192.1.2.23:500 remote=192.1.3.33:500 policy=PSK+IKEV2_ALLOW but ignoring ports Aug 26 13:30:43.680277: | find_next_host_connection policy=PSK+IKEV2_ALLOW Aug 26 13:30:43.680280: | find_next_host_connection returns empty Aug 26 13:30:43.680284: | find_host_connection local=192.1.2.23:500 remote= policy=PSK+IKEV2_ALLOW but ignoring ports Aug 26 13:30:43.680292: | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports Aug 26 13:30:43.680298: | find_next_host_connection 
policy=PSK+IKEV2_ALLOW Aug 26 13:30:43.680301: | found policy = PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO (eastnet-northnet) Aug 26 13:30:43.680304: | find_next_host_connection returns eastnet-northnet Aug 26 13:30:43.680307: | find_next_host_connection policy=PSK+IKEV2_ALLOW Aug 26 13:30:43.680311: | find_next_host_connection returns empty Aug 26 13:30:43.680314: | rw_instantiate Aug 26 13:30:43.680324: | connect_to_host_pair: 192.1.2.23:500 192.1.3.33:500 -> hp@(nil): none Aug 26 13:30:43.680327: | new hp@0x5633078ba308 Aug 26 13:30:43.680334: | rw_instantiate() instantiated "eastnet-northnet"[1] 192.1.3.33 for 192.1.3.33 Aug 26 13:30:43.680339: | found connection: eastnet-northnet[1] 192.1.3.33 with policy PSK+IKEV2_ALLOW Aug 26 13:30:43.680344: | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports Aug 26 13:30:43.680373: | creating state object #1 at 0x5633078ba858 Aug 26 13:30:43.680378: | State DB: adding IKEv2 state #1 in UNDEFINED Aug 26 13:30:43.680386: | pstats #1 ikev2.ike started Aug 26 13:30:43.680390: | Message ID: init #1: msgid=0 lastack=4294967295 nextuse=0 lastrecv=4294967295 lastreplied=0 Aug 26 13:30:43.680393: | parent state #1: UNDEFINED(ignore) => PARENT_R0(half-open IKE SA) Aug 26 13:30:43.680399: | Message ID: init_ike #1; ike: initiator.sent=0->-1 initiator.recv=0->-1 responder.sent=0->-1 responder.recv=0->-1 wip.initiator=0->-1 wip.responder=0->-1 Aug 26 13:30:43.680409: | start processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33 (in ikev2_process_packet() at ikev2.c:2016) Aug 26 13:30:43.680412: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Aug 26 13:30:43.680418: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33 (in ike_process_packet() at ikev2.c:2064) Aug 26 13:30:43.680421: | #1 st.st_msgid_lastrecv -1 md.hdr.isa_msgid 00000000 Aug 26 13:30:43.680426: | Message ID: #1 not a duplicate - 
message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1 Aug 26 13:30:43.680430: | Message ID: start-responder #1 request 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1 wip.initiator=-1 wip.responder=-1->0 Aug 26 13:30:43.680433: | #1 in state PARENT_R0: processing SA_INIT request Aug 26 13:30:43.680437: | selected state microcode Respond to IKE_SA_INIT Aug 26 13:30:43.680439: | Now let's proceed with state specific processing Aug 26 13:30:43.680442: | calling processor Respond to IKE_SA_INIT Aug 26 13:30:43.680448: | #1 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2669) Aug 26 13:30:43.680452: | constructing local IKE proposals for eastnet-northnet (IKE SA responder matching remote proposals) Aug 26 13:30:43.680460: | converting ike_info AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Aug 26 13:30:43.680468: | ... ikev2_proposal: 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Aug 26 13:30:43.680472: | converting ike_info AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Aug 26 13:30:43.680478: | ... ikev2_proposal: 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Aug 26 13:30:43.680482: | converting ike_info AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Aug 26 13:30:43.680488: | ... 
ikev2_proposal: 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Aug 26 13:30:43.680492: | converting ike_info AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Aug 26 13:30:43.680497: | ... ikev2_proposal: 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Aug 26 13:30:43.680511: "eastnet-northnet"[1] 192.1.3.33: constructed local IKE proposals for eastnet-northnet (IKE SA responder matching remote proposals): 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Aug 26 13:30:43.680517: | Comparing remote proposals against IKE responder 4 local proposals Aug 26 13:30:43.680520: | local proposal 1 type ENCR has 1 transforms Aug 26 13:30:43.680523: | local proposal 1 type PRF has 2 transforms Aug 26 13:30:43.680526: | local proposal 1 type INTEG has 1 transforms Aug 26 13:30:43.680529: | local proposal 1 type DH has 8 transforms Aug 26 13:30:43.680532: | local proposal 1 type ESN has 0 transforms Aug 26 13:30:43.680535: | local proposal 1 transforms: required: ENCR+PRF+DH; optional: INTEG Aug 26 13:30:43.680538: | local proposal 2 type ENCR has 1 transforms Aug 26 13:30:43.680541: | local proposal 2 type PRF 
has 2 transforms Aug 26 13:30:43.680544: | local proposal 2 type INTEG has 1 transforms Aug 26 13:30:43.680546: | local proposal 2 type DH has 8 transforms Aug 26 13:30:43.680549: | local proposal 2 type ESN has 0 transforms Aug 26 13:30:43.680552: | local proposal 2 transforms: required: ENCR+PRF+DH; optional: INTEG Aug 26 13:30:43.680555: | local proposal 3 type ENCR has 1 transforms Aug 26 13:30:43.680557: | local proposal 3 type PRF has 2 transforms Aug 26 13:30:43.680560: | local proposal 3 type INTEG has 2 transforms Aug 26 13:30:43.680563: | local proposal 3 type DH has 8 transforms Aug 26 13:30:43.680566: | local proposal 3 type ESN has 0 transforms Aug 26 13:30:43.680569: | local proposal 3 transforms: required: ENCR+PRF+INTEG+DH; optional: none Aug 26 13:30:43.680572: | local proposal 4 type ENCR has 1 transforms Aug 26 13:30:43.680574: | local proposal 4 type PRF has 2 transforms Aug 26 13:30:43.680577: | local proposal 4 type INTEG has 2 transforms Aug 26 13:30:43.680580: | local proposal 4 type DH has 8 transforms Aug 26 13:30:43.680582: | local proposal 4 type ESN has 0 transforms Aug 26 13:30:43.680585: | local proposal 4 transforms: required: ENCR+PRF+INTEG+DH; optional: none Aug 26 13:30:43.680589: | ****parse IKEv2 Proposal Substructure Payload: Aug 26 13:30:43.680592: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 13:30:43.680594: | length: 100 (0x64) Aug 26 13:30:43.680597: | prop #: 1 (0x1) Aug 26 13:30:43.680600: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 13:30:43.680602: | spi size: 0 (0x0) Aug 26 13:30:43.680605: | # transforms: 11 (0xb) Aug 26 13:30:43.680609: | Comparing remote proposal 1 containing 11 transforms against local proposal [1..4] of 4 local proposals Aug 26 13:30:43.680612: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.680615: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.680617: | length: 12 (0xc) Aug 26 13:30:43.680620: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 
13:30:43.680623: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 13:30:43.680626: | ******parse IKEv2 Attribute Substructure Payload: Aug 26 13:30:43.680629: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:30:43.680632: | length/value: 256 (0x100) Aug 26 13:30:43.680636: | remote proposal 1 transform 0 (ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) transform 0 Aug 26 13:30:43.680639: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.680642: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.680644: | length: 8 (0x8) Aug 26 13:30:43.680647: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:30:43.680650: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Aug 26 13:30:43.680654: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 1 type 2 (PRF) transform 0 Aug 26 13:30:43.680659: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 2 type 2 (PRF) transform 0 Aug 26 13:30:43.680662: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 3 type 2 (PRF) transform 0 Aug 26 13:30:43.680666: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 4 type 2 (PRF) transform 0 Aug 26 13:30:43.680669: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.680671: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.680674: | length: 8 (0x8) Aug 26 13:30:43.680676: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:30:43.680679: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Aug 26 13:30:43.680682: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.680685: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.680687: | length: 8 (0x8) Aug 26 13:30:43.680690: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:43.680693: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:30:43.680697: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 1 type 4 (DH) transform 0 Aug 26 
13:30:43.680700: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 2 type 4 (DH) transform 0 Aug 26 13:30:43.680703: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 3 type 4 (DH) transform 0 Aug 26 13:30:43.680707: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 4 type 4 (DH) transform 0 Aug 26 13:30:43.680709: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.680712: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.680715: | length: 8 (0x8) Aug 26 13:30:43.680717: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:43.680720: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Aug 26 13:30:43.680723: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.680726: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.680728: | length: 8 (0x8) Aug 26 13:30:43.680731: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:43.680734: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Aug 26 13:30:43.680737: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.680739: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.680742: | length: 8 (0x8) Aug 26 13:30:43.680745: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:43.680747: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Aug 26 13:30:43.680750: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.680753: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.680755: | length: 8 (0x8) Aug 26 13:30:43.680758: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:43.680761: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Aug 26 13:30:43.680764: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.680767: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.680769: | length: 8 (0x8) Aug 26 13:30:43.680772: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:43.680775: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) 
Aug 26 13:30:43.680778: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.680780: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.680783: | length: 8 (0x8) Aug 26 13:30:43.680785: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:43.680788: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Aug 26 13:30:43.680791: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.680794: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:30:43.680796: | length: 8 (0x8) Aug 26 13:30:43.680799: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:43.680802: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Aug 26 13:30:43.680806: | remote proposal 1 proposed transforms: ENCR+PRF+DH; matched: ENCR+PRF+DH; unmatched: none Aug 26 13:30:43.680812: | comparing remote proposal 1 containing ENCR+PRF+DH transforms to local proposal 1; required: ENCR+PRF+DH; optional: INTEG; matched: ENCR+PRF+DH Aug 26 13:30:43.680815: | remote proposal 1 matches local proposal 1 Aug 26 13:30:43.680818: | ****parse IKEv2 Proposal Substructure Payload: Aug 26 13:30:43.680821: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 13:30:43.680824: | length: 100 (0x64) Aug 26 13:30:43.680826: | prop #: 2 (0x2) Aug 26 13:30:43.680829: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 13:30:43.680832: | spi size: 0 (0x0) Aug 26 13:30:43.680834: | # transforms: 11 (0xb) Aug 26 13:30:43.680838: | Comparing remote proposal 2 containing 11 transforms against local proposal [1..0] of 4 local proposals Aug 26 13:30:43.680841: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.680843: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.680846: | length: 12 (0xc) Aug 26 13:30:43.680848: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:30:43.680851: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 13:30:43.680854: | ******parse IKEv2 Attribute Substructure Payload: Aug 26 13:30:43.680857: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 
13:30:43.680859: | length/value: 128 (0x80) Aug 26 13:30:43.680863: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.680865: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.680868: | length: 8 (0x8) Aug 26 13:30:43.680870: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:30:43.680873: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Aug 26 13:30:43.680876: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.680878: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.680881: | length: 8 (0x8) Aug 26 13:30:43.680883: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:30:43.680886: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Aug 26 13:30:43.680889: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.680892: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.680894: | length: 8 (0x8) Aug 26 13:30:43.680897: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:43.680899: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:30:43.680902: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.680905: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.680907: | length: 8 (0x8) Aug 26 13:30:43.680910: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:43.680912: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Aug 26 13:30:43.680915: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.680918: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.680920: | length: 8 (0x8) Aug 26 13:30:43.680923: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:43.680925: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Aug 26 13:30:43.680928: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.680931: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.680933: | length: 8 (0x8) Aug 26 13:30:43.680936: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:43.680939: | IKEv2 transform ID: 
OAKLEY_GROUP_MODP8192 (0x12) Aug 26 13:30:43.680942: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.680945: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.680947: | length: 8 (0x8) Aug 26 13:30:43.680950: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:43.680953: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Aug 26 13:30:43.680956: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.680958: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.680961: | length: 8 (0x8) Aug 26 13:30:43.680964: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:43.680967: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Aug 26 13:30:43.680970: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.680976: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.680979: | length: 8 (0x8) Aug 26 13:30:43.680982: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:43.680984: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Aug 26 13:30:43.680987: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.680990: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:30:43.680993: | length: 8 (0x8) Aug 26 13:30:43.680995: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:43.680998: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Aug 26 13:30:43.681002: | remote proposal 2 proposed transforms: ENCR+PRF+DH; matched: none; unmatched: ENCR+PRF+DH Aug 26 13:30:43.681005: | remote proposal 2 does not match; unmatched remote transforms: ENCR+PRF+DH Aug 26 13:30:43.681008: | ****parse IKEv2 Proposal Substructure Payload: Aug 26 13:30:43.681011: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 13:30:43.681013: | length: 116 (0x74) Aug 26 13:30:43.681016: | prop #: 3 (0x3) Aug 26 13:30:43.681019: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 13:30:43.681021: | spi size: 0 (0x0) Aug 26 13:30:43.681024: | # transforms: 13 (0xd) Aug 26 13:30:43.681027: | Comparing remote proposal 3 
containing 13 transforms against local proposal [1..0] of 4 local proposals Aug 26 13:30:43.681030: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.681033: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.681035: | length: 12 (0xc) Aug 26 13:30:43.681038: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:30:43.681041: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 13:30:43.681043: | ******parse IKEv2 Attribute Substructure Payload: Aug 26 13:30:43.681046: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:30:43.681049: | length/value: 256 (0x100) Aug 26 13:30:43.681052: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.681055: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.681057: | length: 8 (0x8) Aug 26 13:30:43.681060: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:30:43.681062: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Aug 26 13:30:43.681065: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.681068: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.681070: | length: 8 (0x8) Aug 26 13:30:43.681073: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:30:43.681076: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Aug 26 13:30:43.681079: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.681081: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.681084: | length: 8 (0x8) Aug 26 13:30:43.681087: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:30:43.681089: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Aug 26 13:30:43.681092: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.681095: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.681098: | length: 8 (0x8) Aug 26 13:30:43.681100: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:30:43.681103: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Aug 26 13:30:43.681106: | *****parse IKEv2 Transform Substructure Payload: Aug 26 
