Aug 26 13:30:42.528747: FIPS Product: YES Aug 26 13:30:42.528849: FIPS Kernel: NO Aug 26 13:30:42.528852: FIPS Mode: NO Aug 26 13:30:42.528854: NSS DB directory: sql:/etc/ipsec.d Aug 26 13:30:42.529015: Initializing NSS Aug 26 13:30:42.529023: Opening NSS database "sql:/etc/ipsec.d" read-only Aug 26 13:30:42.557101: NSS initialized Aug 26 13:30:42.557117: NSS crypto library initialized Aug 26 13:30:42.557119: FIPS HMAC integrity support [enabled] Aug 26 13:30:42.557121: FIPS mode disabled for pluto daemon Aug 26 13:30:42.584771: FIPS HMAC integrity verification self-test FAILED Aug 26 13:30:42.584881: libcap-ng support [enabled] Aug 26 13:30:42.584891: Linux audit support [enabled] Aug 26 13:30:42.584917: Linux audit activated Aug 26 13:30:42.584924: Starting Pluto (Libreswan Version v3.28-685-gbfd5aef521-master-s2 XFRM(netkey) esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) DNSSEC FIPS_CHECK LABELED_IPSEC SECCOMP LIBCAP_NG LINUX_AUDIT XAUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:10144 Aug 26 13:30:42.584928: core dump dir: /tmp Aug 26 13:30:42.584931: secrets file: /etc/ipsec.secrets Aug 26 13:30:42.584933: leak-detective enabled Aug 26 13:30:42.584935: NSS crypto [enabled] Aug 26 13:30:42.584938: XAUTH PAM support [enabled] Aug 26 13:30:42.585011: | libevent is using pluto's memory allocator Aug 26 13:30:42.585021: Initializing libevent in pthreads mode: headers: 2.1.8-stable (2010800); library: 2.1.8-stable (2010800) Aug 26 13:30:42.585035: | libevent_malloc: new ptr-libevent@0x55676aa66488 size 40 Aug 26 13:30:42.585040: | libevent_malloc: new ptr-libevent@0x55676aa65cd8 size 40 Aug 26 13:30:42.585043: | libevent_malloc: new ptr-libevent@0x55676aa65dd8 size 40 Aug 26 13:30:42.585046: | creating event base Aug 26 13:30:42.585049: | libevent_malloc: new ptr-libevent@0x55676aae8328 size 56 Aug 26 13:30:42.585055: | libevent_malloc: new ptr-libevent@0x55676aa94e78 size 664 Aug 26 13:30:42.585066: | libevent_malloc: new ptr-libevent@0x55676aae8398 size 
24 Aug 26 13:30:42.585069: | libevent_malloc: new ptr-libevent@0x55676aae83e8 size 384 Aug 26 13:30:42.585079: | libevent_malloc: new ptr-libevent@0x55676aae82e8 size 16 Aug 26 13:30:42.585082: | libevent_malloc: new ptr-libevent@0x55676aa65908 size 40 Aug 26 13:30:42.585085: | libevent_malloc: new ptr-libevent@0x55676aa65d38 size 48 Aug 26 13:30:42.585091: | libevent_realloc: new ptr-libevent@0x55676aa94b08 size 256 Aug 26 13:30:42.585094: | libevent_malloc: new ptr-libevent@0x55676aae8598 size 16 Aug 26 13:30:42.585100: | libevent_free: release ptr-libevent@0x55676aae8328 Aug 26 13:30:42.585104: | libevent initialized Aug 26 13:30:42.585108: | libevent_realloc: new ptr-libevent@0x55676aae8328 size 64 Aug 26 13:30:42.585111: | global periodic timer EVENT_RESET_LOG_RATE_LIMIT enabled with interval of 3600 seconds Aug 26 13:30:42.585131: | init_nat_traversal() initialized with keep_alive=0s Aug 26 13:30:42.585134: NAT-Traversal support [enabled] Aug 26 13:30:42.585137: | global one-shot timer EVENT_NAT_T_KEEPALIVE initialized Aug 26 13:30:42.585143: | global one-shot timer EVENT_FREE_ROOT_CERTS initialized Aug 26 13:30:42.585146: | global periodic timer EVENT_REINIT_SECRET enabled with interval of 3600 seconds Aug 26 13:30:42.585178: | global one-shot timer EVENT_REVIVE_CONNS initialized Aug 26 13:30:42.585182: | global periodic timer EVENT_PENDING_DDNS enabled with interval of 60 seconds Aug 26 13:30:42.585186: | global periodic timer EVENT_PENDING_PHASE2 enabled with interval of 120 seconds Aug 26 13:30:42.585238: Encryption algorithms: Aug 26 13:30:42.585247: AES_CCM_16 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm, aes_ccm_c Aug 26 13:30:42.585252: AES_CCM_12 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_b Aug 26 13:30:42.585256: AES_CCM_8 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_a Aug 26 13:30:42.585260: 3DES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS [*192] 3des Aug 26 13:30:42.585264: CAMELLIA_CTR IKEv1: ESP IKEv2: ESP {256,192,*128} Aug 26 
13:30:42.585273: CAMELLIA_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} camellia Aug 26 13:30:42.585278: AES_GCM_16 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm, aes_gcm_c Aug 26 13:30:42.585282: AES_GCM_12 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_b Aug 26 13:30:42.585286: AES_GCM_8 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_a Aug 26 13:30:42.585300: AES_CTR IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aesctr Aug 26 13:30:42.585307: AES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aes Aug 26 13:30:42.585313: SERPENT_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} serpent Aug 26 13:30:42.585322: TWOFISH_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} twofish Aug 26 13:30:42.585331: TWOFISH_SSH IKEv1: IKE IKEv2: IKE ESP {256,192,*128} twofish_cbc_ssh Aug 26 13:30:42.585345: NULL_AUTH_AES_GMAC IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_gmac Aug 26 13:30:42.585352: NULL IKEv1: ESP IKEv2: ESP [] Aug 26 13:30:42.585356: CHACHA20_POLY1305 IKEv1: IKEv2: IKE ESP [*256] chacha20poly1305 Aug 26 13:30:42.585363: Hash algorithms: Aug 26 13:30:42.585366: MD5 IKEv1: IKE IKEv2: Aug 26 13:30:42.585370: SHA1 IKEv1: IKE IKEv2: FIPS sha Aug 26 13:30:42.585373: SHA2_256 IKEv1: IKE IKEv2: FIPS sha2, sha256 Aug 26 13:30:42.585376: SHA2_384 IKEv1: IKE IKEv2: FIPS sha384 Aug 26 13:30:42.585380: SHA2_512 IKEv1: IKE IKEv2: FIPS sha512 Aug 26 13:30:42.585393: PRF algorithms: Aug 26 13:30:42.585397: HMAC_MD5 IKEv1: IKE IKEv2: IKE md5 Aug 26 13:30:42.585400: HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS sha, sha1 Aug 26 13:30:42.585404: HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS sha2, sha256, sha2_256 Aug 26 13:30:42.585407: HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS sha384, sha2_384 Aug 26 13:30:42.585411: HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS sha512, sha2_512 Aug 26 13:30:42.585414: AES_XCBC IKEv1: IKEv2: IKE aes128_xcbc Aug 26 13:30:42.585442: Integrity algorithms: Aug 26 13:30:42.585446: HMAC_MD5_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH md5, 
hmac_md5 Aug 26 13:30:42.585450: HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha, sha1, sha1_96, hmac_sha1 Aug 26 13:30:42.585454: HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha512, sha2_512, sha2_512_256, hmac_sha2_512 Aug 26 13:30:42.585458: HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha384, sha2_384, sha2_384_192, hmac_sha2_384 Aug 26 13:30:42.585463: HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256 Aug 26 13:30:42.585466: HMAC_SHA2_256_TRUNCBUG IKEv1: ESP AH IKEv2: AH Aug 26 13:30:42.585470: AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP AH aes_xcbc, aes128_xcbc, aes128_xcbc_96 Aug 26 13:30:42.585473: AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS aes_cmac Aug 26 13:30:42.585476: NONE IKEv1: ESP IKEv2: IKE ESP FIPS null Aug 26 13:30:42.585489: DH algorithms: Aug 26 13:30:42.585493: NONE IKEv1: IKEv2: IKE ESP AH FIPS null, dh0 Aug 26 13:30:42.585496: MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH dh5 Aug 26 13:30:42.585499: MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh14 Aug 26 13:30:42.585506: MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh15 Aug 26 13:30:42.585509: MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh16 Aug 26 13:30:42.585512: MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh17 Aug 26 13:30:42.585515: MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh18 Aug 26 13:30:42.585519: DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_256, ecp256 Aug 26 13:30:42.585522: DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_384, ecp384 Aug 26 13:30:42.585525: DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_521, ecp521 Aug 26 13:30:42.585528: DH31 IKEv1: IKE IKEv2: IKE ESP AH curve25519 Aug 26 13:30:42.585531: testing CAMELLIA_CBC: Aug 26 13:30:42.585534: Camellia: 16 bytes with 128-bit key Aug 26 13:30:42.585658: Camellia: 16 bytes with 128-bit key Aug 26 13:30:42.585689: Camellia: 16 bytes with 256-bit key Aug 26 13:30:42.585721: Camellia: 16 bytes with 256-bit key 
Aug 26 13:30:42.585749: testing AES_GCM_16: Aug 26 13:30:42.585753: empty string Aug 26 13:30:42.585780: one block Aug 26 13:30:42.585808: two blocks Aug 26 13:30:42.585837: two blocks with associated data Aug 26 13:30:42.585864: testing AES_CTR: Aug 26 13:30:42.585868: Encrypting 16 octets using AES-CTR with 128-bit key Aug 26 13:30:42.585895: Encrypting 32 octets using AES-CTR with 128-bit key Aug 26 13:30:42.585925: Encrypting 36 octets using AES-CTR with 128-bit key Aug 26 13:30:42.585955: Encrypting 16 octets using AES-CTR with 192-bit key Aug 26 13:30:42.585984: Encrypting 32 octets using AES-CTR with 192-bit key Aug 26 13:30:42.586014: Encrypting 36 octets using AES-CTR with 192-bit key Aug 26 13:30:42.586047: Encrypting 16 octets using AES-CTR with 256-bit key Aug 26 13:30:42.586075: Encrypting 32 octets using AES-CTR with 256-bit key Aug 26 13:30:42.586103: Encrypting 36 octets using AES-CTR with 256-bit key Aug 26 13:30:42.586133: testing AES_CBC: Aug 26 13:30:42.586137: Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key Aug 26 13:30:42.586169: Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key Aug 26 13:30:42.586202: Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key Aug 26 13:30:42.586233: Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key Aug 26 13:30:42.586269: testing AES_XCBC: Aug 26 13:30:42.586273: RFC 3566 Test Case #1: AES-XCBC-MAC-96 with 0-byte input Aug 26 13:30:42.586400: RFC 3566 Test Case #2: AES-XCBC-MAC-96 with 3-byte input Aug 26 13:30:42.586528: RFC 3566 Test Case #3: AES-XCBC-MAC-96 with 16-byte input Aug 26 13:30:42.586606: RFC 3566 Test Case #4: AES-XCBC-MAC-96 with 20-byte input Aug 26 13:30:42.586733: RFC 3566 Test Case #5: AES-XCBC-MAC-96 with 32-byte input Aug 26 13:30:42.586861: RFC 3566 Test Case #6: AES-XCBC-MAC-96 with 34-byte input Aug 26 13:30:42.586995: RFC 3566 Test Case #7: AES-XCBC-MAC-96 with 1000-byte input Aug 26 13:30:42.587221: RFC 4434 Test Case AES-XCBC-PRF-128 with 
20-byte input (key length 16) Aug 26 13:30:42.587367: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10) Aug 26 13:30:42.587521: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18) Aug 26 13:30:42.587771: testing HMAC_MD5: Aug 26 13:30:42.587777: RFC 2104: MD5_HMAC test 1 Aug 26 13:30:42.587970: RFC 2104: MD5_HMAC test 2 Aug 26 13:30:42.588134: RFC 2104: MD5_HMAC test 3 Aug 26 13:30:42.588367: 8 CPU cores online Aug 26 13:30:42.588375: starting up 7 crypto helpers Aug 26 13:30:42.588406: started thread for crypto helper 0 Aug 26 13:30:42.588410: | starting up helper thread 0 Aug 26 13:30:42.588427: | status value returned by setting the priority of this thread (crypto helper 0) 22 Aug 26 13:30:42.588430: | crypto helper 0 waiting (nothing to do) Aug 26 13:30:42.588438: started thread for crypto helper 1 Aug 26 13:30:42.588458: started thread for crypto helper 2 Aug 26 13:30:42.588460: | starting up helper thread 2 Aug 26 13:30:42.588468: | status value returned by setting the priority of this thread (crypto helper 2) 22 Aug 26 13:30:42.588471: | crypto helper 2 waiting (nothing to do) Aug 26 13:30:42.588655: | starting up helper thread 1 Aug 26 13:30:42.589396: | status value returned by setting the priority of this thread (crypto helper 1) 22 Aug 26 13:30:42.589399: | crypto helper 1 waiting (nothing to do) Aug 26 13:30:42.589406: started thread for crypto helper 3 Aug 26 13:30:42.589406: | starting up helper thread 3 Aug 26 13:30:42.589422: | status value returned by setting the priority of this thread (crypto helper 3) 22 Aug 26 13:30:42.589424: | crypto helper 3 waiting (nothing to do) Aug 26 13:30:42.589438: started thread for crypto helper 4 Aug 26 13:30:42.589461: started thread for crypto helper 5 Aug 26 13:30:42.589466: | starting up helper thread 4 Aug 26 13:30:42.589467: | starting up helper thread 5 Aug 26 13:30:42.589484: started thread for crypto helper 6 Aug 26 13:30:42.589493: | status value returned by setting 
the priority of this thread (crypto helper 5) 22 Aug 26 13:30:42.589479: | status value returned by setting the priority of this thread (crypto helper 4) 22 Aug 26 13:30:42.589496: | crypto helper 5 waiting (nothing to do) Aug 26 13:30:42.589501: | crypto helper 4 waiting (nothing to do) Aug 26 13:30:42.589496: | checking IKEv1 state table Aug 26 13:30:42.589504: | starting up helper thread 6 Aug 26 13:30:42.589518: | status value returned by setting the priority of this thread (crypto helper 6) 22 Aug 26 13:30:42.589518: | MAIN_R0: category: half-open IKE SA flags: 0: Aug 26 13:30:42.589530: | -> MAIN_R1 EVENT_SO_DISCARD Aug 26 13:30:42.589534: | MAIN_I1: category: half-open IKE SA flags: 0: Aug 26 13:30:42.589524: | crypto helper 6 waiting (nothing to do) Aug 26 13:30:42.589538: | -> MAIN_I2 EVENT_RETRANSMIT Aug 26 13:30:42.589547: | MAIN_R1: category: open IKE SA flags: 200: Aug 26 13:30:42.589550: | -> MAIN_R2 EVENT_RETRANSMIT Aug 26 13:30:42.589552: | -> UNDEFINED EVENT_RETRANSMIT Aug 26 13:30:42.589554: | -> UNDEFINED EVENT_RETRANSMIT Aug 26 13:30:42.589556: | MAIN_I2: category: open IKE SA flags: 0: Aug 26 13:30:42.589558: | -> MAIN_I3 EVENT_RETRANSMIT Aug 26 13:30:42.589560: | -> UNDEFINED EVENT_RETRANSMIT Aug 26 13:30:42.589563: | -> UNDEFINED EVENT_RETRANSMIT Aug 26 13:30:42.589565: | MAIN_R2: category: open IKE SA flags: 0: Aug 26 13:30:42.589568: | -> MAIN_R3 EVENT_SA_REPLACE Aug 26 13:30:42.589570: | -> MAIN_R3 EVENT_SA_REPLACE Aug 26 13:30:42.589573: | -> UNDEFINED EVENT_SA_REPLACE Aug 26 13:30:42.589575: | MAIN_I3: category: open IKE SA flags: 0: Aug 26 13:30:42.589577: | -> MAIN_I4 EVENT_SA_REPLACE Aug 26 13:30:42.589580: | -> MAIN_I4 EVENT_SA_REPLACE Aug 26 13:30:42.589582: | -> UNDEFINED EVENT_SA_REPLACE Aug 26 13:30:42.589585: | MAIN_R3: category: established IKE SA flags: 200: Aug 26 13:30:42.589587: | -> UNDEFINED EVENT_NULL Aug 26 13:30:42.589590: | MAIN_I4: category: established IKE SA flags: 0: Aug 26 13:30:42.589592: | -> UNDEFINED 
EVENT_NULL Aug 26 13:30:42.589594: | AGGR_R0: category: half-open IKE SA flags: 0: Aug 26 13:30:42.589597: | -> AGGR_R1 EVENT_SO_DISCARD Aug 26 13:30:42.589599: | AGGR_I1: category: half-open IKE SA flags: 0: Aug 26 13:30:42.589601: | -> AGGR_I2 EVENT_SA_REPLACE Aug 26 13:30:42.589604: | -> AGGR_I2 EVENT_SA_REPLACE Aug 26 13:30:42.589606: | AGGR_R1: category: open IKE SA flags: 200: Aug 26 13:30:42.589608: | -> AGGR_R2 EVENT_SA_REPLACE Aug 26 13:30:42.589610: | -> AGGR_R2 EVENT_SA_REPLACE Aug 26 13:30:42.589612: | AGGR_I2: category: established IKE SA flags: 200: Aug 26 13:30:42.589615: | -> UNDEFINED EVENT_NULL Aug 26 13:30:42.589617: | AGGR_R2: category: established IKE SA flags: 0: Aug 26 13:30:42.589619: | -> UNDEFINED EVENT_NULL Aug 26 13:30:42.589621: | QUICK_R0: category: established CHILD SA flags: 0: Aug 26 13:30:42.589623: | -> QUICK_R1 EVENT_RETRANSMIT Aug 26 13:30:42.589629: | QUICK_I1: category: established CHILD SA flags: 0: Aug 26 13:30:42.589632: | -> QUICK_I2 EVENT_SA_REPLACE Aug 26 13:30:42.589635: | QUICK_R1: category: established CHILD SA flags: 0: Aug 26 13:30:42.589637: | -> QUICK_R2 EVENT_SA_REPLACE Aug 26 13:30:42.589640: | QUICK_I2: category: established CHILD SA flags: 200: Aug 26 13:30:42.589642: | -> UNDEFINED EVENT_NULL Aug 26 13:30:42.589645: | QUICK_R2: category: established CHILD SA flags: 0: Aug 26 13:30:42.589647: | -> UNDEFINED EVENT_NULL Aug 26 13:30:42.589650: | INFO: category: informational flags: 0: Aug 26 13:30:42.589652: | -> UNDEFINED EVENT_NULL Aug 26 13:30:42.589655: | INFO_PROTECTED: category: informational flags: 0: Aug 26 13:30:42.589657: | -> UNDEFINED EVENT_NULL Aug 26 13:30:42.589659: | XAUTH_R0: category: established IKE SA flags: 0: Aug 26 13:30:42.589661: | -> XAUTH_R1 EVENT_NULL Aug 26 13:30:42.589664: | XAUTH_R1: category: established IKE SA flags: 0: Aug 26 13:30:42.589666: | -> MAIN_R3 EVENT_SA_REPLACE Aug 26 13:30:42.589668: | MODE_CFG_R0: category: informational flags: 0: Aug 26 13:30:42.589670: | -> 
MODE_CFG_R1 EVENT_SA_REPLACE Aug 26 13:30:42.589673: | MODE_CFG_R1: category: established IKE SA flags: 0: Aug 26 13:30:42.589675: | -> MODE_CFG_R2 EVENT_SA_REPLACE Aug 26 13:30:42.589678: | MODE_CFG_R2: category: established IKE SA flags: 0: Aug 26 13:30:42.589680: | -> UNDEFINED EVENT_NULL Aug 26 13:30:42.589683: | MODE_CFG_I1: category: established IKE SA flags: 0: Aug 26 13:30:42.589685: | -> MAIN_I4 EVENT_SA_REPLACE Aug 26 13:30:42.589688: | XAUTH_I0: category: established IKE SA flags: 0: Aug 26 13:30:42.589690: | -> XAUTH_I1 EVENT_RETRANSMIT Aug 26 13:30:42.589693: | XAUTH_I1: category: established IKE SA flags: 0: Aug 26 13:30:42.589696: | -> MAIN_I4 EVENT_RETRANSMIT Aug 26 13:30:42.589702: | checking IKEv2 state table Aug 26 13:30:42.589709: | PARENT_I0: category: ignore flags: 0: Aug 26 13:30:42.589712: | -> PARENT_I1 EVENT_RETRANSMIT send-request (initiate IKE_SA_INIT) Aug 26 13:30:42.589716: | PARENT_I1: category: half-open IKE SA flags: 0: Aug 26 13:30:42.589719: | -> PARENT_I1 EVENT_RETAIN send-request (Initiator: process SA_INIT reply notification) Aug 26 13:30:42.589722: | -> PARENT_I2 EVENT_RETRANSMIT send-request (Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH) Aug 26 13:30:42.589725: | PARENT_I2: category: open IKE SA flags: 0: Aug 26 13:30:42.589728: | -> PARENT_I2 EVENT_NULL (Initiator: process INVALID_SYNTAX AUTH notification) Aug 26 13:30:42.589731: | -> PARENT_I2 EVENT_NULL (Initiator: process AUTHENTICATION_FAILED AUTH notification) Aug 26 13:30:42.589734: | -> PARENT_I2 EVENT_NULL (Initiator: process UNSUPPORTED_CRITICAL_PAYLOAD AUTH notification) Aug 26 13:30:42.589737: | -> V2_IPSEC_I EVENT_SA_REPLACE (Initiator: process IKE_AUTH response) Aug 26 13:30:42.589740: | -> PARENT_I2 EVENT_NULL (IKE SA: process IKE_AUTH response containing unknown notification) Aug 26 13:30:42.589744: | PARENT_I3: category: established IKE SA flags: 0: Aug 26 13:30:42.589746: | -> PARENT_I3 EVENT_RETAIN (I3: Informational Request) Aug 26 
