FIPS Product: YES FIPS Kernel: NO FIPS Mode: NO NSS DB directory: sql:/etc/ipsec.d Initializing NSS Opening NSS database "sql:/etc/ipsec.d" read-only NSS initialized NSS crypto library initialized FIPS HMAC integrity support [enabled] FIPS mode disabled for pluto daemon FIPS HMAC integrity verification self-test FAILED libcap-ng support [enabled] Linux audit support [enabled] Linux audit activated Starting Pluto (Libreswan Version v3.28-685-gbfd5aef521-master-s2 XFRM(netkey) esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) DNSSEC FIPS_CHECK LABELED_IPSEC SECCOMP LIBCAP_NG LINUX_AUDIT XAUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:20651 core dump dir: /var/tmp secrets file: /etc/ipsec.secrets leak-detective enabled NSS crypto [enabled] XAUTH PAM support [enabled] | libevent is using pluto's memory allocator Initializing libevent in pthreads mode: headers: 2.1.8-stable (2010800); library: 2.1.8-stable (2010800) | libevent_malloc: new ptr-libevent@0x55d242258128 size 40 | libevent_malloc: new ptr-libevent@0x55d24225ccd8 size 40 | libevent_malloc: new ptr-libevent@0x55d24225cdd8 size 40 | creating event base | libevent_malloc: new ptr-libevent@0x55d2422e1488 size 56 | libevent_malloc: new ptr-libevent@0x55d242285c88 size 664 | libevent_malloc: new ptr-libevent@0x55d2422e14f8 size 24 | libevent_malloc: new ptr-libevent@0x55d2422e1548 size 384 | libevent_malloc: new ptr-libevent@0x55d2422e1448 size 16 | libevent_malloc: new ptr-libevent@0x55d24225c908 size 40 | libevent_malloc: new ptr-libevent@0x55d24225cd38 size 48 | libevent_realloc: new ptr-libevent@0x55d242286788 size 256 | libevent_malloc: new ptr-libevent@0x55d2422e16f8 size 16 | libevent_free: release ptr-libevent@0x55d2422e1488 | libevent initialized | libevent_realloc: new ptr-libevent@0x55d2422e1488 size 64 | global periodic timer EVENT_RESET_LOG_RATE_LIMIT enabled with interval of 3600 seconds | init_nat_traversal() initialized with keep_alive=0s NAT-Traversal support [enabled] | global one-shot 
timer EVENT_NAT_T_KEEPALIVE initialized | global one-shot timer EVENT_FREE_ROOT_CERTS initialized | global periodic timer EVENT_REINIT_SECRET enabled with interval of 3600 seconds | global one-shot timer EVENT_REVIVE_CONNS initialized | global periodic timer EVENT_PENDING_DDNS enabled with interval of 60 seconds | global periodic timer EVENT_PENDING_PHASE2 enabled with interval of 120 seconds Encryption algorithms: AES_CCM_16 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm, aes_ccm_c AES_CCM_12 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_b AES_CCM_8 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_a 3DES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS [*192] 3des CAMELLIA_CTR IKEv1: ESP IKEv2: ESP {256,192,*128} CAMELLIA_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} camellia AES_GCM_16 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm, aes_gcm_c AES_GCM_12 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_b AES_GCM_8 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_a AES_CTR IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aesctr AES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aes SERPENT_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} serpent TWOFISH_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} twofish TWOFISH_SSH IKEv1: IKE IKEv2: IKE ESP {256,192,*128} twofish_cbc_ssh NULL_AUTH_AES_GMAC IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_gmac NULL IKEv1: ESP IKEv2: ESP [] CHACHA20_POLY1305 IKEv1: IKEv2: IKE ESP [*256] chacha20poly1305 Hash algorithms: MD5 IKEv1: IKE IKEv2: SHA1 IKEv1: IKE IKEv2: FIPS sha SHA2_256 IKEv1: IKE IKEv2: FIPS sha2, sha256 SHA2_384 IKEv1: IKE IKEv2: FIPS sha384 SHA2_512 IKEv1: IKE IKEv2: FIPS sha512 PRF algorithms: HMAC_MD5 IKEv1: IKE IKEv2: IKE md5 HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS sha, sha1 HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS sha2, sha256, sha2_256 HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS sha384, sha2_384 HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS sha512, sha2_512 AES_XCBC IKEv1: IKEv2: IKE aes128_xcbc 
Integrity algorithms: HMAC_MD5_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH md5, hmac_md5 HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha, sha1, sha1_96, hmac_sha1 HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha512, sha2_512, sha2_512_256, hmac_sha2_512 HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha384, sha2_384, sha2_384_192, hmac_sha2_384 HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256 HMAC_SHA2_256_TRUNCBUG IKEv1: ESP AH IKEv2: AH AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP AH aes_xcbc, aes128_xcbc, aes128_xcbc_96 AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS aes_cmac NONE IKEv1: ESP IKEv2: IKE ESP FIPS null DH algorithms: NONE IKEv1: IKEv2: IKE ESP AH FIPS null, dh0 MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH dh5 MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh14 MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh15 MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh16 MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh17 MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh18 DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_256, ecp256 DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_384, ecp384 DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_521, ecp521 DH31 IKEv1: IKE IKEv2: IKE ESP AH curve25519 testing CAMELLIA_CBC: Camellia: 16 bytes with 128-bit key Camellia: 16 bytes with 128-bit key Camellia: 16 bytes with 256-bit key Camellia: 16 bytes with 256-bit key testing AES_GCM_16: empty string one block two blocks two blocks with associated data testing AES_CTR: Encrypting 16 octets using AES-CTR with 128-bit key Encrypting 32 octets using AES-CTR with 128-bit key Encrypting 36 octets using AES-CTR with 128-bit key Encrypting 16 octets using AES-CTR with 192-bit key Encrypting 32 octets using AES-CTR with 192-bit key Encrypting 36 octets using AES-CTR with 192-bit key Encrypting 16 octets using AES-CTR with 256-bit key Encrypting 32 octets using AES-CTR with 256-bit key 
Encrypting 36 octets using AES-CTR with 256-bit key testing AES_CBC: Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key testing AES_XCBC: RFC 3566 Test Case #1: AES-XCBC-MAC-96 with 0-byte input RFC 3566 Test Case #2: AES-XCBC-MAC-96 with 3-byte input RFC 3566 Test Case #3: AES-XCBC-MAC-96 with 16-byte input RFC 3566 Test Case #4: AES-XCBC-MAC-96 with 20-byte input RFC 3566 Test Case #5: AES-XCBC-MAC-96 with 32-byte input RFC 3566 Test Case #6: AES-XCBC-MAC-96 with 34-byte input RFC 3566 Test Case #7: AES-XCBC-MAC-96 with 1000-byte input RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 16) RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10) RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18) testing HMAC_MD5: RFC 2104: MD5_HMAC test 1 RFC 2104: MD5_HMAC test 2 RFC 2104: MD5_HMAC test 3 8 CPU cores online starting up 7 crypto helpers started thread for crypto helper 0 | starting up helper thread 0 | status value returned by setting the priority of this thread (crypto helper 0) 22 | crypto helper 0 waiting (nothing to do) started thread for crypto helper 1 | starting up helper thread 1 | status value returned by setting the priority of this thread (crypto helper 1) 22 | starting up helper thread 2 started thread for crypto helper 2 | status value returned by setting the priority of this thread (crypto helper 2) 22 started thread for crypto helper 3 | starting up helper thread 3 | status value returned by setting the priority of this thread (crypto helper 3) 22 started thread for crypto helper 4 | starting up helper thread 4 | status value returned by setting the priority of this thread (crypto helper 4) 22 started thread for crypto helper 5 | starting up helper thread 5 | status value returned by setting the priority of 
this thread (crypto helper 5) 22 started thread for crypto helper 6 | starting up helper thread 6 | status value returned by setting the priority of this thread (crypto helper 6) 22 | checking IKEv1 state table | MAIN_R0: category: half-open IKE SA flags: 0: | -> MAIN_R1 EVENT_SO_DISCARD | MAIN_I1: category: half-open IKE SA flags: 0: | -> MAIN_I2 EVENT_RETRANSMIT | MAIN_R1: category: open IKE SA flags: 200: | -> MAIN_R2 EVENT_RETRANSMIT | -> UNDEFINED EVENT_RETRANSMIT | -> UNDEFINED EVENT_RETRANSMIT | MAIN_I2: category: open IKE SA flags: 0: | -> MAIN_I3 EVENT_RETRANSMIT | -> UNDEFINED EVENT_RETRANSMIT | -> UNDEFINED EVENT_RETRANSMIT | MAIN_R2: category: open IKE SA flags: 0: | -> MAIN_R3 EVENT_SA_REPLACE | -> MAIN_R3 EVENT_SA_REPLACE | -> UNDEFINED EVENT_SA_REPLACE | MAIN_I3: category: open IKE SA flags: 0: | -> MAIN_I4 EVENT_SA_REPLACE | -> MAIN_I4 EVENT_SA_REPLACE | -> UNDEFINED EVENT_SA_REPLACE | MAIN_R3: category: established IKE SA flags: 200: | -> UNDEFINED EVENT_NULL | MAIN_I4: category: established IKE SA flags: 0: | -> UNDEFINED EVENT_NULL | AGGR_R0: category: half-open IKE SA flags: 0: | -> AGGR_R1 EVENT_SO_DISCARD | AGGR_I1: category: half-open IKE SA flags: 0: | -> AGGR_I2 EVENT_SA_REPLACE | -> AGGR_I2 EVENT_SA_REPLACE | AGGR_R1: category: open IKE SA flags: 200: | -> AGGR_R2 EVENT_SA_REPLACE | -> AGGR_R2 EVENT_SA_REPLACE | AGGR_I2: category: established IKE SA flags: 200: | -> UNDEFINED EVENT_NULL | AGGR_R2: category: established IKE SA flags: 0: | -> UNDEFINED EVENT_NULL | QUICK_R0: category: established CHILD SA flags: 0: | -> QUICK_R1 EVENT_RETRANSMIT | QUICK_I1: category: established CHILD SA flags: 0: | -> QUICK_I2 EVENT_SA_REPLACE | QUICK_R1: category: established CHILD SA flags: 0: | -> QUICK_R2 EVENT_SA_REPLACE | QUICK_I2: category: established CHILD SA flags: 200: | -> UNDEFINED EVENT_NULL | QUICK_R2: category: established CHILD SA flags: 0: | -> UNDEFINED EVENT_NULL | INFO: category: informational flags: 0: | -> UNDEFINED EVENT_NULL | 
INFO_PROTECTED: category: informational flags: 0: | -> UNDEFINED EVENT_NULL | XAUTH_R0: category: established IKE SA flags: 0: | -> XAUTH_R1 EVENT_NULL | XAUTH_R1: category: established IKE SA flags: 0: | -> MAIN_R3 EVENT_SA_REPLACE | crypto helper 1 waiting (nothing to do) | MODE_CFG_R0: category: informational flags: 0: | -> MODE_CFG_R1 EVENT_SA_REPLACE | MODE_CFG_R1: category: established IKE SA flags: 0: | -> MODE_CFG_R2 EVENT_SA_REPLACE | crypto helper 2 waiting (nothing to do) | MODE_CFG_R2: category: established IKE SA flags: 0: | -> UNDEFINED EVENT_NULL | crypto helper 3 waiting (nothing to do) | MODE_CFG_I1: category: established IKE SA flags: 0: | -> MAIN_I4 EVENT_SA_REPLACE | crypto helper 4 waiting (nothing to do) | XAUTH_I0: category: established IKE SA flags: 0: | -> XAUTH_I1 EVENT_RETRANSMIT | crypto helper 5 waiting (nothing to do) | XAUTH_I1: category: established IKE SA flags: 0: | -> MAIN_I4 EVENT_RETRANSMIT | crypto helper 6 waiting (nothing to do) | checking IKEv2 state table | PARENT_I0: category: ignore flags: 0: | -> PARENT_I1 EVENT_RETRANSMIT send-request (initiate IKE_SA_INIT) | PARENT_I1: category: half-open IKE SA flags: 0: | -> PARENT_I1 EVENT_RETAIN send-request (Initiator: process SA_INIT reply notification) | -> PARENT_I2 EVENT_RETRANSMIT send-request (Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH) | PARENT_I2: category: open IKE SA flags: 0: | -> PARENT_I2 EVENT_NULL (Initiator: process INVALID_SYNTAX AUTH notification) | -> PARENT_I2 EVENT_NULL (Initiator: process AUTHENTICATION_FAILED AUTH notification) | -> PARENT_I2 EVENT_NULL (Initiator: process UNSUPPORTED_CRITICAL_PAYLOAD AUTH notification) | -> V2_IPSEC_I EVENT_SA_REPLACE (Initiator: process IKE_AUTH response) | -> PARENT_I2 EVENT_NULL (IKE SA: process IKE_AUTH response containing unknown notification) | PARENT_I3: category: established IKE SA flags: 0: | -> PARENT_I3 EVENT_RETAIN (I3: Informational Request) | -> PARENT_I3 EVENT_RETAIN (I3: Informational Response) 
| -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Request) | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Response) | PARENT_R0: category: half-open IKE SA flags: 0: | -> PARENT_R1 EVENT_SO_DISCARD send-request (Respond to IKE_SA_INIT) | PARENT_R1: category: half-open IKE SA flags: 0: | -> PARENT_R1 EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request (no SKEYSEED)) | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request) | PARENT_R2: category: established IKE SA flags: 0: | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Request) | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Response) | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Request) | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Response) | V2_CREATE_I0: category: established IKE SA flags: 0: | -> V2_CREATE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec SA) | V2_CREATE_I: category: established IKE SA flags: 0: | -> V2_IPSEC_I EVENT_SA_REPLACE (Process CREATE_CHILD_SA IPsec SA Response) | V2_REKEY_IKE_I0: category: established IKE SA flags: 0: | -> V2_REKEY_IKE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IKE Rekey) | V2_REKEY_IKE_I: category: established IKE SA flags: 0: | -> PARENT_I3 EVENT_SA_REPLACE (Process CREATE_CHILD_SA IKE Rekey Response) | V2_REKEY_CHILD_I0: category: established IKE SA flags: 0: | -> V2_REKEY_CHILD_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec Rekey SA) | V2_REKEY_CHILD_I: category: established IKE SA flags: 0: | V2_CREATE_R: category: established IKE SA flags: 0: | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IPsec SA Request) | V2_REKEY_IKE_R: category: established IKE SA flags: 0: | -> PARENT_R2 EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IKE Rekey) | V2_REKEY_CHILD_R: category: established IKE SA flags: 0: | V2_IPSEC_I: category: established CHILD SA flags: 0: | V2_IPSEC_R: category: established CHILD SA flags: 0: | 
IKESA_DEL: category: established IKE SA flags: 0: | -> IKESA_DEL EVENT_RETAIN (IKE_SA_DEL: process INFORMATIONAL) | CHILDSA_DEL: category: informational flags: 0: Using Linux XFRM/NETKEY IPsec interface code on 5.1.18-200.fc29.x86_64 | Hard-wiring algorithms | adding AES_CCM_16 to kernel algorithm db | adding AES_CCM_12 to kernel algorithm db | adding AES_CCM_8 to kernel algorithm db | adding 3DES_CBC to kernel algorithm db | adding CAMELLIA_CBC to kernel algorithm db | adding AES_GCM_16 to kernel algorithm db | adding AES_GCM_12 to kernel algorithm db | adding AES_GCM_8 to kernel algorithm db | adding AES_CTR to kernel algorithm db | adding AES_CBC to kernel algorithm db | adding SERPENT_CBC to kernel algorithm db | adding TWOFISH_CBC to kernel algorithm db | adding NULL_AUTH_AES_GMAC to kernel algorithm db | adding NULL to kernel algorithm db | adding CHACHA20_POLY1305 to kernel algorithm db | adding HMAC_MD5_96 to kernel algorithm db | adding HMAC_SHA1_96 to kernel algorithm db | adding HMAC_SHA2_512_256 to kernel algorithm db | adding HMAC_SHA2_384_192 to kernel algorithm db | adding HMAC_SHA2_256_128 to kernel algorithm db | adding HMAC_SHA2_256_TRUNCBUG to kernel algorithm db | adding AES_XCBC_96 to kernel algorithm db | adding AES_CMAC_96 to kernel algorithm db | adding NONE to kernel algorithm db | net.ipv6.conf.all.disable_ipv6=1 ignore ipv6 holes | global periodic timer EVENT_SHUNT_SCAN enabled with interval of 20 seconds | setup kernel fd callback | add_fd_read_event_handler: new KERNEL_XRM_FD-pe@0x55d2422e6158 | libevent_malloc: new ptr-libevent@0x55d2422ca528 size 128 | libevent_malloc: new ptr-libevent@0x55d2422e6268 size 16 | add_fd_read_event_handler: new KERNEL_ROUTE_FD-pe@0x55d2422e6c98 | libevent_malloc: new ptr-libevent@0x55d242287188 size 128 | libevent_malloc: new ptr-libevent@0x55d2422e6c58 size 16 | global one-shot timer EVENT_CHECK_CRLS initialized selinux support is enabled. 