13:30:43.681109: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.681111: | length: 8 (0x8) Aug 26 13:30:43.681114: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:43.681117: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:30:43.681120: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.681122: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.681125: | length: 8 (0x8) Aug 26 13:30:43.681128: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:43.681130: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Aug 26 13:30:43.681133: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.681136: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.681140: | length: 8 (0x8) Aug 26 13:30:43.681142: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:43.681145: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Aug 26 13:30:43.681148: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.681151: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.681153: | length: 8 (0x8) Aug 26 13:30:43.681156: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:43.681159: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Aug 26 13:30:43.681162: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.681165: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.681167: | length: 8 (0x8) Aug 26 13:30:43.681170: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:43.681172: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Aug 26 13:30:43.681175: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.681178: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.681181: | length: 8 (0x8) Aug 26 13:30:43.681183: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:43.681186: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Aug 26 13:30:43.681189: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.681192: | last 
transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.681194: | length: 8 (0x8) Aug 26 13:30:43.681197: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:43.681200: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Aug 26 13:30:43.681203: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.681205: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:30:43.681208: | length: 8 (0x8) Aug 26 13:30:43.681211: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:43.681213: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Aug 26 13:30:43.681218: | remote proposal 3 proposed transforms: ENCR+PRF+INTEG+DH; matched: none; unmatched: ENCR+PRF+INTEG+DH Aug 26 13:30:43.681221: | remote proposal 3 does not match; unmatched remote transforms: ENCR+PRF+INTEG+DH Aug 26 13:30:43.681224: | ****parse IKEv2 Proposal Substructure Payload: Aug 26 13:30:43.681226: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 13:30:43.681229: | length: 116 (0x74) Aug 26 13:30:43.681231: | prop #: 4 (0x4) Aug 26 13:30:43.681234: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 13:30:43.681237: | spi size: 0 (0x0) Aug 26 13:30:43.681239: | # transforms: 13 (0xd) Aug 26 13:30:43.681242: | Comparing remote proposal 4 containing 13 transforms against local proposal [1..0] of 4 local proposals Aug 26 13:30:43.681245: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.681248: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.681250: | length: 12 (0xc) Aug 26 13:30:43.681253: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:30:43.681256: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 13:30:43.681259: | ******parse IKEv2 Attribute Substructure Payload: Aug 26 13:30:43.681261: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:30:43.681264: | length/value: 128 (0x80) Aug 26 13:30:43.681267: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.681270: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.681272: | length: 8 (0x8) Aug 26 
13:30:43.681275: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:30:43.681278: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Aug 26 13:30:43.681281: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.681283: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.681286: | length: 8 (0x8) Aug 26 13:30:43.681293: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:30:43.681298: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Aug 26 13:30:43.681301: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.681304: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.681307: | length: 8 (0x8) Aug 26 13:30:43.681310: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:30:43.681314: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Aug 26 13:30:43.681317: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.681320: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.681322: | length: 8 (0x8) Aug 26 13:30:43.681325: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:30:43.681328: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Aug 26 13:30:43.681331: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.681334: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.681336: | length: 8 (0x8) Aug 26 13:30:43.681339: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:43.681342: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:30:43.681345: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.681348: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.681350: | length: 8 (0x8) Aug 26 13:30:43.681353: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:43.681356: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Aug 26 13:30:43.681358: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.681361: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.681364: | length: 8 (0x8) Aug 26 13:30:43.681366: | 
IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:43.681369: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Aug 26 13:30:43.681372: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.681375: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.681377: | length: 8 (0x8) Aug 26 13:30:43.681380: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:43.681383: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Aug 26 13:30:43.681386: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.681389: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.681391: | length: 8 (0x8) Aug 26 13:30:43.681394: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:43.681396: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Aug 26 13:30:43.681399: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.681402: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.681405: | length: 8 (0x8) Aug 26 13:30:43.681407: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:43.681410: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Aug 26 13:30:43.681413: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.681416: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.681419: | length: 8 (0x8) Aug 26 13:30:43.681421: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:43.681424: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Aug 26 13:30:43.681427: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.681430: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:30:43.681432: | length: 8 (0x8) Aug 26 13:30:43.681435: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:43.681438: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Aug 26 13:30:43.681442: | remote proposal 4 proposed transforms: ENCR+PRF+INTEG+DH; matched: none; unmatched: ENCR+PRF+INTEG+DH Aug 26 13:30:43.681445: | remote proposal 4 does not match; unmatched remote transforms: ENCR+PRF+INTEG+DH 
Aug 26 13:30:43.681451: "eastnet-northnet"[1] 192.1.3.33 #1: proposal 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519[first-match] 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 Aug 26 13:30:43.681457: | accepted IKE proposal ikev2_proposal: 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048 Aug 26 13:30:43.681460: | converting proposal to internal trans attrs Aug 26 13:30:43.681465: | natd_hash: rcookie is zero Aug 26 13:30:43.681479: | natd_hash: hasher=0x5633060a4800(20) Aug 26 13:30:43.681482: | natd_hash: icookie= 4d 32 ac ac c7 3d 7a d4 Aug 26 13:30:43.681485: | natd_hash: rcookie= 00 00 00 00 00 00 00 00 Aug 26 13:30:43.681487: | natd_hash: ip= c0 01 02 17 Aug 26 13:30:43.681490: | natd_hash: port=500 Aug 26 13:30:43.681493: | natd_hash: hash= b7 3c fe cd 64 46 00 b9 cf b8 ee 19 c1 7d bf 6b Aug 26 13:30:43.681495: | natd_hash: hash= 0c 6e 2c 0b Aug 26 13:30:43.681498: | natd_hash: rcookie is zero Aug 26 13:30:43.681505: | natd_hash: hasher=0x5633060a4800(20) Aug 26 13:30:43.681508: | natd_hash: icookie= 4d 32 ac ac c7 3d 7a d4 Aug 26 13:30:43.681510: | natd_hash: rcookie= 00 00 00 00 00 00 00 00 Aug 26 13:30:43.681513: | natd_hash: ip= c0 01 03 21 Aug 26 13:30:43.681515: | natd_hash: port=500 Aug 26 13:30:43.681518: | natd_hash: hash= 12 e9 0f 21 9a 6e 02 1e df 
c8 ab 45 ff 17 e9 bb Aug 26 13:30:43.681520: | natd_hash: hash= 82 a5 c7 f6 Aug 26 13:30:43.681523: | NAT_TRAVERSAL encaps using auto-detect Aug 26 13:30:43.681526: | NAT_TRAVERSAL this end is NOT behind NAT Aug 26 13:30:43.681528: | NAT_TRAVERSAL that end is NOT behind NAT Aug 26 13:30:43.681532: | NAT_TRAVERSAL nat-keepalive enabled 192.1.3.33 Aug 26 13:30:43.681538: | adding ikev2_inI1outR1 KE work-order 1 for state #1 Aug 26 13:30:43.681542: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x5633078ba438 Aug 26 13:30:43.681546: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 Aug 26 13:30:43.681549: | libevent_malloc: new ptr-libevent@0x5633078bcbb8 size 128 Aug 26 13:30:43.681563: | #1 spent 1.11 milliseconds in processing: Respond to IKE_SA_INIT in ikev2_process_state_packet() Aug 26 13:30:43.681569: | crypto helper 1 resuming Aug 26 13:30:43.681571: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:30:43.681590: | crypto helper 1 starting work-order 1 for state #1 Aug 26 13:30:43.681592: | #1 complete_v2_state_transition() PARENT_R0->PARENT_R1 with status STF_SUSPEND Aug 26 13:30:43.681597: | suspending state #1 and saving MD Aug 26 13:30:43.681597: | crypto helper 1 doing build KE and nonce (ikev2_inI1outR1 KE); request ID 1 Aug 26 13:30:43.681604: | #1 is busy; has a suspended MD Aug 26 13:30:43.681616: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in log_stf_suspend() at ikev2.c:3269) Aug 26 13:30:43.681621: | "eastnet-northnet"[1] 192.1.3.33 #1 complete v2 state STATE_PARENT_R0 transition with STF_SUSPEND suspended from complete_v2_state_transition:3451 Aug 26 13:30:43.681627: | stop processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2018) Aug 26 13:30:43.681633: | #1 spent 1.75 milliseconds in 
ikev2_process_packet() Aug 26 13:30:43.681637: | stop processing: from 192.1.3.33:500 (in process_md() at demux.c:380) Aug 26 13:30:43.681640: | processing: STOP state #0 (in process_md() at demux.c:382) Aug 26 13:30:43.681644: | processing: STOP connection NULL (in process_md() at demux.c:383) Aug 26 13:30:43.681648: | spent 1.76 milliseconds in comm_handle_cb() reading and processing packet Aug 26 13:30:43.682314: | crypto helper 1 finished build KE and nonce (ikev2_inI1outR1 KE); request ID 1 time elapsed 0.000717 seconds Aug 26 13:30:43.682328: | (#1) spent 0.71 milliseconds in crypto helper computing work-order 1: ikev2_inI1outR1 KE (pcr) Aug 26 13:30:43.682332: | crypto helper 1 sending results from work-order 1 for state #1 to event queue Aug 26 13:30:43.682338: | scheduling resume sending helper answer for #1 Aug 26 13:30:43.682342: | libevent_malloc: new ptr-libevent@0x7fb3ec002888 size 128 Aug 26 13:30:43.682350: | crypto helper 1 waiting (nothing to do) Aug 26 13:30:43.682358: | processing resume sending helper answer for #1 Aug 26 13:30:43.682367: | start processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in resume_handler() at server.c:797) Aug 26 13:30:43.682371: | crypto helper 1 replies to request ID 1 Aug 26 13:30:43.682374: | calling continuation function 0x563305fcfb50 Aug 26 13:30:43.682377: | ikev2_parent_inI1outR1_continue for #1: calculated ke+nonce, sending R1 Aug 26 13:30:43.682408: | **emit ISAKMP Message: Aug 26 13:30:43.682412: | initiator cookie: Aug 26 13:30:43.682414: | 4d 32 ac ac c7 3d 7a d4 Aug 26 13:30:43.682417: | responder cookie: Aug 26 13:30:43.682419: | 15 7e 08 72 b6 ba 33 73 Aug 26 13:30:43.682422: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 13:30:43.682425: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:30:43.682428: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) Aug 26 13:30:43.682431: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Aug 26 13:30:43.682433: | 
Message ID: 0 (0x0) Aug 26 13:30:43.682437: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 13:30:43.682440: | Emitting ikev2_proposal ... Aug 26 13:30:43.682442: | ***emit IKEv2 Security Association Payload: Aug 26 13:30:43.682445: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:30:43.682448: | flags: none (0x0) Aug 26 13:30:43.682451: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Aug 26 13:30:43.682454: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Aug 26 13:30:43.682457: | ****emit IKEv2 Proposal Substructure Payload: Aug 26 13:30:43.682460: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 13:30:43.682462: | prop #: 1 (0x1) Aug 26 13:30:43.682465: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 13:30:43.682468: | spi size: 0 (0x0) Aug 26 13:30:43.682470: | # transforms: 3 (0x3) Aug 26 13:30:43.682473: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Aug 26 13:30:43.682476: | *****emit IKEv2 Transform Substructure Payload: Aug 26 13:30:43.682479: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.682481: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:30:43.682484: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 13:30:43.682487: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:30:43.682490: | ******emit IKEv2 Attribute Substructure Payload: Aug 26 13:30:43.682493: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:30:43.682495: | length/value: 256 (0x100) Aug 26 13:30:43.682498: | emitting length of IKEv2 Transform Substructure Payload: 12 Aug 26 13:30:43.682501: | *****emit IKEv2 Transform Substructure Payload: Aug 26 13:30:43.682503: | last transform: 
v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.682506: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:30:43.682509: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Aug 26 13:30:43.682512: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.682515: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:30:43.682518: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:30:43.682521: | *****emit IKEv2 Transform Substructure Payload: Aug 26 13:30:43.682523: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:30:43.682526: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:43.682528: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:30:43.682534: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.682537: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:30:43.682539: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:30:43.682542: | emitting length of IKEv2 Proposal Substructure Payload: 36 Aug 26 13:30:43.682545: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Aug 26 13:30:43.682548: | emitting length of IKEv2 Security Association Payload: 40 Aug 26 13:30:43.682550: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Aug 26 13:30:43.682554: | ***emit IKEv2 Key Exchange Payload: Aug 26 13:30:43.682557: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:30:43.682560: | flags: none (0x0) Aug 26 13:30:43.682562: | DH group: OAKLEY_GROUP_MODP2048 (0xe) 
Aug 26 13:30:43.682566: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Key Exchange Payload (34:ISAKMP_NEXT_v2KE) Aug 26 13:30:43.682569: | next payload chain: saving location 'IKEv2 Key Exchange Payload'.'next payload type' in 'reply packet' Aug 26 13:30:43.682572: | emitting 256 raw bytes of ikev2 g^x into IKEv2 Key Exchange Payload Aug 26 13:30:43.682616: | emitting length of IKEv2 Key Exchange Payload: 264 Aug 26 13:30:43.682619: | ***emit IKEv2 Nonce Payload: Aug 26 13:30:43.682621: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 13:30:43.682624: | flags: none (0x0) Aug 26
13:30:43.682627: | next payload chain: ignoring supplied 'IKEv2 Nonce Payload'.'next payload type' value 41:ISAKMP_NEXT_v2N Aug 26 13:30:43.682630: | next payload chain: setting previous 'IKEv2 Key Exchange Payload'.'next payload type' to current IKEv2 Nonce Payload (40:ISAKMP_NEXT_v2Ni) Aug 26 13:30:43.682633: | next payload chain: saving location 'IKEv2 Nonce Payload'.'next payload type' in 'reply packet' Aug 26 13:30:43.682636: | emitting 32 raw bytes of IKEv2 nonce into IKEv2 Nonce Payload Aug 26 13:30:43.682639: | IKEv2 nonce 14 0b 14 f8 07 6c a5 37 dd 27 8f 9a 12 0a da e6 Aug 26 13:30:43.682642: | IKEv2 nonce 39 d1 e1 2d 02 4c d1 98 ad 0d e0 1e a0 61 60 d9 Aug 26 13:30:43.682644: | emitting length of IKEv2 Nonce Payload: 36 Aug 26 13:30:43.682647: | Adding a v2N Payload Aug 26 13:30:43.682650: | ***emit IKEv2 Notify Payload: Aug 26 13:30:43.682654: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:30:43.682656: | flags: none (0x0) Aug 26 13:30:43.682659: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:30:43.682662: | SPI size: 0 (0x0) Aug 26 13:30:43.682665: | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) Aug 26 13:30:43.682668: | next payload chain: setting previous 'IKEv2 Nonce Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Aug 26 13:30:43.682670: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Aug 26 13:30:43.682673: | emitting length of IKEv2 Notify Payload: 8 Aug 26 13:30:43.682676: | NAT-Traversal support [enabled] add v2N payloads. 