13:30:42.589750: | -> PARENT_I3 EVENT_RETAIN (I3: Informational Response) Aug 26 13:30:42.589752: | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Request) Aug 26 13:30:42.589755: | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Response) Aug 26 13:30:42.589758: | PARENT_R0: category: half-open IKE SA flags: 0: Aug 26 13:30:42.589761: | -> PARENT_R1 EVENT_SO_DISCARD send-request (Respond to IKE_SA_INIT) Aug 26 13:30:42.589764: | PARENT_R1: category: half-open IKE SA flags: 0: Aug 26 13:30:42.589767: | -> PARENT_R1 EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request (no SKEYSEED)) Aug 26 13:30:42.589770: | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request) Aug 26 13:30:42.589773: | PARENT_R2: category: established IKE SA flags: 0: Aug 26 13:30:42.589776: | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Request) Aug 26 13:30:42.589781: | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Response) Aug 26 13:30:42.589785: | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Request) Aug 26 13:30:42.589788: | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Response) Aug 26 13:30:42.589791: | V2_CREATE_I0: category: established IKE SA flags: 0: Aug 26 13:30:42.589794: | -> V2_CREATE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec SA) Aug 26 13:30:42.589798: | V2_CREATE_I: category: established IKE SA flags: 0: Aug 26 13:30:42.589801: | -> V2_IPSEC_I EVENT_SA_REPLACE (Process CREATE_CHILD_SA IPsec SA Response) Aug 26 13:30:42.589804: | V2_REKEY_IKE_I0: category: established IKE SA flags: 0: Aug 26 13:30:42.589807: | -> V2_REKEY_IKE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IKE Rekey) Aug 26 13:30:42.589810: | V2_REKEY_IKE_I: category: established IKE SA flags: 0: Aug 26 13:30:42.589813: | -> PARENT_I3 EVENT_SA_REPLACE (Process CREATE_CHILD_SA IKE Rekey Response) Aug 26 13:30:42.589815: | V2_REKEY_CHILD_I0: category: established IKE SA flags: 0: Aug 26 13:30:42.589816: | -> 
V2_REKEY_CHILD_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec Rekey SA) Aug 26 13:30:42.589818: | V2_REKEY_CHILD_I: category: established IKE SA flags: 0: Aug 26 13:30:42.589820: | V2_CREATE_R: category: established IKE SA flags: 0: Aug 26 13:30:42.589822: | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IPsec SA Request) Aug 26 13:30:42.589824: | V2_REKEY_IKE_R: category: established IKE SA flags: 0: Aug 26 13:30:42.589825: | -> PARENT_R2 EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IKE Rekey) Aug 26 13:30:42.589827: | V2_REKEY_CHILD_R: category: established IKE SA flags: 0: Aug 26 13:30:42.589829: | V2_IPSEC_I: category: established CHILD SA flags: 0: Aug 26 13:30:42.589831: | V2_IPSEC_R: category: established CHILD SA flags: 0: Aug 26 13:30:42.589833: | IKESA_DEL: category: established IKE SA flags: 0: Aug 26 13:30:42.589834: | -> IKESA_DEL EVENT_RETAIN (IKE_SA_DEL: process INFORMATIONAL) Aug 26 13:30:42.589836: | CHILDSA_DEL: category: informational flags: 0: Aug 26 13:30:42.589902: Using Linux XFRM/NETKEY IPsec interface code on 5.1.18-200.fc29.x86_64 Aug 26 13:30:42.590353: | Hard-wiring algorithms Aug 26 13:30:42.590365: | adding AES_CCM_16 to kernel algorithm db Aug 26 13:30:42.590370: | adding AES_CCM_12 to kernel algorithm db Aug 26 13:30:42.590372: | adding AES_CCM_8 to kernel algorithm db Aug 26 13:30:42.590375: | adding 3DES_CBC to kernel algorithm db Aug 26 13:30:42.590378: | adding CAMELLIA_CBC to kernel algorithm db Aug 26 13:30:42.590381: | adding AES_GCM_16 to kernel algorithm db Aug 26 13:30:42.590384: | adding AES_GCM_12 to kernel algorithm db Aug 26 13:30:42.590387: | adding AES_GCM_8 to kernel algorithm db Aug 26 13:30:42.590390: | adding AES_CTR to kernel algorithm db Aug 26 13:30:42.590393: | adding AES_CBC to kernel algorithm db Aug 26 13:30:42.590395: | adding SERPENT_CBC to kernel algorithm db Aug 26 13:30:42.590397: | adding TWOFISH_CBC to kernel algorithm db Aug 26 13:30:42.590400: 
| adding NULL_AUTH_AES_GMAC to kernel algorithm db Aug 26 13:30:42.590402: | adding NULL to kernel algorithm db Aug 26 13:30:42.590405: | adding CHACHA20_POLY1305 to kernel algorithm db Aug 26 13:30:42.590408: | adding HMAC_MD5_96 to kernel algorithm db Aug 26 13:30:42.590410: | adding HMAC_SHA1_96 to kernel algorithm db Aug 26 13:30:42.590413: | adding HMAC_SHA2_512_256 to kernel algorithm db Aug 26 13:30:42.590416: | adding HMAC_SHA2_384_192 to kernel algorithm db Aug 26 13:30:42.590418: | adding HMAC_SHA2_256_128 to kernel algorithm db Aug 26 13:30:42.590421: | adding HMAC_SHA2_256_TRUNCBUG to kernel algorithm db Aug 26 13:30:42.590424: | adding AES_XCBC_96 to kernel algorithm db Aug 26 13:30:42.590426: | adding AES_CMAC_96 to kernel algorithm db Aug 26 13:30:42.590429: | adding NONE to kernel algorithm db Aug 26 13:30:42.590456: | net.ipv6.conf.all.disable_ipv6=1 ignore ipv6 holes Aug 26 13:30:42.590464: | global periodic timer EVENT_SHUNT_SCAN enabled with interval of 20 seconds Aug 26 13:30:42.590467: | setup kernel fd callback Aug 26 13:30:42.590471: | add_fd_read_event_handler: new KERNEL_XRM_FD-pe@0x55676aaedba8 Aug 26 13:30:42.590476: | libevent_malloc: new ptr-libevent@0x55676aad13b8 size 128 Aug 26 13:30:42.590480: | libevent_malloc: new ptr-libevent@0x55676aaed108 size 16 Aug 26 13:30:42.590487: | add_fd_read_event_handler: new KERNEL_ROUTE_FD-pe@0x55676aaecff8 Aug 26 13:30:42.590492: | libevent_malloc: new ptr-libevent@0x55676aa97d78 size 128 Aug 26 13:30:42.590495: | libevent_malloc: new ptr-libevent@0x55676aaedaf8 size 16 Aug 26 13:30:42.590757: | global one-shot timer EVENT_CHECK_CRLS initialized Aug 26 13:30:42.590767: selinux support is enabled. 
Aug 26 13:30:42.591003: | unbound context created - setting debug level to 5 Aug 26 13:30:42.591034: | /etc/hosts lookups activated Aug 26 13:30:42.591048: | /etc/resolv.conf usage activated Aug 26 13:30:42.591283: | outgoing-port-avoid set 0-65535 Aug 26 13:30:42.591333: | outgoing-port-permit set 32768-60999 Aug 26 13:30:42.591340: | Loading dnssec root key from:/var/lib/unbound/root.key Aug 26 13:30:42.591344: | No additional dnssec trust anchors defined via dnssec-trusted= option Aug 26 13:30:42.591348: | Setting up events, loop start Aug 26 13:30:42.591351: | add_fd_read_event_handler: new PLUTO_CTL_FD-pe@0x55676aaedb38 Aug 26 13:30:42.591355: | libevent_malloc: new ptr-libevent@0x55676aaf9df8 size 128 Aug 26 13:30:42.591359: | libevent_malloc: new ptr-libevent@0x55676ab05108 size 16 Aug 26 13:30:42.591367: | libevent_realloc: new ptr-libevent@0x55676ab05148 size 256 Aug 26 13:30:42.591371: | libevent_malloc: new ptr-libevent@0x55676ab05278 size 8 Aug 26 13:30:42.591375: | libevent_realloc: new ptr-libevent@0x55676aa977a8 size 144 Aug 26 13:30:42.591378: | libevent_malloc: new ptr-libevent@0x55676aa98fe8 size 152 Aug 26 13:30:42.591381: | libevent_malloc: new ptr-libevent@0x55676ab052b8 size 16 Aug 26 13:30:42.591386: | signal event handler PLUTO_SIGCHLD installed Aug 26 13:30:42.591389: | libevent_malloc: new ptr-libevent@0x55676ab052f8 size 8 Aug 26 13:30:42.591392: | libevent_malloc: new ptr-libevent@0x55676ab05338 size 152 Aug 26 13:30:42.591396: | signal event handler PLUTO_SIGTERM installed Aug 26 13:30:42.591399: | libevent_malloc: new ptr-libevent@0x55676ab05408 size 8 Aug 26 13:30:42.591402: | libevent_malloc: new ptr-libevent@0x55676ab05448 size 152 Aug 26 13:30:42.591405: | signal event handler PLUTO_SIGHUP installed Aug 26 13:30:42.591408: | libevent_malloc: new ptr-libevent@0x55676ab05518 size 8 Aug 26 13:30:42.591411: | libevent_realloc: release ptr-libevent@0x55676aa977a8 Aug 26 13:30:42.591415: | libevent_realloc: new 
ptr-libevent@0x55676ab05558 size 256 Aug 26 13:30:42.591418: | libevent_malloc: new ptr-libevent@0x55676ab05688 size 152 Aug 26 13:30:42.591422: | signal event handler PLUTO_SIGSYS installed Aug 26 13:30:42.591765: | created addconn helper (pid:10233) using fork+execve Aug 26 13:30:42.591783: | forked child 10233 Aug 26 13:30:42.591838: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 13:30:42.592245: listening for IKE messages Aug 26 13:30:42.592633: | Inspecting interface lo Aug 26 13:30:42.592646: | found lo with address 127.0.0.1 Aug 26 13:30:42.592649: | Inspecting interface eth0 Aug 26 13:30:42.592654: | found eth0 with address 192.0.2.254 Aug 26 13:30:42.592659: | Inspecting interface eth1 Aug 26 13:30:42.592663: | found eth1 with address 192.1.2.23 Aug 26 13:30:42.592744: Kernel supports NIC esp-hw-offload Aug 26 13:30:42.592757: adding interface eth1/eth1 (esp-hw-offload not supported by kernel) 192.1.2.23:500 Aug 26 13:30:42.592780: | NAT-Traversal: Trying sockopt style NAT-T Aug 26 13:30:42.592786: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 Aug 26 13:30:42.592790: adding interface eth1/eth1 192.1.2.23:4500 Aug 26 13:30:42.592821: adding interface eth0/eth0 (esp-hw-offload not supported by kernel) 192.0.2.254:500 Aug 26 13:30:42.592842: | NAT-Traversal: Trying sockopt style NAT-T Aug 26 13:30:42.592846: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 Aug 26 13:30:42.592850: adding interface eth0/eth0 192.0.2.254:4500 Aug 26 13:30:42.592874: adding interface lo/lo (esp-hw-offload not supported by kernel) 127.0.0.1:500 Aug 26 13:30:42.592897: | NAT-Traversal: Trying sockopt style NAT-T Aug 26 13:30:42.592902: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 Aug 26 13:30:42.592906: adding interface lo/lo 127.0.0.1:4500 Aug 26 13:30:42.592971: | no interfaces to sort Aug 26 
13:30:42.592977: | FOR_EACH_UNORIENTED_CONNECTION_... in check_orientations Aug 26 13:30:42.592986: | add_fd_read_event_handler: new ethX-pe@0x55676ab05bd8 Aug 26 13:30:42.592990: | libevent_malloc: new ptr-libevent@0x55676aaf9d48 size 128 Aug 26 13:30:42.592994: | libevent_malloc: new ptr-libevent@0x55676ab05c48 size 16 Aug 26 13:30:42.593002: | setup callback for interface lo 127.0.0.1:4500 fd 22 Aug 26 13:30:42.593005: | add_fd_read_event_handler: new ethX-pe@0x55676ab05c88 Aug 26 13:30:42.593010: | libevent_malloc: new ptr-libevent@0x55676aa963c8 size 128 Aug 26 13:30:42.593014: | libevent_malloc: new ptr-libevent@0x55676ab05cf8 size 16 Aug 26 13:30:42.593019: | setup callback for interface lo 127.0.0.1:500 fd 21 Aug 26 13:30:42.593022: | add_fd_read_event_handler: new ethX-pe@0x55676ab05d38 Aug 26 13:30:42.593025: | libevent_malloc: new ptr-libevent@0x55676aa962c8 size 128 Aug 26 13:30:42.593028: | libevent_malloc: new ptr-libevent@0x55676ab05da8 size 16 Aug 26 13:30:42.593033: | setup callback for interface eth0 192.0.2.254:4500 fd 20 Aug 26 13:30:42.593036: | add_fd_read_event_handler: new ethX-pe@0x55676ab05de8 Aug 26 13:30:42.593041: | libevent_malloc: new ptr-libevent@0x55676aa976a8 size 128 Aug 26 13:30:42.593044: | libevent_malloc: new ptr-libevent@0x55676ab05e58 size 16 Aug 26 13:30:42.593049: | setup callback for interface eth0 192.0.2.254:500 fd 19 Aug 26 13:30:42.593052: | add_fd_read_event_handler: new ethX-pe@0x55676ab05e98 Aug 26 13:30:42.593057: | libevent_malloc: new ptr-libevent@0x55676aa664e8 size 128 Aug 26 13:30:42.593060: | libevent_malloc: new ptr-libevent@0x55676ab05f08 size 16 Aug 26 13:30:42.593067: | setup callback for interface eth1 192.1.2.23:4500 fd 18 Aug 26 13:30:42.593070: | add_fd_read_event_handler: new ethX-pe@0x55676ab05f48 Aug 26 13:30:42.593073: | libevent_malloc: new ptr-libevent@0x55676aa661d8 size 128 Aug 26 13:30:42.593075: | libevent_malloc: new ptr-libevent@0x55676ab05fb8 size 16 Aug 26 13:30:42.593081: | setup 
callback for interface eth1 192.1.2.23:500 fd 17 Aug 26 13:30:42.593086: | certs and keys locked by 'free_preshared_secrets' Aug 26 13:30:42.593089: | certs and keys unlocked by 'free_preshared_secrets' Aug 26 13:30:42.593111: loading secrets from "/etc/ipsec.secrets" Aug 26 13:30:42.593124: | Processing PSK at line 1: passed Aug 26 13:30:42.593128: | certs and keys locked by 'process_secret' Aug 26 13:30:42.593133: | certs and keys unlocked by 'process_secret' Aug 26 13:30:42.593143: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 13:30:42.593151: | spent 1.32 milliseconds in whack Aug 26 13:30:42.622954: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 13:30:42.622986: listening for IKE messages Aug 26 13:30:42.623027: | Inspecting interface lo Aug 26 13:30:42.623036: | found lo with address 127.0.0.1 Aug 26 13:30:42.623040: | Inspecting interface eth0 Aug 26 13:30:42.623045: | found eth0 with address 192.0.2.254 Aug 26 13:30:42.623048: | Inspecting interface eth1 Aug 26 13:30:42.623052: | found eth1 with address 192.1.2.23 Aug 26 13:30:42.623115: | no interfaces to sort Aug 26 13:30:42.623126: | libevent_free: release ptr-libevent@0x55676aaf9d48 Aug 26 13:30:42.623130: | free_event_entry: release EVENT_NULL-pe@0x55676ab05bd8 Aug 26 13:30:42.623139: | add_fd_read_event_handler: new ethX-pe@0x55676ab05bd8 Aug 26 13:30:42.623143: | libevent_malloc: new ptr-libevent@0x55676aaf9d48 size 128 Aug 26 13:30:42.623152: | setup callback for interface lo 127.0.0.1:4500 fd 22 Aug 26 13:30:42.623157: | libevent_free: release ptr-libevent@0x55676aa963c8 Aug 26 13:30:42.623160: | free_event_entry: release EVENT_NULL-pe@0x55676ab05c88 Aug 26 13:30:42.623163: | add_fd_read_event_handler: new ethX-pe@0x55676ab05c88 Aug 26 13:30:42.623165: | libevent_malloc: new ptr-libevent@0x55676aa963c8 size 128 Aug 26 13:30:42.623169: | setup callback for interface lo 127.0.0.1:500 fd 21 Aug 26 
13:30:42.623173: | libevent_free: release ptr-libevent@0x55676aa962c8 Aug 26 13:30:42.623176: | free_event_entry: release EVENT_NULL-pe@0x55676ab05d38 Aug 26 13:30:42.623179: | add_fd_read_event_handler: new ethX-pe@0x55676ab05d38 Aug 26 13:30:42.623181: | libevent_malloc: new ptr-libevent@0x55676aa962c8 size 128 Aug 26 13:30:42.623186: | setup callback for interface eth0 192.0.2.254:4500 fd 20 Aug 26 13:30:42.623190: | libevent_free: release ptr-libevent@0x55676aa976a8 Aug 26 13:30:42.623193: | free_event_entry: release EVENT_NULL-pe@0x55676ab05de8 Aug 26 13:30:42.623196: | add_fd_read_event_handler: new ethX-pe@0x55676ab05de8 Aug 26 13:30:42.623199: | libevent_malloc: new ptr-libevent@0x55676aa976a8 size 128 Aug 26 13:30:42.623203: | setup callback for interface eth0 192.0.2.254:500 fd 19 Aug 26 13:30:42.623207: | libevent_free: release ptr-libevent@0x55676aa664e8 Aug 26 13:30:42.623210: | free_event_entry: release EVENT_NULL-pe@0x55676ab05e98 Aug 26 13:30:42.623213: | add_fd_read_event_handler: new ethX-pe@0x55676ab05e98 Aug 26 13:30:42.623215: | libevent_malloc: new ptr-libevent@0x55676aa664e8 size 128 Aug 26 13:30:42.623220: | setup callback for interface eth1 192.1.2.23:4500 fd 18 Aug 26 13:30:42.623224: | libevent_free: release ptr-libevent@0x55676aa661d8 Aug 26 13:30:42.623226: | free_event_entry: release EVENT_NULL-pe@0x55676ab05f48 Aug 26 13:30:42.623229: | add_fd_read_event_handler: new ethX-pe@0x55676ab05f48 Aug 26 13:30:42.623232: | libevent_malloc: new ptr-libevent@0x55676aa661d8 size 128 Aug 26 13:30:42.623236: | setup callback for interface eth1 192.1.2.23:500 fd 17 Aug 26 13:30:42.623240: | certs and keys locked by 'free_preshared_secrets' Aug 26 13:30:42.623242: forgetting secrets Aug 26 13:30:42.623251: | certs and keys unlocked by 'free_preshared_secrets' Aug 26 13:30:42.623265: loading secrets from "/etc/ipsec.secrets" Aug 26 13:30:42.623274: | Processing PSK at line 1: passed Aug 26 13:30:42.623278: | certs and keys locked by 'process_secret' 
Aug 26 13:30:42.623280: | certs and keys unlocked by 'process_secret' Aug 26 13:30:42.623293: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 13:30:42.623304: | spent 0.357 milliseconds in whack Aug 26 13:30:42.623742: | processing signal PLUTO_SIGCHLD Aug 26 13:30:42.623754: | waitpid returned pid 10233 (exited with status 0) Aug 26 13:30:42.623759: | reaped addconn helper child (status 0) Aug 26 13:30:42.623764: | waitpid returned ECHILD (no child processes left) Aug 26 13:30:42.623770: | spent 0.0183 milliseconds in signal handler PLUTO_SIGCHLD Aug 26 13:30:42.674106: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 13:30:42.674129: | FOR_EACH_CONNECTION_... in conn_by_name Aug 26 13:30:42.674134: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias Aug 26 13:30:42.674138: | FOR_EACH_CONNECTION_... in conn_by_name Aug 26 13:30:42.674141: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias Aug 26 13:30:42.674146: | FOR_EACH_CONNECTION_... in conn_by_name Aug 26 13:30:42.674186: | Added new connection eastnet-northnet with policy PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO Aug 26 13:30:42.674272: | ike (phase1) algorithm values: AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 Aug 26 13:30:42.674282: | from whack: got --esp=aes_gcm Aug 26 13:30:42.674295: | ESP/AH string values: AES_GCM_16-NONE Aug 26 13:30:42.674303: | counting wild cards for (none) is 15 Aug 26 13:30:42.674309: | counting wild cards for 192.1.2.23 is 0 Aug 26 13:30:42.674316: | based upon policy, the connection is a template. 