| unbound context created - setting debug level to 5 | /etc/hosts lookups activated | /etc/resolv.conf usage activated | outgoing-port-avoid set 0-65535 | outgoing-port-permit set 32768-60999 | Loading dnssec root key from:/var/lib/unbound/root.key | No additional dnssec trust anchors defined via dnssec-trusted= option | Setting up events, loop start | add_fd_read_event_handler: new PLUTO_CTL_FD-pe@0x55d2422e6d08 | libevent_malloc: new ptr-libevent@0x55d2422f2f18 size 128 | libevent_malloc: new ptr-libevent@0x55d2422fe1e8 size 16 | libevent_realloc: new ptr-libevent@0x55d242285918 size 256 | libevent_malloc: new ptr-libevent@0x55d2422fe228 size 8 | libevent_realloc: new ptr-libevent@0x55d24227eb68 size 144 | libevent_malloc: new ptr-libevent@0x55d242291758 size 152 | libevent_malloc: new ptr-libevent@0x55d2422fe268 size 16 | signal event handler PLUTO_SIGCHLD installed | libevent_malloc: new ptr-libevent@0x55d2422fe2a8 size 8 | libevent_malloc: new ptr-libevent@0x55d242289378 size 152 | signal event handler PLUTO_SIGTERM installed | libevent_malloc: new ptr-libevent@0x55d2422fe2e8 size 8 | libevent_malloc: new ptr-libevent@0x55d2422fe328 size 152 | signal event handler PLUTO_SIGHUP installed | libevent_malloc: new ptr-libevent@0x55d2422fe3f8 size 8 | libevent_realloc: release ptr-libevent@0x55d24227eb68 | libevent_realloc: new ptr-libevent@0x55d2422fe438 size 256 | libevent_malloc: new ptr-libevent@0x55d2422fe568 size 152 | signal event handler PLUTO_SIGSYS installed | created addconn helper (pid:20725) using fork+execve | forked child 20725 | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) listening for IKE messages | Inspecting interface lo | found lo with address 127.0.0.1 | Inspecting interface eth0 | found eth0 with address 192.0.2.254 | Inspecting interface eth1 | found eth1 with address 192.1.2.23 Kernel supports NIC esp-hw-offload adding interface eth1/eth1 (esp-hw-offload not supported by 
kernel) 192.1.2.23:500 | NAT-Traversal: Trying sockopt style NAT-T | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 adding interface eth1/eth1 192.1.2.23:4500 adding interface eth0/eth0 (esp-hw-offload not supported by kernel) 192.0.2.254:500 | NAT-Traversal: Trying sockopt style NAT-T | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 adding interface eth0/eth0 192.0.2.254:4500 adding interface lo/lo (esp-hw-offload not supported by kernel) 127.0.0.1:500 | NAT-Traversal: Trying sockopt style NAT-T | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 adding interface lo/lo 127.0.0.1:4500 | no interfaces to sort | FOR_EACH_UNORIENTED_CONNECTION_... in check_orientations | add_fd_read_event_handler: new ethX-pe@0x55d2422fe968 | libevent_malloc: new ptr-libevent@0x55d2422f2e68 size 128 | libevent_malloc: new ptr-libevent@0x55d2422fe9d8 size 16 | setup callback for interface lo 127.0.0.1:4500 fd 22 | add_fd_read_event_handler: new ethX-pe@0x55d2422fea18 | libevent_malloc: new ptr-libevent@0x55d2422870d8 size 128 | libevent_malloc: new ptr-libevent@0x55d2422fea88 size 16 | setup callback for interface lo 127.0.0.1:500 fd 21 | add_fd_read_event_handler: new ethX-pe@0x55d2422feac8 | libevent_malloc: new ptr-libevent@0x55d242288928 size 128 | libevent_malloc: new ptr-libevent@0x55d2422feb38 size 16 | setup callback for interface eth0 192.0.2.254:4500 fd 20 | add_fd_read_event_handler: new ethX-pe@0x55d2422feb78 | libevent_malloc: new ptr-libevent@0x55d242288878 size 128 | libevent_malloc: new ptr-libevent@0x55d2422febe8 size 16 | setup callback for interface eth0 192.0.2.254:500 fd 19 | add_fd_read_event_handler: new ethX-pe@0x55d2422fec28 | libevent_malloc: new ptr-libevent@0x55d24225d4e8 size 128 | libevent_malloc: new ptr-libevent@0x55d2422fec98 size 16 | setup callback for interface eth1 192.1.2.23:4500 fd 18 | add_fd_read_event_handler: new ethX-pe@0x55d2422fecd8 | 
libevent_malloc: new ptr-libevent@0x55d24225d1d8 size 128 | libevent_malloc: new ptr-libevent@0x55d2422fed48 size 16 | setup callback for interface eth1 192.1.2.23:500 fd 17 | certs and keys locked by 'free_preshared_secrets' | certs and keys unlocked by 'free_preshared_secrets' loading secrets from "/etc/ipsec.secrets" | saving Modulus | saving PublicExponent | ignoring PrivateExponent | ignoring Prime1 | ignoring Prime2 | ignoring Exponent1 | ignoring Exponent2 | ignoring Coefficient | ignoring CKAIDNSS | computed rsa CKAID 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1 | computed rsa CKAID 8a 82 25 f1 loaded private key for keyid: PKK_RSA:AQO9bJbr3 | certs and keys locked by 'process_secret' | certs and keys unlocked by 'process_secret' | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.537 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) listening for IKE messages | Inspecting interface lo | found lo with address 127.0.0.1 | Inspecting interface eth0 | found eth0 with address 192.0.2.254 | Inspecting interface eth1 | found eth1 with address 192.1.2.23 | no interfaces to sort | libevent_free: release ptr-libevent@0x55d2422f2e68 | free_event_entry: release EVENT_NULL-pe@0x55d2422fe968 | add_fd_read_event_handler: new ethX-pe@0x55d2422fe968 | libevent_malloc: new ptr-libevent@0x55d2422f2e68 size 128 | setup callback for interface lo 127.0.0.1:4500 fd 22 | libevent_free: release ptr-libevent@0x55d2422870d8 | free_event_entry: release EVENT_NULL-pe@0x55d2422fea18 | add_fd_read_event_handler: new ethX-pe@0x55d2422fea18 | libevent_malloc: new ptr-libevent@0x55d2422870d8 size 128 | setup callback for interface lo 127.0.0.1:500 fd 21 | libevent_free: release ptr-libevent@0x55d242288928 | free_event_entry: release EVENT_NULL-pe@0x55d2422feac8 | add_fd_read_event_handler: new ethX-pe@0x55d2422feac8 | libevent_malloc: new ptr-libevent@0x55d242288928 size 128 | setup 
callback for interface eth0 192.0.2.254:4500 fd 20 | libevent_free: release ptr-libevent@0x55d242288878 | free_event_entry: release EVENT_NULL-pe@0x55d2422feb78 | add_fd_read_event_handler: new ethX-pe@0x55d2422feb78 | libevent_malloc: new ptr-libevent@0x55d242288878 size 128 | setup callback for interface eth0 192.0.2.254:500 fd 19 | libevent_free: release ptr-libevent@0x55d24225d4e8 | free_event_entry: release EVENT_NULL-pe@0x55d2422fec28 | add_fd_read_event_handler: new ethX-pe@0x55d2422fec28 | libevent_malloc: new ptr-libevent@0x55d24225d4e8 size 128 | setup callback for interface eth1 192.1.2.23:4500 fd 18 | libevent_free: release ptr-libevent@0x55d24225d1d8 | free_event_entry: release EVENT_NULL-pe@0x55d2422fecd8 | add_fd_read_event_handler: new ethX-pe@0x55d2422fecd8 | libevent_malloc: new ptr-libevent@0x55d24225d1d8 size 128 | setup callback for interface eth1 192.1.2.23:500 fd 17 | certs and keys locked by 'free_preshared_secrets' forgetting secrets | certs and keys unlocked by 'free_preshared_secrets' loading secrets from "/etc/ipsec.secrets" | saving Modulus | saving PublicExponent | ignoring PrivateExponent | ignoring Prime1 | ignoring Prime2 | ignoring Exponent1 | ignoring Exponent2 | ignoring Coefficient | ignoring CKAIDNSS | computed rsa CKAID 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1 | computed rsa CKAID 8a 82 25 f1 loaded private key for keyid: PKK_RSA:AQO9bJbr3 | certs and keys locked by 'process_secret' | certs and keys unlocked by 'process_secret' | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.26 milliseconds in whack | processing signal PLUTO_SIGCHLD | waitpid returned pid 20725 (exited with status 0) | reaped addconn helper child (status 0) | waitpid returned ECHILD (no child processes left) | spent 0.0123 milliseconds in signal handler PLUTO_SIGCHLD | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) | FOR_EACH_CONNECTION_... 
in conn_by_name | FOR_EACH_CONNECTION_... in foreach_connection_by_alias | FOR_EACH_CONNECTION_... in conn_by_name | FOR_EACH_CONNECTION_... in foreach_connection_by_alias | FOR_EACH_CONNECTION_... in conn_by_name | Added new connection westnet-eastnet-subnets/1x1 with policy ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO | No AUTH policy was set - defaulting to RSASIG | counting wild cards for @west is 0 | counting wild cards for @east is 0 | connect_to_host_pair: 192.1.2.23:500 192.1.2.45:500 -> hp@(nil): none | new hp@0x55d2422ffe18 added connection description "westnet-eastnet-subnets/1x1" | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO | 192.0.2.16/28===192.1.2.23<192.1.2.23>[@east]...192.1.2.45<192.1.2.45>[@west]===192.0.1.0/28 | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.108 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) add keyid @west
| computed rsa CKAID b4 9f 1a ac 9e 45 6e 79 29 c8 81 97 3a 0c 6a d3 | computed rsa CKAID 7f 0f 03 50 | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.0809 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) add keyid @east | computed rsa CKAID 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1 | computed rsa CKAID 8a 82 25 f1 | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.088 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) | FOR_EACH_CONNECTION_... in conn_by_name | FOR_EACH_CONNECTION_... 