Aug 26 13:30:43.682686: | natd_hash: hasher=0x5633060a4800(20) Aug 26 13:30:43.682689: | natd_hash: icookie= 4d 32 ac ac c7 3d 7a d4 Aug 26 13:30:43.682691: | natd_hash: rcookie= 15 7e 08 72 b6 ba 33 73 Aug 26 13:30:43.682694: | natd_hash: ip= c0 01 02 17 Aug 26 13:30:43.682696: | natd_hash: port=500 Aug 26 13:30:43.682699: | natd_hash: hash= f3 d5 eb 5d 4e b6 fb f3 c3 09 a2 2a 1f 18 87 bd Aug 26 13:30:43.682701: | natd_hash: hash= 6d 16 15 14 Aug 26 13:30:43.682703: | Adding a v2N Payload Aug 26 13:30:43.682706: | ***emit IKEv2 Notify Payload: Aug 26 13:30:43.682708: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:30:43.682711: | flags: none (0x0) Aug 26 13:30:43.682713: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:30:43.682716: | SPI size: 0 (0x0) Aug 26 13:30:43.682718: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Aug 26 13:30:43.682721: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Aug 26 13:30:43.682724: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Aug 26 13:30:43.682727: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Aug 26 13:30:43.682730: | Notify data f3 d5 eb 5d 4e b6 fb f3 c3 09 a2 2a 1f 18 87 bd Aug 26 13:30:43.682733: | Notify data 6d 16 15 14 Aug 26 13:30:43.682735: | emitting length of IKEv2 Notify Payload: 28 Aug 26 13:30:43.682741: | natd_hash: hasher=0x5633060a4800(20) Aug 26 13:30:43.682744: | natd_hash: icookie= 4d 32 ac ac c7 3d 7a d4 Aug 26 13:30:43.682747: | natd_hash: rcookie= 15 7e 08 72 b6 ba 33 73 Aug 26 13:30:43.682749: | natd_hash: ip= c0 01 03 21 Aug 26 13:30:43.682751: | natd_hash: port=500 Aug 26 13:30:43.682754: | natd_hash: hash= 0d d7 76 a4 b3 96 7d 3f 9e bb 1c b6 98 e4 ec 8c Aug 26 13:30:43.682756: | natd_hash: hash= 74 eb b4 ec Aug 26 13:30:43.682759: | Adding a v2N Payload Aug 26 13:30:43.682761: | ***emit IKEv2 Notify Payload: Aug 26 
13:30:43.682764: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:30:43.682766: | flags: none (0x0) Aug 26 13:30:43.682769: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:30:43.682771: | SPI size: 0 (0x0) Aug 26 13:30:43.682774: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Aug 26 13:30:43.682777: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Aug 26 13:30:43.682780: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Aug 26 13:30:43.682783: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Aug 26 13:30:43.682785: | Notify data 0d d7 76 a4 b3 96 7d 3f 9e bb 1c b6 98 e4 ec 8c Aug 26 13:30:43.682788: | Notify data 74 eb b4 ec Aug 26 13:30:43.682790: | emitting length of IKEv2 Notify Payload: 28 Aug 26 13:30:43.682793: | emitting length of ISAKMP Message: 432 Aug 26 13:30:43.682803: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:30:43.682807: | #1 complete_v2_state_transition() PARENT_R0->PARENT_R1 with status STF_OK Aug 26 13:30:43.682810: | IKEv2: transition from state STATE_PARENT_R0 to state STATE_PARENT_R1 Aug 26 13:30:43.682815: | parent state #1: PARENT_R0(half-open IKE SA) => PARENT_R1(half-open IKE SA) Aug 26 13:30:43.682818: | Message ID: updating counters for #1 to 0 after switching state Aug 26 13:30:43.682824: | Message ID: recv #1 request 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1->0 wip.initiator=-1 wip.responder=0->-1 Aug 26 13:30:43.682828: | Message ID: sent #1 response 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1->0 responder.recv=0 wip.initiator=-1 wip.responder=-1 Aug 26 13:30:43.682834: "eastnet-northnet"[1] 192.1.3.33 #1: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a 
prf=HMAC_SHA2_512 group=MODP2048} Aug 26 13:30:43.682839: | sending V2 new request packet to 192.1.3.33:500 (from 192.1.2.23:500) Aug 26 13:30:43.682845: | sending 432 bytes for STATE_PARENT_R0 through eth1 from 192.1.2.23:500 to 192.1.3.33:500 (using #1)
Aug 26 13:30:43.682969: | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted Aug 26 13:30:43.682974: | libevent_free: release ptr-libevent@0x5633078bcbb8 Aug 26 13:30:43.682978: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x5633078ba438 Aug 26 13:30:43.682981: | event_schedule: new EVENT_SO_DISCARD-pe@0x5633078ba438 Aug 26 13:30:43.682985: | inserting event EVENT_SO_DISCARD, timeout in 200 seconds for #1 Aug 26 13:30:43.682988: | libevent_malloc: new ptr-libevent@0x5633078bdd08 size 128 Aug 26 13:30:43.682992: | resume sending helper answer for #1 suppresed complete_v2_state_transition() Aug 26 13:30:43.682997: | #1 spent 0.595 milliseconds in resume sending helper answer Aug 26 13:30:43.683004: | stop processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in resume_handler() at server.c:833) Aug 26 13:30:43.683007: | libevent_free: release ptr-libevent@0x7fb3ec002888 Aug 26 13:30:43.685574: | spent 0.00243 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Aug 26 13:30:43.685596: | *received 241 bytes from 192.1.3.33:500 on eth1 (192.1.2.23:500)
Aug 26 13:30:43.685642: | start processing: from 192.1.3.33:500 (in process_md() at demux.c:378) Aug 26 13:30:43.685646: | **parse ISAKMP Message: Aug 26 13:30:43.685649: | initiator cookie: Aug 26 13:30:43.685651: | 4d 32 ac ac c7 3d 7a d4 Aug 26 13:30:43.685654: | responder cookie: Aug 26 13:30:43.685656: | 15 7e 08 72 b6 ba 33 73 Aug 26 13:30:43.685659: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Aug 26 13:30:43.685662: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:30:43.685665: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Aug 26 13:30:43.685668: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Aug 26 13:30:43.685670: | Message ID: 1 (0x1) Aug 26 13:30:43.685673: | length: 241 (0xf1) Aug 26 13:30:43.685676: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) Aug 26 13:30:43.685679: | I am the IKE SA Original Responder receiving an IKEv2 IKE_AUTH request Aug 26 13:30:43.685683: | State DB: found IKEv2 state #1 in PARENT_R1 (find_v2_ike_sa) Aug 26 13:30:43.685691: | start processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2016) Aug 26 13:30:43.685694: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Aug 26 13:30:43.685700: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in ike_process_packet() at ikev2.c:2064) Aug 26 13:30:43.685703: | #1 st.st_msgid_lastrecv 0 md.hdr.isa_msgid
00000001 Aug 26 13:30:43.685708: | Message ID: #1 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 Aug 26 13:30:43.685710: | unpacking clear payload Aug 26 13:30:43.685713: | Now let's proceed with payload (ISAKMP_NEXT_v2SK) Aug 26 13:30:43.685716: | ***parse IKEv2 Encryption Payload: Aug 26 13:30:43.685719: | next payload type: ISAKMP_NEXT_v2IDi (0x23) Aug 26 13:30:43.685721: | flags: none (0x0) Aug 26 13:30:43.685724: | length: 213 (0xd5) Aug 26 13:30:43.685727: | processing payload: ISAKMP_NEXT_v2SK (len=209) Aug 26 13:30:43.685731: | Message ID: start-responder #1 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=-1->1 Aug 26 13:30:43.685734: | #1 in state PARENT_R1: received v2I1, sent v2R1 Aug 26 13:30:43.685737: | selected state microcode Responder: process IKE_AUTH request (no SKEYSEED) Aug 26 13:30:43.685740: | Now let's proceed with state specific processing Aug 26 13:30:43.685743: | calling processor Responder: process IKE_AUTH request (no SKEYSEED) Aug 26 13:30:43.685746: | ikev2 parent inI2outR2: calculating g^{xy} in order to decrypt I2 Aug 26 13:30:43.685750: | offloading IKEv2 SKEYSEED using prf=HMAC_SHA2_512 integ=NONE cipherkey=AES_GCM_16 Aug 26 13:30:43.685755: | adding ikev2_inI2outR2 KE work-order 2 for state #1 Aug 26 13:30:43.685759: | state #1 requesting EVENT_SO_DISCARD to be deleted Aug 26 13:30:43.685762: | libevent_free: release ptr-libevent@0x5633078bdd08 Aug 26 13:30:43.685765: | free_event_entry: release EVENT_SO_DISCARD-pe@0x5633078ba438 Aug 26 13:30:43.685768: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x5633078ba438 Aug 26 13:30:43.685772: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 Aug 26 13:30:43.685775: | libevent_malloc: new ptr-libevent@0x7fb3ec002888 size 128 Aug 26 13:30:43.685785: | #1 spent 0.0378 milliseconds in processing: Responder: process IKE_AUTH request (no SKEYSEED) 
in ikev2_process_state_packet() Aug 26 13:30:43.685791: | crypto helper 0 resuming Aug 26 13:30:43.685792: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:30:43.685808: | crypto helper 0 starting work-order 2 for state #1 Aug 26 13:30:43.685811: | #1 complete_v2_state_transition() PARENT_R1->PARENT_R1 with status STF_SUSPEND Aug 26 13:30:43.685814: | crypto helper 0 doing compute dh (V2) (ikev2_inI2outR2 KE); request ID 2 Aug 26 13:30:43.685815: | suspending state #1 and saving MD Aug 26 13:30:43.685831: | #1 is busy; has a suspended MD Aug 26 13:30:43.685841: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in log_stf_suspend() at ikev2.c:3269) Aug 26 13:30:43.685846: | "eastnet-northnet"[1] 192.1.3.33 #1 complete v2 state STATE_PARENT_R1 transition with STF_SUSPEND suspended from complete_v2_state_transition:3451 Aug 26 13:30:43.685852: | stop processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2018) Aug 26 13:30:43.685858: | #1 spent 0.261 milliseconds in ikev2_process_packet() Aug 26 13:30:43.685863: | stop processing: from 192.1.3.33:500 (in process_md() at demux.c:380) Aug 26 13:30:43.685866: | processing: STOP state #0 (in process_md() at demux.c:382) Aug 26 13:30:43.685869: | processing: STOP connection NULL (in process_md() at demux.c:383) Aug 26 13:30:43.685873: | spent 0.277 milliseconds in comm_handle_cb() reading and processing packet Aug 26 13:30:43.686787: | calculating skeyseed using prf=sha2_512 integ=none cipherkey-size=32 salt-size=4 Aug 26 13:30:43.687246: | crypto helper 0 finished compute dh (V2) (ikev2_inI2outR2 KE); request ID 2 time elapsed 0.00143 seconds Aug 26 13:30:43.687256: | (#1) spent 1.4 milliseconds in crypto helper computing work-order 2: ikev2_inI2outR2 KE (pcr) Aug 26 13:30:43.687260: | crypto helper 
0 sending results from work-order 2 for state #1 to event queue Aug 26 13:30:43.687263: | scheduling resume sending helper answer for #1 Aug 26 13:30:43.687266: | libevent_malloc: new ptr-libevent@0x7fb3e4000f48 size 128 Aug 26 13:30:43.687274: | crypto helper 0 waiting (nothing to do) Aug 26 13:30:43.687283: | processing resume sending helper answer for #1 Aug 26 13:30:43.687312: | start processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in resume_handler() at server.c:797) Aug 26 13:30:43.687320: | crypto helper 0 replies to request ID 2 Aug 26 13:30:43.687323: | calling continuation function 0x563305fcfb50 Aug 26 13:30:43.687326: | ikev2_parent_inI2outR2_continue for #1: calculating g^{xy}, sending R2 Aug 26 13:30:43.687330: | #1 in state PARENT_R1: received v2I1, sent v2R1 Aug 26 13:30:43.687343: | #1 ikev2 ISAKMP_v2_IKE_AUTH decrypt success Aug 26 13:30:43.687346: | Now let's proceed with payload (ISAKMP_NEXT_v2IDi) Aug 26 13:30:43.687350: | **parse IKEv2 Identification - Initiator - Payload: Aug 26 13:30:43.687353: | next payload type: ISAKMP_NEXT_v2AUTH (0x27) Aug 26 13:30:43.687356: | flags: none (0x0) Aug 26 13:30:43.687358: | length: 12 (0xc) Aug 26 13:30:43.687361: | ID type: ID_IPV4_ADDR (0x1) Aug 26 13:30:43.687364: | processing payload: ISAKMP_NEXT_v2IDi (len=4) Aug 26 13:30:43.687370: | Now let's proceed with payload (ISAKMP_NEXT_v2AUTH) Aug 26 13:30:43.687374: | **parse IKEv2 Authentication Payload: Aug 26 13:30:43.687377: | next payload type: ISAKMP_NEXT_v2SA (0x21) Aug 26 13:30:43.687380: | flags: none (0x0) Aug 26 13:30:43.687382: | length: 72 (0x48) Aug 26 13:30:43.687385: | auth method: IKEv2_AUTH_SHARED (0x2) Aug 26 13:30:43.687388: | processing payload: ISAKMP_NEXT_v2AUTH (len=64) Aug 26 13:30:43.687391: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Aug 26 13:30:43.687393: | **parse IKEv2 Security Association Payload: Aug 26 13:30:43.687396: | next payload type: ISAKMP_NEXT_v2TSi (0x2c) Aug 26 
13:30:43.687399: | flags: none (0x0) Aug 26 13:30:43.687401: | length: 44 (0x2c) Aug 26 13:30:43.687404: | processing payload: ISAKMP_NEXT_v2SA (len=40) Aug 26 13:30:43.687407: | Now let's proceed with payload (ISAKMP_NEXT_v2TSi) Aug 26 13:30:43.687410: | **parse IKEv2 Traffic Selector - Initiator - Payload: Aug 26 13:30:43.687412: | next payload type: ISAKMP_NEXT_v2TSr (0x2d) Aug 26 13:30:43.687415: | flags: none (0x0) Aug 26 13:30:43.687417: | length: 24 (0x18) Aug 26 13:30:43.687420: | number of TS: 1 (0x1) Aug 26 13:30:43.687423: | processing payload: ISAKMP_NEXT_v2TSi (len=16) Aug 26 13:30:43.687425: | Now let's proceed with payload (ISAKMP_NEXT_v2TSr) Aug 26 13:30:43.687428: | **parse IKEv2 Traffic Selector - Responder - Payload: Aug 26 13:30:43.687431: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 13:30:43.687433: | flags: none (0x0) Aug 26 13:30:43.687436: | length: 24 (0x18) Aug 26 13:30:43.687438: | number of TS: 1 (0x1) Aug 26 13:30:43.687441: | processing payload: ISAKMP_NEXT_v2TSr (len=16) Aug 26 13:30:43.687444: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Aug 26 13:30:43.687447: | **parse IKEv2 Notify Payload: Aug 26 13:30:43.687450: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:30:43.687452: | flags: none (0x0) Aug 26 13:30:43.687455: | length: 8 (0x8) Aug 26 13:30:43.687458: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:30:43.687460: | SPI size: 0 (0x0) Aug 26 13:30:43.687463: | Notify Message Type: v2N_MOBIKE_SUPPORTED (0x400c) Aug 26 13:30:43.687466: | processing payload: ISAKMP_NEXT_v2N (len=0) Aug 26 13:30:43.687469: | selected state microcode Responder: process IKE_AUTH request Aug 26 13:30:43.687471: | Now let's proceed with state specific processing Aug 26 13:30:43.687474: | calling processor Responder: process IKE_AUTH request Aug 26 13:30:43.687481: "eastnet-northnet"[1] 192.1.3.33 #1: processing decrypted IKE_AUTH request: SK{IDi,AUTH,SA,TSi,TSr,N} Aug 26 13:30:43.687488: | #1 updating local interface from 