Aug 26 13:30:42.674324: | connect_to_host_pair: 192.1.2.23:500 0.0.0.0:500 -> hp@(nil): none Aug 26 13:30:42.674328: | new hp@0x55676ab07df8 Aug 26 13:30:42.674332: added connection description "eastnet-northnet" Aug 26 13:30:42.674346: | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO Aug 26 13:30:42.674356: | 192.0.2.0/24===192.1.2.23<192.1.2.23>...%any===192.0.3.0/24 Aug 26 13:30:42.674365: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 13:30:42.674373: | spent 0.274 milliseconds in whack Aug 26 13:30:44.399689: | spent 0.00246 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Aug 26 13:30:44.399716: | *received 828 bytes from 192.1.3.33:500 on eth1 (192.1.2.23:500)
Aug 26 13:30:44.399815: | start processing: from 192.1.3.33:500 (in process_md() at demux.c:378) Aug 26 13:30:44.399817: | **parse ISAKMP Message: Aug 26 13:30:44.399819: | initiator cookie: Aug 26 13:30:44.399821: | 43 1d e9 7d 41 27 07 f3 Aug 26 13:30:44.399822: | responder cookie: Aug 26 13:30:44.399824: | 00 00 00 00 00 00 00 00 Aug 26 13:30:44.399825: | next payload type: ISAKMP_NEXT_v2SA (0x21) Aug 26 13:30:44.399827: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:30:44.399829: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) Aug 26 13:30:44.399831: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Aug 26 13:30:44.399832: | Message ID: 0 (0x0) Aug 26 13:30:44.399834: | length: 828 (0x33c) Aug 26 13:30:44.399836: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_SA_INIT (34) Aug 26 13:30:44.399838: | I am the IKE SA Original Responder receiving an IKEv2 IKE_SA_INIT request Aug 26 13:30:44.399840: | State DB: IKEv2 state not found (find_v2_ike_sa_by_initiator_spi) Aug 26 13:30:44.399842: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Aug 26 13:30:44.399845: | ***parse IKEv2 Security Association Payload: Aug 26 13:30:44.399846: | next payload type: ISAKMP_NEXT_v2KE (0x22) Aug 26 13:30:44.399848: | flags: none (0x0) Aug 26 13:30:44.399849: |
length: 436 (0x1b4) Aug 26 13:30:44.399851: | processing payload: ISAKMP_NEXT_v2SA (len=432) Aug 26 13:30:44.399853: | Now let's proceed with payload (ISAKMP_NEXT_v2KE) Aug 26 13:30:44.399855: | ***parse IKEv2 Key Exchange Payload: Aug 26 13:30:44.399856: | next payload type: ISAKMP_NEXT_v2Ni (0x28) Aug 26 13:30:44.399858: | flags: none (0x0) Aug 26 13:30:44.399859: | length: 264 (0x108) Aug 26 13:30:44.399861: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:30:44.399862: | processing payload: ISAKMP_NEXT_v2KE (len=256) Aug 26 13:30:44.399864: | Now let's proceed with payload (ISAKMP_NEXT_v2Ni) Aug 26 13:30:44.399865: | ***parse IKEv2 Nonce Payload: Aug 26 13:30:44.399867: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 13:30:44.399868: | flags: none (0x0) Aug 26 13:30:44.399870: | length: 36 (0x24) Aug 26 13:30:44.399872: | processing payload: ISAKMP_NEXT_v2Ni (len=32) Aug 26 13:30:44.399873: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Aug 26 13:30:44.399875: | ***parse IKEv2 Notify Payload: Aug 26 13:30:44.399876: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 13:30:44.399878: | flags: none (0x0) Aug 26 13:30:44.399879: | length: 8 (0x8) Aug 26 13:30:44.399881: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:30:44.399882: | SPI size: 0 (0x0) Aug 26 13:30:44.399884: | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) Aug 26 13:30:44.399887: | processing payload: ISAKMP_NEXT_v2N (len=0) Aug 26 13:30:44.399889: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Aug 26 13:30:44.399890: | ***parse IKEv2 Notify Payload: Aug 26 13:30:44.399892: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 13:30:44.399893: | flags: none (0x0) Aug 26 13:30:44.399895: | length: 28 (0x1c) Aug 26 13:30:44.399896: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:30:44.399898: | SPI size: 0 (0x0) Aug 26 13:30:44.399899: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Aug 26 13:30:44.399901: | processing payload: ISAKMP_NEXT_v2N (len=20) Aug 26 
13:30:44.399902: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Aug 26 13:30:44.399904: | ***parse IKEv2 Notify Payload: Aug 26 13:30:44.399905: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:30:44.399907: | flags: none (0x0) Aug 26 13:30:44.399908: | length: 28 (0x1c) Aug 26 13:30:44.399910: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:30:44.399911: | SPI size: 0 (0x0) Aug 26 13:30:44.399913: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Aug 26 13:30:44.399914: | processing payload: ISAKMP_NEXT_v2N (len=20) Aug 26 13:30:44.399916: | DDOS disabled and no cookie sent, continuing Aug 26 13:30:44.399920: | find_host_connection local=192.1.2.23:500 remote=192.1.3.33:500 policy=ECDSA+IKEV2_ALLOW but ignoring ports Aug 26 13:30:44.399922: | find_next_host_connection policy=ECDSA+IKEV2_ALLOW Aug 26 13:30:44.399924: | find_next_host_connection returns empty Aug 26 13:30:44.399926: | find_host_connection local=192.1.2.23:500 remote= policy=ECDSA+IKEV2_ALLOW but ignoring ports Aug 26 13:30:44.399929: | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports Aug 26 13:30:44.399931: | find_next_host_connection policy=ECDSA+IKEV2_ALLOW Aug 26 13:30:44.399934: | found policy = PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO (eastnet-northnet) Aug 26 13:30:44.399935: | find_next_host_connection returns empty Aug 26 13:30:44.399938: | initial parent SA message received on 192.1.2.23:500 but no connection has been authorized with policy ECDSA+IKEV2_ALLOW Aug 26 13:30:44.399940: | find_host_connection local=192.1.2.23:500 remote=192.1.3.33:500 policy=RSASIG+IKEV2_ALLOW but ignoring ports Aug 26 13:30:44.399942: | find_next_host_connection policy=RSASIG+IKEV2_ALLOW Aug 26 13:30:44.399944: | find_next_host_connection returns empty Aug 26 13:30:44.399946: | find_host_connection local=192.1.2.23:500 remote= policy=RSASIG+IKEV2_ALLOW but ignoring ports Aug 26 13:30:44.399949: | find_host_pair: comparing 
192.1.2.23:500 to 0.0.0.0:500 but ignoring ports Aug 26 13:30:44.399950: | find_next_host_connection policy=RSASIG+IKEV2_ALLOW Aug 26 13:30:44.399952: | found policy = PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO (eastnet-northnet) Aug 26 13:30:44.399954: | find_next_host_connection returns empty Aug 26 13:30:44.399956: | initial parent SA message received on 192.1.2.23:500 but no connection has been authorized with policy RSASIG+IKEV2_ALLOW Aug 26 13:30:44.399959: | find_host_connection local=192.1.2.23:500 remote=192.1.3.33:500 policy=PSK+IKEV2_ALLOW but ignoring ports Aug 26 13:30:44.399960: | find_next_host_connection policy=PSK+IKEV2_ALLOW Aug 26 13:30:44.399962: | find_next_host_connection returns empty Aug 26 13:30:44.399964: | find_host_connection local=192.1.2.23:500 remote= policy=PSK+IKEV2_ALLOW but ignoring ports Aug 26 13:30:44.399967: | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports Aug 26 13:30:44.399968: | find_next_host_connection policy=PSK+IKEV2_ALLOW Aug 26 13:30:44.399970: | found policy = PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO (eastnet-northnet) Aug 26 13:30:44.399972: | find_next_host_connection returns eastnet-northnet Aug 26 13:30:44.399973: | find_next_host_connection policy=PSK+IKEV2_ALLOW Aug 26 13:30:44.399975: | find_next_host_connection returns empty Aug 26 13:30:44.399978: | rw_instantiate Aug 26 13:30:44.399982: | connect_to_host_pair: 192.1.2.23:500 192.1.3.33:500 -> hp@(nil): none Aug 26 13:30:44.399984: | new hp@0x55676ab09d58 Aug 26 13:30:44.399988: | rw_instantiate() instantiated "eastnet-northnet"[1] 192.1.3.33 for 192.1.3.33 Aug 26 13:30:44.399991: | found connection: eastnet-northnet[1] 192.1.3.33 with policy PSK+IKEV2_ALLOW Aug 26 13:30:44.399994: | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports Aug 26 13:30:44.400013: | creating state object #1 at 0x55676ab0a2a8 Aug 26 13:30:44.400015: | State DB: 
adding IKEv2 state #1 in UNDEFINED Aug 26 13:30:44.400021: | pstats #1 ikev2.ike started Aug 26 13:30:44.400023: | Message ID: init #1: msgid=0 lastack=4294967295 nextuse=0 lastrecv=4294967295 lastreplied=0 Aug 26 13:30:44.400025: | parent state #1: UNDEFINED(ignore) => PARENT_R0(half-open IKE SA) Aug 26 13:30:44.400029: | Message ID: init_ike #1; ike: initiator.sent=0->-1 initiator.recv=0->-1 responder.sent=0->-1 responder.recv=0->-1 wip.initiator=0->-1 wip.responder=0->-1 Aug 26 13:30:44.400034: | start processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33 (in ikev2_process_packet() at ikev2.c:2016) Aug 26 13:30:44.400036: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Aug 26 13:30:44.400040: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33 (in ike_process_packet() at ikev2.c:2064) Aug 26 13:30:44.400042: | #1 st.st_msgid_lastrecv -1 md.hdr.isa_msgid 00000000 Aug 26 13:30:44.400044: | Message ID: #1 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1 Aug 26 13:30:44.400047: | Message ID: start-responder #1 request 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1 wip.initiator=-1 wip.responder=-1->0 Aug 26 13:30:44.400049: | #1 in state PARENT_R0: processing SA_INIT request Aug 26 13:30:44.400051: | selected state microcode Respond to IKE_SA_INIT Aug 26 13:30:44.400053: | Now let's proceed with state specific processing Aug 26 13:30:44.400054: | calling processor Respond to IKE_SA_INIT Aug 26 13:30:44.400061: | #1 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2669) Aug 26 13:30:44.400063: | constructing local IKE proposals for eastnet-northnet (IKE SA responder matching remote proposals) Aug 26 13:30:44.400068: | converting ike_info 
AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Aug 26 13:30:44.400074: | ... ikev2_proposal: 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Aug 26 13:30:44.400076: | converting ike_info AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Aug 26 13:30:44.400079: | ... ikev2_proposal: 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Aug 26 13:30:44.400082: | converting ike_info AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Aug 26 13:30:44.400085: | ... ikev2_proposal: 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Aug 26 13:30:44.400088: | converting ike_info AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Aug 26 13:30:44.400091: | ... 
ikev2_proposal: 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Aug 26 13:30:44.400097: "eastnet-northnet"[1] 192.1.3.33: constructed local IKE proposals for eastnet-northnet (IKE SA responder matching remote proposals): 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Aug 26 13:30:44.400101: | Comparing remote proposals against IKE responder 4 local proposals Aug 26 13:30:44.400105: | local proposal 1 type ENCR has 1 transforms Aug 26 13:30:44.400106: | local proposal 1 type PRF has 2 transforms Aug 26 13:30:44.400108: | local proposal 1 type INTEG has 1 transforms Aug 26 13:30:44.400110: | local proposal 1 type DH has 8 transforms Aug 26 13:30:44.400111: | local proposal 1 type ESN has 0 transforms Aug 26 13:30:44.400114: | local proposal 1 transforms: required: ENCR+PRF+DH; optional: INTEG Aug 26 13:30:44.400115: | local proposal 2 type ENCR has 1 transforms Aug 26 13:30:44.400117: | local proposal 2 type PRF has 2 transforms Aug 26 13:30:44.400118: | local proposal 2 type INTEG has 1 transforms Aug 26 13:30:44.400120: | local proposal 2 type DH has 8 transforms Aug 26 13:30:44.400122: | local proposal 2 type ESN has 0 transforms Aug 26 13:30:44.400123: | local proposal 2 transforms: required: ENCR+PRF+DH; optional: INTEG Aug 26 13:30:44.400125: | local proposal 3 type ENCR 
has 1 transforms Aug 26 13:30:44.400127: | local proposal 3 type PRF has 2 transforms Aug 26 13:30:44.400128: | local proposal 3 type INTEG has 2 transforms Aug 26 13:30:44.400130: | local proposal 3 type DH has 8 transforms Aug 26 13:30:44.400131: | local proposal 3 type ESN has 0 transforms Aug 26 13:30:44.400133: | local proposal 3 transforms: required: ENCR+PRF+INTEG+DH; optional: none Aug 26 13:30:44.400135: | local proposal 4 type ENCR has 1 transforms Aug 26 13:30:44.400136: | local proposal 4 type PRF has 2 transforms Aug 26 13:30:44.400138: | local proposal 4 type INTEG has 2 transforms Aug 26 13:30:44.400139: | local proposal 4 type DH has 8 transforms Aug 26 13:30:44.400141: | local proposal 4 type ESN has 0 transforms Aug 26 13:30:44.400143: | local proposal 4 transforms: required: ENCR+PRF+INTEG+DH; optional: none Aug 26 13:30:44.400145: | ****parse IKEv2 Proposal Substructure Payload: Aug 26 13:30:44.400146: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 13:30:44.400148: | length: 100 (0x64) Aug 26 13:30:44.400150: | prop #: 1 (0x1) Aug 26 13:30:44.400151: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 13:30:44.400153: | spi size: 0 (0x0) Aug 26 13:30:44.400154: | # transforms: 11 (0xb) Aug 26 13:30:44.400157: | Comparing remote proposal 1 containing 11 transforms against local proposal [1..4] of 4 local proposals Aug 26 13:30:44.400159: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:44.400160: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:44.400162: | length: 12 (0xc) Aug 26 13:30:44.400163: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:30:44.400165: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 13:30:44.400167: | ******parse IKEv2 Attribute Substructure Payload: Aug 26 13:30:44.400169: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:30:44.400170: | length/value: 256 (0x100) Aug 26 13:30:44.400173: | remote proposal 1 transform 0 (ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) transform 0 Aug 26 
13:30:44.400175: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:44.400176: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:44.400178: | length: 8 (0x8) Aug 26 13:30:44.400180: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:30:44.400181: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Aug 26 13:30:44.400184: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 1 type 2 (PRF) transform 0 Aug 26 13:30:44.400187: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 2 type 2 (PRF) transform 0 Aug 26 13:30:44.400189: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 3 type 2 (PRF) transform 0 Aug 26 13:30:44.400191: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 4 type 2 (PRF) transform 0 Aug 26 13:30:44.400192: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:44.400194: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:44.400195: | length: 8 (0x8) Aug 26 13:30:44.400197: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:30:44.400199: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Aug 26 13:30:44.400200: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:44.400202: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:44.400203: | length: 8 (0x8) Aug 26 13:30:44.400205: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:44.400207: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:30:44.400209: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 1 type 4 (DH) transform 0 Aug 26 13:30:44.400211: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 2 type 4 (DH) transform 0 Aug 26 13:30:44.400213: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 3 type 4 (DH) transform 0 Aug 26 13:30:44.400215: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 4 type 4 (DH) transform 0 Aug 26 13:30:44.400216: | *****parse IKEv2 
Transform Substructure Payload: Aug 26 13:30:44.400218: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:44.400219: | length: 8 (0x8) Aug 26 13:30:44.400221: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:44.400223: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Aug 26 13:30:44.400224: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:44.400226: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:44.400227: | length: 8 (0x8) Aug 26 13:30:44.400229: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:44.400231: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Aug 26 13:30:44.400232: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:44.400234: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:44.400235: | length: 8 (0x8) Aug 26 13:30:44.400237: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:44.400239: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Aug 26 13:30:44.400240: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:44.400242: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:44.400243: | length: 8 (0x8) Aug 26 13:30:44.400245: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:44.400246: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Aug 26 13:30:44.400248: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:44.400250: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:44.400251: | length: 8 (0x8) Aug 26 13:30:44.400253: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:44.400254: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Aug 26 13:30:44.400256: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:44.400258: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:44.400259: | length: 8 (0x8) Aug 26 13:30:44.400261: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:44.400262: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Aug 26 13:30:44.400264: | *****parse IKEv2 Transform Substructure 
Payload: Aug 26 13:30:44.400266: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:30:44.400267: | length: 8 (0x8) Aug 26 13:30:44.400269: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:44.400270: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Aug 26 13:30:44.400273: | remote proposal 1 proposed transforms: ENCR+PRF+DH; matched: ENCR+PRF+DH; unmatched: none Aug 26 13:30:44.400277: | comparing remote proposal 1 containing ENCR+PRF+DH transforms to local proposal 1; required: ENCR+PRF+DH; optional: INTEG; matched: ENCR+PRF+DH Aug 26 13:30:44.400279: | remote proposal 1 matches local proposal 1 Aug 26 13:30:44.400281: | ****parse IKEv2 Proposal Substructure Payload: Aug 26 13:30:44.400282: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 13:30:44.400284: | length: 100 (0x64) Aug 26 13:30:44.400285: | prop #: 2 (0x2) Aug 26 13:30:44.400287: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 13:30:44.400294: | spi size: 0 (0x0) Aug 26 13:30:44.400297: | # transforms: 11 (0xb) Aug 26 13:30:44.400300: | Comparing remote proposal 2 containing 11 transforms against local proposal [1..0] of 4 local proposals Aug 26 13:30:44.400302: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:44.400304: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:44.400323: | length: 12 (0xc) Aug 26 13:30:44.400324: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:30:44.400326: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 13:30:44.400328: | ******parse IKEv2 Attribute Substructure Payload: Aug 26 13:30:44.400329: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:30:44.400331: | length/value: 128 (0x80) Aug 26 13:30:44.400333: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:44.400334: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:44.400336: | length: 8 (0x8) Aug 26 13:30:44.400338: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:30:44.400339: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Aug 26 13:30:44.400341: | 
*****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:44.400343: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:44.400344: | length: 8 (0x8) Aug 26 13:30:44.400346: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:30:44.400347: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Aug 26 13:30:44.400349: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:44.400351: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:44.400352: | length: 8 (0x8) Aug 26 13:30:44.400354: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:44.400355: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:30:44.400370: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:44.400371: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:44.400373: | length: 8 (0x8) Aug 26 13:30:44.400374: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:44.400376: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Aug 26 13:30:44.400378: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:44.400379: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:44.400381: | length: 8 (0x8) Aug 26 13:30:44.400382: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:44.400384: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Aug 26 13:30:44.400385: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:44.400387: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:44.400388: | length: 8 (0x8) Aug 26 13:30:44.400390: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:44.400391: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Aug 26 13:30:44.400393: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:44.400395: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:44.400396: | length: 8 (0x8) Aug 26 13:30:44.400398: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:44.400399: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Aug 26 13:30:44.400401: | *****parse IKEv2 Transform 
Substructure Payload: Aug 26 13:30:44.400402: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:44.400404: | length: 8 (0x8) Aug 26 13:30:44.400405: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:44.400407: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Aug 26 13:30:44.400409: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:44.400413: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:44.400414: | length: 8 (0x8) Aug 26 13:30:44.400416: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:44.400418: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Aug 26 13:30:44.400419: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:44.400421: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:30:44.400422: | length: 8 (0x8) Aug 26 13:30:44.400424: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:44.400426: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Aug 26 13:30:44.400428: | remote proposal 2 proposed transforms: ENCR+PRF+DH; matched: none; unmatched: ENCR+PRF+DH Aug 26 13:30:44.400430: | remote proposal 2 does not match; unmatched remote transforms: ENCR+PRF+DH Aug 26 13:30:44.400432: | ****parse IKEv2 Proposal Substructure Payload: Aug 26 13:30:44.400433: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Aug 26 13:30:44.400435: | length: 116 (0x74) Aug 26 13:30:44.400436: | prop #: 3 (0x3) Aug 26 13:30:44.400438: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 13:30:44.400439: | spi size: 0 (0x0) Aug 26 13:30:44.400441: | # transforms: 13 (0xd) Aug 26 13:30:44.400443: | Comparing remote proposal 3 containing 13 transforms against local proposal [1..0] of 4 local proposals Aug 26 13:30:44.400445: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:44.400446: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:44.400448: | length: 12 (0xc) Aug 26 13:30:44.400449: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:30:44.400451: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 