in foreach_connection_by_alias | FOR_EACH_CONNECTION_... in conn_by_name | FOR_EACH_CONNECTION_... in foreach_connection_by_alias | FOR_EACH_CONNECTION_... in conn_by_name | Added new connection westnet-eastnet-subnets/1x2 with policy ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO | No AUTH policy was set - defaulting to RSASIG | counting wild cards for @west is 0 | counting wild cards for @east is 0 | find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500 but ignoring ports | connect_to_host_pair: 192.1.2.23:500 192.1.2.45:500 -> hp@0x55d2422ffe18: westnet-eastnet-subnets/1x1 added connection description "westnet-eastnet-subnets/1x2" | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO | 192.0.2.64/26===192.1.2.23<192.1.2.23>[@east]...192.1.2.45<192.1.2.45>[@west]===192.0.1.0/28 | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.0628 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) add keyid @west | unreference key: 0x55d242258c48 @west cnt 1--
| computed rsa CKAID b4 9f 1a ac 9e 45 6e 79 29 c8 81 97 3a 0c 6a d3 | computed rsa CKAID 7f 0f 03 50 | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.069 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) add keyid @east | unreference key: 0x55d242300188 @east cnt 1-- | computed rsa CKAID 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1 | computed rsa CKAID 8a 82 25 f1 | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.0693 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> 
fd@16 (in whack_handle() at rcv_whack.c:722) | FOR_EACH_CONNECTION_... in conn_by_name | FOR_EACH_CONNECTION_... in foreach_connection_by_alias | FOR_EACH_CONNECTION_... in conn_by_name | FOR_EACH_CONNECTION_... in foreach_connection_by_alias | FOR_EACH_CONNECTION_... in conn_by_name | Added new connection westnet-eastnet-subnets/2x1 with policy ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO | No AUTH policy was set - defaulting to RSASIG | counting wild cards for @west is 0 | counting wild cards for @east is 0 | find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500 but ignoring ports | connect_to_host_pair: 192.1.2.23:500 192.1.2.45:500 -> hp@0x55d2422ffe18: westnet-eastnet-subnets/1x2 added connection description "westnet-eastnet-subnets/2x1" | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO | 192.0.2.16/28===192.1.2.23<192.1.2.23>[@east]...192.1.2.45<192.1.2.45>[@west]===192.0.1.128/28 | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.0715 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) add keyid @west | unreference key: 0x55d242258c48 @west cnt 1--
| computed rsa CKAID b4 9f 1a ac 9e 45 6e 79 29 c8 81 97 3a 0c 6a d3 | computed rsa CKAID 7f 0f 03 50 | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.0722 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) add keyid @east | unreference key: 0x55d242300188 @east cnt 1-- | computed rsa CKAID 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1 | computed rsa CKAID 8a 82 25 f1 | close_any(fd@16) (in whack_process() at 
rcv_whack.c:700) | spent 0.0673 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) | FOR_EACH_CONNECTION_... in conn_by_name | FOR_EACH_CONNECTION_... in foreach_connection_by_alias | FOR_EACH_CONNECTION_... in conn_by_name | FOR_EACH_CONNECTION_... in foreach_connection_by_alias | FOR_EACH_CONNECTION_... in conn_by_name | Added new connection westnet-eastnet-subnets/2x2 with policy ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO | No AUTH policy was set - defaulting to RSASIG | counting wild cards for @west is 0 | counting wild cards for @east is 0 | find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500 but ignoring ports | connect_to_host_pair: 192.1.2.23:500 192.1.2.45:500 -> hp@0x55d2422ffe18: westnet-eastnet-subnets/2x1 added connection description "westnet-eastnet-subnets/2x2" | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO | 192.0.2.64/26===192.1.2.23<192.1.2.23>[@east]...192.1.2.45<192.1.2.45>[@west]===192.0.1.128/28 | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.0742 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) add keyid @west | unreference key: 0x55d242258c48 @west cnt 1--
| computed rsa CKAID b4 9f 1a ac 9e 45 6e 79 29 c8 81 97 3a 0c 6a d3 | computed rsa CKAID 7f 0f 03 50 | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.0722 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) add keyid @east | unreference key: 0x55d242300188 @east cnt 1-- | computed rsa CKAID 61 55 99 73
d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1 | computed rsa CKAID 8a 82 25 f1 | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.0672 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) | FOR_EACH_CONNECTION_... in show_connections_status | FOR_EACH_CONNECTION_... in show_connections_status | FOR_EACH_STATE_... in show_states_status (sort_states) | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.573 milliseconds in whack | spent 0.00304 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 792 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500)
| start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 58 65 7e 03 6c d2 dc 8b | responder cookie: | 00 00 00 00 00 00 00 00 | next payload type: ISAKMP_NEXT_SA (0x1) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_IDPROT (0x2) | flags: none (0x0) | Message ID: 0 (0x0) | length: 792 (0x318) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_IDPROT (2) | State DB: IKEv1 state not found (find_state_ikev1_init) | #null state always idle | got payload 0x2 (ISAKMP_NEXT_SA) needed: 0x2 opt: 0x2080 | ***parse ISAKMP Security Association Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 644 (0x284) | DOI: ISAKMP_DOI_IPSEC (0x1) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080 | ***parse
ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 20 (0x14) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 20 (0x14) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 20 (0x14) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 20 (0x14) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 20 (0x14) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 20 (0x14) | message 'main_inI1_outR1' HASH payload not checked early | received Vendor ID payload [FRAGMENTATION] | received Vendor ID payload [Dead Peer Detection] | quirks.qnat_traversal_vid set to=117 [RFC 3947] | received Vendor ID payload [RFC 3947] | Ignoring older NAT-T Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] | ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] | Ignoring older NAT-T Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] | ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] | Ignoring older NAT-T Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] | ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] | in statetime_start() with no state | find_host_connection local=192.1.2.23:500 remote=192.1.2.45:500 policy=IKEV1_ALLOW but ignoring ports | find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500 but ignoring ports | find_next_host_connection policy=IKEV1_ALLOW | found policy = RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (westnet-eastnet-subnets/2x2) | find_next_host_connection returns 
westnet-eastnet-subnets/2x2 | find_next_host_connection policy=IKEV1_ALLOW | found policy = RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (westnet-eastnet-subnets/2x1) | find_next_host_connection returns westnet-eastnet-subnets/2x1 | find_next_host_connection policy=IKEV1_ALLOW | found policy = RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (westnet-eastnet-subnets/1x2) | find_next_host_connection returns westnet-eastnet-subnets/1x2 | find_next_host_connection policy=IKEV1_ALLOW | found policy = RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (westnet-eastnet-subnets/1x1) | find_next_host_connection returns westnet-eastnet-subnets/1x1 | find_next_host_connection policy=IKEV1_ALLOW | find_next_host_connection returns empty | creating state object #1 at 0x55d2423039d8 | State DB: adding IKEv1 state #1 in UNDEFINED | pstats #1 ikev1.isakmp started | #1 updating local interface from to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2669) | start processing: state #1 connection "westnet-eastnet-subnets/2x2" from 192.1.2.45:500 (in main_inI1_outR1() at ikev1_main.c:667) | parent state #1: UNDEFINED(ignore) => MAIN_R0(half-open IKE SA) | sender checking NAT-T: enabled; VID 117 | returning NAT-T method NAT_TRAVERSAL_METHOD_IETF_RFC | enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal) "westnet-eastnet-subnets/2x2" #1: responding to Main Mode | **emit ISAKMP Message: | initiator cookie: | 58 65 7e 03 6c d2 dc 8b | responder cookie: | 8c 79 d8 bb 28 3b 88 3a | next payload type: ISAKMP_NEXT_SA (0x1) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_IDPROT (0x2) | flags: none (0x0) | Message ID: 0 (0x0) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | next payload chain: ignoring supplied 'ISAKMP Message'.'next payload type' value 1:ISAKMP_NEXT_SA | ***emit ISAKMP Security Association Payload: | 
next payload type: ISAKMP_NEXT_VID (0xd) | DOI: ISAKMP_DOI_IPSEC (0x1) | next payload chain: ignoring supplied 'ISAKMP Security Association Payload'.'next payload type' value 13:ISAKMP_NEXT_VID | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Security Association Payload (1:ISAKMP_NEXT_SA) | next payload chain: saving location 'ISAKMP Security Association Payload'.'next payload type' in 'reply packet' | ****parse IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ****parse ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 632 (0x278) | proposal number: 0 (0x0) | protocol ID: PROTO_ISAKMP (0x1) | SPI size: 0 (0x0) | number of transforms: 18 (0x12) | *****parse ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | length: 36 (0x24) | ISAKMP transform number: 0 (0x0) | ISAKMP transform ID: KEY_IKE (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 10 (0xa) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 7 (0x7) | [7 is OAKLEY_AES_CBC] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 4 (0x4) | [4 is OAKLEY_SHA2_256] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 3 (0x3) | [3 is OAKLEY_RSA_SIG] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 14 (0xe) | [14 is OAKLEY_GROUP_MODP2048] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | OAKLEY proposal verified unconditionally; no alg_info to check against | Oakley Transform 0 accepted | ****emit IPsec DOI SIT: | IPsec DOI SIT: 
SIT_IDENTITY_ONLY (0x1) | ****emit ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | proposal number: 0 (0x0) | protocol ID: PROTO_ISAKMP (0x1) | SPI size: 0 (0x0) | number of transforms: 1 (0x1) | last substructure: saving location 'ISAKMP Security Association Payload'.'ISAKMP Proposal Payload'.'next payload type' | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP transform number: 0 (0x0) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | emitting 28 raw bytes of attributes into ISAKMP Transform Payload (ISAKMP) | attributes 80 0b 00 01 80 0c 00 0a 80 01 00 07 80 02 00 04 | attributes 80 03 00 03 80 04 00 0e 80 0e 01 00 | emitting length of ISAKMP Transform Payload (ISAKMP): 36 | emitting length of ISAKMP Proposal Payload: 44 | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is 0 | emitting length of ISAKMP Security Association Payload: 56 | last substructure: checking 'ISAKMP Security Association Payload'.'ISAKMP Proposal Payload'.'next payload type' is 0 | out_vid(): sending [FRAGMENTATION] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | next payload chain: ignoring supplied 'ISAKMP Vendor ID Payload'.'next payload type' value 13:ISAKMP_NEXT_VID | next payload chain: setting previous 'ISAKMP Security Association Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID 40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3 | emitting length of ISAKMP Vendor ID Payload: 20 | out_vid(): sending [Dead Peer Detection] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next 
payload chain: setting previous 'ISAKMP Vendor ID Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00 | emitting length of ISAKMP Vendor ID Payload: 20 | out_vid(): sending [RFC 3947] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Vendor ID Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID 4a 13 1c 81 07 03 58 45 5c 57 28 f2 0e 95 45 2f | emitting length of ISAKMP Vendor ID Payload: 20 | no IKEv1 message padding required | emitting length of ISAKMP Message: 144 | complete v1 state transition with STF_OK | [RE]START processing: state #1 connection "westnet-eastnet-subnets/2x2" from 192.1.2.45:500 (in complete_v1_state_transition() at ikev1.c:2673) | #1 is idle | doing_xauth:no, t_xauth_client_done:no | peer supports fragmentation | peer supports DPD | IKEv1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1 | parent state #1: MAIN_R0(half-open IKE SA) => MAIN_R1(open IKE SA) | event_already_set, deleting event | sending reply packet to 192.1.2.45:500 (from 192.1.2.23:500) | sending 144 bytes for STATE_MAIN_R0 through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #1)