192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2669) Aug 26 13:30:43.687493: | parsing 4 raw bytes of IKEv2 Identification - Initiator - Payload into peer ID Aug 26 13:30:43.687495: | peer ID c0 01 03 21 Aug 26 13:30:43.687500: | refine_host_connection for IKEv2: starting with "eastnet-northnet"[1] 192.1.3.33 Aug 26 13:30:43.687506: | match_id a=192.1.3.33 Aug 26 13:30:43.687509: | b=192.1.3.33 Aug 26 13:30:43.687512: | results matched Aug 26 13:30:43.687518: | refine_host_connection: checking "eastnet-northnet"[1] 192.1.3.33 against "eastnet-northnet"[1] 192.1.3.33, best=(none) with match=1(id=1(0)/ca=1(0)/reqca=1(0)) Aug 26 13:30:43.687520: | Warning: not switching back to template of current instance Aug 26 13:30:43.687523: | No IDr payload received from peer Aug 26 13:30:43.687528: | refine_host_connection: checked eastnet-northnet[1] 192.1.3.33 against eastnet-northnet[1] 192.1.3.33, now for see if best Aug 26 13:30:43.687533: | started looking for secret for 192.1.2.23->192.1.3.33 of kind PKK_PSK Aug 26 13:30:43.687537: | actually looking for secret for 192.1.2.23->192.1.3.33 of kind PKK_PSK Aug 26 13:30:43.687542: | line 1: key type PKK_PSK(192.1.2.23) to type PKK_PSK Aug 26 13:30:43.687546: | 1: compared key (none) to 192.1.2.23 / 192.1.3.33 -> 002 Aug 26 13:30:43.687549: | 2: compared key (none) to 192.1.2.23 / 192.1.3.33 -> 002 Aug 26 13:30:43.687553: | line 1: match=002 Aug 26 13:30:43.687556: | match 002 beats previous best_match 000 match=0x563307811c48 (line=1) Aug 26 13:30:43.687559: | concluding with best_match=002 best=0x563307811c48 (lineno=1) Aug 26 13:30:43.687561: | returning because exact peer id match Aug 26 13:30:43.687565: | offered CA: '%none' Aug 26 13:30:43.687569: "eastnet-northnet"[1] 192.1.3.33 #1: IKEv2 mode peer ID is ID_IPV4_ADDR: '192.1.3.33' Aug 26 13:30:43.687573: | received v2N_MOBIKE_SUPPORTED while it did not sent Aug 26 13:30:43.687593: | verifying AUTH payload Aug 26 13:30:43.687597: 
| ikev2_calculate_psk_sighash() called from STATE_PARENT_R1 to verify PSK with authby=secret Aug 26 13:30:43.687602: | started looking for secret for 192.1.2.23->192.1.3.33 of kind PKK_PSK Aug 26 13:30:43.687606: | actually looking for secret for 192.1.2.23->192.1.3.33 of kind PKK_PSK Aug 26 13:30:43.687611: | line 1: key type PKK_PSK(192.1.2.23) to type PKK_PSK Aug 26 13:30:43.687614: | 1: compared key (none) to 192.1.2.23 / 192.1.3.33 -> 002 Aug 26 13:30:43.687617: | 2: compared key (none) to 192.1.2.23 / 192.1.3.33 -> 002 Aug 26 13:30:43.687619: | line 1: match=002 Aug 26 13:30:43.687623: | match 002 beats previous best_match 000 match=0x563307811c48 (line=1) Aug 26 13:30:43.687626: | concluding with best_match=002 best=0x563307811c48 (lineno=1) Aug 26 13:30:43.687687: "eastnet-northnet"[1] 192.1.3.33 #1: Authenticated using authby=secret Aug 26 13:30:43.687693: | parent state #1: PARENT_R1(half-open IKE SA) => PARENT_R2(established IKE SA) Aug 26 13:30:43.687698: | #1 will start re-keying in 3330 seconds with margin of 270 seconds (attempting re-key) Aug 26 13:30:43.687701: | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted Aug 26 13:30:43.687704: | libevent_free: release ptr-libevent@0x7fb3ec002888 Aug 26 13:30:43.687707: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x5633078ba438 Aug 26 13:30:43.687710: | event_schedule: new EVENT_SA_REKEY-pe@0x5633078ba438 Aug 26 13:30:43.687714: | inserting event EVENT_SA_REKEY, timeout in 3330 seconds for #1 Aug 26 13:30:43.687717: | libevent_malloc: new ptr-libevent@0x5633078bcdc8 size 128 Aug 26 13:30:43.687803: | pstats #1 ikev2.ike established Aug 26 13:30:43.687811: | **emit ISAKMP Message: Aug 26 13:30:43.687814: | initiator cookie: Aug 26 13:30:43.687817: | 4d 32 ac ac c7 3d 7a d4 Aug 26 13:30:43.687819: | responder cookie: Aug 26 13:30:43.687822: | 15 7e 08 72 b6 ba 33 73 Aug 26 13:30:43.687825: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 13:30:43.687827: | ISAKMP version: IKEv2 version 2.0 
(rfc4306/rfc5996) (0x20) Aug 26 13:30:43.687830: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Aug 26 13:30:43.687833: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Aug 26 13:30:43.687836: | Message ID: 1 (0x1) Aug 26 13:30:43.687839: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 13:30:43.687842: | IKEv2 CERT: send a certificate? Aug 26 13:30:43.687845: | IKEv2 CERT: policy does not have RSASIG or ECDSA: PSK Aug 26 13:30:43.687848: | ***emit IKEv2 Encryption Payload: Aug 26 13:30:43.687851: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:30:43.687853: | flags: none (0x0) Aug 26 13:30:43.687856: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Aug 26 13:30:43.687859: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'reply packet' Aug 26 13:30:43.687863: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Aug 26 13:30:43.687872: | Adding a v2N Payload Aug 26 13:30:43.687875: | ****emit IKEv2 Notify Payload: Aug 26 13:30:43.687877: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:30:43.687880: | flags: none (0x0) Aug 26 13:30:43.687883: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:30:43.687885: | SPI size: 0 (0x0) Aug 26 13:30:43.687888: | Notify Message Type: v2N_MOBIKE_SUPPORTED (0x400c) Aug 26 13:30:43.687895: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Aug 26 13:30:43.687898: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Aug 26 13:30:43.687901: | emitting length of IKEv2 Notify Payload: 8 Aug 26 13:30:43.687905: | Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED Aug 26 13:30:43.687918: | ****emit IKEv2 Identification - Responder - Payload: Aug 26 13:30:43.687922: | next payload type: ISAKMP_NEXT_v2NONE (0x0) 
Aug 26 13:30:43.687924: | flags: none (0x0) Aug 26 13:30:43.687927: | ID type: ID_IPV4_ADDR (0x1) Aug 26 13:30:43.687930: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Identification - Responder - Payload (36:ISAKMP_NEXT_v2IDr) Aug 26 13:30:43.687933: | next payload chain: saving location 'IKEv2 Identification - Responder - Payload'.'next payload type' in 'reply packet' Aug 26 13:30:43.687937: | emitting 4 raw bytes of my identity into IKEv2 Identification - Responder - Payload Aug 26 13:30:43.687939: | my identity c0 01 02 17 Aug 26 13:30:43.687942: | emitting length of IKEv2 Identification - Responder - Payload: 12 Aug 26 13:30:43.687950: | assembled IDr payload Aug 26 13:30:43.687952: | CHILD SA proposals received Aug 26 13:30:43.687955: | going to assemble AUTH payload Aug 26 13:30:43.687957: | ****emit IKEv2 Authentication Payload: Aug 26 13:30:43.687960: | next payload type: ISAKMP_NEXT_v2SA (0x21) Aug 26 13:30:43.687963: | flags: none (0x0) Aug 26 13:30:43.687965: | auth method: IKEv2_AUTH_SHARED (0x2) Aug 26 13:30:43.687969: | next payload chain: ignoring supplied 'IKEv2 Authentication Payload'.'next payload type' value 33:ISAKMP_NEXT_v2SA Aug 26 13:30:43.687972: | next payload chain: setting previous 'IKEv2 Identification - Responder - Payload'.'next payload type' to current IKEv2 Authentication Payload (39:ISAKMP_NEXT_v2AUTH) Aug 26 13:30:43.687975: | next payload chain: saving location 'IKEv2 Authentication Payload'.'next payload type' in 'reply packet' Aug 26 13:30:43.687978: | ikev2_calculate_psk_sighash() called from STATE_PARENT_R2 to create PSK with authby=secret Aug 26 13:30:43.687983: | started looking for secret for 192.1.2.23->192.1.3.33 of kind PKK_PSK Aug 26 13:30:43.687987: | actually looking for secret for 192.1.2.23->192.1.3.33 of kind PKK_PSK Aug 26 13:30:43.687992: | line 1: key type PKK_PSK(192.1.2.23) to type PKK_PSK Aug 26 13:30:43.687995: | 1: compared key (none) to 192.1.2.23 / 
192.1.3.33 -> 002 Aug 26 13:30:43.687998: | 2: compared key (none) to 192.1.2.23 / 192.1.3.33 -> 002 Aug 26 13:30:43.688000: | line 1: match=002 Aug 26 13:30:43.688003: | match 002 beats previous best_match 000 match=0x563307811c48 (line=1) Aug 26 13:30:43.688006: | concluding with best_match=002 best=0x563307811c48 (lineno=1) Aug 26 13:30:43.688061: | emitting 64 raw bytes of PSK auth into IKEv2 Authentication Payload Aug 26 13:30:43.688065: | PSK auth 55 27 f2 a1 66 c7 b9 e6 e9 d2 99 98 b4 69 de 3e Aug 26 13:30:43.688067: | PSK auth 1a ed 4f fe 99 cc 58 7c 3e 40 2c 1d 4d 9e b1 4c Aug 26 13:30:43.688070: | PSK auth 50 a6 66 8a fe 68 4a 28 71 63 bb a8 70 6a 0f ec Aug 26 13:30:43.688072: | PSK auth 81 20 35 11 4d 91 99 aa ca ef ea 25 8b f4 c8 9c Aug 26 13:30:43.688075: | emitting length of IKEv2 Authentication Payload: 72 Aug 26 13:30:43.688088: | creating state object #2 at 0x5633078bed98 Aug 26 13:30:43.688091: | State DB: adding IKEv2 state #2 in UNDEFINED Aug 26 13:30:43.688095: | pstats #2 ikev2.child started Aug 26 13:30:43.688100: | duplicating state object #1 "eastnet-northnet"[1] 192.1.3.33 as #2 for IPSEC SA Aug 26 13:30:43.688105: | #2 setting local endpoint to 192.1.2.23:500 from #1.st_localport (in duplicate_state() at state.c:1484) Aug 26 13:30:43.688111: | Message ID: init_child #1.#2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0; child: wip.initiator=0->-1 wip.responder=0->-1 Aug 26 13:30:43.688118: | Message ID: switch-from #1 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=1->-1 Aug 26 13:30:43.688122: | Message ID: switch-to #1.#2 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0; child: wip.initiator=-1 wip.responder=-1->1 Aug 26 13:30:43.688126: | Child SA TS Request has ike->sa == md->st; so using parent connection Aug 26 13:30:43.688128: | TSi: parsing 1 traffic selectors Aug 26 13:30:43.688132: | ***parse 
IKEv2 Traffic Selector: Aug 26 13:30:43.688134: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 13:30:43.688137: | IP Protocol ID: 0 (0x0) Aug 26 13:30:43.688140: | length: 16 (0x10) Aug 26 13:30:43.688142: | start port: 0 (0x0) Aug 26 13:30:43.688145: | end port: 65535 (0xffff) Aug 26 13:30:43.688148: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Aug 26 13:30:43.688150: | TS low c0 00 03 00 Aug 26 13:30:43.688153: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Aug 26 13:30:43.688156: | TS high c0 00 03 ff Aug 26 13:30:43.688158: | TSi: parsed 1 traffic selectors Aug 26 13:30:43.688161: | TSr: parsing 1 traffic selectors Aug 26 13:30:43.688163: | ***parse IKEv2 Traffic Selector: Aug 26 13:30:43.688166: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 13:30:43.688168: | IP Protocol ID: 0 (0x0) Aug 26 13:30:43.688171: | length: 16 (0x10) Aug 26 13:30:43.688173: | start port: 0 (0x0) Aug 26 13:30:43.688176: | end port: 65535 (0xffff) Aug 26 13:30:43.688179: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Aug 26 13:30:43.688181: | TS low c0 00 02 00 Aug 26 13:30:43.688184: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Aug 26 13:30:43.688186: | TS high c0 00 02 ff Aug 26 13:30:43.688189: | TSr: parsed 1 traffic selectors Aug 26 13:30:43.688191: | looking for best SPD in current connection Aug 26 13:30:43.688198: | evaluating our conn="eastnet-northnet"[1] 192.1.3.33 I=192.0.3.0/24:0/0 R=192.0.2.0/24:0/0 to their: Aug 26 13:30:43.688203: | TSi[0] .net=192.0.3.0-192.0.3.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 13:30:43.688210: | match address end->client=192.0.3.0/24 == TSi[0]net=192.0.3.0-192.0.3.255: YES fitness 32 Aug 26 13:30:43.688213: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Aug 26 13:30:43.688216: | TSi[0] port match: YES fitness 65536 Aug 26 13:30:43.688219: | narrow protocol end=*0 == TSi[0]=*0: 0 Aug 26 13:30:43.688223: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Aug 26 
13:30:43.688227: | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 13:30:43.688233: | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 Aug 26 13:30:43.688236: | narrow port end=0..65535 == TSr[0]=0..65535: 0 Aug 26 13:30:43.688239: | TSr[0] port match: YES fitness 65536 Aug 26 13:30:43.688241: | narrow protocol end=*0 == TSr[0]=*0: 0 Aug 26 13:30:43.688244: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Aug 26 13:30:43.688247: | best fit so far: TSi[0] TSr[0] Aug 26 13:30:43.688250: | found better spd route for TSi[0],TSr[0] Aug 26 13:30:43.688252: | looking for better host pair Aug 26 13:30:43.688257: | find_host_pair: comparing 192.1.2.23:500 to 192.1.3.33:500 but ignoring ports Aug 26 13:30:43.688262: | checking hostpair 192.0.2.0/24 -> 192.0.3.0/24 is found Aug 26 13:30:43.688265: | investigating connection "eastnet-northnet" as a better match Aug 26 13:30:43.688269: | match_id a=192.1.3.33 Aug 26 13:30:43.688272: | b=192.1.3.33 Aug 26 13:30:43.688274: | results matched Aug 26 13:30:43.688280: | evaluating our conn="eastnet-northnet"[1] 192.1.3.33 I=192.0.3.0/24:0/0 R=192.0.2.0/24:0/0 to their: Aug 26 13:30:43.688285: | TSi[0] .net=192.0.3.0-192.0.3.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 13:30:43.688306: | match address end->client=192.0.3.0/24 == TSi[0]net=192.0.3.0-192.0.3.255: YES fitness 32 Aug 26 13:30:43.688313: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Aug 26 13:30:43.688316: | TSi[0] port match: YES fitness 65536 Aug 26 13:30:43.688319: | narrow protocol end=*0 == TSi[0]=*0: 0 Aug 26 13:30:43.688322: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Aug 26 13:30:43.688326: | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 13:30:43.688332: | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 Aug 26 13:30:43.688335: | narrow port end=0..65535 == TSr[0]=0..65535: 0 
Aug 26 13:30:43.688338: | TSr[0] port match: YES fitness 65536 Aug 26 13:30:43.688340: | narrow protocol end=*0 == TSr[0]=*0: 0 Aug 26 13:30:43.688343: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Aug 26 13:30:43.688346: | best fit so far: TSi[0] TSr[0] Aug 26 13:30:43.688348: | did not find a better connection using host pair Aug 26 13:30:43.688351: | printing contents struct traffic_selector Aug 26 13:30:43.688354: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Aug 26 13:30:43.688356: | ipprotoid: 0 Aug 26 13:30:43.688359: | port range: 0-65535 Aug 26 13:30:43.688363: | ip range: 192.0.2.0-192.0.2.255 Aug 26 13:30:43.688365: | printing contents struct traffic_selector Aug 26 13:30:43.688368: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Aug 26 13:30:43.688370: | ipprotoid: 0 Aug 26 13:30:43.688373: | port range: 0-65535 Aug 26 13:30:43.688377: | ip range: 192.0.3.0-192.0.3.255 Aug 26 13:30:43.688381: | constructing ESP/AH proposals with all DH removed for eastnet-northnet (IKE_AUTH responder matching remote ESP/AH proposals) Aug 26 13:30:43.688386: | converting proposal AES_CBC_256-HMAC_SHA2_256_128 to ikev2 ... Aug 26 13:30:43.688392: | ... 