13:30:44.400452: | ******parse IKEv2 Attribute Substructure Payload: Aug 26 13:30:44.400454: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:30:44.400456: | length/value: 256 (0x100) Aug 26 13:30:44.400457: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:44.400459: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:44.400461: | length: 8 (0x8) Aug 26 13:30:44.400462: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:30:44.400464: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Aug 26 13:30:44.400465: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:44.400467: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:44.400468: | length: 8 (0x8) Aug 26 13:30:44.400470: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:30:44.400472: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Aug 26 13:30:44.400473: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:44.400475: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:44.400476: | length: 8 (0x8) Aug 26 13:30:44.400478: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:30:44.400479: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Aug 26 13:30:44.400481: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:44.400483: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:44.400484: | length: 8 (0x8) Aug 26 13:30:44.400486: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:30:44.400487: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Aug 26 13:30:44.400489: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:44.400491: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:44.400492: | length: 8 (0x8) Aug 26 13:30:44.400494: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:44.400495: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:30:44.400497: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:44.400498: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 
13:30:44.400500: | length: 8 (0x8) Aug 26 13:30:44.400502: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:44.400503: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Aug 26 13:30:44.400505: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:44.400506: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:44.400508: | length: 8 (0x8) Aug 26 13:30:44.400512: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:44.400514: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Aug 26 13:30:44.400515: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:44.400517: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:44.400518: | length: 8 (0x8) Aug 26 13:30:44.400520: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:44.400521: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Aug 26 13:30:44.400523: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:44.400525: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:44.400526: | length: 8 (0x8) Aug 26 13:30:44.400528: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:44.400529: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Aug 26 13:30:44.400531: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:44.400532: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:44.400534: | length: 8 (0x8) Aug 26 13:30:44.400535: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:44.400537: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Aug 26 13:30:44.400539: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:44.400540: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:44.400542: | length: 8 (0x8) Aug 26 13:30:44.400543: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:44.400545: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Aug 26 13:30:44.400546: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:44.400548: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:30:44.400549: | length: 
8 (0x8) Aug 26 13:30:44.400551: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:44.400552: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Aug 26 13:30:44.400555: | remote proposal 3 proposed transforms: ENCR+PRF+INTEG+DH; matched: none; unmatched: ENCR+PRF+INTEG+DH Aug 26 13:30:44.400557: | remote proposal 3 does not match; unmatched remote transforms: ENCR+PRF+INTEG+DH Aug 26 13:30:44.400558: | ****parse IKEv2 Proposal Substructure Payload: Aug 26 13:30:44.400560: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 13:30:44.400561: | length: 116 (0x74) Aug 26 13:30:44.400563: | prop #: 4 (0x4) Aug 26 13:30:44.400564: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 13:30:44.400566: | spi size: 0 (0x0) Aug 26 13:30:44.400567: | # transforms: 13 (0xd) Aug 26 13:30:44.400569: | Comparing remote proposal 4 containing 13 transforms against local proposal [1..0] of 4 local proposals Aug 26 13:30:44.400571: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:44.400573: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:44.400574: | length: 12 (0xc) Aug 26 13:30:44.400576: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:30:44.400577: | IKEv2 transform ID: AES_CBC (0xc) Aug 26 13:30:44.400579: | ******parse IKEv2 Attribute Substructure Payload: Aug 26 13:30:44.400581: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:30:44.400582: | length/value: 128 (0x80) Aug 26 13:30:44.400584: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:44.400585: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:44.400587: | length: 8 (0x8) Aug 26 13:30:44.400588: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:30:44.400590: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Aug 26 13:30:44.400592: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:44.400593: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:44.400595: | length: 8 (0x8) Aug 26 13:30:44.400596: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 
13:30:44.400598: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Aug 26 13:30:44.400600: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:44.400601: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:44.400603: | length: 8 (0x8) Aug 26 13:30:44.400604: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:30:44.400607: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Aug 26 13:30:44.400608: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:44.400610: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:44.400611: | length: 8 (0x8) Aug 26 13:30:44.400613: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Aug 26 13:30:44.400615: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Aug 26 13:30:44.400616: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:44.400618: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:44.400619: | length: 8 (0x8) Aug 26 13:30:44.400621: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:44.400623: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:30:44.400624: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:44.400626: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:44.400627: | length: 8 (0x8) Aug 26 13:30:44.400629: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:44.400630: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Aug 26 13:30:44.400632: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:44.400634: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:44.400635: | length: 8 (0x8) Aug 26 13:30:44.400637: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:44.400638: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Aug 26 13:30:44.400640: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:44.400642: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:44.400643: | length: 8 (0x8) Aug 26 13:30:44.400645: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:44.400646: | 
IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Aug 26 13:30:44.400648: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:44.400649: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:44.400651: | length: 8 (0x8) Aug 26 13:30:44.400653: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:44.400654: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Aug 26 13:30:44.400656: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:44.400657: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:44.400659: | length: 8 (0x8) Aug 26 13:30:44.400660: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:44.400662: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Aug 26 13:30:44.400664: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:44.400665: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:44.400667: | length: 8 (0x8) Aug 26 13:30:44.400668: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:44.400670: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Aug 26 13:30:44.400672: | *****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:44.400673: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:30:44.400675: | length: 8 (0x8) Aug 26 13:30:44.400676: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:44.400678: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Aug 26 13:30:44.400680: | remote proposal 4 proposed transforms: ENCR+PRF+INTEG+DH; matched: none; unmatched: ENCR+PRF+INTEG+DH Aug 26 13:30:44.400682: | remote proposal 4 does not match; unmatched remote transforms: ENCR+PRF+INTEG+DH Aug 26 13:30:44.400686: "eastnet-northnet"[1] 192.1.3.33 #1: proposal 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519[first-match] 
2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 Aug 26 13:30:44.400689: | accepted IKE proposal ikev2_proposal: 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048 Aug 26 13:30:44.400691: | converting proposal to internal trans attrs Aug 26 13:30:44.400694: | natd_hash: rcookie is zero Aug 26 13:30:44.400702: | natd_hash: hasher=0x55676965b800(20) Aug 26 13:30:44.400704: | natd_hash: icookie= 43 1d e9 7d 41 27 07 f3 Aug 26 13:30:44.400705: | natd_hash: rcookie= 00 00 00 00 00 00 00 00 Aug 26 13:30:44.400707: | natd_hash: ip= c0 01 02 17 Aug 26 13:30:44.400708: | natd_hash: port=500 Aug 26 13:30:44.400710: | natd_hash: hash= 4b b0 52 d0 66 a3 e8 87 ff 33 ab 39 0c 38 66 75 Aug 26 13:30:44.400711: | natd_hash: hash= 67 6b 66 5d Aug 26 13:30:44.400713: | natd_hash: rcookie is zero Aug 26 13:30:44.400716: | natd_hash: hasher=0x55676965b800(20) Aug 26 13:30:44.400718: | natd_hash: icookie= 43 1d e9 7d 41 27 07 f3 Aug 26 13:30:44.400719: | natd_hash: rcookie= 00 00 00 00 00 00 00 00 Aug 26 13:30:44.400721: | natd_hash: ip= c0 01 03 21 Aug 26 13:30:44.400722: | natd_hash: port=500 Aug 26 13:30:44.400724: | natd_hash: hash= b0 2f 80 7a 86 71 80 ff 37 cc dc f1 c3 ff 0c e4 Aug 26 13:30:44.400725: | natd_hash: hash= 1d f2 09 aa Aug 26 13:30:44.400727: | NAT_TRAVERSAL encaps using auto-detect Aug 26 13:30:44.400728: | NAT_TRAVERSAL this end is NOT behind NAT Aug 26 13:30:44.400730: | NAT_TRAVERSAL that end is NOT behind NAT Aug 26 13:30:44.400732: | NAT_TRAVERSAL 
nat-keepalive enabled 192.1.3.33 Aug 26 13:30:44.400737: | adding ikev2_inI1outR1 KE work-order 1 for state #1 Aug 26 13:30:44.400741: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55676ab09e88 Aug 26 13:30:44.400759: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 Aug 26 13:30:44.400762: | libevent_malloc: new ptr-libevent@0x55676ab0c608 size 128 Aug 26 13:30:44.400770: | #1 spent 0.71 milliseconds in processing: Respond to IKE_SA_INIT in ikev2_process_state_packet() Aug 26 13:30:44.400775: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:30:44.400777: | crypto helper 0 resuming Aug 26 13:30:44.400778: | #1 complete_v2_state_transition() PARENT_R0->PARENT_R1 with status STF_SUSPEND Aug 26 13:30:44.400793: | suspending state #1 and saving MD Aug 26 13:30:44.400798: | #1 is busy; has a suspended MD Aug 26 13:30:44.400793: | crypto helper 0 starting work-order 1 for state #1 Aug 26 13:30:44.400804: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in log_stf_suspend() at ikev2.c:3269) Aug 26 13:30:44.400810: | crypto helper 0 doing build KE and nonce (ikev2_inI1outR1 KE); request ID 1 Aug 26 13:30:44.400813: | "eastnet-northnet"[1] 192.1.3.33 #1 complete v2 state STATE_PARENT_R0 transition with STF_SUSPEND suspended from complete_v2_state_transition:3451 Aug 26 13:30:44.400817: | stop processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2018) Aug 26 13:30:44.400821: | #1 spent 1.11 milliseconds in ikev2_process_packet() Aug 26 13:30:44.400824: | stop processing: from 192.1.3.33:500 (in process_md() at demux.c:380) Aug 26 13:30:44.400826: | processing: STOP state #0 (in process_md() at demux.c:382) Aug 26 13:30:44.400828: | processing: STOP connection NULL (in process_md() at demux.c:383) Aug 26 13:30:44.400830: | spent 
1.12 milliseconds in comm_handle_cb() reading and processing packet Aug 26 13:30:44.401672: | crypto helper 0 finished build KE and nonce (ikev2_inI1outR1 KE); request ID 1 time elapsed 0.000863 seconds Aug 26 13:30:44.401684: | (#1) spent 0.87 milliseconds in crypto helper computing work-order 1: ikev2_inI1outR1 KE (pcr) Aug 26 13:30:44.401686: | crypto helper 0 sending results from work-order 1 for state #1 to event queue Aug 26 13:30:44.401688: | scheduling resume sending helper answer for #1 Aug 26 13:30:44.401693: | libevent_malloc: new ptr-libevent@0x7fc108002888 size 128 Aug 26 13:30:44.401700: | crypto helper 0 waiting (nothing to do) Aug 26 13:30:44.401729: | processing resume sending helper answer for #1 Aug 26 13:30:44.401740: | start processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in resume_handler() at server.c:797) Aug 26 13:30:44.401756: | crypto helper 0 replies to request ID 1 Aug 26 13:30:44.401758: | calling continuation function 0x556769586b50 Aug 26 13:30:44.401760: | ikev2_parent_inI1outR1_continue for #1: calculated ke+nonce, sending R1 Aug 26 13:30:44.401786: | **emit ISAKMP Message: Aug 26 13:30:44.401788: | initiator cookie: Aug 26 13:30:44.401790: | 43 1d e9 7d 41 27 07 f3 Aug 26 13:30:44.401791: | responder cookie: Aug 26 13:30:44.401793: | 65 3b 61 57 7c 53 07 1f Aug 26 13:30:44.401795: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 13:30:44.401797: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:30:44.401798: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) Aug 26 13:30:44.401800: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Aug 26 13:30:44.401802: | Message ID: 0 (0x0) Aug 26 13:30:44.401804: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 13:30:44.401806: | Emitting ikev2_proposal ... 
Aug 26 13:30:44.401808: | ***emit IKEv2 Security Association Payload: Aug 26 13:30:44.401809: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:30:44.401811: | flags: none (0x0) Aug 26 13:30:44.401813: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Aug 26 13:30:44.401815: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Aug 26 13:30:44.401817: | ****emit IKEv2 Proposal Substructure Payload: Aug 26 13:30:44.401819: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 13:30:44.401821: | prop #: 1 (0x1) Aug 26 13:30:44.401822: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Aug 26 13:30:44.401824: | spi size: 0 (0x0) Aug 26 13:30:44.401825: | # transforms: 3 (0x3) Aug 26 13:30:44.401827: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Aug 26 13:30:44.401829: | *****emit IKEv2 Transform Substructure Payload: Aug 26 13:30:44.401831: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:44.401832: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:30:44.401834: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 13:30:44.401836: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:30:44.401838: | ******emit IKEv2 Attribute Substructure Payload: Aug 26 13:30:44.401840: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:30:44.401841: | length/value: 256 (0x100) Aug 26 13:30:44.401843: | emitting length of IKEv2 Transform Substructure Payload: 12 Aug 26 13:30:44.401845: | *****emit IKEv2 Transform Substructure Payload: Aug 26 13:30:44.401846: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:44.401848: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Aug 26 13:30:44.401849: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Aug 26 13:30:44.401851: | last 
substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:44.401853: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:30:44.401855: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:30:44.401857: | *****emit IKEv2 Transform Substructure Payload: Aug 26 13:30:44.401858: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:30:44.401860: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Aug 26 13:30:44.401861: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:30:44.401865: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:44.401867: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:30:44.401869: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:30:44.401871: | emitting length of IKEv2 Proposal Substructure Payload: 36 Aug 26 13:30:44.401872: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Aug 26 13:30:44.401874: | emitting length of IKEv2 Security Association Payload: 40 Aug 26 13:30:44.401876: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Aug 26 13:30:44.401878: | ***emit IKEv2 Key Exchange Payload: Aug 26 13:30:44.401880: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:30:44.401881: | flags: none (0x0) Aug 26 13:30:44.401883: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Aug 26 13:30:44.401885: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Key Exchange Payload (34:ISAKMP_NEXT_v2KE) Aug 26 
13:30:44.401902: | next payload chain: saving location 'IKEv2 Key Exchange Payload'.'next payload type' in 'reply packet' Aug 26 13:30:44.401904: | emitting 256 raw bytes of ikev2 g^x into IKEv2 Key Exchange Payload Aug 26 13:30:44.401931: | emitting length of IKEv2 Key Exchange Payload: 264 Aug 26 13:30:44.401932: | ***emit IKEv2 Nonce Payload: Aug 26 13:30:44.401934: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 13:30:44.401936: | flags: none (0x0) Aug 26 13:30:44.401938: | next payload chain: ignoring supplied 'IKEv2 Nonce Payload'.'next payload type' value 41:ISAKMP_NEXT_v2N Aug 26 13:30:44.401940: | next payload chain: setting previous
'IKEv2 Key Exchange Payload'.'next payload type' to current IKEv2 Nonce Payload (40:ISAKMP_NEXT_v2Ni) Aug 26 13:30:44.401941: | next payload chain: saving location 'IKEv2 Nonce Payload'.'next payload type' in 'reply packet' Aug 26 13:30:44.401943: | emitting 32 raw bytes of IKEv2 nonce into IKEv2 Nonce Payload Aug 26 13:30:44.401945: | IKEv2 nonce bb dd d5 86 a3 26 91 73 12 f2 bd e5 b4 bc 3d 6f Aug 26 13:30:44.401947: | IKEv2 nonce 8d 34 be 53 52 63 2f 96 b7 65 4a be c9 d3 70 3c Aug 26 13:30:44.401948: | emitting length of IKEv2 Nonce Payload: 36 Aug 26 13:30:44.401950: | Adding a v2N Payload Aug 26 13:30:44.401952: | ***emit IKEv2 Notify Payload: Aug 26 13:30:44.401954: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:30:44.401956: | flags: none (0x0) Aug 26 13:30:44.401958: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:30:44.401959: | SPI size: 0 (0x0) Aug 26 13:30:44.401961: | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) Aug 26 13:30:44.401963: | next payload chain: setting previous 'IKEv2 Nonce Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Aug 26 13:30:44.401965: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Aug 26 13:30:44.401967: | emitting length of IKEv2 Notify Payload: 8 Aug 26 13:30:44.401969: | NAT-Traversal support [enabled] add v2N payloads. 
Aug 26 13:30:44.401977: | natd_hash: hasher=0x55676965b800(20) Aug 26 13:30:44.401979: | natd_hash: icookie= 43 1d e9 7d 41 27 07 f3 Aug 26 13:30:44.401980: | natd_hash: rcookie= 65 3b 61 57 7c 53 07 1f Aug 26 13:30:44.401982: | natd_hash: ip= c0 01 02 17 Aug 26 13:30:44.401983: | natd_hash: port=500 Aug 26 13:30:44.401985: | natd_hash: hash= 7e e7 46 19 e5 0f 2a ef e9 d6 b9 4b ed 55 81 75 Aug 26 13:30:44.401999: | natd_hash: hash= 3f d2 0f a3 Aug 26 13:30:44.402001: | Adding a v2N Payload Aug 26 13:30:44.402002: | ***emit IKEv2 Notify Payload: Aug 26 13:30:44.402004: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:30:44.402005: | flags: none (0x0) Aug 26 13:30:44.402007: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:30:44.402008: | SPI size: 0 (0x0) Aug 26 13:30:44.402010: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Aug 26 13:30:44.402012: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Aug 26 13:30:44.402014: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Aug 26 13:30:44.402016: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Aug 26 13:30:44.402017: | Notify data 7e e7 46 19 e5 0f 2a ef e9 d6 b9 4b ed 55 81 75 Aug 26 13:30:44.402019: | Notify data 3f d2 0f a3 Aug 26 13:30:44.402020: | emitting length of IKEv2 Notify Payload: 28 Aug 26 13:30:44.402024: | natd_hash: hasher=0x55676965b800(20) Aug 26 13:30:44.402026: | natd_hash: icookie= 43 1d e9 7d 41 27 07 f3 Aug 26 13:30:44.402027: | natd_hash: rcookie= 65 3b 61 57 7c 53 07 1f Aug 26 13:30:44.402028: | natd_hash: ip= c0 01 03 21 Aug 26 13:30:44.402030: | natd_hash: port=500 Aug 26 13:30:44.402031: | natd_hash: hash= 23 9c 1f c4 43 17 dc 0c ae 73 95 64 2e a5 26 8f Aug 26 13:30:44.402033: | natd_hash: hash= 83 c2 59 6e Aug 26 13:30:44.402034: | Adding a v2N Payload Aug 26 13:30:44.402036: | ***emit IKEv2 Notify Payload: Aug 26 
13:30:44.402037: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:30:44.402039: | flags: none (0x0) Aug 26 13:30:44.402040: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:30:44.402042: | SPI size: 0 (0x0) Aug 26 13:30:44.402043: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Aug 26 13:30:44.402045: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Aug 26 13:30:44.402047: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Aug 26 13:30:44.402049: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Aug 26 13:30:44.402050: | Notify data 23 9c 1f c4 43 17 dc 0c ae 73 95 64 2e a5 26 8f Aug 26 13:30:44.402052: | Notify data 83 c2 59 6e Aug 26 13:30:44.402053: | emitting length of IKEv2 Notify Payload: 28 Aug 26 13:30:44.402055: | emitting length of ISAKMP Message: 432 Aug 26 13:30:44.402060: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:30:44.402062: | #1 complete_v2_state_transition() PARENT_R0->PARENT_R1 with status STF_OK Aug 26 13:30:44.402064: | IKEv2: transition from state STATE_PARENT_R0 to state STATE_PARENT_R1 Aug 26 13:30:44.402068: | parent state #1: PARENT_R0(half-open IKE SA) => PARENT_R1(half-open IKE SA) Aug 26 13:30:44.402070: | Message ID: updating counters for #1 to 0 after switching state Aug 26 13:30:44.402073: | Message ID: recv #1 request 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1->0 wip.initiator=-1 wip.responder=0->-1 Aug 26 13:30:44.402076: | Message ID: sent #1 response 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1->0 responder.recv=0 wip.initiator=-1 wip.responder=-1 Aug 26 13:30:44.402080: "eastnet-northnet"[1] 192.1.3.33 #1: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a 
prf=HMAC_SHA2_512 group=MODP2048} Aug 26 13:30:44.402083: | sending V2 new request packet to 192.1.3.33:500 (from 192.1.2.23:500) Aug 26 13:30:44.402102: | sending 432 bytes for STATE_PARENT_R0 through eth1 from 192.1.2.23:500 to 192.1.3.33:500 (using #1) Aug 26 13:30:44.402184: | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted Aug 26 13:30:44.402188: | libevent_free: release ptr-libevent@0x55676ab0c608 Aug 26 13:30:44.402190: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55676ab09e88 Aug 26 13:30:44.402192: | event_schedule: new EVENT_SO_DISCARD-pe@0x55676ab09e88 Aug 26 13:30:44.402195: | inserting event EVENT_SO_DISCARD, timeout in 200 seconds for #1 Aug 26 13:30:44.402197: | libevent_malloc: new ptr-libevent@0x55676ab0d758 size 128 Aug 26 13:30:44.402200: | resume sending helper answer for #1 suppresed complete_v2_state_transition() Aug 26 13:30:44.402204: | #1 spent 0.424 milliseconds in resume sending helper answer Aug 26 13:30:44.402208: | stop processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in resume_handler() at server.c:833) Aug 26 13:30:44.402210: | libevent_free: release ptr-libevent@0x7fc108002888 Aug 26 13:30:44.404170: | spent 0.0023 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Aug 26 13:30:44.404191: | *received 245 bytes from 192.1.3.33:500 on eth1 (192.1.2.23:500) Aug 26