| !event_already_set at reschedule | event_schedule: new EVENT_SO_DISCARD-pe@0x55d2422ffef8 | inserting event EVENT_SO_DISCARD, timeout in 60 seconds for #1 | libevent_malloc: new ptr-libevent@0x55d242300278 size 128 "westnet-eastnet-subnets/2x2" #1: STATE_MAIN_R1: sent MR1, expecting MI2 | modecfg pull: noquirk policy:push not-client | phase 1 is done, looking for phase 2 to unpend | stop processing: from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:380) | stop processing: state #1 connection "westnet-eastnet-subnets/2x2" from 192.1.2.45:500 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.645 milliseconds in comm_handle_cb() reading and processing packet | spent 0.00269 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 396 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500)
| start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 58 65 7e 03 6c d2 dc 8b | responder cookie: | 8c 79 d8 bb 28 3b 88 3a | next payload type: ISAKMP_NEXT_KE (0x4) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_IDPROT (0x2) | flags: none (0x0) | Message ID: 0 (0x0) | length: 396 (0x18c) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_IDPROT (2) | State DB: found IKEv1 state #1 in MAIN_R1 (find_state_ikev1) | start processing: state #1 connection "westnet-eastnet-subnets/2x2" from 192.1.2.45:500 (in process_v1_packet() at ikev1.c:1459) | #1 is idle | #1 idle | got payload 0x10 (ISAKMP_NEXT_KE) needed: 0x410 opt: 0x102080 | ***parse ISAKMP Key Exchange Payload: | next payload type: ISAKMP_NEXT_NONCE (0xa) | length: 260 (0x104) | got payload 0x400 (ISAKMP_NEXT_NONCE) needed: 0x400 opt: 0x102080 | ***parse ISAKMP Nonce Payload: | next payload type: ISAKMP_NEXT_NATD_RFC (0x14) | length: 36 (0x24) | got payload 0x100000 (ISAKMP_NEXT_NATD_RFC) needed: 0x0 opt: 0x102080 | ***parse ISAKMP NAT-D Payload: | next payload type: ISAKMP_NEXT_NATD_RFC (0x14) | length: 36 (0x24) | got payload 0x100000 (ISAKMP_NEXT_NATD_RFC) needed: 0x0 opt: 0x102080 | ***parse ISAKMP NAT-D Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 36 (0x24) | message 'main_inI2_outR2' HASH payload not checked early | init checking NAT-T: enabled; RFC 3947 (NAT-Traversal) | natd_hash: hasher=0x55d24095dca0(32) | natd_hash: icookie= 58 65 7e 03 6c d2 dc 8b | natd_hash: rcookie= 8c 79 d8 bb 28 3b 88 3a | natd_hash: ip= c0 01 02 17 | natd_hash: port=500 | natd_hash: hash= be cc 77 e2 04 b0 3c 60 bd 4e 72 86 f9 8a 53 ec | natd_hash: hash= 97 d6 48 01 d2 e5 17 c4 a5
ad d6 49 9c 49 0a 47 | natd_hash: hasher=0x55d24095dca0(32) | natd_hash: icookie= 58 65 7e 03 6c d2 dc 8b | natd_hash: rcookie= 8c 79 d8 bb 28 3b 88 3a | natd_hash: ip= c0 01 02 2d | natd_hash: port=500 | natd_hash: hash= b0 ed 44 24 94 f9 a6 86 9d 45 65 c5 29 7b 3b 84 | natd_hash: hash= 74 44 30 d3 d0 ee f6 d6 01 82 d8 47 78 90 d8 fa | expected NAT-D(me): be cc 77 e2 04 b0 3c 60 bd 4e 72 86 f9 8a 53 ec | expected NAT-D(me): 97 d6 48 01 d2 e5 17 c4 a5 ad d6 49 9c 49 0a 47 | expected NAT-D(him): | b0 ed 44 24 94 f9 a6 86 9d 45 65 c5 29 7b 3b 84 | 74 44 30 d3 d0 ee f6 d6 01 82 d8 47 78 90 d8 fa | received NAT-D: be cc 77 e2 04 b0 3c 60 bd 4e 72 86 f9 8a 53 ec | received NAT-D: 97 d6 48 01 d2 e5 17 c4 a5 ad d6 49 9c 49 0a 47 | received NAT-D: b0 ed 44 24 94 f9 a6 86 9d 45 65 c5 29 7b 3b 84 | received NAT-D: 74 44 30 d3 d0 ee f6 d6 01 82 d8 47 78 90 d8 fa | NAT_TRAVERSAL encaps using auto-detect | NAT_TRAVERSAL this end is NOT behind NAT | NAT_TRAVERSAL that end is NOT behind NAT | NAT_TRAVERSAL nat-keepalive enabled 192.1.2.45 | NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: no NAT detected | NAT_T_WITH_KA detected | global one-shot timer EVENT_NAT_T_KEEPALIVE scheduled in 20 seconds | adding inI2_outR2 KE work-order 1 for state #1 | state #1 requesting EVENT_SO_DISCARD to be deleted | libevent_free: release ptr-libevent@0x55d242300278 | free_event_entry: release EVENT_SO_DISCARD-pe@0x55d2422ffef8 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55d2422ffef8 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 | libevent_malloc: new ptr-libevent@0x55d242303768 size 128 | crypto helper 0 resuming | crypto helper 0 starting work-order 1 for state #1 | crypto helper 0 doing build KE and nonce (inI2_outR2 KE); request ID 1 | complete v1 state transition with STF_SUSPEND | [RE]START processing: state #1 connection "westnet-eastnet-subnets/2x2" from 192.1.2.45:500 (in complete_v1_state_transition() at ikev1.c:2648) | suspending state #1 
and saving MD | #1 is busy; has a suspended MD | #1 spent 0.137 milliseconds in process_packet_tail() | stop processing: from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:380) | stop processing: state #1 connection "westnet-eastnet-subnets/2x2" from 192.1.2.45:500 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.287 milliseconds in comm_handle_cb() reading and processing packet | crypto helper 0 finished build KE and nonce (inI2_outR2 KE); request ID 1 time elapsed 0.000751 seconds | (#1) spent 0.74 milliseconds in crypto helper computing work-order 1: inI2_outR2 KE (pcr) | crypto helper 0 sending results from work-order 1 for state #1 to event queue | scheduling resume sending helper answer for #1 | libevent_malloc: new ptr-libevent@0x7fcaa0002888 size 128 | crypto helper 0 waiting (nothing to do) | processing resume sending helper answer for #1 | start processing: state #1 connection "westnet-eastnet-subnets/2x2" from 192.1.2.45:500 (in resume_handler() at server.c:797) | crypto helper 0 replies to request ID 1 | calling continuation function 0x55d240888b50 | main_inI2_outR2_continue for #1: calculated ke+nonce, sending R2 | **emit ISAKMP Message: | initiator cookie: | 58 65 7e 03 6c d2 dc 8b | responder cookie: | 8c 79 d8 bb 28 3b 88 3a | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_IDPROT (0x2) | flags: none (0x0) | Message ID: 0 (0x0) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit ISAKMP Key Exchange Payload: | next payload type: ISAKMP_NEXT_NONCE (0xa) | next payload chain: ignoring supplied 'ISAKMP Key Exchange Payload'.'next payload type' value 10:ISAKMP_NEXT_NONCE | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Key Exchange Payload (4:ISAKMP_NEXT_KE) | next payload chain: saving location 'ISAKMP Key Exchange 
Payload'.'next payload type' in 'reply packet' | emitting 256 raw bytes of keyex value into ISAKMP Key Exchange Payload | emitting length of ISAKMP Key Exchange Payload: 260 | ***emit ISAKMP Nonce Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Key Exchange Payload'.'next payload type' to current ISAKMP Nonce Payload (10:ISAKMP_NEXT_NONCE) | next payload chain: saving location 'ISAKMP Nonce Payload'.'next payload type' in 'reply packet' | emitting 32 raw bytes of Nr into ISAKMP Nonce Payload | Nr 56 66 d2 88 03 93 c1 66 53 a6 5d f5 9e a5 dd a4 | Nr 66 e9 73 16 84 e4 5e 56 0a 2b ce 36 8a 63 87 f3 | emitting length of ISAKMP Nonce Payload: 36 | sending NAT-D payloads | natd_hash: hasher=0x55d24095dca0(32) | natd_hash: icookie= 58 65 7e 03 6c d2 dc 8b | natd_hash: rcookie= 8c 79 d8 bb 28 3b 88 3a | natd_hash: ip= c0 01 02 2d | natd_hash: port=500 | natd_hash: hash= b0 ed 44 24 94 f9 a6 86 9d 45 65 c5 29 7b 3b 84 | natd_hash: hash= 74 44 30 d3
d0 ee f6 d6 01 82 d8 47 78 90 d8 fa | ***emit ISAKMP NAT-D Payload: | next payload type: ISAKMP_NEXT_NATD_RFC (0x14) | next payload chain: ignoring supplied 'ISAKMP NAT-D Payload'.'next payload type' value 20:ISAKMP_NEXT_NATD_RFC | next payload chain: setting previous 'ISAKMP Nonce Payload'.'next payload type' to current ISAKMP NAT-D Payload (20:ISAKMP_NEXT_NATD_RFC) | next payload chain: saving location 'ISAKMP NAT-D Payload'.'next payload type' in 'reply packet' | emitting 32 raw bytes of NAT-D into ISAKMP NAT-D Payload | NAT-D b0 ed 44 24 94 f9 a6 86 9d 45 65 c5 29 7b 3b 84 | NAT-D 74 44 30 d3 d0 ee f6 d6 01 82 d8 47 78 90 d8 fa | emitting length of ISAKMP NAT-D Payload: 36 | natd_hash: hasher=0x55d24095dca0(32) | natd_hash: icookie= 58 65 7e 03 6c d2 dc 8b | natd_hash: rcookie= 8c 79 d8 bb 28 3b 88 3a | natd_hash: ip= c0 01 02 17 | natd_hash: port=500 | natd_hash: hash= be cc 77 e2 04 b0 3c 60 bd 4e 72 86 f9 8a 53 ec | natd_hash: hash= 97 d6 48 01 d2 e5 17 c4 a5 ad d6 49 9c 49 0a 47 | ***emit ISAKMP NAT-D Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP NAT-D Payload'.'next payload type' to current ISAKMP NAT-D Payload (20:ISAKMP_NEXT_NATD_RFC) | next payload chain: saving location 'ISAKMP NAT-D Payload'.'next payload type' in 'reply packet' | emitting 32 raw bytes of NAT-D into ISAKMP NAT-D Payload | NAT-D be cc 77 e2 04 b0 3c 60 bd 4e 72 86 f9 8a 53 ec | NAT-D 97 d6 48 01 d2 e5 17 c4 a5 ad d6 49 9c 49 0a 47 | emitting length of ISAKMP NAT-D Payload: 36 | no IKEv1 message padding required | emitting length of ISAKMP Message: 396 | main inI2_outR2: starting async DH calculation (group=14) | started looking for secret for @east->@west of kind PKK_PSK | actually looking for secret for @east->@west of kind PKK_PSK | line 1: key type PKK_PSK(@east) to type PKK_RSA | concluding with best_match=000 best=(nil) (lineno=-1) | no PreShared Key Found | adding main_inI2_outR2_tail work-order 2 for state #1 | state #1 
requesting EVENT_CRYPTO_TIMEOUT to be deleted | libevent_free: release ptr-libevent@0x55d242303768 | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55d2422ffef8 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55d2422ffef8 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 | libevent_malloc: new ptr-libevent@0x55d242304ad8 size 128 | #1 main_inI2_outR2_continue1_tail:1165 st->st_calculating = FALSE; | complete v1 state transition with STF_OK | crypto helper 1 resuming | [RE]START processing: state #1 connection "westnet-eastnet-subnets/2x2" from 192.1.2.45:500 (in complete_v1_state_transition() at ikev1.c:2673) | crypto helper 1 starting work-order 2 for state #1 | #1 is idle; has background offloaded task | crypto helper 1 doing compute dh+iv (V1 Phase 1) (main_inI2_outR2_tail); request ID 2 | doing_xauth:no, t_xauth_client_done:no | IKEv1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2 | parent state #1: MAIN_R1(open IKE SA) => MAIN_R2(open IKE SA) | event_already_set, deleting event | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted | libevent_free: release ptr-libevent@0x55d242304ad8 | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55d2422ffef8 | sending reply packet to 192.1.2.45:500 (from 192.1.2.23:500) | sending 396 bytes for STATE_MAIN_R1 through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #1)
| !event_already_set at reschedule | event_schedule: new EVENT_RETRANSMIT-pe@0x55d2422ffef8 | inserting event EVENT_RETRANSMIT, timeout in 0.5 seconds for #1 | libevent_malloc: new ptr-libevent@0x55d242304ad8 size 128 | #1 STATE_MAIN_R2: retransmits: first event in 0.5 seconds; timeout in 60 seconds; limit of 12 retransmits; current time is 11342.205503 "westnet-eastnet-subnets/2x2" #1: STATE_MAIN_R2: sent MR2, expecting MI3 | modecfg pull: noquirk policy:push not-client | phase 1 is done, looking for phase 2 to unpend | resume sending helper answer for #1 suppresed complete_v1_state_transition() | #1 spent 0.466 milliseconds in resume sending helper answer | stop processing: state #1 connection "westnet-eastnet-subnets/2x2" from 192.1.2.45:500 (in resume_handler() at server.c:833) | libevent_free: release ptr-libevent@0x7fcaa0002888 | crypto helper 1 finished compute dh+iv (V1 Phase 1) (main_inI2_outR2_tail); request ID 2 time elapsed 0.000793 seconds | (#1) spent 0.797 milliseconds in crypto helper computing work-order 2: main_inI2_outR2_tail (pcr) | crypto helper 1 sending results from work-order 2 for state #1 to event queue | scheduling resume sending helper answer for #1 | libevent_malloc: new ptr-libevent@0x7fca98000f48 size 128 | crypto helper 1 waiting (nothing to do) | processing resume sending helper answer for #1 | start processing: state #1
connection "westnet-eastnet-subnets/2x2" from 192.1.2.45:500 (in resume_handler() at server.c:797) | crypto helper 1 replies to request ID 2 | calling continuation function 0x55d240888b50 | main_inI2_outR2_calcdone for #1: calculate DH finished | [RE]START processing: state #1 connection "westnet-eastnet-subnets/2x2" from 192.1.2.45:500 (in main_inI2_outR2_continue2() at ikev1_main.c:1015) | stop processing: state #1 connection "westnet-eastnet-subnets/2x2" from 192.1.2.45:500 (in main_inI2_outR2_continue2() at ikev1_main.c:1028) | resume sending helper answer for #1 suppresed complete_v1_state_transition() | #1 spent 0.0147 milliseconds in resume sending helper answer | processing: STOP state #0 (in resume_handler() at server.c:833) | libevent_free: release ptr-libevent@0x7fca98000f48 | spent 0.00304 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 332 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500) | start 