ikev2_proposal: 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED Aug 26 13:30:43.688398: "eastnet-northnet"[1] 192.1.3.33: constructed local ESP/AH proposals for eastnet-northnet (IKE_AUTH responder matching remote ESP/AH proposals): 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED Aug 26 13:30:43.688401: | Comparing remote proposals against IKE_AUTH responder matching remote ESP/AH proposals 1 local proposals Aug 26 13:30:43.688407: | local proposal 1 type ENCR has 1 transforms Aug 26 13:30:43.688409: | local proposal 1 type PRF has 0 transforms Aug 26 13:30:43.688412: | local proposal 1 type INTEG has 1 transforms Aug 26 13:30:43.688415: | local proposal 1 type DH has 1 transforms Aug 26 13:30:43.688417: | local proposal 1 type ESN has 1 transforms Aug 26 13:30:43.688421: | local proposal 1 transforms: required: ENCR+INTEG+ESN; optional: DH Aug 26 13:30:43.688425: | ***parse IKEv2 Proposal Substructure Payload: Aug 26 13:30:43.688428: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 13:30:43.688430: | length: 40 (0x28) Aug 26 13:30:43.688433: | prop #: 1 (0x1) Aug 26 13:30:43.688435: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 13:30:43.688438: | spi size: 4 (0x4) Aug 26 13:30:43.688440: | # transforms: 3 (0x3) Aug 26 13:30:43.688444: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Aug 26 13:30:43.688446: | remote SPI f7 98 fc d6 Aug 26 13:30:43.688450: | Comparing remote proposal 1 containing 3 transforms against local proposal [1..1] of 1 local proposals Aug 26 13:30:43.688453: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.688455: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.688458: | length: 12 (0xc) Aug 26 13:30:43.688460: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:30:43.688463: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 13:30:43.688466: | *****parse IKEv2 Attribute Substructure Payload: Aug 26 13:30:43.688469: | af+type: AF+IKEv2_KEY_LENGTH 
(0x800e) Aug 26 13:30:43.688471: | length/value: 256 (0x100) Aug 26 13:30:43.688476: | remote proposal 1 transform 0 (ENCR=AES_CBC_256) matches local proposal 1 type 1 (ENCR) transform 0 Aug 26 13:30:43.688480: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.688482: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.688485: | length: 8 (0x8) Aug 26 13:30:43.688488: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:30:43.688490: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Aug 26 13:30:43.688494: | remote proposal 1 transform 1 (INTEG=HMAC_SHA2_256_128) matches local proposal 1 type 3 (INTEG) transform 0 Aug 26 13:30:43.688497: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:43.688500: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:30:43.688502: | length: 8 (0x8) Aug 26 13:30:43.688505: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 13:30:43.688507: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 13:30:43.688511: | remote proposal 1 transform 2 (ESN=DISABLED) matches local proposal 1 type 5 (ESN) transform 0 Aug 26 13:30:43.688515: | remote proposal 1 proposed transforms: ENCR+INTEG+ESN; matched: ENCR+INTEG+ESN; unmatched: none Aug 26 13:30:43.688519: | comparing remote proposal 1 containing ENCR+INTEG+ESN transforms to local proposal 1; required: ENCR+INTEG+ESN; optional: DH; matched: ENCR+INTEG+ESN Aug 26 13:30:43.688522: | remote proposal 1 matches local proposal 1 Aug 26 13:30:43.688528: "eastnet-northnet"[1] 192.1.3.33 #1: proposal 1:ESP:SPI=f798fcd6;ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED chosen from remote proposals 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED[first-match] Aug 26 13:30:43.688534: | IKE_AUTH responder matching remote ESP/AH proposals ikev2_proposal: 1:ESP:SPI=f798fcd6;ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED Aug 26 13:30:43.688537: | converting proposal to internal trans attrs Aug 26 13:30:43.688557: | netlink_get_spi: allocated 
0x4920f818 for esp.0@192.1.2.23 Aug 26 13:30:43.688560: | Emitting ikev2_proposal ... Aug 26 13:30:43.688563: | ****emit IKEv2 Security Association Payload: Aug 26 13:30:43.688566: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:30:43.688569: | flags: none (0x0) Aug 26 13:30:43.688572: | next payload chain: setting previous 'IKEv2 Authentication Payload'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Aug 26 13:30:43.688575: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Aug 26 13:30:43.688578: | *****emit IKEv2 Proposal Substructure Payload: Aug 26 13:30:43.688581: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 13:30:43.688583: | prop #: 1 (0x1) Aug 26 13:30:43.688586: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 13:30:43.688588: | spi size: 4 (0x4) Aug 26 13:30:43.688591: | # transforms: 3 (0x3) Aug 26 13:30:43.688594: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Aug 26 13:30:43.688597: | emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload Aug 26 13:30:43.688600: | our spi 49 20 f8 18 Aug 26 13:30:43.688602: | ******emit IKEv2 Transform Substructure Payload: Aug 26 13:30:43.688605: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.688607: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:30:43.688610: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 13:30:43.688613: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:30:43.688616: | *******emit IKEv2 Attribute Substructure Payload: Aug 26 13:30:43.688619: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:30:43.688622: | length/value: 256 (0x100) Aug 26 13:30:43.688625: | emitting length of IKEv2 Transform Substructure Payload: 12 Aug 26 13:30:43.688627: | ******emit IKEv2 Transform Substructure 
Payload: Aug 26 13:30:43.688630: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.688632: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:30:43.688635: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Aug 26 13:30:43.688640: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.688643: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:30:43.688646: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:30:43.688648: | ******emit IKEv2 Transform Substructure Payload: Aug 26 13:30:43.688651: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:30:43.688654: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 13:30:43.688656: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 13:30:43.688659: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:43.688662: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:30:43.688665: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:30:43.688667: | emitting length of IKEv2 Proposal Substructure Payload: 40 Aug 26 13:30:43.688670: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Aug 26 13:30:43.688673: | emitting length of IKEv2 Security Association Payload: 44 Aug 26 13:30:43.688676: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Aug 26 13:30:43.688679: | received v2N_MOBIKE_SUPPORTED Aug 26 13:30:43.688682: | ****emit IKEv2 Traffic Selector - Initiator - Payload: Aug 26 13:30:43.688685: | next payload type: 
ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:30:43.688687: | flags: none (0x0) Aug 26 13:30:43.688690: | number of TS: 1 (0x1) Aug 26 13:30:43.688693: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Traffic Selector - Initiator - Payload (44:ISAKMP_NEXT_v2TSi) Aug 26 13:30:43.688696: | next payload chain: saving location 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' in 'reply packet' Aug 26 13:30:43.688699: | *****emit IKEv2 Traffic Selector: Aug 26 13:30:43.688701: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 13:30:43.688704: | IP Protocol ID: 0 (0x0) Aug 26 13:30:43.688707: | start port: 0 (0x0) Aug 26 13:30:43.688709: | end port: 65535 (0xffff) Aug 26 13:30:43.688712: | emitting 4 raw bytes of ipv4 start into IKEv2 Traffic Selector Aug 26 13:30:43.688715: | ipv4 start c0 00 03 00 Aug 26 13:30:43.688718: | emitting 4 raw bytes of ipv4 end into IKEv2 Traffic Selector Aug 26 13:30:43.688720: | ipv4 end c0 00 03 ff Aug 26 13:30:43.688723: | emitting length of IKEv2 Traffic Selector: 16 Aug 26 13:30:43.688725: | emitting length of IKEv2 Traffic Selector - Initiator - Payload: 24 Aug 26 13:30:43.688728: | ****emit IKEv2 Traffic Selector - Responder - Payload: Aug 26 13:30:43.688730: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:30:43.688733: | flags: none (0x0) Aug 26 13:30:43.688735: | number of TS: 1 (0x1) Aug 26 13:30:43.688739: | next payload chain: setting previous 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' to current IKEv2 Traffic Selector - Responder - Payload (45:ISAKMP_NEXT_v2TSr) Aug 26 13:30:43.688742: | next payload chain: saving location 'IKEv2 Traffic Selector - Responder - Payload'.'next payload type' in 'reply packet' Aug 26 13:30:43.688744: | *****emit IKEv2 Traffic Selector: Aug 26 13:30:43.688747: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 13:30:43.688749: | IP Protocol ID: 0 (0x0) Aug 26 13:30:43.688752: | start port: 0 (0x0) Aug 
26 13:30:43.688754: | end port: 65535 (0xffff) Aug 26 13:30:43.688757: | emitting 4 raw bytes of ipv4 start into IKEv2 Traffic Selector Aug 26 13:30:43.688760: | ipv4 start c0 00 02 00 Aug 26 13:30:43.688763: | emitting 4 raw bytes of ipv4 end into IKEv2 Traffic Selector Aug 26 13:30:43.688767: | ipv4 end c0 00 02 ff Aug 26 13:30:43.688770: | emitting length of IKEv2 Traffic Selector: 16 Aug 26 13:30:43.688772: | emitting length of IKEv2 Traffic Selector - Responder - Payload: 24 Aug 26 13:30:43.688775: | Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED Aug 26 13:30:43.688779: | integ=sha2_256: .key_size=32 encrypt=aes: .key_size=32 .salt_size=0 keymat_len=64 Aug 26 13:30:43.688932: | FOR_EACH_CONNECTION_... in ISAKMP_SA_established Aug 26 13:30:43.688941: | #1 spent 1.44 milliseconds Aug 26 13:30:43.688944: | install_ipsec_sa() for #2: inbound and outbound Aug 26 13:30:43.688947: | could_route called for eastnet-northnet (kind=CK_INSTANCE) Aug 26 13:30:43.688950: | FOR_EACH_CONNECTION_... 
in route_owner Aug 26 13:30:43.688953: | conn eastnet-northnet mark 0/00000000, 0/00000000 vs Aug 26 13:30:43.688956: | conn eastnet-northnet mark 0/00000000, 0/00000000 Aug 26 13:30:43.688959: | conn eastnet-northnet mark 0/00000000, 0/00000000 vs Aug 26 13:30:43.688962: | conn eastnet-northnet mark 0/00000000, 0/00000000 Aug 26 13:30:43.688967: | route owner of "eastnet-northnet"[1] 192.1.3.33 unrouted: NULL; eroute owner: NULL Aug 26 13:30:43.688971: | looking for alg with encrypt: AES_CBC keylen: 256 integ: HMAC_SHA2_256_128 Aug 26 13:30:43.688974: | encrypt AES_CBC keylen=256 transid=12, key_size=32, encryptalg=12 Aug 26 13:30:43.688977: | st->st_esp.keymat_len=64 is encrypt_keymat_size=32 + integ_keymat_size=32 Aug 26 13:30:43.688981: | setting IPsec SA replay-window to 32 Aug 26 13:30:43.688984: | NIC esp-hw-offload not for connection 'eastnet-northnet' not available on interface eth1 Aug 26 13:30:43.688988: | netlink: enabling tunnel mode Aug 26 13:30:43.688991: | netlink: setting IPsec SA replay-window to 32 using old-style req Aug 26 13:30:43.688994: | netlink: esp-hw-offload not set for IPsec SA Aug 26 13:30:43.689062: | netlink response for Add SA esp.f798fcd6@192.1.3.33 included non-error error Aug 26 13:30:43.689066: | set up outgoing SA, ref=0/0 Aug 26 13:30:43.689069: | looking for alg with encrypt: AES_CBC keylen: 256 integ: HMAC_SHA2_256_128 Aug 26 13:30:43.689072: | encrypt AES_CBC keylen=256 transid=12, key_size=32, encryptalg=12 Aug 26 13:30:43.689075: | st->st_esp.keymat_len=64 is encrypt_keymat_size=32 + integ_keymat_size=32 Aug 26 13:30:43.689079: | setting IPsec SA replay-window to 32 Aug 26 13:30:43.689081: | NIC esp-hw-offload not for connection 'eastnet-northnet' not available on interface eth1 Aug 26 13:30:43.689084: | netlink: enabling tunnel mode Aug 26 13:30:43.689087: | netlink: setting IPsec SA replay-window to 32 using old-style req Aug 26 13:30:43.689089: | netlink: esp-hw-offload not set for IPsec SA Aug 26 13:30:43.689124: | 
netlink response for Add SA esp.4920f818@192.1.2.23 included non-error error Aug 26 13:30:43.689128: | priority calculation of connection "eastnet-northnet" is 0xfe7e7 Aug 26 13:30:43.689135: | add inbound eroute 192.0.3.0/24:0 --0-> 192.0.2.0/24:0 => tun.10000@192.1.2.23 (raw_eroute) Aug 26 13:30:43.689138: | IPsec Sa SPD priority set to 1042407 Aug 26 13:30:43.689161: | raw_eroute result=success Aug 26 13:30:43.689165: | set up incoming SA, ref=0/0 Aug 26 13:30:43.689167: | sr for #2: unrouted Aug 26 13:30:43.689170: | route_and_eroute() for proto 0, and source port 0 dest port 0 Aug 26 13:30:43.689173: | FOR_EACH_CONNECTION_... in route_owner Aug 26 13:30:43.689176: | conn eastnet-northnet mark 0/00000000, 0/00000000 vs Aug 26 13:30:43.689179: | conn eastnet-northnet mark 0/00000000, 0/00000000 Aug 26 13:30:43.689182: | conn eastnet-northnet mark 0/00000000, 0/00000000 vs Aug 26 13:30:43.689184: | conn eastnet-northnet mark 0/00000000, 0/00000000 Aug 26 13:30:43.689189: | route owner of "eastnet-northnet"[1] 192.1.3.33 unrouted: NULL; eroute owner: NULL Aug 26 13:30:43.689193: | route_and_eroute with c: eastnet-northnet (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: #2 Aug 26 13:30:43.689196: | priority calculation of connection "eastnet-northnet" is 0xfe7e7 Aug 26 13:30:43.689203: | eroute_connection add eroute 192.0.2.0/24:0 --0-> 192.0.3.0/24:0 => tun.0@192.1.3.33 (raw_eroute) Aug 26 13:30:43.689208: | IPsec Sa SPD priority set to 1042407 Aug 26 13:30:43.689219: | raw_eroute result=success Aug 26 13:30:43.689223: | running updown command "ipsec _updown" for verb up Aug 26 13:30:43.689226: | command executing up-client Aug 26 13:30:43.689253: | executing up-client: PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northnet' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' 
PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='192.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI Aug 26 13:30:43.689256: | popen cmd is 1048 chars long Aug 26 13:30:43.689259: | cmd( 0):PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northnet' P: Aug 26 13:30:43.689262: | cmd( 80):LUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY: Aug 26 13:30:43.689265: | cmd( 160):_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' : Aug 26 13:30:43.689268: | cmd( 240):PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLU: Aug 26 13:30:43.689270: | cmd( 320):TO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='1: Aug 26 13:30:43.689273: | cmd( 400):92.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PL: Aug 26 13:30:43.689276: | cmd( 480):UTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0': Aug 26 13:30:43.689279: | cmd( 560): PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+: Aug 26 13:30:43.689282: | cmd( 640):ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO' PLUTO_C: Aug 26 13:30:43.689284: | cmd( 720):ONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER: Aug 26 13:30:43.689287: | cmd( 800):_CISCO='0' 
PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='': Aug 26 13:30:43.689325: | cmd( 880): PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' : Aug 26 13:30:43.689328: | cmd( 960):VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0xf798fcd6 SPI_OUT=0x4920f818 ipsec _upd: Aug 26 13:30:43.689330: | cmd(1040):own 2>&1: Aug 26 13:30:43.700923: | route_and_eroute: firewall_notified: true Aug 26 13:30:43.700940: | running updown command "ipsec _updown" for verb prepare Aug 26 13:30:43.700945: | command executing prepare-client Aug 26 13:30:43.700982: | executing prepare-client: PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northnet' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='192.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARE Aug 26 13:30:43.700991: | popen cmd is 1053 chars long Aug 26 13:30:43.700995: | cmd( 0):PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northn: Aug 26 13:30:43.700998: | cmd( 80):et' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLU: Aug 26 13:30:43.701001: | cmd( 160):TO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' 