13:30:44.404254: | start processing: from 192.1.3.33:500 (in process_md() at demux.c:378) Aug 26 13:30:44.404257: | **parse ISAKMP Message: Aug 26 13:30:44.404260: | initiator cookie: Aug 26 13:30:44.404263: | 43 1d e9 7d 41 27 07 f3 Aug 26 13:30:44.404265: | responder cookie: Aug 26 13:30:44.404268: | 65 3b 61 57 7c 53 07 1f Aug 26 13:30:44.404271: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Aug 26 13:30:44.404274: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:30:44.404277: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Aug 26 13:30:44.404280: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Aug 26 13:30:44.404283: | Message ID: 1 (0x1) Aug 26 13:30:44.404285: | length: 245 (0xf5) Aug 26 13:30:44.404303: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) Aug 26 13:30:44.404309: | I am the IKE SA Original Responder receiving an IKEv2 IKE_AUTH request Aug 26 13:30:44.404313: | State DB: found IKEv2 state #1 in PARENT_R1 (find_v2_ike_sa) Aug 26 13:30:44.404333: | start processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2016) Aug 26 13:30:44.404336: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Aug 26 13:30:44.404341: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in ike_process_packet() at ikev2.c:2064) Aug 26 13:30:44.404343: | #1 st.st_msgid_lastrecv 0
md.hdr.isa_msgid 00000001 Aug 26 13:30:44.404347: | Message ID: #1 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 Aug 26 13:30:44.404349: | unpacking clear payload Aug 26 13:30:44.404351: | Now let's proceed with payload (ISAKMP_NEXT_v2SK) Aug 26 13:30:44.404354: | ***parse IKEv2 Encryption Payload: Aug 26 13:30:44.404357: | next payload type: ISAKMP_NEXT_v2IDi (0x23) Aug 26 13:30:44.404359: | flags: none (0x0) Aug 26 13:30:44.404361: | length: 217 (0xd9) Aug 26 13:30:44.404364: | processing payload: ISAKMP_NEXT_v2SK (len=213) Aug 26 13:30:44.404368: | Message ID: start-responder #1 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=-1->1 Aug 26 13:30:44.404371: | #1 in state PARENT_R1: received v2I1, sent v2R1 Aug 26 13:30:44.404374: | selected state microcode Responder: process IKE_AUTH request (no SKEYSEED) Aug 26 13:30:44.404377: | Now let's proceed with state specific processing Aug 26 13:30:44.404379: | calling processor Responder: process IKE_AUTH request (no SKEYSEED) Aug 26 13:30:44.404382: | ikev2 parent inI2outR2: calculating g^{xy} in order to decrypt I2 Aug 26 13:30:44.404389: | offloading IKEv2 SKEYSEED using prf=HMAC_SHA2_512 integ=NONE cipherkey=AES_GCM_16 Aug 26 13:30:44.404395: | adding ikev2_inI2outR2 KE work-order 2 for state #1 Aug 26 13:30:44.404398: | state #1 requesting EVENT_SO_DISCARD to be deleted Aug 26 13:30:44.404401: | libevent_free: release ptr-libevent@0x55676ab0d758 Aug 26 13:30:44.404405: | free_event_entry: release EVENT_SO_DISCARD-pe@0x55676ab09e88 Aug 26 13:30:44.404409: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55676ab09e88 Aug 26 13:30:44.404428: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 Aug 26 13:30:44.404431: | libevent_malloc: new ptr-libevent@0x7fc108002888 size 128 Aug 26 13:30:44.404442: | #1 spent 0.0575 milliseconds in processing: Responder: process IKE_AUTH 
request (no SKEYSEED) in ikev2_process_state_packet() Aug 26 13:30:44.404447: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:30:44.404448: | crypto helper 2 resuming Aug 26 13:30:44.404449: | #1 complete_v2_state_transition() PARENT_R1->PARENT_R1 with status STF_SUSPEND Aug 26 13:30:44.404464: | crypto helper 2 starting work-order 2 for state #1 Aug 26 13:30:44.404466: | suspending state #1 and saving MD Aug 26 13:30:44.404472: | crypto helper 2 doing compute dh (V2) (ikev2_inI2outR2 KE); request ID 2 Aug 26 13:30:44.404474: | #1 is busy; has a suspended MD Aug 26 13:30:44.404483: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in log_stf_suspend() at ikev2.c:3269) Aug 26 13:30:44.404486: | "eastnet-northnet"[1] 192.1.3.33 #1 complete v2 state STATE_PARENT_R1 transition with STF_SUSPEND suspended from complete_v2_state_transition:3451 Aug 26 13:30:44.404490: | stop processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2018) Aug 26 13:30:44.404493: | #1 spent 0.286 milliseconds in ikev2_process_packet() Aug 26 13:30:44.404496: | stop processing: from 192.1.3.33:500 (in process_md() at demux.c:380) Aug 26 13:30:44.404498: | processing: STOP state #0 (in process_md() at demux.c:382) Aug 26 13:30:44.404500: | processing: STOP connection NULL (in process_md() at demux.c:383) Aug 26 13:30:44.404502: | spent 0.295 milliseconds in comm_handle_cb() reading and processing packet Aug 26 13:30:44.405040: | calculating skeyseed using prf=sha2_512 integ=none cipherkey-size=32 salt-size=4 Aug 26 13:30:44.405481: | crypto helper 2 finished compute dh (V2) (ikev2_inI2outR2 KE); request ID 2 time elapsed 0.001009 seconds Aug 26 13:30:44.405496: | (#1) spent 0.981 milliseconds in crypto helper computing work-order 2: ikev2_inI2outR2 KE (pcr) Aug 26 
13:30:44.405500: | crypto helper 2 sending results from work-order 2 for state #1 to event queue Aug 26 13:30:44.405504: | scheduling resume sending helper answer for #1 Aug 26 13:30:44.405508: | libevent_malloc: new ptr-libevent@0x7fc100000f48 size 128 Aug 26 13:30:44.405515: | crypto helper 2 waiting (nothing to do) Aug 26 13:30:44.405551: | processing resume sending helper answer for #1 Aug 26 13:30:44.405560: | start processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in resume_handler() at server.c:797) Aug 26 13:30:44.405564: | crypto helper 2 replies to request ID 2 Aug 26 13:30:44.405566: | calling continuation function 0x556769586b50 Aug 26 13:30:44.405568: | ikev2_parent_inI2outR2_continue for #1: calculating g^{xy}, sending R2 Aug 26 13:30:44.405570: | #1 in state PARENT_R1: received v2I1, sent v2R1 Aug 26 13:30:44.405579: | #1 ikev2 ISAKMP_v2_IKE_AUTH decrypt success Aug 26 13:30:44.405581: | Now let's proceed with payload (ISAKMP_NEXT_v2IDi) Aug 26 13:30:44.405583: | **parse IKEv2 Identification - Initiator - Payload: Aug 26 13:30:44.405585: | next payload type: ISAKMP_NEXT_v2AUTH (0x27) Aug 26 13:30:44.405587: | flags: none (0x0) Aug 26 13:30:44.405589: | length: 12 (0xc) Aug 26 13:30:44.405590: | ID type: ID_IPV4_ADDR (0x1) Aug 26 13:30:44.405592: | processing payload: ISAKMP_NEXT_v2IDi (len=4) Aug 26 13:30:44.405596: | Now let's proceed with payload (ISAKMP_NEXT_v2AUTH) Aug 26 13:30:44.405598: | **parse IKEv2 Authentication Payload: Aug 26 13:30:44.405599: | next payload type: ISAKMP_NEXT_v2SA (0x21) Aug 26 13:30:44.405601: | flags: none (0x0) Aug 26 13:30:44.405602: | length: 72 (0x48) Aug 26 13:30:44.405604: | auth method: IKEv2_AUTH_SHARED (0x2) Aug 26 13:30:44.405606: | processing payload: ISAKMP_NEXT_v2AUTH (len=64) Aug 26 13:30:44.405607: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Aug 26 13:30:44.405609: | **parse IKEv2 Security Association Payload: Aug 26 13:30:44.405610: | next payload type: 
ISAKMP_NEXT_v2TSi (0x2c) Aug 26 13:30:44.405612: | flags: none (0x0) Aug 26 13:30:44.405613: | length: 48 (0x30) Aug 26 13:30:44.405615: | processing payload: ISAKMP_NEXT_v2SA (len=44) Aug 26 13:30:44.405616: | Now let's proceed with payload (ISAKMP_NEXT_v2TSi) Aug 26 13:30:44.405618: | **parse IKEv2 Traffic Selector - Initiator - Payload: Aug 26 13:30:44.405620: | next payload type: ISAKMP_NEXT_v2TSr (0x2d) Aug 26 13:30:44.405621: | flags: none (0x0) Aug 26 13:30:44.405623: | length: 24 (0x18) Aug 26 13:30:44.405624: | number of TS: 1 (0x1) Aug 26 13:30:44.405626: | processing payload: ISAKMP_NEXT_v2TSi (len=16) Aug 26 13:30:44.405627: | Now let's proceed with payload (ISAKMP_NEXT_v2TSr) Aug 26 13:30:44.405629: | **parse IKEv2 Traffic Selector - Responder - Payload: Aug 26 13:30:44.405630: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 13:30:44.405632: | flags: none (0x0) Aug 26 13:30:44.405633: | length: 24 (0x18) Aug 26 13:30:44.405635: | number of TS: 1 (0x1) Aug 26 13:30:44.405636: | processing payload: ISAKMP_NEXT_v2TSr (len=16) Aug 26 13:30:44.405638: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Aug 26 13:30:44.405640: | **parse IKEv2 Notify Payload: Aug 26 13:30:44.405641: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:30:44.405643: | flags: none (0x0) Aug 26 13:30:44.405644: | length: 8 (0x8) Aug 26 13:30:44.405646: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:30:44.405647: | SPI size: 0 (0x0) Aug 26 13:30:44.405649: | Notify Message Type: v2N_MOBIKE_SUPPORTED (0x400c) Aug 26 13:30:44.405651: | processing payload: ISAKMP_NEXT_v2N (len=0) Aug 26 13:30:44.405653: | selected state microcode Responder: process IKE_AUTH request Aug 26 13:30:44.405654: | Now let's proceed with state specific processing Aug 26 13:30:44.405656: | calling processor Responder: process IKE_AUTH request Aug 26 13:30:44.405661: "eastnet-northnet"[1] 192.1.3.33 #1: processing decrypted IKE_AUTH request: SK{IDi,AUTH,SA,TSi,TSr,N} Aug 26 13:30:44.405665: | #1 
updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2669) Aug 26 13:30:44.405667: | parsing 4 raw bytes of IKEv2 Identification - Initiator - Payload into peer ID Aug 26 13:30:44.405669: | peer ID c0 01 03 21 Aug 26 13:30:44.405672: | refine_host_connection for IKEv2: starting with "eastnet-northnet"[1] 192.1.3.33 Aug 26 13:30:44.405676: | match_id a=192.1.3.33 Aug 26 13:30:44.405677: | b=192.1.3.33 Aug 26 13:30:44.405679: | results matched Aug 26 13:30:44.405683: | refine_host_connection: checking "eastnet-northnet"[1] 192.1.3.33 against "eastnet-northnet"[1] 192.1.3.33, best=(none) with match=1(id=1(0)/ca=1(0)/reqca=1(0)) Aug 26 13:30:44.405684: | Warning: not switching back to template of current instance Aug 26 13:30:44.405686: | No IDr payload received from peer Aug 26 13:30:44.405689: | refine_host_connection: checked eastnet-northnet[1] 192.1.3.33 against eastnet-northnet[1] 192.1.3.33, now for see if best Aug 26 13:30:44.405692: | started looking for secret for 192.1.2.23->192.1.3.33 of kind PKK_PSK Aug 26 13:30:44.405694: | actually looking for secret for 192.1.2.23->192.1.3.33 of kind PKK_PSK Aug 26 13:30:44.405697: | line 1: key type PKK_PSK(192.1.2.23) to type PKK_PSK Aug 26 13:30:44.405699: | 1: compared key (none) to 192.1.2.23 / 192.1.3.33 -> 002 Aug 26 13:30:44.405702: | 2: compared key (none) to 192.1.2.23 / 192.1.3.33 -> 002 Aug 26 13:30:44.405704: | line 1: match=002 Aug 26 13:30:44.405706: | match 002 beats previous best_match 000 match=0x55676aa61c48 (line=1) Aug 26 13:30:44.405708: | concluding with best_match=002 best=0x55676aa61c48 (lineno=1) Aug 26 13:30:44.405709: | returning because exact peer id match Aug 26 13:30:44.405711: | offered CA: '%none' Aug 26 13:30:44.405714: "eastnet-northnet"[1] 192.1.3.33 #1: IKEv2 mode peer ID is ID_IPV4_ADDR: '192.1.3.33' Aug 26 13:30:44.405716: | received v2N_MOBIKE_SUPPORTED while it did not sent Aug 26 13:30:44.405729: | verifying AUTH 
payload Aug 26 13:30:44.405732: | ikev2_calculate_psk_sighash() called from STATE_PARENT_R1 to verify PSK with authby=secret Aug 26 13:30:44.405735: | started looking for secret for 192.1.2.23->192.1.3.33 of kind PKK_PSK Aug 26 13:30:44.405738: | actually looking for secret for 192.1.2.23->192.1.3.33 of kind PKK_PSK Aug 26 13:30:44.405740: | line 1: key type PKK_PSK(192.1.2.23) to type PKK_PSK Aug 26 13:30:44.405742: | 1: compared key (none) to 192.1.2.23 / 192.1.3.33 -> 002 Aug 26 13:30:44.405744: | 2: compared key (none) to 192.1.2.23 / 192.1.3.33 -> 002 Aug 26 13:30:44.405745: | line 1: match=002 Aug 26 13:30:44.405747: | match 002 beats previous best_match 000 match=0x55676aa61c48 (line=1) Aug 26 13:30:44.405749: | concluding with best_match=002 best=0x55676aa61c48 (lineno=1) Aug 26 13:30:44.405787: "eastnet-northnet"[1] 192.1.3.33 #1: Authenticated using authby=secret Aug 26 13:30:44.405791: | parent state #1: PARENT_R1(half-open IKE SA) => PARENT_R2(established IKE SA) Aug 26 13:30:44.405794: | #1 will start re-keying in 3330 seconds with margin of 270 seconds (attempting re-key) Aug 26 13:30:44.405796: | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted Aug 26 13:30:44.405799: | libevent_free: release ptr-libevent@0x7fc108002888 Aug 26 13:30:44.405801: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55676ab09e88 Aug 26 13:30:44.405802: | event_schedule: new EVENT_SA_REKEY-pe@0x55676ab09e88 Aug 26 13:30:44.405805: | inserting event EVENT_SA_REKEY, timeout in 3330 seconds for #1 Aug 26 13:30:44.405807: | libevent_malloc: new ptr-libevent@0x55676ab0c818 size 128 Aug 26 13:30:44.405882: | pstats #1 ikev2.ike established Aug 26 13:30:44.405888: | **emit ISAKMP Message: Aug 26 13:30:44.405890: | initiator cookie: Aug 26 13:30:44.405892: | 43 1d e9 7d 41 27 07 f3 Aug 26 13:30:44.405893: | responder cookie: Aug 26 13:30:44.405895: | 65 3b 61 57 7c 53 07 1f Aug 26 13:30:44.405897: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 13:30:44.405898: | ISAKMP 
version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:30:44.405900: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Aug 26 13:30:44.405902: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Aug 26 13:30:44.405903: | Message ID: 1 (0x1) Aug 26 13:30:44.405906: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 13:30:44.405907: | IKEv2 CERT: send a certificate? Aug 26 13:30:44.405910: | IKEv2 CERT: policy does not have RSASIG or ECDSA: PSK Aug 26 13:30:44.405915: | ***emit IKEv2 Encryption Payload: Aug 26 13:30:44.405920: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:30:44.405922: | flags: none (0x0) Aug 26 13:30:44.405926: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Aug 26 13:30:44.405930: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'reply packet' Aug 26 13:30:44.405933: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Aug 26 13:30:44.405941: | Adding a v2N Payload Aug 26 13:30:44.405945: | ****emit IKEv2 Notify Payload: Aug 26 13:30:44.405948: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:30:44.405950: | flags: none (0x0) Aug 26 13:30:44.405953: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:30:44.405956: | SPI size: 0 (0x0) Aug 26 13:30:44.405959: | Notify Message Type: v2N_MOBIKE_SUPPORTED (0x400c) Aug 26 13:30:44.405965: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Aug 26 13:30:44.405969: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Aug 26 13:30:44.405972: | emitting length of IKEv2 Notify Payload: 8 Aug 26 13:30:44.405975: | Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED Aug 26 13:30:44.405988: | ****emit IKEv2 Identification - Responder - Payload: Aug 26 13:30:44.405992: | next payload type: 
ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:30:44.405995: | flags: none (0x0) Aug 26 13:30:44.405998: | ID type: ID_IPV4_ADDR (0x1) Aug 26 13:30:44.406002: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Identification - Responder - Payload (36:ISAKMP_NEXT_v2IDr) Aug 26 13:30:44.406006: | next payload chain: saving location 'IKEv2 Identification - Responder - Payload'.'next payload type' in 'reply packet' Aug 26 13:30:44.406010: | emitting 4 raw bytes of my identity into IKEv2 Identification - Responder - Payload Aug 26 13:30:44.406013: | my identity c0 01 02 17 Aug 26 13:30:44.406016: | emitting length of IKEv2 Identification - Responder - Payload: 12 Aug 26 13:30:44.406023: | assembled IDr payload Aug 26 13:30:44.406026: | CHILD SA proposals received Aug 26 13:30:44.406029: | going to assemble AUTH payload Aug 26 13:30:44.406032: | ****emit IKEv2 Authentication Payload: Aug 26 13:30:44.406035: | next payload type: ISAKMP_NEXT_v2SA (0x21) Aug 26 13:30:44.406038: | flags: none (0x0) Aug 26 13:30:44.406040: | auth method: IKEv2_AUTH_SHARED (0x2) Aug 26 13:30:44.406044: | next payload chain: ignoring supplied 'IKEv2 Authentication Payload'.'next payload type' value 33:ISAKMP_NEXT_v2SA Aug 26 13:30:44.406048: | next payload chain: setting previous 'IKEv2 Identification - Responder - Payload'.'next payload type' to current IKEv2 Authentication Payload (39:ISAKMP_NEXT_v2AUTH) Aug 26 13:30:44.406050: | next payload chain: saving location 'IKEv2 Authentication Payload'.'next payload type' in 'reply packet' Aug 26 13:30:44.406052: | ikev2_calculate_psk_sighash() called from STATE_PARENT_R2 to create PSK with authby=secret Aug 26 13:30:44.406055: | started looking for secret for 192.1.2.23->192.1.3.33 of kind PKK_PSK Aug 26 13:30:44.406058: | actually looking for secret for 192.1.2.23->192.1.3.33 of kind PKK_PSK Aug 26 13:30:44.406060: | line 1: key type PKK_PSK(192.1.2.23) to type PKK_PSK Aug 26 13:30:44.406062: | 1: compared key 
(none) to 192.1.2.23 / 192.1.3.33 -> 002 Aug 26 13:30:44.406064: | 2: compared key (none) to 192.1.2.23 / 192.1.3.33 -> 002 Aug 26 13:30:44.406066: | line 1: match=002 Aug 26 13:30:44.406068: | match 002 beats previous best_match 000 match=0x55676aa61c48 (line=1) Aug 26 13:30:44.406069: | concluding with best_match=002 best=0x55676aa61c48 (lineno=1) Aug 26 13:30:44.406104: | emitting 64 raw bytes of PSK auth into IKEv2 Authentication Payload Aug 26 13:30:44.406107: | PSK auth e4 c1 9b bf f6 8e 12 2a fc 7b 91 30 c9 7c ce 01 Aug 26 13:30:44.406109: | PSK auth a2 91 82 5f b3 65 8f a4 d3 42 50 86 14 85 d7 b2 Aug 26 13:30:44.406110: | PSK auth dc 30 c7 ff 0a 37 34 42 4e 59 78 1e 47 ed ae 5d Aug 26 13:30:44.406111: | PSK auth ab c5 72 2d bf 44 ed b0 7e d7 8b b2 52 62 2f 94 Aug 26 13:30:44.406113: | emitting length of IKEv2 Authentication Payload: 72 Aug 26 13:30:44.406120: | creating state object #2 at 0x55676ab0e7e8 Aug 26 13:30:44.406122: | State DB: adding IKEv2 state #2 in UNDEFINED Aug 26 13:30:44.406125: | pstats #2 ikev2.child started Aug 26 13:30:44.406127: | duplicating state object #1 "eastnet-northnet"[1] 192.1.3.33 as #2 for IPSEC SA Aug 26 13:30:44.406131: | #2 setting local endpoint to 192.1.2.23:500 from #1.st_localport (in duplicate_state() at state.c:1484) Aug 26 13:30:44.406134: | Message ID: init_child #1.#2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0; child: wip.initiator=0->-1 wip.responder=0->-1 Aug 26 13:30:44.406139: | Message ID: switch-from #1 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=1->-1 Aug 26 13:30:44.406142: | Message ID: switch-to #1.#2 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0; child: wip.initiator=-1 wip.responder=-1->1 Aug 26 13:30:44.406143: | Child SA TS Request has ike->sa == md->st; so using parent connection Aug 26 13:30:44.406145: | TSi: parsing 1 traffic selectors Aug 26 
13:30:44.406147: | ***parse IKEv2 Traffic Selector: Aug 26 13:30:44.406149: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 13:30:44.406151: | IP Protocol ID: 0 (0x0) Aug 26 13:30:44.406152: | length: 16 (0x10) Aug 26 13:30:44.406154: | start port: 0 (0x0) Aug 26 13:30:44.406155: | end port: 65535 (0xffff) Aug 26 13:30:44.406157: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Aug 26 13:30:44.406159: | TS low c0 00 03 00 Aug 26 13:30:44.406160: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Aug 26 13:30:44.406162: | TS high c0 00 03 ff Aug 26 13:30:44.406164: | TSi: parsed 1 traffic selectors Aug 26 13:30:44.406165: | TSr: parsing 1 traffic selectors Aug 26 13:30:44.406167: | ***parse IKEv2 Traffic Selector: Aug 26 13:30:44.406168: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 13:30:44.406170: | IP Protocol ID: 0 (0x0) Aug 26 13:30:44.406171: | length: 16 (0x10) Aug 26 13:30:44.406173: | start port: 0 (0x0) Aug 26 13:30:44.406174: | end port: 65535 (0xffff) Aug 26 13:30:44.406176: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Aug 26 13:30:44.406177: | TS low c0 00 02 00 Aug 26 13:30:44.406179: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Aug 26 13:30:44.406180: | TS high c0 00 02 ff Aug 26 13:30:44.406182: | TSr: parsed 1 traffic selectors Aug 26 13:30:44.406183: | looking for best SPD in current connection Aug 26 13:30:44.406187: | evaluating our conn="eastnet-northnet"[1] 192.1.3.33 I=192.0.3.0/24:0/0 R=192.0.2.0/24:0/0 to their: Aug 26 13:30:44.406190: | TSi[0] .net=192.0.3.0-192.0.3.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 13:30:44.406194: | match address end->client=192.0.3.0/24 == TSi[0]net=192.0.3.0-192.0.3.255: YES fitness 32 Aug 26 13:30:44.406196: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Aug 26 13:30:44.406198: | TSi[0] port match: YES fitness 65536 Aug 26 13:30:44.406200: | narrow protocol end=*0 == TSi[0]=*0: 0 Aug 26 13:30:44.406202: | match end->protocol=*0 == 
TSi[0].ipprotoid=*0: YES fitness 255 Aug 26 13:30:44.406204: | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 13:30:44.406207: | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 Aug 26 13:30:44.406209: | narrow port end=0..65535 == TSr[0]=0..65535: 0 Aug 26 13:30:44.406211: | TSr[0] port match: YES fitness 65536 Aug 26 13:30:44.406212: | narrow protocol end=*0 == TSr[0]=*0: 0 Aug 26 13:30:44.406214: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Aug 26 13:30:44.406216: | best fit so far: TSi[0] TSr[0] Aug 26 13:30:44.406217: | found better spd route for TSi[0],TSr[0] Aug 26 13:30:44.406219: | looking for better host pair Aug 26 13:30:44.406222: | find_host_pair: comparing 192.1.2.23:500 to 192.1.3.33:500 but ignoring ports Aug 26 13:30:44.406225: | checking hostpair 192.0.2.0/24 -> 192.0.3.0/24 is found Aug 26 13:30:44.406226: | investigating connection "eastnet-northnet" as a better match Aug 26 13:30:44.406229: | match_id a=192.1.3.33 Aug 26 13:30:44.406230: | b=192.1.3.33 Aug 26 13:30:44.406232: | results matched Aug 26 13:30:44.406235: | evaluating our conn="eastnet-northnet"[1] 192.1.3.33 I=192.0.3.0/24:0/0 R=192.0.2.0/24:0/0 to their: Aug 26 13:30:44.406238: | TSi[0] .net=192.0.3.0-192.0.3.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 13:30:44.406241: | match address end->client=192.0.3.0/24 == TSi[0]net=192.0.3.0-192.0.3.255: YES fitness 32 Aug 26 13:30:44.406244: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Aug 26 13:30:44.406245: | TSi[0] port match: YES fitness 65536 Aug 26 13:30:44.406247: | narrow protocol end=*0 == TSi[0]=*0: 0 Aug 26 13:30:44.406249: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Aug 26 13:30:44.406251: | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Aug 26 13:30:44.406254: | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 Aug 26 13:30:44.406256: | 
narrow port end=0..65535 == TSr[0]=0..65535: 0 Aug 26 13:30:44.406258: | TSr[0] port match: YES fitness 65536 Aug 26 13:30:44.406259: | narrow protocol end=*0 == TSr[0]=*0: 0 Aug 26 13:30:44.406261: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Aug 26 13:30:44.406263: | best fit so far: TSi[0] TSr[0] Aug 26 13:30:44.406264: | did not find a better connection using host pair Aug 26 13:30:44.406266: | printing contents struct traffic_selector Aug 26 13:30:44.406267: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Aug 26 13:30:44.406269: | ipprotoid: 0 Aug 26 13:30:44.406270: | port range: 0-65535 Aug 26 13:30:44.406272: | ip range: 192.0.2.0-192.0.2.255 Aug 26 13:30:44.406274: | printing contents struct traffic_selector Aug 26 13:30:44.406275: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Aug 26 13:30:44.406277: | ipprotoid: 0 Aug 26 13:30:44.406278: | port range: 0-65535 Aug 26 13:30:44.406280: | ip range: 192.0.3.0-192.0.3.255 Aug 26 13:30:44.406283: | constructing ESP/AH proposals with all DH removed for eastnet-northnet (IKE_AUTH responder matching remote ESP/AH proposals) Aug 26 13:30:44.406286: | converting proposal AES_GCM_16-NONE to ikev2 ... Aug 26 13:30:44.406292: | forcing IKEv2 PROTO_v2_ESP aes_gcm_16 ENCRYPT transform low-to-high key lengths: 128 256 Aug 26 13:30:44.406297: | ... 