processing: from 192.1.2.45:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 58 65 7e 03 6c d2 dc 8b | responder cookie: | 8c 79 d8 bb 28 3b 88 3a | next payload type: ISAKMP_NEXT_ID (0x5) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_IDPROT (0x2) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 0 (0x0) | length: 332 (0x14c) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_IDPROT (2) | State DB: found IKEv1 state #1 in MAIN_R2 (find_state_ikev1) | start processing: state #1 connection "westnet-eastnet-subnets/2x2" from 192.1.2.45:500 (in process_v1_packet() at ikev1.c:1459) | #1 is idle | #1 idle | received encrypted packet from 192.1.2.45:500 | got payload 0x20 (ISAKMP_NEXT_ID) needed: 0x220 opt: 0x20c0 | ***parse ISAKMP Identification Payload: | next payload type: ISAKMP_NEXT_SIG (0x9) | length: 12 (0xc) | ID type: ID_FQDN (0x2) | DOI specific A: 0 (0x0) | DOI specific B: 0 (0x0) | obj: 77 65 73 74 | got payload 0x200 (ISAKMP_NEXT_SIG) needed: 0x200 opt: 0x20c0 | ***parse ISAKMP Signature Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 278 (0x116) | removing 14 bytes of padding | message 'main_inI3_outR3' HASH payload not checked early "westnet-eastnet-subnets/2x2" #1: Peer ID is ID_FQDN: '@west' | X509: no CERT payloads to process | refine_host_connection for IKEv1: starting with "westnet-eastnet-subnets/2x2" | match_id a=@west | b=@west | results matched | refine_host_connection: checking "westnet-eastnet-subnets/2x2" against "westnet-eastnet-subnets/2x2", best=(none) with match=1(id=1(0)/ca=1(0)/reqca=1(0)) | Warning: not switching back to template of current instance | No IDr payload received from peer | refine_host_connection: checked westnet-eastnet-subnets/2x2 against westnet-eastnet-subnets/2x2, now for see if best | started looking for secret for @east->@west of kind PKK_RSA | actually looking for secret for @east->@west of kind PKK_RSA | line 1: 
key type PKK_RSA(@east) to type PKK_RSA | 1: compared key (none) to @east / @west -> 002 | 2: compared key (none) to @east / @west -> 002 | line 1: match=002 | match 002 beats previous best_match 000 match=0x55d242258b58 (line=1) | concluding with best_match=002 best=0x55d242258b58 (lineno=1) | returning because exact peer id match | offered CA: '%none' | required RSA CA is '%any' | checking RSA keyid '@east' for match with '@west' | checking RSA keyid '@west' for match with '@west' | key issuer CA is '%any' | an RSA Sig check passed with *AQOm9dY/4 [preloaded key] | #1 spent 0.0621 milliseconds in try_all_RSA_keys() trying a pubkey "westnet-eastnet-subnets/2x2" #1: Authenticated using RSA | thinking about whether to send my certificate: | I have RSA key: OAKLEY_RSA_SIG cert.type: 0?? | sendcert: CERT_ALWAYSSEND and I did not get a certificate request | so do not send cert. | I did not send a certificate because I do not have one. | **emit ISAKMP Message: | initiator cookie: | 58 65 7e 03 6c d2 dc 8b | responder cookie: | 8c 79 d8 bb 28 3b 88 3a | next payload type: ISAKMP_NEXT_ID (0x5) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_IDPROT (0x2) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 0 (0x0) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | next payload chain: ignoring supplied 'ISAKMP Message'.'next payload type' value 5:ISAKMP_NEXT_ID | ***emit ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_SIG (0x9) | ID type: ID_FQDN (0x2) | Protocol ID: 0 (0x0) | port: 0 (0x0) | next payload chain: ignoring supplied 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' value 9:ISAKMP_NEXT_SIG | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Identification Payload (IPsec DOI) (5:ISAKMP_NEXT_ID) | next payload chain: saving location 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' in 'reply 
packet' | emitting 4 raw bytes of my identity into ISAKMP Identification Payload (IPsec DOI) | my identity 65 61 73 74 | emitting length of ISAKMP Identification Payload (IPsec DOI): 12 | started looking for secret for @east->@west of kind PKK_RSA | actually looking for secret for @east->@west of kind PKK_RSA | line 1: key type PKK_RSA(@east) to type PKK_RSA | 1: compared key (none) to @east / @west -> 002 | 2: compared key (none) to @east / @west -> 002 | line 1: match=002 | match 002 beats previous best_match 000 match=0x55d242258b58 (line=1) | concluding with best_match=002 best=0x55d242258b58 (lineno=1) | ***emit ISAKMP Signature Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' to current ISAKMP Signature Payload (9:ISAKMP_NEXT_SIG) | next payload chain: saving location 'ISAKMP Signature Payload'.'next payload type' in 'reply packet' | emitting 274 raw bytes of SIG_R into ISAKMP Signature Payload | emitting 
length of ISAKMP Signature Payload: 278 | emitting 14 zero bytes of encryption padding into ISAKMP Message | no IKEv1 message padding required | emitting length of ISAKMP Message: 332 | FOR_EACH_CONNECTION_... in ISAKMP_SA_established | complete v1 state transition with STF_OK | [RE]START processing: state #1 connection "westnet-eastnet-subnets/2x2" from 192.1.2.45:500 (in complete_v1_state_transition() at ikev1.c:2673) | #1 is idle | doing_xauth:no, t_xauth_client_done:no | IKEv1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3 | parent state #1: MAIN_R2(open IKE SA) => MAIN_R3(established IKE SA) | event_already_set, deleting event | state #1 requesting EVENT_RETRANSMIT to be deleted | #1 STATE_MAIN_R3: retransmits: cleared | libevent_free: release ptr-libevent@0x55d242304ad8 | free_event_entry: release EVENT_RETRANSMIT-pe@0x55d2422ffef8 | sending reply packet to 192.1.2.45:500 (from 192.1.2.23:500) | sending 332 bytes for STATE_MAIN_R2 through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #1)
| !event_already_set at reschedule | event_schedule: new EVENT_SA_EXPIRE-pe@0x55d2422ffef8 | inserting event EVENT_SA_EXPIRE, timeout in 10 seconds for #1 | libevent_malloc: new ptr-libevent@0x7fcaa0002888 size 128 | pstats #1 ikev1.isakmp established "westnet-eastnet-subnets/2x2" #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=RSA_SIG cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048} | DPD: dpd_init() called on ISAKMP SA | DPD: Peer supports Dead Peer Detection | DPD: not initializing DPD because DPD is disabled locally | modecfg pull: noquirk policy:push not-client | phase 1 is done, looking for phase 2 to unpend | unpending state #1 | #1 spent 6.09 milliseconds | #1 spent 6.27 milliseconds in process_packet_tail() | stop processing: from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:380) | stop processing: state #1 connection "westnet-eastnet-subnets/2x2" from 192.1.2.45:500 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 6.45 milliseconds in comm_handle_cb() reading and processing packet | spent 0.00374 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 476 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500)
| start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 58 65 7e 03 6c d2 dc 8b | responder cookie: | 8c 79 d8 bb 28 3b 88 3a | next payload type: ISAKMP_NEXT_HASH (0x8) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_QUICK (0x20) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 468613185 (0x1bee7841) | length: 476 (0x1dc) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_QUICK (32) | State DB: IKEv1 state not found (find_state_ikev1) | State DB: found IKEv1 state #1 in MAIN_R3 (find_state_ikev1) | start processing: state #1 connection "westnet-eastnet-subnets/2x2" from 192.1.2.45:500 (in process_v1_packet() at ikev1.c:1607) | #1 is idle | #1 idle | received encrypted packet from 192.1.2.45:500 | got payload 0x100 (ISAKMP_NEXT_HASH) needed: 0x502 opt: 0x200030 | ***parse ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_SA (0x1) | length: 36 (0x24) | got payload 0x2 (ISAKMP_NEXT_SA) needed: 0x402 opt: 0x200030 | ***parse ISAKMP Security Association Payload: | next payload type: ISAKMP_NEXT_NONCE (0xa) | length: 84 (0x54) | DOI: ISAKMP_DOI_IPSEC (0x1) | got 
payload 0x400 (ISAKMP_NEXT_NONCE) needed: 0x400 opt: 0x200030 | ***parse ISAKMP Nonce Payload: | next payload type: ISAKMP_NEXT_KE (0x4) | length: 36 (0x24) | got payload 0x10 (ISAKMP_NEXT_KE) needed: 0x0 opt: 0x200030 | ***parse ISAKMP Key Exchange Payload: | next payload type: ISAKMP_NEXT_ID (0x5) | length: 260 (0x104) | got payload 0x20 (ISAKMP_NEXT_ID) needed: 0x0 opt: 0x200030 | ***parse ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_ID (0x5) | length: 16 (0x10) | ID type: ID_IPV4_ADDR_SUBNET (0x4) | Protocol ID: 0 (0x0) | port: 0 (0x0) | obj: c0 00 01 80 ff ff ff f0 | got payload 0x20 (ISAKMP_NEXT_ID) needed: 0x0 opt: 0x200030 | ***parse ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 16 (0x10) | ID type: ID_IPV4_ADDR_SUBNET (0x4) | Protocol ID: 0 (0x0) | port: 0 (0x0) | obj: c0 00 02 40 ff ff ff c0 | quick_inI1_outR1 HASH(1): | 01 a1 42 b2 de be 32 59 b9 35 1a 10 b5 a9 02 c5 | 19 65 a9 47 81 3b 9d 71 dd 98 3e 1b f9 95 ca 46 | received 'quick_inI1_outR1' message HASH(1) data ok | parsing 4 raw bytes of ISAKMP Identification Payload (IPsec DOI) into ID address | ID address c0 00 01 80 | parsing 4 raw bytes of ISAKMP Identification Payload (IPsec DOI) into ID mask | ID mask ff ff ff f0 | peer client is subnet 192.0.1.128/28 | peer client protocol/port is 0/0 | parsing 4 raw bytes of ISAKMP Identification Payload (IPsec DOI) into ID address | ID address c0 00 02 40 | parsing 4 raw bytes of ISAKMP Identification Payload (IPsec DOI) into ID mask | ID mask ff ff ff c0 | our client is subnet 192.0.2.64/26 | our client protocol/port is 0/0 "westnet-eastnet-subnets/2x2" #1: the peer proposed: 192.0.2.64/26:0/0 -> 192.0.1.128/28:0/0 | find_client_connection starting with westnet-eastnet-subnets/2x2 | looking for 192.0.2.64/26:0/0 -> 192.0.1.128/28:0/0 | concrete checking against sr#0 192.0.2.64/26 -> 192.0.1.128/28 | match_id a=@west | b=@west | results matched | fc_try trying 
westnet-eastnet-subnets/2x2:192.0.2.64/26:0/0 -> 192.0.1.128/28:0/0 vs westnet-eastnet-subnets/2x2:192.0.2.64/26:0/0 -> 192.0.1.128/28:0/0 | match_id a=@west | b=@west | results matched | fc_try trying westnet-eastnet-subnets/2x2:192.0.2.64/26:0/0 -> 192.0.1.128/28:0/0 vs westnet-eastnet-subnets/2x1:192.0.2.16/28:0/0 -> 192.0.1.128/28:0/0 | our client (192.0.2.16/28) not in our_net (192.0.2.64/26) | match_id a=@west | b=@west | results matched | fc_try trying westnet-eastnet-subnets/2x2:192.0.2.64/26:0/0 -> 192.0.1.128/28:0/0 vs westnet-eastnet-subnets/1x2:192.0.2.64/26:0/0 -> 192.0.1.0/28:0/0 | their client (192.0.1.0/28) not in same peer_net (192.0.1.128/28) | match_id a=@west | b=@west | results matched | fc_try trying westnet-eastnet-subnets/2x2:192.0.2.64/26:0/0 -> 192.0.1.128/28:0/0 vs westnet-eastnet-subnets/1x1:192.0.2.16/28:0/0 -> 192.0.1.0/28:0/0 | our client (192.0.2.16/28) not in our_net (192.0.2.64/26) | fc_try concluding with westnet-eastnet-subnets/2x2 [129] | fc_try westnet-eastnet-subnets/2x2 gives westnet-eastnet-subnets/2x2 | concluding with d = westnet-eastnet-subnets/2x2 | client wildcard: no port wildcard: no virtual: no | creating state object #2 at 0x55d24230cb08 | State DB: adding IKEv1 state #2 in UNDEFINED | pstats #2 ikev1.ipsec started | duplicating state object #1 "westnet-eastnet-subnets/2x2" as #2 for IPSEC SA | #2 setting local endpoint to 192.1.2.23:500 from #1.st_localport (in duplicate_state() at state.c:1484) | suspend processing: state #1 connection "westnet-eastnet-subnets/2x2" from 192.1.2.45:500 (in quick_inI1_outR1_tail() at ikev1_quick.c:1295) | start processing: state #2 connection "westnet-eastnet-subnets/2x2" from 192.1.2.45:500 (in quick_inI1_outR1_tail() at ikev1_quick.c:1295) | child state #2: UNDEFINED(ignore) => QUICK_R0(established CHILD SA) | ****parse IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ****parse ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 72 (0x48) | 