PLUTO_MY_CLIENT_NET='192.0.: Aug 26 13:30:43.701004: | cmd( 240):2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0: Aug 26 13:30:43.701007: | cmd( 320):' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_: Aug 26 13:30:43.701010: | cmd( 400):ID='192.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.: Aug 26 13:30:43.701013: | cmd( 480):0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCO: Aug 26 13:30:43.701016: | cmd( 560):L='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY=: Aug 26 13:30:43.701019: | cmd( 640):'PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO' PL: Aug 26 13:30:43.701021: | cmd( 720):UTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS: Aug 26 13:30:43.701024: | cmd( 800):_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANN: Aug 26 13:30:43.701027: | cmd( 880):ER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFAC: Aug 26 13:30:43.701030: | cmd( 960):E='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0xf798fcd6 SPI_OUT=0x4920f818 ipsec: Aug 26 13:30:43.701032: | cmd(1040): _updown 2>&1: Aug 26 13:30:43.711256: | running updown command "ipsec _updown" for verb route Aug 26 13:30:43.711271: | command executing route-client Aug 26 13:30:43.711350: | executing route-client: PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northnet' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='192.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' 
PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='n Aug 26 13:30:43.711360: | popen cmd is 1051 chars long Aug 26 13:30:43.711364: | cmd( 0):PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northnet: Aug 26 13:30:43.711367: | cmd( 80):' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO: Aug 26 13:30:43.711370: | cmd( 160):_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.: Aug 26 13:30:43.711376: | cmd( 240):0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' : Aug 26 13:30:43.711379: | cmd( 320):PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID: Aug 26 13:30:43.711381: | cmd( 400):='192.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0': Aug 26 13:30:43.711384: | cmd( 480): PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL=: Aug 26 13:30:43.711387: | cmd( 560):'0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='P: Aug 26 13:30:43.711390: | cmd( 640):SK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO' PLUT: Aug 26 13:30:43.711395: | cmd( 720):O_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_P: Aug 26 13:30:43.711398: | cmd( 800):EER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER: Aug 26 13:30:43.711400: | cmd( 880):='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE=: Aug 26 13:30:43.711403: | cmd( 960):'' VTI_ROUTING='no' VTI_SHARED='no' 
SPI_IN=0xf798fcd6 SPI_OUT=0x4920f818 ipsec _: Aug 26 13:30:43.711405: | cmd(1040):updown 2>&1: Aug 26 13:30:43.727225: | route_and_eroute: instance "eastnet-northnet"[1] 192.1.3.33, setting eroute_owner {spd=0x5633078b9d58,sr=0x5633078b9d58} to #2 (was #0) (newest_ipsec_sa=#0) Aug 26 13:30:43.727377: | #1 spent 1.86 milliseconds in install_ipsec_sa() Aug 26 13:30:43.727392: | ISAKMP_v2_IKE_AUTH: instance eastnet-northnet[1], setting IKEv2 newest_ipsec_sa to #2 (was #0) (spd.eroute=#2) cloned from #1 Aug 26 13:30:43.727397: | adding 1 bytes of padding (including 1 byte padding-length) Aug 26 13:30:43.727401: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:30:43.727407: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Aug 26 13:30:43.727410: | emitting length of IKEv2 Encryption Payload: 213 Aug 26 13:30:43.727412: | emitting length of ISAKMP Message: 241 Aug 26 13:30:43.727446: | ikev2_parent_inI2outR2_continue_tail returned STF_OK Aug 26 13:30:43.727454: | #1 spent 3.39 milliseconds in processing: Responder: process IKE_AUTH request in ikev2_process_state_packet() Aug 26 13:30:43.727464: | suspend processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:30:43.727471: | start processing: state #2 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:30:43.727475: | #2 complete_v2_state_transition() md.from_state=PARENT_R1 md.svm.state[from]=PARENT_R1 UNDEFINED->V2_IPSEC_R with status STF_OK Aug 26 13:30:43.727479: | IKEv2: transition from state STATE_PARENT_R1 to state STATE_V2_IPSEC_R Aug 26 13:30:43.727482: | child state #2: UNDEFINED(ignore) => V2_IPSEC_R(established CHILD SA) Aug 26 13:30:43.727487: | Message ID: updating counters for #2 to 1 after switching state Aug 26 13:30:43.727492: | Message ID: recv #1.#2 request 
1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0->1; child: wip.initiator=-1 wip.responder=1->-1 Aug 26 13:30:43.727497: | Message ID: sent #1.#2 response 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0->1 responder.recv=1; child: wip.initiator=-1 wip.responder=-1 Aug 26 13:30:43.727500: | pstats #2 ikev2.child established Aug 26 13:30:43.727511: "eastnet-northnet"[1] 192.1.3.33 #2: negotiated connection [192.0.2.0-192.0.2.255:0-65535 0] -> [192.0.3.0-192.0.3.255:0-65535 0] Aug 26 13:30:43.727517: | NAT-T: encaps is 'auto' Aug 26 13:30:43.727522: "eastnet-northnet"[1] 192.1.3.33 #2: STATE_V2_IPSEC_R: IPsec SA established tunnel mode {ESP=>0xf798fcd6 <0x4920f818 xfrm=AES_CBC_256-HMAC_SHA2_256_128 NATOA=none NATD=none DPD=passive} Aug 26 13:30:43.727528: | sending V2 new request packet to 192.1.3.33:500 (from 192.1.2.23:500) Aug 26 13:30:43.727537: | sending 241 bytes for STATE_PARENT_R1 through eth1 from 192.1.2.23:500 to 192.1.3.33:500 (using #1) Aug 26 13:30:43.727540: | 4d 32 ac ac c7 3d 7a d4 15 7e 08 72 b6 ba 33 73 Aug 26 13:30:43.727543: | 2e 20 23 20 00 00 00 01 00 00 00 f1 29 00 00 d5 Aug 26 13:30:43.727545: | 4b 76 ee 00 34 5d 3a 52 0f ae 0a 4a 04 ed 6e 29 Aug 26 13:30:43.727548: | e3 92 6d 59 30 61 51 d6 9f 00 ee 40 78 e1 08 c7 Aug 26 13:30:43.727550: | 6e 2a 21 6e b5 90 e7 5f 48 f4 9f 9f 01 d7 8f a4 Aug 26 13:30:43.727553: | 99 f7 5f 07 01 dd 3c 8e e4 44 6e d3 1d 47 7c af Aug 26 13:30:43.727555: | a4 51 b1 b9 83 df 26 57 f5 cf dd df 8a fc ca a7 Aug 26 13:30:43.727558: | a4 9c 1d 53 da 99 35 60 4e 56 c5 7f 81 67 0b ed Aug 26 13:30:43.727560: | 0f 49 f0 86 69 8c 74 28 93 2c a6 bf 6f b9 2b fb Aug 26 13:30:43.727566: | 5a ec 22 9c eb 79 d7 88 b7 b7 86 6f b1 ba 63 43 Aug 26 13:30:43.727568: | e4 7b 64 c2 8f 04 8b 3e 8f e2 46 11 66 0d 04 45 Aug 26 13:30:43.727570: | f3 13 af e7 18 35 e6 51 f4 f9 1e a8 79 bc 4a a4 Aug 26 13:30:43.727573: | 16 f1 43 54 bc fd 9d 30 fb f8 de 0e 6d ea a4 a1 Aug 26 13:30:43.727575: | b8 65 9d 
e3 1d e9 69 a9 31 15 55 fd 95 4e 66 ad Aug 26 13:30:43.727578: | 90 8e ec 7f 5e 30 23 52 76 ce f7 1e 79 62 4c f8 Aug 26 13:30:43.727580: | d3 Aug 26 13:30:43.727636: | releasing whack for #2 (sock=fd@-1) Aug 26 13:30:43.727643: | releasing whack and unpending for parent #1 Aug 26 13:30:43.727649: | unpending state #1 connection "eastnet-northnet"[1] 192.1.3.33 Aug 26 13:30:43.727654: | #2 will start re-keying in 28530 seconds with margin of 270 seconds (attempting re-key) Aug 26 13:30:43.727658: | event_schedule: new EVENT_SA_REKEY-pe@0x5633078bdd48 Aug 26 13:30:43.727668: | inserting event EVENT_SA_REKEY, timeout in 28530 seconds for #2 Aug 26 13:30:43.727679: | libevent_malloc: new ptr-libevent@0x5633078bd4c8 size 128 Aug 26 13:30:43.727700: | resume sending helper answer for #1 suppresed complete_v2_state_transition() Aug 26 13:30:43.727709: | #1 spent 3.76 milliseconds in resume sending helper answer Aug 26 13:30:43.727717: | stop processing: state #2 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in resume_handler() at server.c:833) Aug 26 13:30:43.727724: | libevent_free: release ptr-libevent@0x7fb3e4000f48 Aug 26 13:30:43.727739: | processing signal PLUTO_SIGCHLD Aug 26 13:30:43.727746: | waitpid returned ECHILD (no child processes left) Aug 26 13:30:43.727750: | spent 0.00578 milliseconds in signal handler PLUTO_SIGCHLD Aug 26 13:30:43.727754: | processing signal PLUTO_SIGCHLD Aug 26 13:30:43.727758: | waitpid returned ECHILD (no child processes left) Aug 26 13:30:43.727762: | spent 0.00405 milliseconds in signal handler PLUTO_SIGCHLD Aug 26 13:30:43.727765: | processing signal PLUTO_SIGCHLD Aug 26 13:30:43.727769: | waitpid returned ECHILD (no child processes left) Aug 26 13:30:43.727773: | spent 0.00396 milliseconds in signal handler PLUTO_SIGCHLD Aug 26 13:30:53.410070: | spent 0.00813 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Aug 26 13:30:53.410149: | *received 121 bytes from 192.1.8.22:500 on eth1 
(192.1.2.23:500) Aug 26 13:30:53.410166: | 4d 32 ac ac c7 3d 7a d4 15 7e 08 72 b6 ba 33 73 Aug 26 13:30:53.410177: | 2e 20 25 08 00 00 00 02 00 00 00 79 29 00 00 5d Aug 26 13:30:53.410186: | 66 df 54 6c 8c 07 9a ca 39 aa e0 fa c7 d5 70 54 Aug 26 13:30:53.410194: | 78 36 58 b1 a4 c2 4d de b9 ec d7 68 6d ee 7c b0 Aug 26 13:30:53.410203: | b9 9a 13 18 bd 1d 19 8b 05 46 72 59 13 7b f4 10 Aug 26 13:30:53.410211: | 38 77 81 af fb 71 63 45 09 c7 3f f2 04 3d b9 ff Aug 26 13:30:53.410220: | dd 7f d5 76 06 89 6e b0 ba a9 0c 9a 7e eb 47 48 Aug 26 13:30:53.410229: | ee 00 89 91 68 51 a5 88 d3 Aug 26 13:30:53.410247: | start processing: from 192.1.8.22:500 (in process_md() at demux.c:378) Aug 26 13:30:53.410260: | **parse ISAKMP Message: Aug 26 13:30:53.410270: | initiator cookie: Aug 26 13:30:53.410278: | 4d 32 ac ac c7 3d 7a d4 Aug 26 13:30:53.410287: | responder cookie: Aug 26 13:30:53.410318: | 15 7e 08 72 b6 ba 33 73 Aug 26 13:30:53.410329: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Aug 26 13:30:53.410339: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:30:53.410349: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Aug 26 13:30:53.410364: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Aug 26 13:30:53.410374: | Message ID: 2 (0x2) Aug 26 13:30:53.410383: | length: 121 (0x79) Aug 26 13:30:53.410395: | processing version=2.0 packet with exchange type=ISAKMP_v2_INFORMATIONAL (37) Aug 26 13:30:53.410407: | I am the IKE SA Original Responder receiving an IKEv2 INFORMATIONAL request Aug 26 13:30:53.410420: | State DB: found IKEv2 state #1 in PARENT_R2 (find_v2_ike_sa) Aug 26 13:30:53.410456: | start processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2016) Aug 26 13:30:53.410469: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Aug 26 13:30:53.410489: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in ike_process_packet() at 
ikev2.c:2064) Aug 26 13:30:53.410501: | #1 st.st_msgid_lastrecv 1 md.hdr.isa_msgid 00000002 Aug 26 13:30:53.410515: | Message ID: #1 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1 Aug 26 13:30:53.410524: | unpacking clear payload Aug 26 13:30:53.410533: | Now let's proceed with payload (ISAKMP_NEXT_v2SK) Aug 26 13:30:53.410543: | ***parse IKEv2 Encryption Payload: Aug 26 13:30:53.410557: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 13:30:53.410569: | flags: none (0x0) Aug 26 13:30:53.410580: | length: 93 (0x5d) Aug 26 13:30:53.410589: | processing payload: ISAKMP_NEXT_v2SK (len=89) Aug 26 13:30:53.410605: | Message ID: start-responder #1 request 2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1 wip.initiator=-1 wip.responder=-1->2 Aug 26 13:30:53.410616: | #1 in state PARENT_R2: received v2I2, PARENT SA established Aug 26 13:30:53.410670: | #1 ikev2 ISAKMP_v2_INFORMATIONAL decrypt success Aug 26 13:30:53.410684: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Aug 26 13:30:53.410694: | **parse IKEv2 Notify Payload: Aug 26 13:30:53.410703: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 13:30:53.410711: | flags: none (0x0) Aug 26 13:30:53.410719: | length: 8 (0x8) Aug 26 13:30:53.410728: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:30:53.410736: | SPI size: 0 (0x0) Aug 26 13:30:53.410746: | Notify Message Type: v2N_UPDATE_SA_ADDRESSES (0x4010) Aug 26 13:30:53.410755: | processing payload: ISAKMP_NEXT_v2N (len=0) Aug 26 13:30:53.410763: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Aug 26 13:30:53.410772: | **parse IKEv2 Notify Payload: Aug 26 13:30:53.410781: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 13:30:53.410791: | flags: none (0x0) Aug 26 13:30:53.410800: | length: 28 (0x1c) Aug 26 13:30:53.410809: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:30:53.410817: | SPI size: 0 (0x0) Aug 26 13:30:53.410826: | Notify Message Type: 
v2N_NAT_DETECTION_SOURCE_IP (0x4004) Aug 26 13:30:53.410835: | processing payload: ISAKMP_NEXT_v2N (len=20) Aug 26 13:30:53.410844: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Aug 26 13:30:53.410853: | **parse IKEv2 Notify Payload: Aug 26 13:30:53.410862: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:30:53.410870: | flags: none (0x0) Aug 26 13:30:53.410878: | length: 28 (0x1c) Aug 26 13:30:53.410886: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:30:53.410894: | SPI size: 0 (0x0) Aug 26 13:30:53.410904: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Aug 26 13:30:53.410913: | processing payload: ISAKMP_NEXT_v2N (len=20) Aug 26 13:30:53.410923: | selected state microcode R2: process Informational Request Aug 26 13:30:53.410932: | Now let's proceed with state specific processing Aug 26 13:30:53.410941: | calling processor R2: process Informational Request Aug 26 13:30:53.410955: | an informational request should send a response Aug 26 13:30:53.410965: | Need to process v2N_UPDATE_SA_ADDRESSES Aug 26 13:30:53.410974: | TODO: Need to process NAT DETECTION payload if we are initiator Aug 26 13:30:53.410982: | TODO: Need to process NAT DETECTION payload if we are initiator Aug 26 13:30:53.411003: | #2 pst=#1 MOBIKE update remote address 192.1.3.33:500 -> 192.1.8.22:500 Aug 26 13:30:53.411028: | responder migrate kernel SA esp.f798fcd6@192.1.3.33:500 to 192.1.8.22:500 reqid=16393 XFRM_OUT Aug 26 13:30:53.411203: | responder migrate kernel SA esp.4920f818@192.1.3.33:500 to 192.1.8.22:500 reqid=16393 XFRM_IN Aug 26 13:30:53.411317: | responder migrate kernel SA esp.4920f818@192.1.3.33:500 to 192.1.8.22:500 reqid=16393 XFRM_FWD Aug 26 13:30:53.411380: "eastnet-northnet"[1] 192.1.3.33 #1: success MOBIKE update remote address 192.1.3.33:500 -> 192.1.8.22:500 Aug 26 13:30:53.411401: | free hp@0x5633078ba308 Aug 26 13:30:53.411420: | connect_to_host_pair: 192.1.2.23:500 192.1.8.22:500 -> hp@(nil): none Aug 26 13:30:53.411429: | new 
hp@0x5633078ba308 Aug 26 13:30:53.411451: | #1 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2669) Aug 26 13:30:53.411467: "eastnet-northnet"[1] 192.1.8.22 #1: MOBIKE request: updating IPsec SA by request Aug 26 13:30:53.411540: | Received an INFORMATIONAL response, updating st_last_liveness, no pending_liveness Aug 26 13:30:53.411555: | **emit ISAKMP Message: Aug 26 13:30:53.411564: | initiator cookie: Aug 26 13:30:53.411571: | 4d 32 ac ac c7 3d 7a d4 Aug 26 13:30:53.411579: | responder cookie: Aug 26 13:30:53.411586: | 15 7e 08 72 b6 ba 33 73 Aug 26 13:30:53.411594: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 13:30:53.411603: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:30:53.411611: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Aug 26 13:30:53.411620: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Aug 26 13:30:53.411627: | Message ID: 2 (0x2) Aug 26 13:30:53.411636: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 13:30:53.411647: | ***emit IKEv2 Encryption Payload: Aug 26 13:30:53.411658: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:30:53.411667: | flags: none (0x0) Aug 26 13:30:53.411678: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Aug 26 13:30:53.411689: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'information exchange reply packet' Aug 26 13:30:53.411700: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Aug 26 13:30:53.411738: | adding NATD payloads to MOBIKE response Aug 26 13:30:53.411750: | NAT-Traversal support [enabled] add v2N payloads. 