ikev2_proposal: 1:ESP:ENCR=AES_GCM_C_128,AES_GCM_C_256;INTEG=NONE;DH=NONE;ESN=DISABLED Aug 26 13:30:44.406301: "eastnet-northnet"[1] 192.1.3.33: constructed local ESP/AH proposals for eastnet-northnet (IKE_AUTH responder matching remote ESP/AH proposals): 1:ESP:ENCR=AES_GCM_C_128,AES_GCM_C_256;INTEG=NONE;DH=NONE;ESN=DISABLED Aug 26 13:30:44.406303: | Comparing remote proposals against IKE_AUTH responder matching remote ESP/AH proposals 1 local proposals Aug 26 13:30:44.406323: | local proposal 1 type ENCR has 2 transforms Aug 26 13:30:44.406325: | local proposal 1 type PRF has 0 transforms Aug 26 13:30:44.406329: | local proposal 1 type INTEG has 1 transforms Aug 26 13:30:44.406331: | local proposal 1 type DH has 1 transforms Aug 26 13:30:44.406333: | local proposal 1 type ESN has 1 transforms Aug 26 13:30:44.406335: | local proposal 1 transforms: required: ENCR+ESN; optional: INTEG+DH Aug 26 13:30:44.406337: | ***parse IKEv2 Proposal Substructure Payload: Aug 26 13:30:44.406338: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 13:30:44.406340: | length: 44 (0x2c) Aug 26 13:30:44.406342: | prop #: 1 (0x1) Aug 26 13:30:44.406343: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 13:30:44.406345: | spi size: 4 (0x4) Aug 26 13:30:44.406346: | # transforms: 3 (0x3) Aug 26 13:30:44.406349: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Aug 26 13:30:44.406363: | remote SPI af 0b 77 03 Aug 26 13:30:44.406365: | Comparing remote proposal 1 containing 3 transforms against local proposal [1..1] of 1 local proposals Aug 26 13:30:44.406367: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:44.406369: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:44.406370: | length: 12 (0xc) Aug 26 13:30:44.406372: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:30:44.406373: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 13:30:44.406375: | *****parse IKEv2 Attribute Substructure Payload: Aug 26 13:30:44.406377: | af+type: 
AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:30:44.406379: | length/value: 128 (0x80) Aug 26 13:30:44.406382: | remote proposal 1 transform 0 (ENCR=AES_GCM_C_128) matches local proposal 1 type 1 (ENCR) transform 0 Aug 26 13:30:44.406384: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:44.406386: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:44.406388: | length: 12 (0xc) Aug 26 13:30:44.406389: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:30:44.406391: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 13:30:44.406392: | *****parse IKEv2 Attribute Substructure Payload: Aug 26 13:30:44.406394: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:30:44.406396: | length/value: 256 (0x100) Aug 26 13:30:44.406397: | ****parse IKEv2 Transform Substructure Payload: Aug 26 13:30:44.406399: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:30:44.406400: | length: 8 (0x8) Aug 26 13:30:44.406402: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 13:30:44.406404: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 13:30:44.406406: | remote proposal 1 transform 2 (ESN=DISABLED) matches local proposal 1 type 5 (ESN) transform 0 Aug 26 13:30:44.406408: | remote proposal 1 proposed transforms: ENCR+ESN; matched: ENCR+ESN; unmatched: none Aug 26 13:30:44.406411: | comparing remote proposal 1 containing ENCR+ESN transforms to local proposal 1; required: ENCR+ESN; optional: INTEG+DH; matched: ENCR+ESN Aug 26 13:30:44.406413: | remote proposal 1 matches local proposal 1 Aug 26 13:30:44.406416: "eastnet-northnet"[1] 192.1.3.33 #1: proposal 1:ESP:SPI=af0b7703;ENCR=AES_GCM_C_128;ESN=DISABLED chosen from remote proposals 1:ESP:ENCR=AES_GCM_C_128;ENCR=AES_GCM_C_256;ESN=DISABLED[first-match] Aug 26 13:30:44.406419: | IKE_AUTH responder matching remote ESP/AH proposals ikev2_proposal: 1:ESP:SPI=af0b7703;ENCR=AES_GCM_C_128;ESN=DISABLED Aug 26 13:30:44.406421: | converting proposal to internal trans attrs Aug 26 13:30:44.406435: | netlink_get_spi: allocated 0x698128bb 
for esp.0@192.1.2.23 Aug 26 13:30:44.406437: | Emitting ikev2_proposal ... Aug 26 13:30:44.406439: | ****emit IKEv2 Security Association Payload: Aug 26 13:30:44.406440: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:30:44.406442: | flags: none (0x0) Aug 26 13:30:44.406444: | next payload chain: setting previous 'IKEv2 Authentication Payload'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Aug 26 13:30:44.406446: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Aug 26 13:30:44.406448: | *****emit IKEv2 Proposal Substructure Payload: Aug 26 13:30:44.406450: | last proposal: v2_PROPOSAL_LAST (0x0) Aug 26 13:30:44.406451: | prop #: 1 (0x1) Aug 26 13:30:44.406453: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Aug 26 13:30:44.406454: | spi size: 4 (0x4) Aug 26 13:30:44.406456: | # transforms: 2 (0x2) Aug 26 13:30:44.406458: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Aug 26 13:30:44.406460: | emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload Aug 26 13:30:44.406461: | our spi 69 81 28 bb Aug 26 13:30:44.406463: | ******emit IKEv2 Transform Substructure Payload: Aug 26 13:30:44.406465: | last transform: v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:44.406466: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Aug 26 13:30:44.406468: | IKEv2 transform ID: AES_GCM_C (0x14) Aug 26 13:30:44.406470: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:30:44.406471: | *******emit IKEv2 Attribute Substructure Payload: Aug 26 13:30:44.406473: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Aug 26 13:30:44.406475: | length/value: 128 (0x80) Aug 26 13:30:44.406476: | emitting length of IKEv2 Transform Substructure Payload: 12 Aug 26 13:30:44.406478: | ******emit IKEv2 Transform Substructure Payload: Aug 
26 13:30:44.406480: | last transform: v2_TRANSFORM_LAST (0x0) Aug 26 13:30:44.406481: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Aug 26 13:30:44.406484: | IKEv2 transform ID: ESN_DISABLED (0x0) Aug 26 13:30:44.406486: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Aug 26 13:30:44.406488: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Aug 26 13:30:44.406490: | emitting length of IKEv2 Transform Substructure Payload: 8 Aug 26 13:30:44.406491: | emitting length of IKEv2 Proposal Substructure Payload: 32 Aug 26 13:30:44.406493: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Aug 26 13:30:44.406495: | emitting length of IKEv2 Security Association Payload: 36 Aug 26 13:30:44.406497: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Aug 26 13:30:44.406498: | received v2N_MOBIKE_SUPPORTED Aug 26 13:30:44.406500: | ****emit IKEv2 Traffic Selector - Initiator - Payload: Aug 26 13:30:44.406502: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:30:44.406503: | flags: none (0x0) Aug 26 13:30:44.406505: | number of TS: 1 (0x1) Aug 26 13:30:44.406507: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Traffic Selector - Initiator - Payload (44:ISAKMP_NEXT_v2TSi) Aug 26 13:30:44.406509: | next payload chain: saving location 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' in 'reply packet' Aug 26 13:30:44.406510: | *****emit IKEv2 Traffic Selector: Aug 26 13:30:44.406512: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 13:30:44.406514: | IP Protocol ID: 0 (0x0) Aug 26 13:30:44.406515: | start port: 0 (0x0) Aug 26 13:30:44.406517: | end port: 65535 
(0xffff) Aug 26 13:30:44.406519: | emitting 4 raw bytes of ipv4 start into IKEv2 Traffic Selector Aug 26 13:30:44.406520: | ipv4 start c0 00 03 00 Aug 26 13:30:44.406522: | emitting 4 raw bytes of ipv4 end into IKEv2 Traffic Selector Aug 26 13:30:44.406523: | ipv4 end c0 00 03 ff Aug 26 13:30:44.406525: | emitting length of IKEv2 Traffic Selector: 16 Aug 26 13:30:44.406526: | emitting length of IKEv2 Traffic Selector - Initiator - Payload: 24 Aug 26 13:30:44.406528: | ****emit IKEv2 Traffic Selector - Responder - Payload: Aug 26 13:30:44.406530: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:30:44.406531: | flags: none (0x0) Aug 26 13:30:44.406533: | number of TS: 1 (0x1) Aug 26 13:30:44.406535: | next payload chain: setting previous 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' to current IKEv2 Traffic Selector - Responder - Payload (45:ISAKMP_NEXT_v2TSr) Aug 26 13:30:44.406536: | next payload chain: saving location 'IKEv2 Traffic Selector - Responder - Payload'.'next payload type' in 'reply packet' Aug 26 13:30:44.406538: | *****emit IKEv2 Traffic Selector: Aug 26 13:30:44.406540: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Aug 26 13:30:44.406541: | IP Protocol ID: 0 (0x0) Aug 26 13:30:44.406543: | start port: 0 (0x0) Aug 26 13:30:44.406544: | end port: 65535 (0xffff) Aug 26 13:30:44.406546: | emitting 4 raw bytes of ipv4 start into IKEv2 Traffic Selector Aug 26 13:30:44.406547: | ipv4 start c0 00 02 00 Aug 26 13:30:44.406549: | emitting 4 raw bytes of ipv4 end into IKEv2 Traffic Selector Aug 26 13:30:44.406550: | ipv4 end c0 00 02 ff Aug 26 13:30:44.406552: | emitting length of IKEv2 Traffic Selector: 16 Aug 26 13:30:44.406553: | emitting length of IKEv2 Traffic Selector - Responder - Payload: 24 Aug 26 13:30:44.406555: | Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED Aug 26 13:30:44.406557: | integ=none: .key_size=0 encrypt=aes_gcm_16: .key_size=16 .salt_size=4 keymat_len=20 Aug 26 13:30:44.406621: | 
FOR_EACH_CONNECTION_... in ISAKMP_SA_established Aug 26 13:30:44.406625: | install_ipsec_sa() for #2: inbound and outbound Aug 26 13:30:44.406628: | could_route called for eastnet-northnet (kind=CK_INSTANCE) Aug 26 13:30:44.406631: | FOR_EACH_CONNECTION_... in route_owner Aug 26 13:30:44.406633: | conn eastnet-northnet mark 0/00000000, 0/00000000 vs Aug 26 13:30:44.406635: | conn eastnet-northnet mark 0/00000000, 0/00000000 Aug 26 13:30:44.406636: | conn eastnet-northnet mark 0/00000000, 0/00000000 vs Aug 26 13:30:44.406638: | conn eastnet-northnet mark 0/00000000, 0/00000000 Aug 26 13:30:44.406641: | route owner of "eastnet-northnet"[1] 192.1.3.33 unrouted: NULL; eroute owner: NULL Aug 26 13:30:44.406644: | looking for alg with encrypt: AES_GCM_16 keylen: 128 integ: NONE Aug 26 13:30:44.406646: | encrypt AES_GCM_16 keylen=128 transid=20, key_size=16, encryptalg=20 Aug 26 13:30:44.406648: | AES_GCM_16 requires 4 salt bytes Aug 26 13:30:44.406649: | st->st_esp.keymat_len=20 is encrypt_keymat_size=20 + integ_keymat_size=0 Aug 26 13:30:44.406652: | setting IPsec SA replay-window to 32 Aug 26 13:30:44.406654: | NIC esp-hw-offload not for connection 'eastnet-northnet' not available on interface eth1 Aug 26 13:30:44.406656: | netlink: enabling tunnel mode Aug 26 13:30:44.406658: | netlink: setting IPsec SA replay-window to 32 using old-style req Aug 26 13:30:44.406660: | netlink: esp-hw-offload not set for IPsec SA Aug 26 13:30:44.406714: | netlink response for Add SA esp.af0b7703@192.1.3.33 included non-error error Aug 26 13:30:44.406717: | set up outgoing SA, ref=0/0 Aug 26 13:30:44.406719: | looking for alg with encrypt: AES_GCM_16 keylen: 128 integ: NONE Aug 26 13:30:44.406720: | encrypt AES_GCM_16 keylen=128 transid=20, key_size=16, encryptalg=20 Aug 26 13:30:44.406722: | AES_GCM_16 requires 4 salt bytes Aug 26 13:30:44.406724: | st->st_esp.keymat_len=20 is encrypt_keymat_size=20 + integ_keymat_size=0 Aug 26 13:30:44.406726: | setting IPsec SA replay-window to 32 
Aug 26 13:30:44.406728: | NIC esp-hw-offload not for connection 'eastnet-northnet' not available on interface eth1 Aug 26 13:30:44.406729: | netlink: enabling tunnel mode Aug 26 13:30:44.406731: | netlink: setting IPsec SA replay-window to 32 using old-style req Aug 26 13:30:44.406732: | netlink: esp-hw-offload not set for IPsec SA Aug 26 13:30:44.406762: | netlink response for Add SA esp.698128bb@192.1.2.23 included non-error error Aug 26 13:30:44.406767: | priority calculation of connection "eastnet-northnet" is 0xfe7e7 Aug 26 13:30:44.406775: | add inbound eroute 192.0.3.0/24:0 --0-> 192.0.2.0/24:0 => tun.10000@192.1.2.23 (raw_eroute) Aug 26 13:30:44.406779: | IPsec Sa SPD priority set to 1042407 Aug 26 13:30:44.406801: | raw_eroute result=success Aug 26 13:30:44.406805: | set up incoming SA, ref=0/0 Aug 26 13:30:44.406808: | sr for #2: unrouted Aug 26 13:30:44.406811: | route_and_eroute() for proto 0, and source port 0 dest port 0 Aug 26 13:30:44.406814: | FOR_EACH_CONNECTION_... in route_owner Aug 26 13:30:44.406817: | conn eastnet-northnet mark 0/00000000, 0/00000000 vs Aug 26 13:30:44.406821: | conn eastnet-northnet mark 0/00000000, 0/00000000 Aug 26 13:30:44.406824: | conn eastnet-northnet mark 0/00000000, 0/00000000 vs Aug 26 13:30:44.406828: | conn eastnet-northnet mark 0/00000000, 0/00000000 Aug 26 13:30:44.406833: | route owner of "eastnet-northnet"[1] 192.1.3.33 unrouted: NULL; eroute owner: NULL Aug 26 13:30:44.406838: | route_and_eroute with c: eastnet-northnet (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: #2 Aug 26 13:30:44.406842: | priority calculation of connection "eastnet-northnet" is 0xfe7e7 Aug 26 13:30:44.406850: | eroute_connection add eroute 192.0.2.0/24:0 --0-> 192.0.3.0/24:0 => tun.0@192.1.3.33 (raw_eroute) Aug 26 13:30:44.406854: | IPsec Sa SPD priority set to 1042407 Aug 26 13:30:44.406868: | raw_eroute result=success Aug 26 13:30:44.406873: | running updown command "ipsec _updown" for verb up Aug 26 
13:30:44.406876: | command executing up-client Aug 26 13:30:44.406910: | executing up-client: PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northnet' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='192.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI Aug 26 13:30:44.406917: | popen cmd is 1048 chars long Aug 26 13:30:44.406922: | cmd( 0):PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northnet' P: Aug 26 13:30:44.406926: | cmd( 80):LUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY: Aug 26 13:30:44.406929: | cmd( 160):_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' : Aug 26 13:30:44.406933: | cmd( 240):PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLU: Aug 26 13:30:44.406936: | cmd( 320):TO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='1: Aug 26 13:30:44.406940: | cmd( 400):92.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PL: Aug 26 13:30:44.406944: | cmd( 480):UTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0': Aug 26 13:30:44.406947: | cmd( 
560): PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+: Aug 26 13:30:44.406951: | cmd( 640):ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO' PLUTO_C: Aug 26 13:30:44.406955: | cmd( 720):ONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER: Aug 26 13:30:44.406958: | cmd( 800):_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='': Aug 26 13:30:44.406962: | cmd( 880): PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' : Aug 26 13:30:44.406966: | cmd( 960):VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0xaf0b7703 SPI_OUT=0x698128bb ipsec _upd: Aug 26 13:30:44.406968: | cmd(1040):own 2>&1: Aug 26 13:30:44.417189: | route_and_eroute: firewall_notified: true Aug 26 13:30:44.417204: | running updown command "ipsec _updown" for verb prepare Aug 26 13:30:44.417207: | command executing prepare-client Aug 26 13:30:44.417231: | executing prepare-client: PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northnet' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='192.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARE Aug 26 13:30:44.417234: 
| popen cmd is 1053 chars long Aug 26 13:30:44.417237: | cmd( 0):PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northn: Aug 26 13:30:44.417239: | cmd( 80):et' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLU: Aug 26 13:30:44.417240: | cmd( 160):TO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.: Aug 26 13:30:44.417245: | cmd( 240):2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0: Aug 26 13:30:44.417247: | cmd( 320):' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_: Aug 26 13:30:44.417249: | cmd( 400):ID='192.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.: Aug 26 13:30:44.417250: | cmd( 480):0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCO: Aug 26 13:30:44.417252: | cmd( 560):L='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY=: Aug 26 13:30:44.417254: | cmd( 640):'PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO' PL: Aug 26 13:30:44.417256: | cmd( 720):UTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS: Aug 26 13:30:44.417257: | cmd( 800):_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANN: Aug 26 13:30:44.417259: | cmd( 880):ER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFAC: Aug 26 13:30:44.417261: | cmd( 960):E='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0xaf0b7703 SPI_OUT=0x698128bb ipsec: Aug 26 13:30:44.417262: | cmd(1040): _updown 2>&1: Aug 26 13:30:44.424455: | running updown command "ipsec _updown" for verb route Aug 26 13:30:44.424468: | command executing route-client Aug 26 13:30:44.424491: | executing route-client: PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northnet' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' 
PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='192.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='n Aug 26 13:30:44.424494: | popen cmd is 1051 chars long Aug 26 13:30:44.424496: | cmd( 0):PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northnet: Aug 26 13:30:44.424498: | cmd( 80):' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO: Aug 26 13:30:44.424500: | cmd( 160):_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.: Aug 26 13:30:44.424501: | cmd( 240):0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' : Aug 26 13:30:44.424503: | cmd( 320):PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID: Aug 26 13:30:44.424504: | cmd( 400):='192.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0': Aug 26 13:30:44.424506: | cmd( 480): PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL=: Aug 26 13:30:44.424508: | cmd( 560):'0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='P: Aug 26 13:30:44.424509: | cmd( 640):SK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO' PLUT: Aug 26 13:30:44.424511: | cmd( 720):O_CONN_KIND='CK_INSTANCE' 
PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_P: Aug 26 13:30:44.424513: | cmd( 800):EER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER: Aug 26 13:30:44.424514: | cmd( 880):='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE=: Aug 26 13:30:44.424516: | cmd( 960):'' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0xaf0b7703 SPI_OUT=0x698128bb ipsec _: Aug 26 13:30:44.424517: | cmd(1040):updown 2>&1: Aug 26 13:30:44.436580: | route_and_eroute: instance "eastnet-northnet"[1] 192.1.3.33, setting eroute_owner {spd=0x55676ab097a8,sr=0x55676ab097a8} to #2 (was #0) (newest_ipsec_sa=#0) Aug 26 13:30:44.436667: | #1 spent 1.44 milliseconds in install_ipsec_sa() Aug 26 13:30:44.436675: | ISAKMP_v2_IKE_AUTH: instance eastnet-northnet[1], setting IKEv2 newest_ipsec_sa to #2 (was #0) (spd.eroute=#2) cloned from #1 Aug 26 13:30:44.436679: | adding 1 bytes of padding (including 1 byte padding-length) Aug 26 13:30:44.436683: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:30:44.436687: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Aug 26 13:30:44.436690: | emitting length of IKEv2 Encryption Payload: 205 Aug 26 13:30:44.436693: | emitting length of ISAKMP Message: 233 Aug 26 13:30:44.436741: | ikev2_parent_inI2outR2_continue_tail returned STF_OK Aug 26 13:30:44.436747: | #1 spent 2.48 milliseconds in processing: Responder: process IKE_AUTH request in ikev2_process_state_packet() Aug 26 13:30:44.436756: | suspend processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:30:44.436763: | start processing: state #2 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:30:44.436768: | #2 complete_v2_state_transition() md.from_state=PARENT_R1 md.svm.state[from]=PARENT_R1 
UNDEFINED->V2_IPSEC_R with status STF_OK Aug 26 13:30:44.436771: | IKEv2: transition from state STATE_PARENT_R1 to state STATE_V2_IPSEC_R Aug 26 13:30:44.436775: | child state #2: UNDEFINED(ignore) => V2_IPSEC_R(established CHILD SA) Aug 26 13:30:44.436779: | Message ID: updating counters for #2 to 1 after switching state Aug 26 13:30:44.436798: | Message ID: recv #1.#2 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0->1; child: wip.initiator=-1 wip.responder=1->-1 Aug 26 13:30:44.436803: | Message ID: sent #1.#2 response 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0->1 responder.recv=1; child: wip.initiator=-1 wip.responder=-1 Aug 26 13:30:44.436806: | pstats #2 ikev2.child established Aug 26 13:30:44.436816: "eastnet-northnet"[1] 192.1.3.33 #2: negotiated connection [192.0.2.0-192.0.2.255:0-65535 0] -> [192.0.3.0-192.0.3.255:0-65535 0] Aug 26 13:30:44.436821: | NAT-T: encaps is 'auto' Aug 26 13:30:44.436826: "eastnet-northnet"[1] 192.1.3.33 #2: STATE_V2_IPSEC_R: IPsec SA established tunnel mode {ESP=>0xaf0b7703 <0x698128bb xfrm=AES_GCM_16_128-NONE NATOA=none NATD=none DPD=passive} Aug 26 13:30:44.436831: | sending V2 new request packet to 192.1.3.33:500 (from 192.1.2.23:500) Aug 26 13:30:44.436839: | sending 233 bytes for STATE_PARENT_R1 through eth1 from 192.1.2.23:500 to 192.1.3.33:500 (using #1)
Aug 26 13:30:44.436924: | releasing whack for #2 (sock=fd@-1) Aug 26 13:30:44.436930: | releasing whack and unpending for parent #1 Aug 26 13:30:44.436934: | unpending state #1 connection "eastnet-northnet"[1] 192.1.3.33 Aug 26 13:30:44.436939: | #2 will start re-keying in 28530 seconds with margin of 270 seconds (attempting re-key) Aug 26 13:30:44.436942: | event_schedule: new EVENT_SA_REKEY-pe@0x7fc108002b78 Aug 26 13:30:44.436946: | inserting event EVENT_SA_REKEY, timeout in 28530 seconds for #2 Aug 26 13:30:44.436950: | libevent_malloc: new ptr-libevent@0x55676ab0ce68 size 128 Aug 26 13:30:44.436963: | resume sending helper answer for #1 suppresed complete_v2_state_transition() Aug 26 13:30:44.436970: | #1 spent 2.77 milliseconds in resume sending helper answer Aug 26 13:30:44.436977: | stop processing: state #2 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in resume_handler() at server.c:833) Aug 26 13:30:44.436981: | libevent_free: release ptr-libevent@0x7fc100000f48 Aug 26 13:30:44.436995: | processing signal PLUTO_SIGCHLD Aug 26 13:30:44.437001: | waitpid returned ECHILD (no child processes left) Aug 26 13:30:44.437005: | spent 0.00524 milliseconds in signal handler PLUTO_SIGCHLD Aug 26 13:30:44.437008: | processing signal PLUTO_SIGCHLD Aug 26 13:30:44.437011: | waitpid returned ECHILD (no child processes left) Aug 26 13:30:44.437015: | spent 0.00367 milliseconds in signal handler PLUTO_SIGCHLD Aug 26 13:30:44.437018: | processing signal PLUTO_SIGCHLD Aug 26 13:30:44.437021: |
waitpid returned ECHILD (no child processes left) Aug 26 13:30:44.437025: | spent 0.00341 milliseconds in signal handler PLUTO_SIGCHLD Aug 26 13:30:51.131414: | spent 0.00459 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Aug 26 13:30:51.131451: | *received 121 bytes from 192.1.8.22:500 on eth1 (192.1.2.23:500) Aug 26 13:30:51.131483: | start processing: from 192.1.8.22:500 (in process_md() at demux.c:378) Aug 26 13:30:51.131488: | **parse ISAKMP Message: Aug 26 13:30:51.131492: | initiator cookie: Aug 26 13:30:51.131495: | 43 1d e9 7d 41 27 07 f3 Aug 26 13:30:51.131498: | responder cookie: Aug 26 13:30:51.131501: | 65 3b 61 57 7c 53 07 1f Aug 26 13:30:51.131504: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Aug 26 13:30:51.131508: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:30:51.131511: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Aug 26 13:30:51.131518: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Aug 26 13:30:51.131521: | Message ID: 2 (0x2) Aug 26 13:30:51.131525: | length: 121 (0x79) Aug 26 13:30:51.131529: | processing version=2.0 packet with exchange type=ISAKMP_v2_INFORMATIONAL (37) Aug 26 13:30:51.131533: | I am the IKE SA Original Responder receiving an IKEv2 INFORMATIONAL request Aug 26 13:30:51.131538: | State DB: found IKEv2 state #1 in PARENT_R2 (find_v2_ike_sa) Aug 26 13:30:51.131548: | start processing: state #1 connection
"eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2016) Aug 26 13:30:51.131552: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Aug 26 13:30:51.131559: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in ike_process_packet() at ikev2.c:2064) Aug 26 13:30:51.131563: | #1 st.st_msgid_lastrecv 1 md.hdr.isa_msgid 00000002 Aug 26 13:30:51.131569: | Message ID: #1 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1 Aug 26 13:30:51.131572: | unpacking clear payload Aug 26 13:30:51.131579: | Now let's proceed with payload (ISAKMP_NEXT_v2SK) Aug 26 13:30:51.131583: | ***parse IKEv2 Encryption Payload: Aug 26 13:30:51.131587: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 13:30:51.131590: | flags: none (0x0) Aug 26 13:30:51.131593: | length: 93 (0x5d) Aug 26 13:30:51.131596: | processing payload: ISAKMP_NEXT_v2SK (len=89) Aug 26 13:30:51.131602: | Message ID: start-responder #1 request 2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1 wip.initiator=-1 wip.responder=-1->2 Aug 26 13:30:51.131606: | #1 in state PARENT_R2: received v2I2, PARENT SA established Aug 26 13:30:51.131630: | #1 ikev2 ISAKMP_v2_INFORMATIONAL decrypt success Aug 26 13:30:51.131634: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Aug 26 13:30:51.131638: | **parse IKEv2 Notify Payload: Aug 26 13:30:51.131641: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 13:30:51.131644: | flags: none (0x0) Aug 26 13:30:51.131647: | length: 8 (0x8) Aug 26 13:30:51.131650: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:30:51.131654: | SPI size: 0 (0x0) Aug 26 13:30:51.131657: | Notify Message Type: v2N_UPDATE_SA_ADDRESSES (0x4010) Aug 26 13:30:51.131660: | processing payload: ISAKMP_NEXT_v2N (len=0) Aug 26 13:30:51.131663: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Aug 26 13:30:51.131667: | **parse IKEv2 Notify Payload: 
Aug 26 13:30:51.131670: | next payload type: ISAKMP_NEXT_v2N (0x29) Aug 26 13:30:51.131673: | flags: none (0x0) Aug 26 13:30:51.131675: | length: 28 (0x1c) Aug 26 13:30:51.131678: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:30:51.131681: | SPI size: 0 (0x0) Aug 26 13:30:51.131685: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Aug 26 13:30:51.131688: | processing payload: ISAKMP_NEXT_v2N (len=20) Aug 26 13:30:51.131691: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Aug 26 13:30:51.131694: | **parse IKEv2 Notify Payload: Aug 26 13:30:51.131697: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:30:51.131700: | flags: none (0x0) Aug 26 13:30:51.131703: | length: 28 (0x1c) Aug 26 13:30:51.131706: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:30:51.131709: | SPI size: 0 (0x0) Aug 26 13:30:51.131712: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Aug 26 13:30:51.131715: | processing payload: ISAKMP_NEXT_v2N (len=20) Aug 26 13:30:51.131718: | selected state microcode R2: process Informational Request Aug 26 13:30:51.131721: | Now let's proceed with state specific processing Aug 26 13:30:51.131725: | calling processor R2: process Informational Request Aug 26 13:30:51.131729: | an informational request should send a response Aug 26 13:30:51.131733: | Need to process v2N_UPDATE_SA_ADDRESSES Aug 26 13:30:51.131736: | TODO: Need to process NAT DETECTION payload if we are initiator Aug 26 13:30:51.131739: | TODO: Need to process NAT DETECTION payload if we are initiator Aug 26 13:30:51.131746: | #2 pst=#1 MOBIKE update remote address 192.1.3.33:500 -> 192.1.8.22:500 Aug 26 13:30:51.131755: | responder migrate kernel SA esp.af0b7703@192.1.3.33:500 to 192.1.8.22:500 reqid=16393 XFRM_OUT Aug 26 13:30:51.131852: | responder migrate kernel SA esp.698128bb@192.1.3.33:500 to 192.1.8.22:500 reqid=16393 XFRM_IN Aug 26 13:30:51.131896: | responder migrate kernel SA esp.698128bb@192.1.3.33:500 to 192.1.8.22:500 reqid=16393 XFRM_FWD Aug 26 
13:30:51.131914: "eastnet-northnet"[1] 192.1.3.33 #1: success MOBIKE update remote address 192.1.3.33:500 -> 192.1.8.22:500 Aug 26 13:30:51.131922: | free hp@0x55676ab09d58 Aug 26 13:30:51.131929: | connect_to_host_pair: 192.1.2.23:500 192.1.8.22:500 -> hp@(nil): none Aug 26 13:30:51.131932: | new hp@0x55676ab09d58 Aug 26 13:30:51.131941: | #1 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2669) Aug 26 13:30:51.131945: "eastnet-northnet"[1] 192.1.8.22 #1: MOBIKE request: updating IPsec SA by request Aug 26 13:30:51.131980: | Received an INFORMATIONAL response, updating st_last_liveness, no pending_liveness Aug 26 13:30:51.131988: | **emit ISAKMP Message: Aug 26 13:30:51.131991: | initiator cookie: Aug 26 13:30:51.131994: | 43 1d e9 7d 41 27 07 f3 Aug 26 13:30:51.131998: | responder cookie: Aug 26 13:30:51.132000: | 65 3b 61 57 7c 53 07 1f Aug 26 13:30:51.132004: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 13:30:51.132007: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:30:51.132011: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Aug 26 13:30:51.132014: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Aug 26 13:30:51.132017: | Message ID: 2 (0x2) Aug 26 13:30:51.132021: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 13:30:51.132025: | ***emit IKEv2 Encryption Payload: Aug 26 13:30:51.132028: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:30:51.132031: | flags: none (0x0) Aug 26 13:30:51.132035: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Aug 26 13:30:51.132039: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'information exchange reply packet' Aug 26 13:30:51.132043: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Aug 26 13:30:51.132058: | adding NATD payloads to MOBIKE response 
Aug 26 13:30:51.132062: | NAT-Traversal support [enabled] add v2N payloads. Aug 26 13:30:51.132076: | natd_hash: hasher=0x55676965b800(20) Aug 26 13:30:51.132080: | natd_hash: icookie= 43 1d e9 7d 41 27 07 f3 Aug 26 13:30:51.132083: | natd_hash: rcookie= 65 3b 61 57 7c 53 07 1f Aug 26 13:30:51.132086: | natd_hash: ip= c0 01 02 17 Aug 26 13:30:51.132089: | natd_hash: port=500 Aug 26 13:30:51.132093: | natd_hash: hash= 7e e7 46 19 e5 0f 2a ef e9 d6 b9 4b ed 55 81 75 Aug 26 13:30:51.132096: | natd_hash: hash= 3f d2 0f a3 Aug 26 13:30:51.132099: | Adding a v2N Payload Aug 26 13:30:51.132102: | ****emit IKEv2 Notify Payload: Aug 26 13:30:51.132106: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:30:51.132109: | flags: none (0x0) Aug 26 13:30:51.132112: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:30:51.132115: | SPI size: 0 (0x0) Aug 26 13:30:51.132118: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Aug 26 13:30:51.132122: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Aug 26 13:30:51.132126: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'information exchange reply packet' Aug 26 13:30:51.132130: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Aug 26 13:30:51.132134: | Notify data 7e e7 46 19 e5 0f 2a ef e9 d6 b9 4b ed 55 81 75 Aug 26 13:30:51.132137: | Notify data 3f d2 0f a3 Aug 26 13:30:51.132140: | emitting length of IKEv2 Notify Payload: 28 Aug 26 13:30:51.132150: | natd_hash: hasher=0x55676965b800(20) Aug 26 13:30:51.132153: | natd_hash: icookie= 43 1d e9 7d 41 27 07 f3 Aug 26 13:30:51.132156: | natd_hash: rcookie= 65 3b 61 57 7c 53 07 1f Aug 26 13:30:51.132159: | natd_hash: ip= c0 01 08 16 Aug 26 13:30:51.132162: | natd_hash: port=500 Aug 26 13:30:51.132165: | natd_hash: hash= 2b cb 55 16 bc f7 ca 06 7a 97 b6 d9 40 56 1c 84 Aug 26 13:30:51.132168: | natd_hash: hash= 2d 0a a7 b9 Aug 26 
13:30:51.132171: | Adding a v2N Payload Aug 26 13:30:51.132175: | ****emit IKEv2 Notify Payload: Aug 26 13:30:51.132178: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:30:51.132181: | flags: none (0x0) Aug 26 13:30:51.132184: | Protocol ID: PROTO_v2_RESERVED (0x0) Aug 26 13:30:51.132187: | SPI size: 0 (0x0) Aug 26 13:30:51.132190: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Aug 26 13:30:51.132194: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Aug 26 13:30:51.132198: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'information exchange reply packet' Aug 26 13:30:51.132204: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Aug 26 13:30:51.132207: | Notify data 2b cb 55 16 bc f7 ca 06 7a 97 b6 d9 40 56 1c 84 Aug 26 13:30:51.132210: | Notify data 2d 0a a7 b9 Aug 26 13:30:51.132213: | emitting length of IKEv2 Notify Payload: 28 Aug 26 13:30:51.132217: | adding 1 bytes of padding (including 1 byte padding-length) Aug 26 13:30:51.132221: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:30:51.132225: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Aug 26 13:30:51.132228: | emitting length of IKEv2 Encryption Payload: 85 Aug 26 13:30:51.132232: | emitting length of ISAKMP Message: 113 Aug 26 13:30:51.132248: | sending 113 bytes for reply packet for process_encrypted_informational_ikev2 through eth1 from 192.1.2.23:500 to 192.1.8.22:500 (using #1)
Aug 26 13:30:51.132322: | Message ID: #1 XXX: in process_encrypted_informational_ikev2() hacking around record'n'send bypassing send queue hacking around delete_my_family(); initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1 wip.initiator=-1 wip.responder=2 Aug 26 13:30:51.132334: | Message ID: sent #1 response 2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=1->2 responder.recv=1 wip.initiator=-1 wip.responder=2 Aug 26 13:30:51.132346: | #1 spent 0.587 milliseconds in processing: R2: process Informational Request in ikev2_process_state_packet() Aug 26 13:30:51.132354: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.8.22 from 192.1.8.22:500 (in complete_v2_state_transition() at ikev2.c:3379) Aug 26 13:30:51.132358: | #1 complete_v2_state_transition() PARENT_R2->PARENT_R2 with status STF_OK Aug 26 13:30:51.132362: | Message ID: updating counters for #1 to 2 after switching state Aug 26 13:30:51.132368: | Message ID: recv #1 request 2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=2 responder.recv=1->2 wip.initiator=-1 wip.responder=2->-1 Aug 26 13:30:51.132373: | Message ID: #1 skipping update_send as nothing to send; initiator.sent=-1 initiator.recv=-1 responder.sent=2 responder.recv=2 wip.initiator=-1 wip.responder=-1 Aug 26 13:30:51.132377: | STATE_PARENT_R2: received v2I2, PARENT SA established Aug 26 13:30:51.132384: | stop processing: state #1 connection "eastnet-northnet"[1] 192.1.8.22 from 192.1.8.22:500 (in ikev2_process_packet() at ikev2.c:2018) Aug 26 13:30:51.132390: | #1 spent 0.927 milliseconds in ikev2_process_packet() Aug 26 13:30:51.132395: | stop processing: from 192.1.8.22:500 (in process_md() at demux.c:380) Aug 26 13:30:51.132399: | processing: STOP state #0 (in process_md() at demux.c:382) Aug 26 13:30:51.132403: |
processing: STOP connection NULL (in process_md() at demux.c:383) Aug 26 13:30:51.132408: | spent 0.946 milliseconds in comm_handle_cb() reading and processing packet Aug 26 13:31:02.602352: | processing global timer EVENT_SHUNT_SCAN Aug 26 13:31:02.602369: | expiring aged bare shunts from shunt table Aug 26 13:31:02.602375: | spent 0.00429 milliseconds in global timer EVENT_SHUNT_SCAN Aug 26 13:31:04.575355: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 13:31:04.575381: | FOR_EACH_STATE_... in show_traffic_status (sort_states) Aug 26 13:31:04.575385: | FOR_EACH_STATE_... in sort_states Aug 26 13:31:04.575393: | get_sa_info esp.698128bb@192.1.2.23 Aug 26 13:31:04.575415: | get_sa_info esp.af0b7703@192.1.8.22 Aug 26 13:31:04.575435: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 13:31:04.575443: | spent 0.0983 milliseconds in whack Aug 26 13:31:04.820938: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 13:31:04.821623: | FOR_EACH_CONNECTION_... in show_connections_status Aug 26 13:31:04.821649: | FOR_EACH_CONNECTION_... in show_connections_status Aug 26 13:31:04.821987: | FOR_EACH_STATE_... in show_states_status (sort_states) Aug 26 13:31:04.821998: | FOR_EACH_STATE_... 
in sort_states Aug 26 13:31:04.822040: | get_sa_info esp.698128bb@192.1.2.23 Aug 26 13:31:04.822087: | get_sa_info esp.af0b7703@192.1.8.22 Aug 26 13:31:04.822159: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Aug 26 13:31:04.822180: | spent 1.25 milliseconds in whack Aug 26 13:31:06.138539: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) Aug 26 13:31:06.138559: shutting down Aug 26 13:31:06.138566: | processing: RESET whack log_fd (was fd@16) (in exit_pluto() at plutomain.c:1825) Aug 26 13:31:06.138569: | certs and keys locked by 'free_preshared_secrets' Aug 26 13:31:06.138570: forgetting secrets Aug 26 13:31:06.138577: | certs and keys unlocked by 'free_preshared_secrets' Aug 26 13:31:06.138582: | start processing: connection "eastnet-northnet"[1] 192.1.8.22 (in delete_connection() at connections.c:189) Aug 26 13:31:06.138586: "eastnet-northnet"[1] 192.1.8.22: deleting connection "eastnet-northnet"[1] 192.1.8.22 instance with peer 192.1.8.22 {isakmp=#1/ipsec=#2} Aug 26 13:31:06.138588: | Deleting states for connection - including all other IPsec SA's of this IKE SA Aug 26 13:31:06.138590: | pass 0 Aug 26 13:31:06.138591: | FOR_EACH_STATE_... 