proposal number: 0 (0x0) | protocol ID: PROTO_IPSEC_ESP (0x3) | SPI size: 4 (0x4) | number of transforms: 2 (0x2) | parsing 4 raw bytes of ISAKMP Proposal Payload into SPI | SPI fa e8 75 46 | *****parse ISAKMP Transform Payload (ESP): | next payload type: ISAKMP_NEXT_T (0x3) | length: 32 (0x20) | ESP transform number: 0 (0x0) | ESP transform ID: ESP_AES (0xc) | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+GROUP_DESCRIPTION (0x8003) | length/value: 14 (0xe) | [14 is OAKLEY_GROUP_MODP2048] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+ENCAPSULATION_MODE (0x8004) | length/value: 1 (0x1) | [1 is ENCAPSULATION_MODE_TUNNEL] | NAT-T non-encap: Installing IPsec SA without ENCAP, st->hidden_variables.st_nat_traversal is none | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+SA_LIFE_TYPE (0x8001) | length/value: 1 (0x1) | [1 is SA_LIFE_TYPE_SECONDS] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+SA_LIFE_DURATION (variable length) (0x8002) | length/value: 28800 (0x7080) | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+AUTH_ALGORITHM (0x8005) | length/value: 2 (0x2) | [2 is AUTH_ALGORITHM_HMAC_SHA1] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+KEY_LENGTH (0x8006) | length/value: 128 (0x80) | ESP IPsec Transform verified unconditionally; no alg_info to check against | adding quick_outI1 KE work-order 3 for state #2 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x7fcaa0002b78 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #2 | libevent_malloc: new ptr-libevent@0x55d242308ce8 size 128 | complete v1 state transition with STF_SUSPEND | [RE]START processing: state #2 connection "westnet-eastnet-subnets/2x2" from 192.1.2.45:500 (in complete_v1_state_transition() at ikev1.c:2648) | suspending state #2 and saving MD | #2 is busy; has a suspended MD | #1 spent 0.161 milliseconds in process_packet_tail() | crypto helper 2 resuming | crypto helper 2 starting work-order 3 for state #2 | stop processing: from 
192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:380) | crypto helper 2 doing build KE and nonce (quick_outI1 KE); request ID 3 | stop processing: state #2 connection "westnet-eastnet-subnets/2x2" from 192.1.2.45:500 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.429 milliseconds in comm_handle_cb() reading and processing packet | spent 0.00199 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 476 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500)
| start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 58 65 7e 03 6c d2 dc 8b | responder cookie: | 8c 79 d8 bb 28 3b 88 3a | next payload type: ISAKMP_NEXT_HASH (0x8) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_QUICK (0x20) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 2660198645 (0x9e8f68f5) | length: 476 (0x1dc) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_QUICK (32) | State DB: IKEv1 state not found (find_state_ikev1) | State DB: found IKEv1 state #1 in MAIN_R3 (find_state_ikev1) | start processing: state #1 connection "westnet-eastnet-subnets/2x2" from 192.1.2.45:500 (in process_v1_packet() at ikev1.c:1607) | #1 is idle | #1 idle | received encrypted packet from 192.1.2.45:500 | got payload 0x100 (ISAKMP_NEXT_HASH) needed: 0x502 opt: 0x200030 | ***parse ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_SA (0x1) | length: 36 (0x24) | got payload 0x2 (ISAKMP_NEXT_SA) needed: 0x402 opt: 0x200030 | ***parse ISAKMP Security Association Payload: | next payload type: ISAKMP_NEXT_NONCE (0xa) | length: 84 (0x54) | DOI: ISAKMP_DOI_IPSEC (0x1) | got payload 0x400 (ISAKMP_NEXT_NONCE) needed: 0x400 opt: 0x200030 | ***parse ISAKMP Nonce Payload: | next payload type: ISAKMP_NEXT_KE (0x4) | length: 36 (0x24) | got payload 0x10 (ISAKMP_NEXT_KE) needed: 0x0 opt: 0x200030 | ***parse ISAKMP Key Exchange Payload: | next payload type: ISAKMP_NEXT_ID (0x5) | length: 260 (0x104) | got payload 0x20 (ISAKMP_NEXT_ID) needed: 0x0 opt: 0x200030 | ***parse ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_ID (0x5) | length: 16 (0x10) | ID type: ID_IPV4_ADDR_SUBNET (0x4) | Protocol ID: 0 (0x0) | port: 0 (0x0) | obj: c0 00 01 80 ff ff ff f0 | got payload 0x20 (ISAKMP_NEXT_ID) needed: 0x0 opt: 0x200030 | ***parse ISAKMP Identification Payload (IPsec DOI): | next payload type: 
ISAKMP_NEXT_NONE (0x0) | length: 16 (0x10) | ID type: ID_IPV4_ADDR_SUBNET (0x4) | Protocol ID: 0 (0x0) | port: 0 (0x0) | obj: c0 00 02 10 ff ff ff f0 | quick_inI1_outR1 HASH(1): | d0 cc 86 af af 91 04 0f 71 73 03 6d ec 5a 40 3f | 3e 57 b6 6a 37 66 ab 86 ac 20 69 80 51 0f 5c 55 | received 'quick_inI1_outR1' message HASH(1) data ok | parsing 4 raw bytes of ISAKMP Identification Payload (IPsec DOI) into ID address | ID address c0 00 01 80 | parsing 4 raw bytes of ISAKMP Identification Payload (IPsec DOI) into ID mask | ID mask ff ff ff f0 | peer client is subnet 192.0.1.128/28 | peer client protocol/port is 0/0 | parsing 4 raw bytes of ISAKMP Identification Payload (IPsec DOI) into ID address | ID address c0 00 02 10 | parsing 4 raw bytes of ISAKMP Identification Payload (IPsec DOI) into ID mask | ID mask ff ff ff f0 | our client is subnet 192.0.2.16/28 | our client protocol/port is 0/0 "westnet-eastnet-subnets/2x2" #1: the peer proposed: 192.0.2.16/28:0/0 -> 192.0.1.128/28:0/0 | find_client_connection starting with westnet-eastnet-subnets/2x2 | looking for 192.0.2.16/28:0/0 -> 192.0.1.128/28:0/0 | concrete checking against sr#0 192.0.2.64/26 -> 192.0.1.128/28 | match_id a=@west | b=@west | results matched | fc_try trying westnet-eastnet-subnets/2x2:192.0.2.16/28:0/0 -> 192.0.1.128/28:0/0 vs westnet-eastnet-subnets/2x2:192.0.2.64/26:0/0 -> 192.0.1.128/28:0/0 | our client (192.0.2.64/26) not in our_net (192.0.2.16/28) | match_id a=@west | b=@west | results matched | fc_try trying westnet-eastnet-subnets/2x2:192.0.2.16/28:0/0 -> 192.0.1.128/28:0/0 vs westnet-eastnet-subnets/2x1:192.0.2.16/28:0/0 -> 192.0.1.128/28:0/0 | match_id a=@west | b=@west | results matched | fc_try trying westnet-eastnet-subnets/2x2:192.0.2.16/28:0/0 -> 192.0.1.128/28:0/0 vs westnet-eastnet-subnets/1x2:192.0.2.64/26:0/0 -> 192.0.1.0/28:0/0 | our client (192.0.2.64/26) not in our_net (192.0.2.16/28) | match_id a=@west | b=@west | results matched | fc_try trying 
westnet-eastnet-subnets/2x2:192.0.2.16/28:0/0 -> 192.0.1.128/28:0/0 vs westnet-eastnet-subnets/1x1:192.0.2.16/28:0/0 -> 192.0.1.0/28:0/0 | their client (192.0.1.0/28) not in same peer_net (192.0.1.128/28) | fc_try concluding with westnet-eastnet-subnets/2x1 [128] | fc_try westnet-eastnet-subnets/2x2 gives westnet-eastnet-subnets/2x1 | concluding with d = westnet-eastnet-subnets/2x1 | using connection "westnet-eastnet-subnets/2x1" | client wildcard: no port wildcard: no virtual: no | creating state object #3 at 0x55d242311288 | State DB: adding IKEv1 state #3 in UNDEFINED | pstats #3 ikev1.ipsec started | duplicating state object #1 "westnet-eastnet-subnets/2x2" as #3 for IPSEC SA | #3 setting local endpoint to 192.1.2.23:500 from #1.st_localport (in duplicate_state() at state.c:1484) | in connection_discard for connection westnet-eastnet-subnets/2x2 | start processing: connection "westnet-eastnet-subnets/2x1" (BACKGROUND) (in quick_inI1_outR1_tail() at ikev1_quick.c:1286) | suspend processing: state #1 connection "westnet-eastnet-subnets/2x2" from 192.1.2.45:500 (in quick_inI1_outR1_tail() at ikev1_quick.c:1295) | start processing: state #3 connection "westnet-eastnet-subnets/2x1" from 192.1.2.45:500 (in quick_inI1_outR1_tail() at ikev1_quick.c:1295) | child state #3: UNDEFINED(ignore) => QUICK_R0(established CHILD SA) | ****parse IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ****parse ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 72 (0x48) | proposal number: 0 (0x0) | protocol ID: PROTO_IPSEC_ESP (0x3) | SPI size: 4 (0x4) | number of transforms: 2 (0x2) | parsing 4 raw bytes of ISAKMP Proposal Payload into SPI | SPI 95 08 73 94 | *****parse ISAKMP Transform Payload (ESP): | next payload type: ISAKMP_NEXT_T (0x3) | length: 32 (0x20) | ESP transform number: 0 (0x0) | ESP transform ID: ESP_AES (0xc) | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+GROUP_DESCRIPTION (0x8003) | length/value: 14 (0xe) | [14 is 
OAKLEY_GROUP_MODP2048] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+ENCAPSULATION_MODE (0x8004) | length/value: 1 (0x1) | [1 is ENCAPSULATION_MODE_TUNNEL] | NAT-T non-encap: Installing IPsec SA without ENCAP, st->hidden_variables.st_nat_traversal is none | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+SA_LIFE_TYPE (0x8001) | length/value: 1 (0x1) | [1 is SA_LIFE_TYPE_SECONDS] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+SA_LIFE_DURATION (variable length) (0x8002) | length/value: 28800 (0x7080) | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+AUTH_ALGORITHM (0x8005) | length/value: 2 (0x2) | [2 is AUTH_ALGORITHM_HMAC_SHA1] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+KEY_LENGTH (0x8006) | length/value: 128 (0x80) | ESP IPsec Transform verified unconditionally; no alg_info to check against | adding quick_outI1 KE work-order 4 for state #3 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55d2423036f8 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #3 | libevent_malloc: new ptr-libevent@0x55d242304ad8 size 128 | libevent_realloc: release ptr-libevent@0x55d2422e1488 | libevent_realloc: new ptr-libevent@0x55d242300018 size 128 | crypto helper 3 resuming | crypto helper 3 starting work-order 4 for state #3 | crypto helper 3 doing build KE and nonce (quick_outI1 KE); request ID 4 | complete v1 state transition with STF_SUSPEND | [RE]START processing: state #3 connection "westnet-eastnet-subnets/2x1" from 192.1.2.45:500 (in complete_v1_state_transition() at ikev1.c:2648) | suspending state #3 and saving MD | #3 is busy; has a suspended MD | #1 spent 0.212 milliseconds in process_packet_tail() | stop processing: from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:380) | stop processing: state #3 connection "westnet-eastnet-subnets/2x1" from 192.1.2.45:500 (in process_md() at demux.c:382) | resume processing: connection "westnet-eastnet-subnets/2x1" (in process_md() at demux.c:382) | stop processing: 
connection "westnet-eastnet-subnets/2x1" (in process_md() at demux.c:383) | spent 0.402 milliseconds in comm_handle_cb() reading and processing packet | spent 0.00153 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 476 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500) | start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 58 65 7e 03 6c d2 dc 8b | responder cookie: | 8c 79 d8 bb 28 3b 88 3a | next payload 
type: ISAKMP_NEXT_HASH (0x8) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_QUICK (0x20) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 1760703549 (0x68f2343d) | length: 476 (0x1dc) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_QUICK (32) | State DB: IKEv1 state not found (find_state_ikev1) | State DB: found IKEv1 state #1 in MAIN_R3 (find_state_ikev1) | start processing: state #1 connection "westnet-eastnet-subnets/2x2" from 192.1.2.45:500 (in process_v1_packet() at ikev1.c:1607) | #1 is idle | #1 idle | received encrypted packet from 192.1.2.45:500 | got payload 0x100 (ISAKMP_NEXT_HASH) needed: 0x502 opt: 0x200030 | ***parse ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_SA (0x1) | length: 36 (0x24) | got payload 0x2 (ISAKMP_NEXT_SA) needed: 0x402 opt: 0x200030 | ***parse ISAKMP Security Association Payload: | next payload type: ISAKMP_NEXT_NONCE (0xa) | length: 84 (0x54) | DOI: ISAKMP_DOI_IPSEC (0x1) | got payload 0x400 (ISAKMP_NEXT_NONCE) needed: 0x400 opt: 0x200030 | ***parse ISAKMP Nonce Payload: | next payload type: ISAKMP_NEXT_KE (0x4) | length: 36 (0x24) | got payload 0x10 (ISAKMP_NEXT_KE) needed: 0x0 opt: 0x200030 | ***parse ISAKMP Key Exchange Payload: | next payload type: ISAKMP_NEXT_ID (0x5) | length: 260 (0x104) | got payload 0x20 (ISAKMP_NEXT_ID) needed: 0x0 opt: 0x200030 | ***parse ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_ID (0x5) | length: 16 (0x10) | ID type: ID_IPV4_ADDR_SUBNET (0x4) | Protocol ID: 0 (0x0) | port: 0 (0x0) | obj: c0 00 01 00 ff ff ff f0 | got payload 0x20 (ISAKMP_NEXT_ID) needed: 0x0 opt: 0x200030 | ***parse ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 16 (0x10) | ID type: ID_IPV4_ADDR_SUBNET (0x4) | Protocol ID: 0 (0x0) | port: 0 (0x0) | obj: c0 00 02 10 ff ff ff f0 | quick_inI1_outR1 HASH(1): | 97 4e 74 dc 41 fe 02 70 8b 18 67 00 bf 56 50 20 | 6c 08 df 10 fc e7 04 e4 9e 70 6a 
78 eb 71 e9 5a | received 'quick_inI1_outR1' message HASH(1) data ok | parsing 4 raw bytes of ISAKMP Identification Payload (IPsec DOI) into ID address | ID address c0 00 01 00 | parsing 4 raw bytes of ISAKMP Identification Payload (IPsec DOI) into ID mask | ID mask ff ff ff f0 | peer client is subnet 192.0.1.0/28 | peer client protocol/port is 0/0 | parsing 4 raw bytes of ISAKMP Identification Payload (IPsec DOI) into ID address | ID address c0 00 02 10 | parsing 4 raw bytes of ISAKMP Identification Payload (IPsec DOI) into ID mask | ID mask ff ff ff f0 | our client is subnet 192.0.2.16/28 | our client protocol/port is 0/0 "westnet-eastnet-subnets/2x2" #1: the peer proposed: 192.0.2.16/28:0/0 -> 192.0.1.0/28:0/0 | find_client_connection starting with westnet-eastnet-subnets/2x2 | looking for 192.0.2.16/28:0/0 -> 192.0.1.0/28:0/0 | concrete checking against sr#0 192.0.2.64/26 -> 192.0.1.128/28 | match_id a=@west | b=@west | results matched | fc_try trying westnet-eastnet-subnets/2x2:192.0.2.16/28:0/0 -> 192.0.1.0/28:0/0 vs westnet-eastnet-subnets/2x2:192.0.2.64/26:0/0 -> 192.0.1.128/28:0/0 | our client (192.0.2.64/26) not in our_net (192.0.2.16/28) | match_id a=@west | b=@west | results matched | fc_try trying westnet-eastnet-subnets/2x2:192.0.2.16/28:0/0 -> 192.0.1.0/28:0/0 vs westnet-eastnet-subnets/2x1:192.0.2.16/28:0/0 -> 192.0.1.128/28:0/0 | their client (192.0.1.128/28) not in same peer_net (192.0.1.0/28) | match_id a=@west | b=@west | results matched | fc_try trying westnet-eastnet-subnets/2x2:192.0.2.16/28:0/0 -> 192.0.1.0/28:0/0 vs westnet-eastnet-subnets/1x2:192.0.2.64/26:0/0 -> 192.0.1.0/28:0/0 | our client (192.0.2.64/26) not in our_net (192.0.2.16/28) | match_id a=@west | b=@west | results matched | fc_try trying westnet-eastnet-subnets/2x2:192.0.2.16/28:0/0 -> 192.0.1.0/28:0/0 vs westnet-eastnet-subnets/1x1:192.0.2.16/28:0/0 -> 192.0.1.0/28:0/0 | fc_try concluding with westnet-eastnet-subnets/1x1 [128] | fc_try westnet-eastnet-subnets/2x2 gives 