Aug 26 13:30:53.411807: | natd_hash: hasher=0x5633060a4800(20) Aug 26 13:30:53.411820: | natd_hash: icookie= 4d 32 ac ac c7 3d 7a d4 Aug 26 13:30:53.411829: | natd_hash: rcookie= 15 7e 08 72 b6 ba 33 73 Aug 26 13:30:53.411838: | natd_hash: ip= c0 01 02 17 Aug 26 13:30:53.411848: | natd_hash: port=500 Aug 26 13:30:53.411856: | natd_hash: hash= f3 d5 eb 5d 4e b6 fb f3 c3 09 a2 2a 1f 18 87 bd Aug 26 13:30:53.411865: | natd_hash: hash= 6d 16 15 14 Aug 26 13:30:53.411875: | Adding a v2N Payload Aug 26 13:30:53.411883: | ****emit IKEv2 Notify Payload: Aug 26 13:30:53.411893: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:30:53.411904: | flags: none (0x0) Aug 26 13:30:53.411915: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:30:53.411924: | SPI size: 0 (0x0) Aug 26 13:30:53.411933: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Aug 26 13:30:53.411963: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Aug 26 13:30:53.411974: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'information exchange reply packet' Aug 26 13:30:53.411984: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Aug 26 13:30:53.411995: | Notify data f3 d5 eb 5d 4e b6 fb f3 c3 09 a2 2a 1f 18 87 bd Aug 26 13:30:53.412004: | Notify data 6d 16 15 14 Aug 26 13:30:53.412013: | emitting length of IKEv2 Notify Payload: 28 Aug 26 13:30:53.412037: | natd_hash: hasher=0x5633060a4800(20) Aug 26 13:30:53.412050: | natd_hash: icookie= 4d 32 ac ac c7 3d 7a d4 Aug 26 13:30:53.412057: | natd_hash: rcookie= 15 7e 08 72 b6 ba 33 73 Aug 26 13:30:53.412066: | natd_hash: ip= c0 01 08 16 Aug 26 13:30:53.412073: | natd_hash: port=500 Aug 26 13:30:53.412082: | natd_hash: hash= c6 96 80 75 e5 78 a0 78 34 8f b0 06 7a 52 e4 07 Aug 26 13:30:53.412091: | natd_hash: hash= cb 25 e5 63 Aug 26 13:30:53.412099: | Adding a v2N Payload Aug 26 13:30:53.412118: | ****emit IKEv2 
Notify Payload: Aug 26 13:30:53.412127: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:30:53.412135: | flags: none (0x0) Aug 26 13:30:53.412144: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:30:53.412153: | SPI size: 0 (0x0) Aug 26 13:30:53.412161: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Aug 26 13:30:53.412171: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Aug 26 13:30:53.412198: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'information exchange reply packet' Aug 26 13:30:53.412211: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Aug 26 13:30:53.412220: | Notify data c6 96 80 75 e5 78 a0 78 34 8f b0 06 7a 52 e4 07 Aug 26 13:30:53.412229: | Notify data cb 25 e5 63 Aug 26 13:30:53.412239: | emitting length of IKEv2 Notify Payload: 28 Aug 26 13:30:53.412250: | adding 1 bytes of padding (including 1 byte padding-length) Aug 26 13:30:53.412262: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:30:53.412272: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Aug 26 13:30:53.412283: | emitting length of IKEv2 Encryption Payload: 85 Aug 26 13:30:53.412329: | emitting length of ISAKMP Message: 113 Aug 26 13:30:53.412372: | sending 113 bytes for reply packet for process_encrypted_informational_ikev2 through eth1 from 192.1.2.23:500 to 192.1.8.22:500 (using #1) Aug 26 13:30:53.412384: | 4d 32 ac ac c7 3d 7a d4 15 7e 08 72 b6 ba 33 73 Aug 26 13:30:53.412393: | 2e 20 25 20 00 00 00 02 00 00 00 71 29 00 00 55 Aug 26 13:30:53.412400: | d0 31 0d 3b d8 c9 6d 4e e4 de 56 f6 79 50 bc e9 Aug 26 13:30:53.412407: | fd ed 3c 3b 5f 46 ca 78 b2 f0 a0 9a 9f 40 a3 3e Aug 26 13:30:53.412415: | d6 0d 32 a5 83 44 2a 7b fa 4d 40 2a 74 45 db 36 Aug 26 13:30:53.412422: | d8 fe 5e d1 3d cc 7d 2b 3c b8 4d 8d 88 70 cd 58 Aug 26 
13:30:53.412429: | e3 21 7f 55 ba 53 32 5c a0 74 05 5b e2 e7 97 4f Aug 26 13:30:53.412437: | 08 Aug 26 13:30:53.412541: | Message ID: #1 XXX: in process_encrypted_informational_ikev2() hacking around record'n'send bypassing send queue hacking around delete_my_family(); initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1 wip.initiator=-1 wip.responder=2 Aug 26 13:30:53.412564: | Message ID: sent #1 response 2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=1->2 responder.recv=1 wip.initiator=-1 wip.responder=2 Aug 26 13:30:53.412585: | #1 spent 1.54 milliseconds in processing: R2: process Informational Request in ikev2_process_state_packet() Aug 26 13:30:53.412606: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.8.22 from 192.1.8.22:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:30:53.412620: | #1 complete_v2_state_transition() PARENT_R2->PARENT_R2 with status STF_OK Aug 26 13:30:53.412630: | Message ID: updating counters for #1 to 2 after switching state Aug 26 13:30:53.412644: | Message ID: recv #1 request 2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=2 responder.recv=1->2 wip.initiator=-1 wip.responder=2->-1 Aug 26 13:30:53.412659: | Message ID: #1 skipping update_send as nothing to send; initiator.sent=-1 initiator.recv=-1 responder.sent=2 responder.recv=2 wip.initiator=-1 wip.responder=-1 Aug 26 13:30:53.412669: | STATE_PARENT_R2: received v2I2, PARENT SA established Aug 26 13:30:53.412688: | stop processing: state #1 connection "eastnet-northnet"[1] 192.1.8.22 from 192.1.8.22:500 (in ikev2_process_packet() at ikev2.c:2018) Aug 26 13:30:53.412702: | #1 spent 2.49 milliseconds in ikev2_process_packet() Aug 26 13:30:53.412717: | stop processing: from 192.1.8.22:500 (in process_md() at demux.c:380) Aug 26 13:30:53.412729: | processing: STOP state #0 (in process_md() at demux.c:382) Aug 26 13:30:53.412739: | processing: STOP connection NULL (in process_md() at demux.c:383) Aug 26 
13:30:53.412759: | spent 2.55 milliseconds in comm_handle_cb() reading and processing packet Aug 26 13:30:59.895683: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 13:30:59.895704: | FOR_EACH_STATE_... in show_traffic_status (sort_states) Aug 26 13:30:59.895707: | FOR_EACH_STATE_... in sort_states Aug 26 13:30:59.895715: | get_sa_info esp.4920f818@192.1.2.23 Aug 26 13:30:59.895979: | get_sa_info esp.f798fcd6@192.1.8.22 Aug 26 13:30:59.895998: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 13:30:59.896004: | spent 0.33 milliseconds in whack Aug 26 13:31:00.226515: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 13:31:00.226752: | FOR_EACH_CONNECTION_... in show_connections_status Aug 26 13:31:00.226756: | FOR_EACH_CONNECTION_... in show_connections_status Aug 26 13:31:00.226843: | FOR_EACH_STATE_... in show_states_status (sort_states) Aug 26 13:31:00.226846: | FOR_EACH_STATE_... 
in sort_states Aug 26 13:31:00.226857: | get_sa_info esp.4920f818@192.1.2.23 Aug 26 13:31:00.226872: | get_sa_info esp.f798fcd6@192.1.8.22 Aug 26 13:31:00.226890: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 13:31:00.226896: | spent 0.389 milliseconds in whack Aug 26 13:31:01.548840: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 13:31:01.548863: shutting down Aug 26 13:31:01.548870: | processing: RESET whack log_fd (was fd@16) (in exit_pluto() at plutomain.c:1825) Aug 26 13:31:01.548872: | certs and keys locked by 'free_preshared_secrets' Aug 26 13:31:01.548874: forgetting secrets Aug 26 13:31:01.548880: | certs and keys unlocked by 'free_preshared_secrets' Aug 26 13:31:01.548885: | start processing: connection "eastnet-northnet"[1] 192.1.8.22 (in delete_connection() at connections.c:189) Aug 26 13:31:01.548889: "eastnet-northnet"[1] 192.1.8.22: deleting connection "eastnet-northnet"[1] 192.1.8.22 instance with peer 192.1.8.22 {isakmp=#1/ipsec=#2} Aug 26 13:31:01.548891: | Deleting states for connection - including all other IPsec SA's of this IKE SA Aug 26 13:31:01.548893: | pass 0 Aug 26 13:31:01.548895: | FOR_EACH_STATE_... 
in foreach_state_by_connection_func_delete Aug 26 13:31:01.548896: | state #2 Aug 26 13:31:01.548899: | suspend processing: connection "eastnet-northnet"[1] 192.1.8.22 (in foreach_state_by_connection_func_delete() at state.c:1310) Aug 26 13:31:01.548903: | start processing: state #2 connection "eastnet-northnet"[1] 192.1.8.22 from 192.1.8.22:500 (in foreach_state_by_connection_func_delete() at state.c:1310) Aug 26 13:31:01.548905: | pstats #2 ikev2.child deleted completed Aug 26 13:31:01.548909: | [RE]START processing: state #2 connection "eastnet-northnet"[1] 192.1.8.22 from 192.1.8.22:500 (in delete_state() at state.c:879) Aug 26 13:31:01.548912: "eastnet-northnet"[1] 192.1.8.22 #2: deleting state (STATE_V2_IPSEC_R) aged 17.860s and sending notification Aug 26 13:31:01.548914: | child state #2: V2_IPSEC_R(established CHILD SA) => delete Aug 26 13:31:01.548918: | get_sa_info esp.f798fcd6@192.1.8.22 Aug 26 13:31:01.548930: | get_sa_info esp.4920f818@192.1.2.23 Aug 26 13:31:01.548936: "eastnet-northnet"[1] 192.1.8.22 #2: ESP traffic information: in=168B out=168B Aug 26 13:31:01.548939: | #2 send IKEv2 delete notification for STATE_V2_IPSEC_R Aug 26 13:31:01.548941: | Opening output PBS informational exchange delete request Aug 26 13:31:01.548943: | **emit ISAKMP Message: Aug 26 13:31:01.548945: | initiator cookie: Aug 26 13:31:01.548947: | 4d 32 ac ac c7 3d 7a d4 Aug 26 13:31:01.548948: | responder cookie: Aug 26 13:31:01.548950: | 15 7e 08 72 b6 ba 33 73 Aug 26 13:31:01.548952: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 13:31:01.548954: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:31:01.548956: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Aug 26 13:31:01.548957: | flags: none (0x0) Aug 26 13:31:01.548961: | Message ID: 0 (0x0) Aug 26 13:31:01.548964: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 13:31:01.548966: | ***emit IKEv2 Encryption Payload: Aug 26 13:31:01.548968: | next payload 
type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:31:01.548970: | flags: none (0x0) Aug 26 13:31:01.548972: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Aug 26 13:31:01.548974: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'informational exchange delete request' Aug 26 13:31:01.548976: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Aug 26 13:31:01.548984: | ****emit IKEv2 Delete Payload: Aug 26 13:31:01.548986: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:31:01.548987: | flags: none (0x0) Aug 26 13:31:01.548989: | protocol ID: PROTO_v2_ESP (0x3) Aug 26 13:31:01.548991: | SPI size: 4 (0x4) Aug 26 13:31:01.548992: | number of SPIs: 1 (0x1) Aug 26 13:31:01.548994: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) Aug 26 13:31:01.548996: | next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'informational exchange delete request' Aug 26 13:31:01.548998: | emitting 4 raw bytes of local spis into IKEv2 Delete Payload Aug 26 13:31:01.549000: | local spis 49 20 f8 18 Aug 26 13:31:01.549002: | emitting length of IKEv2 Delete Payload: 12 Aug 26 13:31:01.549003: | adding 1 bytes of padding (including 1 byte padding-length) Aug 26 13:31:01.549005: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:31:01.549007: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Aug 26 13:31:01.549009: | emitting length of IKEv2 Encryption Payload: 41 Aug 26 13:31:01.549011: | emitting length of ISAKMP Message: 69 Aug 26 13:31:01.549030: | sending 69 bytes for delete notification through eth1 from 192.1.2.23:500 to 192.1.8.22:500 (using #2) Aug 26 13:31:01.549033: | 4d 32 ac ac c7 3d 7a d4 15 7e 08 72 b6 ba 33 73 Aug 26 13:31:01.549035: | 2e 20 25 00 00 00 
00 00 00 00 00 45 2a 00 00 29 Aug 26 13:31:01.549036: | 1d 4d bd 31 f5 99 48 11 f3 9a ab d4 8f 32 94 fe Aug 26 13:31:01.549038: | 8d f9 38 d9 fd 80 f8 85 ca db e7 0b 7f ee 0c 62 Aug 26 13:31:01.549039: | e2 19 d1 34 02 Aug 26 13:31:01.549082: | Message ID: IKE #1 sender #2 in send_delete record 'n' sending delete request so forcing IKE nextuse=0->1 and sender msgid=0->0 Aug 26 13:31:01.549085: | Message ID: IKE #1 sender #2 in send_delete hacking around record ' send Aug 26 13:31:01.549088: | Message ID: sent #1 request 0; ike: initiator.sent=-1->0 initiator.recv=-1 responder.sent=2 responder.recv=2 wip.initiator=-1->0 wip.responder=-1 Aug 26 13:31:01.549090: | state #2 requesting EVENT_SA_REKEY to be deleted Aug 26 13:31:01.549093: | libevent_free: release ptr-libevent@0x5633078bd4c8 Aug 26 13:31:01.549095: | free_event_entry: release EVENT_SA_REKEY-pe@0x5633078bdd48 Aug 26 13:31:01.549148: | running updown command "ipsec _updown" for verb down Aug 26 13:31:01.549152: | command executing down-client Aug 26 13:31:01.549171: | executing down-client: PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northnet' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.8.22' PLUTO_PEER_ID='192.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1566826243' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO' PLUTO_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' 
PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_ Aug 26 13:31:01.549175: | popen cmd is 1061 chars long Aug 26 13:31:01.549177: | cmd( 0):PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northnet': Aug 26 13:31:01.549179: | cmd( 80): PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_: Aug 26 13:31:01.549181: | cmd( 160):MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0: Aug 26 13:31:01.549183: | cmd( 240):' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' P: Aug 26 13:31:01.549184: | cmd( 320):LUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.8.22' PLUTO_PEER_ID=: Aug 26 13:31:01.549186: | cmd( 400):'192.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' : Aug 26 13:31:01.549188: | cmd( 480):PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL=': Aug 26 13:31:01.549189: | cmd( 560):0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1566826243' PLUTO_CONN_P: Aug 26 13:31:01.549191: | cmd( 640):OLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_: Aug 26 13:31:01.549193: | cmd( 720):NO' PLUTO_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 : Aug 26 13:31:01.549194: | cmd( 800):PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_P: Aug 26 13:31:01.549196: | cmd( 880):EER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' : Aug 26 13:31:01.549198: | cmd( 960):VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0xf798fcd6 SPI_OUT=0x4920f8: Aug 26 13:31:01.549199: | cmd(1040):18 ipsec _updown 2>&1: Aug 26 13:31:01.556528: | shunt_eroute() called for connection 'eastnet-northnet' to 'replace with shunt' for rt_kind 'prospective erouted' using protoports 0--0->-0 Aug 26 13:31:01.556550: | netlink_shunt_eroute for proto 0, and source port 0 dest port 0 Aug 26 
13:31:01.556555: | priority calculation of connection "eastnet-northnet" is 0xfe7e7 Aug 26 13:31:01.556561: | IPsec Sa SPD priority set to 1042407 Aug 26 13:31:01.556602: | delete esp.f798fcd6@192.1.8.22 Aug 26 13:31:01.556625: | netlink response for Del SA esp.f798fcd6@192.1.8.22 included non-error error Aug 26 13:31:01.556632: | priority calculation of connection "eastnet-northnet" is 0xfe7e7 Aug 26 13:31:01.556639: | delete inbound eroute 192.0.3.0/24:0 --0-> 192.0.2.0/24:0 => unk255.10000@192.1.2.23 (raw_eroute) Aug 26 13:31:01.556678: | raw_eroute result=success Aug 26 13:31:01.556683: | delete esp.4920f818@192.1.2.23 Aug 26 13:31:01.556699: | netlink response for Del SA esp.4920f818@192.1.2.23 included non-error error Aug 26 13:31:01.556714: | stop processing: connection "eastnet-northnet"[1] 192.1.8.22 (BACKGROUND) (in update_state_connection() at connections.c:4076) Aug 26 13:31:01.556719: | start processing: connection NULL (in update_state_connection() at connections.c:4077) Aug 26 13:31:01.556722: | in connection_discard for connection eastnet-northnet Aug 26 13:31:01.556726: | State DB: deleting IKEv2 state #2 in V2_IPSEC_R Aug 26 13:31:01.556733: | child state #2: V2_IPSEC_R(established CHILD SA) => UNDEFINED(ignore) Aug 26 13:31:01.556745: | stop processing: state #2 from 192.1.8.22:500 (in delete_state() at state.c:1143) Aug 26 13:31:01.556760: | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312) Aug 26 13:31:01.556763: | state #1 Aug 26 13:31:01.556766: | pass 1 Aug 26 13:31:01.556769: | FOR_EACH_STATE_... 