in foreach_state_by_connection_func_delete Aug 26 13:31:06.138593: | state #2 Aug 26 13:31:06.138597: | suspend processing: connection "eastnet-northnet"[1] 192.1.8.22 (in foreach_state_by_connection_func_delete() at state.c:1310) Aug 26 13:31:06.138601: | start processing: state #2 connection "eastnet-northnet"[1] 192.1.8.22 from 192.1.8.22:500 (in foreach_state_by_connection_func_delete() at state.c:1310) Aug 26 13:31:06.138603: | pstats #2 ikev2.child deleted completed Aug 26 13:31:06.138606: | [RE]START processing: state #2 connection "eastnet-northnet"[1] 192.1.8.22 from 192.1.8.22:500 (in delete_state() at state.c:879) Aug 26 13:31:06.138610: "eastnet-northnet"[1] 192.1.8.22 #2: deleting state (STATE_V2_IPSEC_R) aged 21.732s and sending notification Aug 26 13:31:06.138612: | child state #2: V2_IPSEC_R(established CHILD SA) => delete Aug 26 13:31:06.138616: | get_sa_info esp.af0b7703@192.1.8.22 Aug 26 13:31:06.138628: | get_sa_info esp.698128bb@192.1.2.23 Aug 26 13:31:06.138634: "eastnet-northnet"[1] 192.1.8.22 #2: ESP traffic information: in=336B out=336B Aug 26 13:31:06.138636: | #2 send IKEv2 delete notification for STATE_V2_IPSEC_R Aug 26 13:31:06.138639: | Opening output PBS informational exchange delete request Aug 26 13:31:06.138641: | **emit ISAKMP Message: Aug 26 13:31:06.138643: | initiator cookie: Aug 26 13:31:06.138645: | 43 1d e9 7d 41 27 07 f3 Aug 26 13:31:06.138646: | responder cookie: Aug 26 13:31:06.138648: | 65 3b 61 57 7c 53 07 1f Aug 26 13:31:06.138650: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 13:31:06.138652: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:31:06.138654: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Aug 26 13:31:06.138656: | flags: none (0x0) Aug 26 13:31:06.138657: | Message ID: 0 (0x0) Aug 26 13:31:06.138659: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 13:31:06.138661: | ***emit IKEv2 Encryption Payload: Aug 26 13:31:06.138663: | next payload 
type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:31:06.138665: | flags: none (0x0) Aug 26 13:31:06.138667: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Aug 26 13:31:06.138671: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'informational exchange delete request' Aug 26 13:31:06.138674: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Aug 26 13:31:06.138682: | ****emit IKEv2 Delete Payload: Aug 26 13:31:06.138683: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:31:06.138685: | flags: none (0x0) Aug 26 13:31:06.138687: | protocol ID: PROTO_v2_ESP (0x3) Aug 26 13:31:06.138688: | SPI size: 4 (0x4) Aug 26 13:31:06.138690: | number of SPIs: 1 (0x1) Aug 26 13:31:06.138692: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) Aug 26 13:31:06.138694: | next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'informational exchange delete request' Aug 26 13:31:06.138696: | emitting 4 raw bytes of local spis into IKEv2 Delete Payload Aug 26 13:31:06.138698: | local spis 69 81 28 bb Aug 26 13:31:06.138700: | emitting length of IKEv2 Delete Payload: 12 Aug 26 13:31:06.138702: | adding 1 bytes of padding (including 1 byte padding-length) Aug 26 13:31:06.138704: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:31:06.138706: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Aug 26 13:31:06.138708: | emitting length of IKEv2 Encryption Payload: 41 Aug 26 13:31:06.138709: | emitting length of ISAKMP Message: 69 Aug 26 13:31:06.138730: | sending 69 bytes for delete notification through eth1 from 192.1.2.23:500 to 192.1.8.22:500 (using #2) Aug 26 13:31:06.138732: | 43 1d e9 7d 41 27 07 f3 65 3b 61 57 7c 53 07 1f Aug 26 13:31:06.138733: | 2e 20 25 00 00 00 
00 00 00 00 00 45 2a 00 00 29 Aug 26 13:31:06.138735: | 38 ed 5e 98 b4 17 88 e7 7b 4b 9a 06 3f 53 57 7f Aug 26 13:31:06.138737: | 15 ba 43 ff 6f 6d 72 12 41 fb 0a a4 b6 db f9 72 Aug 26 13:31:06.138738: | 9e c7 da 9f b5 Aug 26 13:31:06.138780: | Message ID: IKE #1 sender #2 in send_delete record 'n' sending delete request so forcing IKE nextuse=0->1 and sender msgid=0->0 Aug 26 13:31:06.138783: | Message ID: IKE #1 sender #2 in send_delete hacking around record ' send Aug 26 13:31:06.138786: | Message ID: sent #1 request 0; ike: initiator.sent=-1->0 initiator.recv=-1 responder.sent=2 responder.recv=2 wip.initiator=-1->0 wip.responder=-1 Aug 26 13:31:06.138789: | state #2 requesting EVENT_SA_REKEY to be deleted Aug 26 13:31:06.138792: | libevent_free: release ptr-libevent@0x55676ab0ce68 Aug 26 13:31:06.138794: | free_event_entry: release EVENT_SA_REKEY-pe@0x7fc108002b78 Aug 26 13:31:06.138878: | running updown command "ipsec _updown" for verb down Aug 26 13:31:06.138887: | command executing down-client Aug 26 13:31:06.138924: | executing down-client: PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northnet' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.8.22' PLUTO_PEER_ID='192.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1566826244' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO' PLUTO_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' 
PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_ Aug 26 13:31:06.138928: | popen cmd is 1061 chars long Aug 26 13:31:06.138933: | cmd( 0):PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northnet': Aug 26 13:31:06.138938: | cmd( 80): PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_: Aug 26 13:31:06.138940: | cmd( 160):MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0: Aug 26 13:31:06.138942: | cmd( 240):' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' P: Aug 26 13:31:06.138944: | cmd( 320):LUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.8.22' PLUTO_PEER_ID=: Aug 26 13:31:06.138945: | cmd( 400):'192.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' : Aug 26 13:31:06.138947: | cmd( 480):PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL=': Aug 26 13:31:06.138949: | cmd( 560):0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1566826244' PLUTO_CONN_P: Aug 26 13:31:06.138950: | cmd( 640):OLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_: Aug 26 13:31:06.138952: | cmd( 720):NO' PLUTO_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 : Aug 26 13:31:06.138954: | cmd( 800):PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_P: Aug 26 13:31:06.138955: | cmd( 880):EER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' : Aug 26 13:31:06.138957: | cmd( 960):VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0xaf0b7703 SPI_OUT=0x698128: Aug 26 13:31:06.138959: | cmd(1040):bb ipsec _updown 2>&1: Aug 26 13:31:06.147257: | shunt_eroute() called for connection 'eastnet-northnet' to 'replace with shunt' for rt_kind 'prospective erouted' using protoports 0--0->-0 Aug 26 13:31:06.147273: | netlink_shunt_eroute for proto 0, and source port 0 dest port 0 Aug 26 
13:31:06.147277: | priority calculation of connection "eastnet-northnet" is 0xfe7e7 Aug 26 13:31:06.147281: | IPsec Sa SPD priority set to 1042407 Aug 26 13:31:06.147320: | delete esp.af0b7703@192.1.8.22 Aug 26 13:31:06.147336: | netlink response for Del SA esp.af0b7703@192.1.8.22 included non-error error Aug 26 13:31:06.147339: | priority calculation of connection "eastnet-northnet" is 0xfe7e7 Aug 26 13:31:06.147344: | delete inbound eroute 192.0.3.0/24:0 --0-> 192.0.2.0/24:0 => unk255.10000@192.1.2.23 (raw_eroute) Aug 26 13:31:06.147361: | raw_eroute result=success Aug 26 13:31:06.147368: | delete esp.698128bb@192.1.2.23 Aug 26 13:31:06.147382: | netlink response for Del SA esp.698128bb@192.1.2.23 included non-error error Aug 26 13:31:06.147399: | stop processing: connection "eastnet-northnet"[1] 192.1.8.22 (BACKGROUND) (in update_state_connection() at connections.c:4076) Aug 26 13:31:06.147405: | start processing: connection NULL (in update_state_connection() at connections.c:4077) Aug 26 13:31:06.147409: | in connection_discard for connection eastnet-northnet Aug 26 13:31:06.147412: | State DB: deleting IKEv2 state #2 in V2_IPSEC_R Aug 26 13:31:06.147420: | child state #2: V2_IPSEC_R(established CHILD SA) => UNDEFINED(ignore) Aug 26 13:31:06.147429: | stop processing: state #2 from 192.1.8.22:500 (in delete_state() at state.c:1143) Aug 26 13:31:06.147444: | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312) Aug 26 13:31:06.147448: | state #1 Aug 26 13:31:06.147451: | pass 1 Aug 26 13:31:06.147455: | FOR_EACH_STATE_... 
in foreach_state_by_connection_func_delete Aug 26 13:31:06.147458: | state #1 Aug 26 13:31:06.147465: | start processing: state #1 connection "eastnet-northnet"[1] 192.1.8.22 from 192.1.8.22:500 (in foreach_state_by_connection_func_delete() at state.c:1310) Aug 26 13:31:06.147470: | pstats #1 ikev2.ike deleted completed Aug 26 13:31:06.147477: | #1 spent 7.37 milliseconds in total Aug 26 13:31:06.147480: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.8.22 from 192.1.8.22:500 (in delete_state() at state.c:879) Aug 26 13:31:06.147484: "eastnet-northnet"[1] 192.1.8.22 #1: deleting state (STATE_PARENT_R2) aged 21.747s and sending notification Aug 26 13:31:06.147486: | parent state #1: PARENT_R2(established IKE SA) => delete Aug 26 13:31:06.147525: | #1 send IKEv2 delete notification for STATE_PARENT_R2 Aug 26 13:31:06.147529: | Opening output PBS informational exchange delete request Aug 26 13:31:06.147531: | **emit ISAKMP Message: Aug 26 13:31:06.147533: | initiator cookie: Aug 26 13:31:06.147534: | 43 1d e9 7d 41 27 07 f3 Aug 26 13:31:06.147536: | responder cookie: Aug 26 13:31:06.147537: | 65 3b 61 57 7c 53 07 1f Aug 26 13:31:06.147539: | next payload type: ISAKMP_NEXT_NONE (0x0) Aug 26 13:31:06.147541: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Aug 26 13:31:06.147543: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Aug 26 13:31:06.147546: | flags: none (0x0) Aug 26 13:31:06.147548: | Message ID: 1 (0x1) Aug 26 13:31:06.147550: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Aug 26 13:31:06.147552: | ***emit IKEv2 Encryption Payload: Aug 26 13:31:06.147555: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:31:06.147558: | flags: none (0x0) Aug 26 13:31:06.147562: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Aug 26 13:31:06.147567: | next payload chain: saving location 'IKEv2 Encryption 
Payload'.'next payload type' in 'informational exchange delete request' Aug 26 13:31:06.147571: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Aug 26 13:31:06.147584: | ****emit IKEv2 Delete Payload: Aug 26 13:31:06.147588: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Aug 26 13:31:06.147591: | flags: none (0x0) Aug 26 13:31:06.147595: | protocol ID: PROTO_v2_IKE (0x1) Aug 26 13:31:06.147596: | SPI size: 0 (0x0) Aug 26 13:31:06.147598: | number of SPIs: 0 (0x0) Aug 26 13:31:06.147600: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) Aug 26 13:31:06.147602: | next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'informational exchange delete request' Aug 26 13:31:06.147604: | emitting length of IKEv2 Delete Payload: 8 Aug 26 13:31:06.147606: | adding 1 bytes of padding (including 1 byte padding-length) Aug 26 13:31:06.147608: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Aug 26 13:31:06.147610: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Aug 26 13:31:06.147612: | emitting length of IKEv2 Encryption Payload: 37 Aug 26 13:31:06.147614: | emitting length of ISAKMP Message: 65 Aug 26 13:31:06.147635: | sending 65 bytes for delete notification through eth1 from 192.1.2.23:500 to 192.1.8.22:500 (using #1) Aug 26 13:31:06.147637: | 43 1d e9 7d 41 27 07 f3 65 3b 61 57 7c 53 07 1f Aug 26 13:31:06.147639: | 2e 20 25 00 00 00 00 01 00 00 00 41 2a 00 00 25 Aug 26 13:31:06.147641: | 2c 9d 75 d0 e7 ce 7b a2 71 be f1 84 c6 ab 06 ff Aug 26 13:31:06.147642: | 37 b9 65 07 0e 91 d2 21 5b a8 2f 72 b6 eb b3 d4 Aug 26 13:31:06.147643: | 5e Aug 26 13:31:06.147680: | Message ID: IKE #1 sender #1 in send_delete record 'n' sending delete request so forcing IKE nextuse=1->2 and sender msgid=0->1 Aug 26 13:31:06.147682: | Message ID: IKE #1 sender #1 in send_delete hacking around 
record ' send Aug 26 13:31:06.147686: | Message ID: #1 XXX: expecting sender.wip.initiator 0 == -1 - suspect record'n'send out-of-order?); initiator.sent=1 initiator.recv=-1 responder.sent=2 responder.recv=2 wip.initiator=1 wip.responder=-1 Aug 26 13:31:06.147690: | Message ID: sent #1 request 1; ike: initiator.sent=0->1 initiator.recv=-1 responder.sent=2 responder.recv=2 wip.initiator=0->1 wip.responder=-1 Aug 26 13:31:06.147692: | state #1 requesting EVENT_SA_REKEY to be deleted Aug 26 13:31:06.147699: | libevent_free: release ptr-libevent@0x55676ab0c818 Aug 26 13:31:06.147701: | free_event_entry: release EVENT_SA_REKEY-pe@0x55676ab09e88 Aug 26 13:31:06.147705: | State DB: IKEv2 state not found (flush_incomplete_children) Aug 26 13:31:06.147708: | in connection_discard for connection eastnet-northnet Aug 26 13:31:06.147711: | State DB: deleting IKEv2 state #1 in PARENT_R2 Aug 26 13:31:06.147714: | parent state #1: PARENT_R2(established IKE SA) => UNDEFINED(ignore) Aug 26 13:31:06.147740: | stop processing: state #1 from 192.1.8.22:500 (in delete_state() at state.c:1143) Aug 26 13:31:06.147761: | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312) Aug 26 13:31:06.147764: | shunt_eroute() called for connection 'eastnet-northnet' to 'delete' for rt_kind 'unrouted' using protoports 0--0->-0 Aug 26 13:31:06.147766: | netlink_shunt_eroute for proto 0, and source port 0 dest port 0 Aug 26 13:31:06.147768: | priority calculation of connection "eastnet-northnet" is 0xfe7e7 Aug 26 13:31:06.147781: | priority calculation of connection "eastnet-northnet" is 0xfe7e7 Aug 26 13:31:06.147788: | FOR_EACH_CONNECTION_... 
in route_owner Aug 26 13:31:06.147790: | conn eastnet-northnet mark 0/00000000, 0/00000000 vs Aug 26 13:31:06.147792: | conn eastnet-northnet mark 0/00000000, 0/00000000 Aug 26 13:31:06.147794: | conn eastnet-northnet mark 0/00000000, 0/00000000 vs Aug 26 13:31:06.147796: | conn eastnet-northnet mark 0/00000000, 0/00000000 Aug 26 13:31:06.147798: | route owner of "eastnet-northnet" unrouted: NULL Aug 26 13:31:06.147800: | running updown command "ipsec _updown" for verb unroute Aug 26 13:31:06.147802: | command executing unroute-client Aug 26 13:31:06.147828: | executing unroute-client: PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northnet' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.8.22' PLUTO_PEER_ID='192.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO' PLUTO_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SH Aug 26 13:31:06.147833: | popen cmd is 1042 chars long Aug 26 13:31:06.147837: | cmd( 0):PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northn: Aug 26 13:31:06.147841: | cmd( 80):et' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLU: Aug 26 13:31:06.147845: | cmd( 160):TO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.: Aug 26 
13:31:06.147848: | cmd( 240):2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0: Aug 26 13:31:06.147850: | cmd( 320):' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.8.22' PLUTO_PEER: Aug 26 13:31:06.147851: | cmd( 400):_ID='192.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3: Aug 26 13:31:06.147853: | cmd( 480):.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOC: Aug 26 13:31:06.147855: | cmd( 560):OL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY: Aug 26 13:31:06.147856: | cmd( 640):='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO' P: Aug 26 13:31:06.147858: | cmd( 720):LUTO_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO: Aug 26 13:31:06.147860: | cmd( 800):_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_B: Aug 26 13:31:06.147861: | cmd( 880):ANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_I: Aug 26 13:31:06.147863: | cmd( 960):FACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec _updown 2>: Aug 26 13:31:06.147865: | cmd(1040):&1: Aug 26 13:31:06.156035: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:31:06.156053: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:31:06.156055: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:31:06.156058: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:31:06.156060: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:31:06.156061: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:31:06.156063: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:31:06.156070: unroute-client output: Error: Peer netns reference is invalid. Aug 26 13:31:06.156113: unroute-client output: Error: Peer netns reference is invalid. 
Aug 26 13:31:06.160555: | free hp@0x55676ab09d58 Aug 26 13:31:06.160569: | flush revival: connection 'eastnet-northnet' wasn't on the list Aug 26 13:31:06.160572: | processing: STOP connection NULL (in discard_connection() at connections.c:249) Aug 26 13:31:06.160581: | start processing: connection "eastnet-northnet" (in delete_connection() at connections.c:189) Aug 26 13:31:06.160583: | Deleting states for connection - including all other IPsec SA's of this IKE SA Aug 26 13:31:06.160585: | pass 0 Aug 26 13:31:06.160587: | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete Aug 26 13:31:06.160588: | pass 1 Aug 26 13:31:06.160590: | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete Aug 26 13:31:06.160592: | free hp@0x55676ab07df8 Aug 26 13:31:06.160593: | flush revival: connection 'eastnet-northnet' wasn't on the list Aug 26 13:31:06.160596: | stop processing: connection "eastnet-northnet" (in discard_connection() at connections.c:249) Aug 26 13:31:06.160605: | crl fetch request list locked by 'free_crl_fetch' Aug 26 13:31:06.160607: | crl fetch request list unlocked by 'free_crl_fetch' Aug 26 13:31:06.160615: shutting down interface lo/lo 127.0.0.1:4500 Aug 26 13:31:06.160617: shutting down interface lo/lo 127.0.0.1:500 Aug 26 13:31:06.160619: shutting down interface eth0/eth0 192.0.2.254:4500 Aug 26 13:31:06.160621: shutting down interface eth0/eth0 192.0.2.254:500 Aug 26 13:31:06.160623: shutting down interface eth1/eth1 192.1.2.23:4500 Aug 26 13:31:06.160625: shutting down interface eth1/eth1 192.1.2.23:500 Aug 26 13:31:06.160628: | FOR_EACH_STATE_... 
in delete_states_dead_interfaces Aug 26 13:31:06.160637: | libevent_free: release ptr-libevent@0x55676aaf9d48 Aug 26 13:31:06.160640: | free_event_entry: release EVENT_NULL-pe@0x55676ab05bd8 Aug 26 13:31:06.160649: | libevent_free: release ptr-libevent@0x55676aa963c8 Aug 26 13:31:06.160651: | free_event_entry: release EVENT_NULL-pe@0x55676ab05c88 Aug 26 13:31:06.160656: | libevent_free: release ptr-libevent@0x55676aa962c8 Aug 26 13:31:06.160658: | free_event_entry: release EVENT_NULL-pe@0x55676ab05d38 Aug 26 13:31:06.160663: | libevent_free: release ptr-libevent@0x55676aa976a8 Aug 26 13:31:06.160665: | free_event_entry: release EVENT_NULL-pe@0x55676ab05de8 Aug 26 13:31:06.160670: | libevent_free: release ptr-libevent@0x55676aa664e8 Aug 26 13:31:06.160672: | free_event_entry: release EVENT_NULL-pe@0x55676ab05e98 Aug 26 13:31:06.160676: | libevent_free: release ptr-libevent@0x55676aa661d8 Aug 26 13:31:06.160678: | free_event_entry: release EVENT_NULL-pe@0x55676ab05f48 Aug 26 13:31:06.160682: | FOR_EACH_UNORIENTED_CONNECTION_... 
in check_orientations Aug 26 13:31:06.161090: | libevent_free: release ptr-libevent@0x55676aaf9df8 Aug 26 13:31:06.161097: | free_event_entry: release EVENT_NULL-pe@0x55676aaedb38 Aug 26 13:31:06.161102: | libevent_free: release ptr-libevent@0x55676aa97d78 Aug 26 13:31:06.161105: | free_event_entry: release EVENT_NULL-pe@0x55676aaecff8 Aug 26 13:31:06.161108: | libevent_free: release ptr-libevent@0x55676aad13b8 Aug 26 13:31:06.161110: | free_event_entry: release EVENT_NULL-pe@0x55676aaedba8 Aug 26 13:31:06.161113: | global timer EVENT_REINIT_SECRET uninitialized Aug 26 13:31:06.161115: | global timer EVENT_SHUNT_SCAN uninitialized Aug 26 13:31:06.161116: | global timer EVENT_PENDING_DDNS uninitialized Aug 26 13:31:06.161121: | global timer EVENT_PENDING_PHASE2 uninitialized Aug 26 13:31:06.161122: | global timer EVENT_CHECK_CRLS uninitialized Aug 26 13:31:06.161124: | global timer EVENT_REVIVE_CONNS uninitialized Aug 26 13:31:06.161126: | global timer EVENT_FREE_ROOT_CERTS uninitialized Aug 26 13:31:06.161127: | global timer EVENT_RESET_LOG_RATE_LIMIT uninitialized Aug 26 13:31:06.161129: | global timer EVENT_NAT_T_KEEPALIVE uninitialized Aug 26 13:31:06.161133: | libevent_free: release ptr-libevent@0x55676aa98fe8 Aug 26 13:31:06.161135: | signal event handler PLUTO_SIGCHLD uninstalled Aug 26 13:31:06.161137: | libevent_free: release ptr-libevent@0x55676ab05338 Aug 26 13:31:06.161139: | signal event handler PLUTO_SIGTERM uninstalled Aug 26 13:31:06.161141: | libevent_free: release ptr-libevent@0x55676ab05448 Aug 26 13:31:06.161143: | signal event handler PLUTO_SIGHUP uninstalled Aug 26 13:31:06.161145: | libevent_free: release ptr-libevent@0x55676ab05688 Aug 26 13:31:06.161146: | signal event handler PLUTO_SIGSYS uninstalled Aug 26 13:31:06.161148: | releasing event base Aug 26 13:31:06.161157: | libevent_free: release ptr-libevent@0x55676ab05558 Aug 26 13:31:06.161159: | libevent_free: release ptr-libevent@0x55676aae83e8 Aug 26 13:31:06.161162: | libevent_free: 
release ptr-libevent@0x55676aae8398 Aug 26 13:31:06.161164: | libevent_free: release ptr-libevent@0x55676aae8328 Aug 26 13:31:06.161166: | libevent_free: release ptr-libevent@0x55676aae82e8 Aug 26 13:31:06.161168: | libevent_free: release ptr-libevent@0x55676ab05108 Aug 26 13:31:06.161169: | libevent_free: release ptr-libevent@0x55676ab052b8 Aug 26 13:31:06.161171: | libevent_free: release ptr-libevent@0x55676aae8598 Aug 26 13:31:06.161172: | libevent_free: release ptr-libevent@0x55676aaed108 Aug 26 13:31:06.161174: | libevent_free: release ptr-libevent@0x55676aaedaf8 Aug 26 13:31:06.161176: | libevent_free: release ptr-libevent@0x55676ab05fb8 Aug 26 13:31:06.161177: | libevent_free: release ptr-libevent@0x55676ab05f08 Aug 26 13:31:06.161179: | libevent_free: release ptr-libevent@0x55676ab05e58 Aug 26 13:31:06.161180: | libevent_free: release ptr-libevent@0x55676ab05da8 Aug 26 13:31:06.161182: | libevent_free: release ptr-libevent@0x55676ab05cf8 Aug 26 13:31:06.161183: | libevent_free: release ptr-libevent@0x55676ab05c48 Aug 26 13:31:06.161185: | libevent_free: release ptr-libevent@0x55676aa94b08 Aug 26 13:31:06.161187: | libevent_free: release ptr-libevent@0x55676ab05408 Aug 26 13:31:06.161188: | libevent_free: release ptr-libevent@0x55676ab052f8 Aug 26 13:31:06.161190: | libevent_free: release ptr-libevent@0x55676ab05278 Aug 26 13:31:06.161191: | libevent_free: release ptr-libevent@0x55676ab05518 Aug 26 13:31:06.161193: | libevent_free: release ptr-libevent@0x55676ab05148 Aug 26 13:31:06.161195: | libevent_free: release ptr-libevent@0x55676aa65908 Aug 26 13:31:06.161197: | libevent_free: release ptr-libevent@0x55676aa65d38 Aug 26 13:31:06.161198: | libevent_free: release ptr-libevent@0x55676aa94e78 Aug 26 13:31:06.161200: | releasing global libevent data Aug 26 13:31:06.161202: | libevent_free: release ptr-libevent@0x55676aa66488 Aug 26 13:31:06.161204: | libevent_free: release ptr-libevent@0x55676aa65cd8 Aug 26 13:31:06.161205: | libevent_free: release 
ptr-libevent@0x55676aa65dd8 Aug 26 13:31:06.161237: leak detective found no leaks