westnet-eastnet-subnets/1x1 | concluding with d = westnet-eastnet-subnets/1x1 | using connection "westnet-eastnet-subnets/1x1" | client wildcard: no port wildcard: no virtual: no | creating state object #4 at 0x55d242313d58 | State DB: adding IKEv1 state #4 in UNDEFINED | pstats #4 ikev1.ipsec started | duplicating state object #1 "westnet-eastnet-subnets/2x2" as #4 for IPSEC SA | #4 setting local endpoint to 192.1.2.23:500 from #1.st_localport (in duplicate_state() at state.c:1484) | in connection_discard for connection westnet-eastnet-subnets/2x2 | start processing: connection "westnet-eastnet-subnets/1x1" (BACKGROUND) (in quick_inI1_outR1_tail() at ikev1_quick.c:1286) | suspend processing: state #1 connection "westnet-eastnet-subnets/2x2" from 192.1.2.45:500 (in quick_inI1_outR1_tail() at ikev1_quick.c:1295) | start processing: state #4 connection "westnet-eastnet-subnets/1x1" from 192.1.2.45:500 (in quick_inI1_outR1_tail() at ikev1_quick.c:1295) | child state #4: UNDEFINED(ignore) => QUICK_R0(established CHILD SA) | ****parse IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ****parse ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 72 (0x48) | proposal number: 0 (0x0) | protocol ID: PROTO_IPSEC_ESP (0x3) | SPI size: 4 (0x4) | number of transforms: 2 (0x2) | parsing 4 raw bytes of ISAKMP Proposal Payload into SPI | SPI 4a 46 f0 32 | *****parse ISAKMP Transform Payload (ESP): | next payload type: ISAKMP_NEXT_T (0x3) | length: 32 (0x20) | ESP transform number: 0 (0x0) | ESP transform ID: ESP_AES (0xc) | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+GROUP_DESCRIPTION (0x8003) | length/value: 14 (0xe) | [14 is OAKLEY_GROUP_MODP2048] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+ENCAPSULATION_MODE (0x8004) | length/value: 1 (0x1) | [1 is ENCAPSULATION_MODE_TUNNEL] | NAT-T non-encap: Installing IPsec SA without ENCAP, st->hidden_variables.st_nat_traversal is none | ******parse ISAKMP IPsec DOI attribute: | 
af+type: AF+SA_LIFE_TYPE (0x8001) | length/value: 1 (0x1) | [1 is SA_LIFE_TYPE_SECONDS] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+SA_LIFE_DURATION (variable length) (0x8002) | length/value: 28800 (0x7080) | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+AUTH_ALGORITHM (0x8005) | length/value: 2 (0x2) | [2 is AUTH_ALGORITHM_HMAC_SHA1] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+KEY_LENGTH (0x8006) | length/value: 128 (0x80) | ESP IPsec Transform verified unconditionally; no alg_info to check against | adding quick_outI1 KE work-order 5 for state #4 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55d2422e1488 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #4 | libevent_malloc: new ptr-libevent@0x55d24230ab28 size 128 | complete v1 state transition with STF_SUSPEND | [RE]START processing: state #4 connection "westnet-eastnet-subnets/1x1" from 192.1.2.45:500 (in complete_v1_state_transition() at ikev1.c:2648) | suspending state #4 and saving MD | #4 is busy; has a suspended MD | #1 spent 0.203 milliseconds in process_packet_tail() | stop processing: from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:380) | stop processing: state #4 connection "westnet-eastnet-subnets/1x1" from 192.1.2.45:500 (in process_md() at demux.c:382) | resume processing: connection "westnet-eastnet-subnets/1x1" (in process_md() at demux.c:382) | stop processing: connection "westnet-eastnet-subnets/1x1" (in process_md() at demux.c:383) | spent 0.386 milliseconds in comm_handle_cb() reading and processing packet | spent 0.00151 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 476 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500)
| start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 58 65 7e 03 6c d2 dc 8b | responder cookie: | 8c 79 d8 bb 28 3b 88 3a | next payload type: ISAKMP_NEXT_HASH (0x8) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_QUICK (0x20) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 2290284625 (0x8882f851) | length: 476 (0x1dc) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_QUICK (32) | State DB: IKEv1 state not found (find_state_ikev1) | State DB: found IKEv1 state #1 in MAIN_R3 (find_state_ikev1) | start processing: state #1 connection "westnet-eastnet-subnets/2x2" from 192.1.2.45:500 (in process_v1_packet() at ikev1.c:1607) | #1 is idle | #1 idle | received
encrypted packet from 192.1.2.45:500 | got payload 0x100 (ISAKMP_NEXT_HASH) needed: 0x502 opt: 0x200030 | ***parse ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_SA (0x1) | length: 36 (0x24) | got payload 0x2 (ISAKMP_NEXT_SA) needed: 0x402 opt: 0x200030 | ***parse ISAKMP Security Association Payload: | next payload type: ISAKMP_NEXT_NONCE (0xa) | length: 84 (0x54) | DOI: ISAKMP_DOI_IPSEC (0x1) | got payload 0x400 (ISAKMP_NEXT_NONCE) needed: 0x400 opt: 0x200030 | ***parse ISAKMP Nonce Payload: | next payload type: ISAKMP_NEXT_KE (0x4) | length: 36 (0x24) | got payload 0x10 (ISAKMP_NEXT_KE) needed: 0x0 opt: 0x200030 | ***parse ISAKMP Key Exchange Payload: | next payload type: ISAKMP_NEXT_ID (0x5) | length: 260 (0x104) | got payload 0x20 (ISAKMP_NEXT_ID) needed: 0x0 opt: 0x200030 | ***parse ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_ID (0x5) | length: 16 (0x10) | ID type: ID_IPV4_ADDR_SUBNET (0x4) | Protocol ID: 0 (0x0) | port: 0 (0x0) | obj: c0 00 01 00 ff ff ff f0 | got payload 0x20 (ISAKMP_NEXT_ID) needed: 0x0 opt: 0x200030 | ***parse ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 16 (0x10) | ID type: ID_IPV4_ADDR_SUBNET (0x4) | Protocol ID: 0 (0x0) | port: 0 (0x0) | obj: c0 00 02 40 ff ff ff c0 | quick_inI1_outR1 HASH(1): | e5 03 7c 5c 95 50 e6 19 3a c2 f1 24 ab f1 ee 5c | b5 54 7c 3b cd ea 40 60 65 19 ae 68 1d cc 46 46 | received 'quick_inI1_outR1' message HASH(1) data ok | parsing 4 raw bytes of ISAKMP Identification Payload (IPsec DOI) into ID address | ID address c0 00 01 00 | parsing 4 raw bytes of ISAKMP Identification Payload (IPsec DOI) into ID mask | ID mask ff ff ff f0 | peer client is subnet 192.0.1.0/28 | peer client protocol/port is 0/0 | parsing 4 raw bytes of ISAKMP Identification Payload (IPsec DOI) into ID address | ID address c0 00 02 40 | parsing 4 raw bytes of ISAKMP Identification Payload (IPsec DOI) into ID mask | ID mask ff ff ff c0 | our client is 
subnet 192.0.2.64/26 | our client protocol/port is 0/0 "westnet-eastnet-subnets/2x2" #1: the peer proposed: 192.0.2.64/26:0/0 -> 192.0.1.0/28:0/0 | find_client_connection starting with westnet-eastnet-subnets/2x2 | looking for 192.0.2.64/26:0/0 -> 192.0.1.0/28:0/0 | concrete checking against sr#0 192.0.2.64/26 -> 192.0.1.128/28 | match_id a=@west | b=@west | results matched | fc_try trying westnet-eastnet-subnets/2x2:192.0.2.64/26:0/0 -> 192.0.1.0/28:0/0 vs westnet-eastnet-subnets/2x2:192.0.2.64/26:0/0 -> 192.0.1.128/28:0/0 | their client (192.0.1.128/28) not in same peer_net (192.0.1.0/28) | match_id a=@west | b=@west | results matched | fc_try trying westnet-eastnet-subnets/2x2:192.0.2.64/26:0/0 -> 192.0.1.0/28:0/0 vs westnet-eastnet-subnets/2x1:192.0.2.16/28:0/0 -> 192.0.1.128/28:0/0 | our client (192.0.2.16/28) not in our_net (192.0.2.64/26) | match_id a=@west | b=@west | results matched | fc_try trying westnet-eastnet-subnets/2x2:192.0.2.64/26:0/0 -> 192.0.1.0/28:0/0 vs westnet-eastnet-subnets/1x2:192.0.2.64/26:0/0 -> 192.0.1.0/28:0/0 | match_id a=@west | b=@west | results matched | fc_try trying westnet-eastnet-subnets/2x2:192.0.2.64/26:0/0 -> 192.0.1.0/28:0/0 vs westnet-eastnet-subnets/1x1:192.0.2.16/28:0/0 -> 192.0.1.0/28:0/0 | our client (192.0.2.16/28) not in our_net (192.0.2.64/26) | fc_try concluding with westnet-eastnet-subnets/1x2 [128] | fc_try westnet-eastnet-subnets/2x2 gives westnet-eastnet-subnets/1x2 | concluding with d = westnet-eastnet-subnets/1x2 | using connection "westnet-eastnet-subnets/1x2" | client wildcard: no port wildcard: no virtual: no | creating state object #5 at 0x55d242317d68 | State DB: adding IKEv1 state #5 in UNDEFINED | pstats #5 ikev1.ipsec started | duplicating state object #1 "westnet-eastnet-subnets/2x2" as #5 for IPSEC SA | #5 setting local endpoint to 192.1.2.23:500 from #1.st_localport (in duplicate_state() at state.c:1484) | in connection_discard for connection westnet-eastnet-subnets/2x2 | start processing: 
connection "westnet-eastnet-subnets/1x2" (BACKGROUND) (in quick_inI1_outR1_tail() at ikev1_quick.c:1286) | suspend processing: state #1 connection "westnet-eastnet-subnets/2x2" from 192.1.2.45:500 (in quick_inI1_outR1_tail() at ikev1_quick.c:1295) | start processing: state #5 connection "westnet-eastnet-subnets/1x2" from 192.1.2.45:500 (in quick_inI1_outR1_tail() at ikev1_quick.c:1295) | child state #5: UNDEFINED(ignore) => QUICK_R0(established CHILD SA) | ****parse IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ****parse ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 72 (0x48) | proposal number: 0 (0x0) | protocol ID: PROTO_IPSEC_ESP (0x3) | SPI size: 4 (0x4) | number of transforms: 2 (0x2) | parsing 4 raw bytes of ISAKMP Proposal Payload into SPI | SPI 1b 5f 9f 63 | *****parse ISAKMP Transform Payload (ESP): | next payload type: ISAKMP_NEXT_T (0x3) | length: 32 (0x20) | ESP transform number: 0 (0x0) | ESP transform ID: ESP_AES (0xc) | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+GROUP_DESCRIPTION (0x8003) | length/value: 14 (0xe) | [14 is OAKLEY_GROUP_MODP2048] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+ENCAPSULATION_MODE (0x8004) | length/value: 1 (0x1) | [1 is ENCAPSULATION_MODE_TUNNEL] | NAT-T non-encap: Installing IPsec SA without ENCAP, st->hidden_variables.st_nat_traversal is none | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+SA_LIFE_TYPE (0x8001) | length/value: 1 (0x1) | [1 is SA_LIFE_TYPE_SECONDS] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+SA_LIFE_DURATION (variable length) (0x8002) | length/value: 28800 (0x7080) | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+AUTH_ALGORITHM (0x8005) | length/value: 2 (0x2) | [2 is AUTH_ALGORITHM_HMAC_SHA1] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+KEY_LENGTH (0x8006) | length/value: 128 (0x80) | ESP IPsec Transform verified unconditionally; no alg_info to check against | adding quick_outI1 KE work-order 6 for 
state #5 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55d24230d6a8 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #5 | libevent_malloc: new ptr-libevent@0x55d24230d5f8 size 128 | complete v1 state transition with STF_SUSPEND | [RE]START processing: state #5 connection "westnet-eastnet-subnets/1x2" from 192.1.2.45:500 (in complete_v1_state_transition() at ikev1.c:2648) | suspending state #5 and saving MD | crypto helper 5 resuming | crypto helper 5 starting work-order 5 for state #4 | #5 is busy; has a suspended MD | crypto helper 5 doing build KE and nonce (quick_outI1 KE); request ID 5 | #1 spent 0.252 milliseconds in process_packet_tail() | stop processing: from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:380) | stop processing: state #5 connection "westnet-eastnet-subnets/1x2" from 192.1.2.45:500 (in process_md() at demux.c:382) | resume processing: connection "westnet-eastnet-subnets/1x2" (in process_md() at demux.c:382) | stop processing: connection "westnet-eastnet-subnets/1x2" (in process_md() at demux.c:383) | spent 0.465 milliseconds in comm_handle_cb() reading and processing packet | crypto helper 4 resuming | crypto helper 4 starting work-order 6 for state #5 | crypto helper 4 doing build KE and nonce (quick_outI1 KE); request ID 6 | crypto helper 2 finished build KE and nonce (quick_outI1 KE); request ID 3 time elapsed 0.002177 seconds | (#2) spent 1.03 milliseconds in crypto helper computing work-order 3: quick_outI1 KE (pcr) | crypto helper 2 sending results from work-order 3 for state #2 to event queue | scheduling resume sending helper answer for #2 | libevent_malloc: new ptr-libevent@0x7fca9c003f28 size 128 | crypto helper 2 waiting (nothing to do) | processing resume sending helper answer for #2 | start processing: state #2 connection "westnet-eastnet-subnets/2x2" from 192.1.2.45:500 (in resume_handler() at server.c:797) | crypto helper 2 replies to request ID 3 | calling continuation function 0x55d240888b50 | 