in foreach_state_by_connection_func_delete Aug 26 13:31:01.556771: | state #1 Aug 26 13:31:01.556777: | start processing: state #1 connection "eastnet-northnet"[1] 192.1.8.22 from 192.1.8.22:500 (in foreach_state_by_connection_func_delete() at state.c:1310) Aug 26 13:31:01.556781: | pstats #1 ikev2.ike deleted completed Aug 26 13:31:01.556789: | #1 spent 11 milliseconds in total Aug 26 13:31:01.556799: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.8.22 from 192.1.8.22:500 (in delete_state() at state.c:879) Aug 26 13:31:01.556805: "eastnet-northnet"[1] 192.1.8.22 #1: deleting state (STATE_PARENT_R2) aged 17.876s and sending notification Aug 26 13:31:01.556809: | parent state #1: PARENT_R2(established IKE SA) => delete Aug 26 13:31:01.556867: | #1 send IKEv2 delete notification for STATE_PARENT_R2 Aug 26 13:31:01.556873: | Opening output PBS informational exchange delete request Aug 26 13:31:01.556876: | **emit ISAKMP Message: Aug 26 13:31:01.556879: | initiator cookie: Aug 26 13:31:01.556882: | 4d 32 ac ac c7 3d 7a d4 Aug 26 13:31:01.556885: | responder cookie: Aug 26 13:31:01.556887: | 15 7e 08 72 b6 ba 33 73 Aug 26 13:31:01.556891: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 13:31:01.556894: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:31:01.556897: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Aug 26 13:31:01.556902: | flags: none (0x0) Aug 26 13:31:01.556905: | Message ID: 1 (0x1) Aug 26 13:31:01.556908: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 13:31:01.556911: | ***emit IKEv2 Encryption Payload: Aug 26 13:31:01.556915: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:31:01.556918: | flags: none (0x0) Aug 26 13:31:01.556922: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Aug 26 13:31:01.556925: | next payload chain: saving location 'IKEv2 Encryption 
Payload'.'next payload type' in 'informational exchange delete request' Aug 26 13:31:01.556930: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Aug 26 13:31:01.556947: | ****emit IKEv2 Delete Payload: Aug 26 13:31:01.556951: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:31:01.556954: | flags: none (0x0) Aug 26 13:31:01.556957: | protocol ID: PROTO_v2_IKE (0x1) Aug 26 13:31:01.556960: | SPI size: 0 (0x0) Aug 26 13:31:01.556963: | number of SPIs: 0 (0x0) Aug 26 13:31:01.556966: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) Aug 26 13:31:01.556969: | next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'informational exchange delete request' Aug 26 13:31:01.556973: | emitting length of IKEv2 Delete Payload: 8 Aug 26 13:31:01.556976: | adding 1 bytes of padding (including 1 byte padding-length) Aug 26 13:31:01.556980: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:31:01.556983: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Aug 26 13:31:01.556986: | emitting length of IKEv2 Encryption Payload: 37 Aug 26 13:31:01.556989: | emitting length of ISAKMP Message: 65 Aug 26 13:31:01.557022: | sending 65 bytes for delete notification through eth1 from 192.1.2.23:500 to 192.1.8.22:500 (using #1) Aug 26 13:31:01.557027: | 4d 32 ac ac c7 3d 7a d4 15 7e 08 72 b6 ba 33 73 Aug 26 13:31:01.557030: | 2e 20 25 00 00 00 00 01 00 00 00 41 2a 00 00 25 Aug 26 13:31:01.557032: | 2f af 37 1c 3c bc 64 a8 7e fc 64 d8 62 0a e5 0f Aug 26 13:31:01.557035: | f6 f5 c9 d2 bf 66 bf f4 a7 cd 0b 41 c8 95 c7 67 Aug 26 13:31:01.557037: | da Aug 26 13:31:01.557090: | Message ID: IKE #1 sender #1 in send_delete record 'n' sending delete request so forcing IKE nextuse=1->2 and sender msgid=0->1 Aug 26 13:31:01.557095: | Message ID: IKE #1 sender #1 in send_delete hacking around 
record ' send Aug 26 13:31:01.557101: | Message ID: #1 XXX: expecting sender.wip.initiator 0 == -1 - suspect record'n'send out-of-order?); initiator.sent=1 initiator.recv=-1 responder.sent=2 responder.recv=2 wip.initiator=1 wip.responder=-1 Aug 26 13:31:01.557107: | Message ID: sent #1 request 1; ike: initiator.sent=0->1 initiator.recv=-1 responder.sent=2 responder.recv=2 wip.initiator=0->1 wip.responder=-1 Aug 26 13:31:01.557112: | state #1 requesting EVENT_SA_REKEY to be deleted Aug 26 13:31:01.557121: | libevent_free: release ptr-libevent@0x5633078bcdc8 Aug 26 13:31:01.557123: | free_event_entry: release EVENT_SA_REKEY-pe@0x5633078ba438 Aug 26 13:31:01.557127: | State DB: IKEv2 state not found (flush_incomplete_children) Aug 26 13:31:01.557129: | in connection_discard for connection eastnet-northnet Aug 26 13:31:01.557131: | State DB: deleting IKEv2 state #1 in PARENT_R2 Aug 26 13:31:01.557133: | parent state #1: PARENT_R2(established IKE SA) => UNDEFINED(ignore) Aug 26 13:31:01.557162: | stop processing: state #1 from 192.1.8.22:500 (in delete_state() at state.c:1143) Aug 26 13:31:01.557186: | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312) Aug 26 13:31:01.557190: | shunt_eroute() called for connection 'eastnet-northnet' to 'delete' for rt_kind 'unrouted' using protoports 0--0->-0 Aug 26 13:31:01.557192: | netlink_shunt_eroute for proto 0, and source port 0 dest port 0 Aug 26 13:31:01.557194: | priority calculation of connection "eastnet-northnet" is 0xfe7e7 Aug 26 13:31:01.557209: | priority calculation of connection "eastnet-northnet" is 0xfe7e7 Aug 26 13:31:01.557216: | FOR_EACH_CONNECTION_... 
in route_owner Aug 26 13:31:01.557219: | conn eastnet-northnet mark 0/00000000, 0/00000000 vs Aug 26 13:31:01.557221: | conn eastnet-northnet mark 0/00000000, 0/00000000 Aug 26 13:31:01.557222: | conn eastnet-northnet mark 0/00000000, 0/00000000 vs Aug 26 13:31:01.557224: | conn eastnet-northnet mark 0/00000000, 0/00000000 Aug 26 13:31:01.557227: | route owner of "eastnet-northnet" unrouted: NULL Aug 26 13:31:01.557228: | running updown command "ipsec _updown" for verb unroute Aug 26 13:31:01.557230: | command executing unroute-client Aug 26 13:31:01.557248: | executing unroute-client: PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northnet' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.8.22' PLUTO_PEER_ID='192.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO' PLUTO_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SH Aug 26 13:31:01.557250: | popen cmd is 1042 chars long Aug 26 13:31:01.557252: | cmd( 0):PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northn: Aug 26 13:31:01.557254: | cmd( 80):et' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLU: Aug 26 13:31:01.557256: | cmd( 160):TO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.: Aug 26 
13:31:01.557258: | cmd( 240):2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0: Aug 26 13:31:01.557259: | cmd( 320):' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.8.22' PLUTO_PEER: Aug 26 13:31:01.557261: | cmd( 400):_ID='192.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3: Aug 26 13:31:01.557263: | cmd( 480):.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOC: Aug 26 13:31:01.557264: | cmd( 560):OL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY: Aug 26 13:31:01.557266: | cmd( 640):='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO' P: Aug 26 13:31:01.557268: | cmd( 720):LUTO_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO: Aug 26 13:31:01.557271: | cmd( 800):_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_B: Aug 26 13:31:01.557273: | cmd( 880):ANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_I: Aug 26 13:31:01.557274: | cmd( 960):FACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec _updown 2>: Aug 26 13:31:01.557276: | cmd(1040):&1: Aug 26 13:31:01.566661: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:31:01.566683: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:31:01.566688: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:31:01.566690: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:31:01.566693: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:31:01.566698: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:31:01.566712: unroute-client output: Error: Peer netns reference is invalid. 
Aug 26 13:31:01.572778: | free hp@0x5633078ba308 Aug 26 13:31:01.572793: | flush revival: connection 'eastnet-northnet' wasn't on the list Aug 26 13:31:01.572798: | processing: STOP connection NULL (in discard_connection() at connections.c:249) Aug 26 13:31:01.572811: | start processing: connection "eastnet-northnet" (in delete_connection() at connections.c:189) Aug 26 13:31:01.572815: | Deleting states for connection - including all other IPsec SA's of this IKE SA Aug 26 13:31:01.572818: | pass 0 Aug 26 13:31:01.572821: | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete Aug 26 13:31:01.572824: | pass 1 Aug 26 13:31:01.572826: | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete Aug 26 13:31:01.572830: | free hp@0x5633078b83a8 Aug 26 13:31:01.572834: | flush revival: connection 'eastnet-northnet' wasn't on the list Aug 26 13:31:01.572838: | stop processing: connection "eastnet-northnet" (in discard_connection() at connections.c:249) Aug 26 13:31:01.572849: | crl fetch request list locked by 'free_crl_fetch' Aug 26 13:31:01.572853: | crl fetch request list unlocked by 'free_crl_fetch' Aug 26 13:31:01.572865: shutting down interface lo/lo 127.0.0.1:4500 Aug 26 13:31:01.572870: shutting down interface lo/lo 127.0.0.1:500 Aug 26 13:31:01.572873: shutting down interface eth0/eth0 192.0.2.254:4500 Aug 26 13:31:01.572877: shutting down interface eth0/eth0 192.0.2.254:500 Aug 26 13:31:01.572880: shutting down interface eth1/eth1 192.1.2.23:4500 Aug 26 13:31:01.572884: shutting down interface eth1/eth1 192.1.2.23:500 Aug 26 13:31:01.572888: | FOR_EACH_STATE_... 
in delete_states_dead_interfaces Aug 26 13:31:01.572902: | libevent_free: release ptr-libevent@0x5633078aa4a8 Aug 26 13:31:01.572906: | free_event_entry: release EVENT_NULL-pe@0x5633078b6198 Aug 26 13:31:01.572919: | libevent_free: release ptr-libevent@0x563307846378 Aug 26 13:31:01.572923: | free_event_entry: release EVENT_NULL-pe@0x5633078b6248 Aug 26 13:31:01.572932: | libevent_free: release ptr-libevent@0x563307848218 Aug 26 13:31:01.572935: | free_event_entry: release EVENT_NULL-pe@0x5633078b62f8 Aug 26 13:31:01.572944: | libevent_free: release ptr-libevent@0x563307845368 Aug 26 13:31:01.572947: | free_event_entry: release EVENT_NULL-pe@0x5633078b63a8 Aug 26 13:31:01.572955: | libevent_free: release ptr-libevent@0x56330781bb78 Aug 26 13:31:01.572959: | free_event_entry: release EVENT_NULL-pe@0x5633078b6458 Aug 26 13:31:01.572966: | libevent_free: release ptr-libevent@0x5633078161d8 Aug 26 13:31:01.572969: | free_event_entry: release EVENT_NULL-pe@0x5633078b6508 Aug 26 13:31:01.572975: | FOR_EACH_UNORIENTED_CONNECTION_... 
in check_orientations Aug 26 13:31:01.573439: | libevent_free: release ptr-libevent@0x5633078aa558 Aug 26 13:31:01.573447: | free_event_entry: release EVENT_NULL-pe@0x56330789e318 Aug 26 13:31:01.573453: | libevent_free: release ptr-libevent@0x563307848118 Aug 26 13:31:01.573458: | free_event_entry: release EVENT_NULL-pe@0x56330789d7d8 Aug 26 13:31:01.573462: | libevent_free: release ptr-libevent@0x563307881bd8 Aug 26 13:31:01.573465: | free_event_entry: release EVENT_NULL-pe@0x56330789e388 Aug 26 13:31:01.573471: | global timer EVENT_REINIT_SECRET uninitialized Aug 26 13:31:01.573474: | global timer EVENT_SHUNT_SCAN uninitialized Aug 26 13:31:01.573476: | global timer EVENT_PENDING_DDNS uninitialized Aug 26 13:31:01.573478: | global timer EVENT_PENDING_PHASE2 uninitialized Aug 26 13:31:01.573481: | global timer EVENT_CHECK_CRLS uninitialized Aug 26 13:31:01.573483: | global timer EVENT_REVIVE_CONNS uninitialized Aug 26 13:31:01.573485: | global timer EVENT_FREE_ROOT_CERTS uninitialized Aug 26 13:31:01.573487: | global timer EVENT_RESET_LOG_RATE_LIMIT uninitialized Aug 26 13:31:01.573490: | global timer EVENT_NAT_T_KEEPALIVE uninitialized Aug 26 13:31:01.573495: | libevent_free: release ptr-libevent@0x5633078458c8 Aug 26 13:31:01.573498: | signal event handler PLUTO_SIGCHLD uninstalled Aug 26 13:31:01.573501: | libevent_free: release ptr-libevent@0x5633078b58e8 Aug 26 13:31:01.573503: | signal event handler PLUTO_SIGTERM uninstalled Aug 26 13:31:01.573506: | libevent_free: release ptr-libevent@0x5633078b59f8 Aug 26 13:31:01.573509: | signal event handler PLUTO_SIGHUP uninstalled Aug 26 13:31:01.573511: | libevent_free: release ptr-libevent@0x5633078b5c38 Aug 26 13:31:01.573514: | signal event handler PLUTO_SIGSYS uninstalled Aug 26 13:31:01.573516: | releasing event base Aug 26 13:31:01.573528: | libevent_free: release ptr-libevent@0x5633078b5b08 Aug 26 13:31:01.573532: | libevent_free: release ptr-libevent@0x563307898bc8 Aug 26 13:31:01.573535: | libevent_free: 
release ptr-libevent@0x563307898b78 Aug 26 13:31:01.573538: | libevent_free: release ptr-libevent@0x563307898b08 Aug 26 13:31:01.573540: | libevent_free: release ptr-libevent@0x563307898ac8 Aug 26 13:31:01.573543: | libevent_free: release ptr-libevent@0x5633078b57e8 Aug 26 13:31:01.573546: | libevent_free: release ptr-libevent@0x5633078b5868 Aug 26 13:31:01.573548: | libevent_free: release ptr-libevent@0x563307898d78 Aug 26 13:31:01.573551: | libevent_free: release ptr-libevent@0x56330789d8e8 Aug 26 13:31:01.573553: | libevent_free: release ptr-libevent@0x56330789e2d8 Aug 26 13:31:01.573555: | libevent_free: release ptr-libevent@0x5633078b6578 Aug 26 13:31:01.573557: | libevent_free: release ptr-libevent@0x5633078b64c8 Aug 26 13:31:01.573559: | libevent_free: release ptr-libevent@0x5633078b6418 Aug 26 13:31:01.573562: | libevent_free: release ptr-libevent@0x5633078b6368 Aug 26 13:31:01.573564: | libevent_free: release ptr-libevent@0x5633078b62b8 Aug 26 13:31:01.573566: | libevent_free: release ptr-libevent@0x5633078b6208 Aug 26 13:31:01.573568: | libevent_free: release ptr-libevent@0x563307845a28 Aug 26 13:31:01.573570: | libevent_free: release ptr-libevent@0x5633078b59b8 Aug 26 13:31:01.573572: | libevent_free: release ptr-libevent@0x5633078b58a8 Aug 26 13:31:01.573575: | libevent_free: release ptr-libevent@0x5633078b5828 Aug 26 13:31:01.573577: | libevent_free: release ptr-libevent@0x5633078b5ac8 Aug 26 13:31:01.573579: | libevent_free: release ptr-libevent@0x563307844bb8 Aug 26 13:31:01.573582: | libevent_free: release ptr-libevent@0x563307815908 Aug 26 13:31:01.573585: | libevent_free: release ptr-libevent@0x563307815d38 Aug 26 13:31:01.573587: | libevent_free: release ptr-libevent@0x563307844f28 Aug 26 13:31:01.573589: | releasing global libevent data Aug 26 13:31:01.573592: | libevent_free: release ptr-libevent@0x563307816538 Aug 26 13:31:01.573594: | libevent_free: release ptr-libevent@0x563307815cd8 Aug 26 13:31:01.573597: | libevent_free: release 
ptr-libevent@0x563307815dd8 Aug 26 13:31:01.573634: leak detective found no leaks