quick_inI1_outR1_cryptocontinue1 for #2: calculated ke+nonce, calculating DH | started looking for secret for @east->@west of kind PKK_PSK | actually looking for secret for @east->@west of kind PKK_PSK | line 1: key type PKK_PSK(@east) to type PKK_RSA | concluding with best_match=000 best=(nil) (lineno=-1) | no PreShared Key Found | adding quick outR1 DH work-order 7 for state #2 | state #2 requesting EVENT_CRYPTO_TIMEOUT to be deleted | libevent_free: release ptr-libevent@0x55d242308ce8 | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x7fcaa0002b78 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x7fcaa0002b78 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #2 | libevent_malloc: new ptr-libevent@0x55d242308ce8 size 128 | suspending state #2 and saving MD | #2 is busy; has a suspended MD | resume sending helper answer for #2 suppresed complete_v1_state_transition() and stole MD | crypto helper 6 resuming | #2 spent 0.0547 milliseconds in resume sending helper answer | crypto helper 6 starting work-order 7 for state #2 | stop processing: state #2 connection "westnet-eastnet-subnets/2x2" from 192.1.2.45:500 (in resume_handler() at server.c:833) | crypto helper 6 doing compute dh (V1 Phase 2 PFS) (quick outR1 DH); request ID 7 | libevent_free: release ptr-libevent@0x7fca9c003f28 | crypto helper 4 finished build KE and nonce (quick_outI1 KE); request ID 6 time elapsed 0.001438 seconds | crypto helper 5 finished build KE and nonce (quick_outI1 KE); request ID 5 time elapsed 0.001589 seconds | (#5) spent 0.93 milliseconds in crypto helper computing work-order 6: quick_outI1 KE (pcr) | (#4) spent 0.623 milliseconds in crypto helper computing work-order 5: quick_outI1 KE (pcr) | crypto helper 5 sending results from work-order 5 for state #4 to event queue | crypto helper 3 finished build KE and nonce (quick_outI1 KE); request ID 4 time elapsed 0.002516 seconds | crypto helper 4 sending results from work-order 6 for state #5 to event queue | scheduling 
resume sending helper answer for #4 | (#3) spent 0.66 milliseconds in crypto helper computing work-order 4: quick_outI1 KE (pcr) | crypto helper 3 sending results from work-order 4 for state #3 to event queue | libevent_malloc: new ptr-libevent@0x7fca94003f28 size 128 | scheduling resume sending helper answer for #5 | crypto helper 5 waiting (nothing to do) | scheduling resume sending helper answer for #3 | libevent_malloc: new ptr-libevent@0x7fca880055c8 size 128 | libevent_malloc: new ptr-libevent@0x7fca90003f28 size 128 | crypto helper 4 waiting (nothing to do) | processing resume sending helper answer for #4 | crypto helper 3 waiting (nothing to do) | start processing: state #4 connection "westnet-eastnet-subnets/1x1" from 192.1.2.45:500 (in resume_handler() at server.c:797) | crypto helper 5 replies to request ID 5 | calling continuation function 0x55d240888b50 | quick_inI1_outR1_cryptocontinue1 for #4: calculated ke+nonce, calculating DH | started looking for secret for @east->@west of kind PKK_PSK | actually looking for secret for @east->@west of kind PKK_PSK | line 1: key type PKK_PSK(@east) to type PKK_RSA | concluding with best_match=000 best=(nil) (lineno=-1) | no PreShared Key Found | crypto helper 6 finished compute dh (V1 Phase 2 PFS) (quick outR1 DH); request ID 7 time elapsed 0.000917 seconds | adding quick outR1 DH work-order 8 for state #4 | state #4 requesting EVENT_CRYPTO_TIMEOUT to be deleted | (#2) spent 0.916 milliseconds in crypto helper computing work-order 7: quick outR1 DH (pcr) | crypto helper 6 sending results from work-order 7 for state #2 to event queue | libevent_free: release ptr-libevent@0x55d24230ab28 | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55d2422e1488 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55d2422e1488 | scheduling resume sending helper answer for #2 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #4 | libevent_malloc: new ptr-libevent@0x7fca9c003f28 size 128 | libevent_malloc: new 
ptr-libevent@0x7fca8c003618 size 128 | suspending state #4 and saving MD | crypto helper 6 starting work-order 8 for state #4 | #4 is busy; has a suspended MD | crypto helper 6 doing compute dh (V1 Phase 2 PFS) (quick outR1 DH); request ID 8 | crypto helper 0 resuming | resume sending helper answer for #4 suppresed complete_v1_state_transition() and stole MD | crypto helper 0 waiting (nothing to do) | #4 spent 0.076 milliseconds in resume sending helper answer | stop processing: state #4 connection "westnet-eastnet-subnets/1x1" from 192.1.2.45:500 (in resume_handler() at server.c:833) | libevent_free: release ptr-libevent@0x7fca94003f28 | processing resume sending helper answer for #5 | start processing: state #5 connection "westnet-eastnet-subnets/1x2" from 192.1.2.45:500 (in resume_handler() at server.c:797) | crypto helper 4 replies to request ID 6 | calling continuation function 0x55d240888b50 | quick_inI1_outR1_cryptocontinue1 for #5: calculated ke+nonce, calculating DH | started looking for secret for @east->@west of kind PKK_PSK | actually looking for secret for @east->@west of kind PKK_PSK | line 1: key type PKK_PSK(@east) to type PKK_RSA | concluding with best_match=000 best=(nil) (lineno=-1) | no PreShared Key Found | adding quick outR1 DH work-order 9 for state #5 | state #5 requesting EVENT_CRYPTO_TIMEOUT to be deleted | libevent_free: release ptr-libevent@0x55d24230d5f8 | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55d24230d6a8 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55d24230d6a8 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #5 | libevent_malloc: new ptr-libevent@0x7fca94003f28 size 128 | suspending state #5 and saving MD | #5 is busy; has a suspended MD | resume sending helper answer for #5 suppresed complete_v1_state_transition() and stole MD | crypto helper 1 resuming | #5 spent 0.0488 milliseconds in resume sending helper answer | crypto helper 1 starting work-order 9 for state #5 | stop processing: state #5 
connection "westnet-eastnet-subnets/1x2" from 192.1.2.45:500 (in resume_handler() at server.c:833) | libevent_free: release ptr-libevent@0x7fca880055c8 | crypto helper 1 doing compute dh (V1 Phase 2 PFS) (quick outR1 DH); request ID 9 | processing resume sending helper answer for #3 | start processing: state #3 connection "westnet-eastnet-subnets/2x1" from 192.1.2.45:500 (in resume_handler() at server.c:797) | crypto helper 3 replies to request ID 4 | calling continuation function 0x55d240888b50 | quick_inI1_outR1_cryptocontinue1 for #3: calculated ke+nonce, calculating DH | started looking for secret for @east->@west of kind PKK_PSK | actually looking for secret for @east->@west of kind PKK_PSK | line 1: key type PKK_PSK(@east) to type PKK_RSA | concluding with best_match=000 best=(nil) (lineno=-1) | no PreShared Key Found | adding quick outR1 DH work-order 10 for state #3 | state #3 requesting EVENT_CRYPTO_TIMEOUT to be deleted | libevent_free: release ptr-libevent@0x55d242304ad8 | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55d2423036f8 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55d2423036f8 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #3 | libevent_malloc: new ptr-libevent@0x7fca880055c8 size 128 | crypto helper 2 resuming | crypto helper 2 starting work-order 10 for state #3 | crypto helper 2 doing compute dh (V1 Phase 2 PFS) (quick outR1 DH); request ID 10 | crypto helper 6 finished compute dh (V1 Phase 2 PFS) (quick outR1 DH); request ID 8 time elapsed 0.000684 seconds | (#4) spent 0.679 milliseconds in crypto helper computing work-order 8: quick outR1 DH (pcr) | crypto helper 6 sending results from work-order 8 for state #4 to event queue | scheduling resume sending helper answer for #4 | libevent_malloc: new ptr-libevent@0x7fca8c0044f8 size 128 | crypto helper 6 waiting (nothing to do) | crypto helper 1 finished compute dh (V1 Phase 2 PFS) (quick outR1 DH); request ID 9 time elapsed 0.000941 seconds | (#5) spent 0.944 
milliseconds in crypto helper computing work-order 9: quick outR1 DH (pcr) | crypto helper 1 sending results from work-order 9 for state #5 to event queue | scheduling resume sending helper answer for #5 | libevent_malloc: new ptr-libevent@0x7fca98005258 size 128 | crypto helper 1 waiting (nothing to do) | crypto helper 2 finished compute dh (V1 Phase 2 PFS) (quick outR1 DH); request ID 10 time elapsed 0.000918 seconds | (#3) spent 0.925 milliseconds in crypto helper computing work-order 10: quick outR1 DH (pcr) | crypto helper 2 sending results from work-order 10 for state #3 to event queue | scheduling resume sending helper answer for #3 | libevent_malloc: new ptr-libevent@0x7fca9c003e78 size 128 | crypto helper 2 waiting (nothing to do) | suspending state #3 and saving MD | #3 is busy; has a suspended MD | resume sending helper answer for #3 suppresed complete_v1_state_transition() and stole MD | #3 spent 0.0515 milliseconds in resume sending helper answer | stop processing: state #3 connection "westnet-eastnet-subnets/2x1" from 192.1.2.45:500 (in resume_handler() at server.c:833) | libevent_free: release ptr-libevent@0x7fca90003f28 | processing resume sending helper answer for #2 | start processing: state #2 connection "westnet-eastnet-subnets/2x2" from 192.1.2.45:500 (in resume_handler() at server.c:797) | crypto helper 6 replies to request ID 7 | calling continuation function 0x55d240888b50 | quick_inI1_outR1_cryptocontinue2 for #2: calculated DH, sending R1 | **emit ISAKMP Message: | initiator cookie: | 58 65 7e 03 6c d2 dc 8b | responder cookie: | 8c 79 d8 bb 28 3b 88 3a | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_QUICK (0x20) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 468613185 (0x1bee7841) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload 
chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Hash Payload (8:ISAKMP_NEXT_HASH) | next payload chain: saving location 'ISAKMP Hash Payload'.'next payload type' in 'reply packet' | emitting 32 zero bytes of HASH DATA into ISAKMP Hash Payload | emitting length of ISAKMP Hash Payload: 36 | ***emit ISAKMP Security Association Payload: | next payload type: ISAKMP_NEXT_NONCE (0xa) | DOI: ISAKMP_DOI_IPSEC (0x1) | next payload chain: ignoring supplied 'ISAKMP Security Association Payload'.'next payload type' value 10:ISAKMP_NEXT_NONCE | next payload chain: setting previous 'ISAKMP Hash Payload'.'next payload type' to current ISAKMP Security Association Payload (1:ISAKMP_NEXT_SA) | next payload chain: saving location 'ISAKMP Security Association Payload'.'next payload type' in 'reply packet' | ****parse IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ****parse ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 72 (0x48) | proposal number: 0 (0x0) | protocol ID: PROTO_IPSEC_ESP (0x3) | SPI size: 4 (0x4) | number of transforms: 2 (0x2) | parsing 4 raw bytes of ISAKMP Proposal Payload into SPI | SPI fa e8 75 46 | *****parse ISAKMP Transform Payload (ESP): | next payload type: ISAKMP_NEXT_T (0x3) | length: 32 (0x20) | ESP transform number: 0 (0x0) | ESP transform ID: ESP_AES (0xc) | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+GROUP_DESCRIPTION (0x8003) | length/value: 14 (0xe) | [14 is OAKLEY_GROUP_MODP2048] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+ENCAPSULATION_MODE (0x8004) | length/value: 1 (0x1) | [1 is ENCAPSULATION_MODE_TUNNEL] | NAT-T non-encap: Installing IPsec SA without ENCAP, st->hidden_variables.st_nat_traversal is none | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+SA_LIFE_TYPE (0x8001) | length/value: 1 (0x1) | [1 is SA_LIFE_TYPE_SECONDS] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+SA_LIFE_DURATION (variable length) (0x8002) | length/value: 28800 
(0x7080) | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+AUTH_ALGORITHM (0x8005) | length/value: 2 (0x2) | [2 is AUTH_ALGORITHM_HMAC_SHA1] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+KEY_LENGTH (0x8006) | length/value: 128 (0x80) | ESP IPsec Transform verified unconditionally; no alg_info to check against | ****emit IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ****emit ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | proposal number: 0 (0x0) | protocol ID: PROTO_IPSEC_ESP (0x3) | SPI size: 4 (0x4) | number of transforms: 1 (0x1) | last substructure: saving location 'ISAKMP Security Association Payload'.'ISAKMP Proposal Payload'.'next payload type' | netlink_get_spi: allocated 0x700402af for esp.0@192.1.2.23 | emitting 4 raw bytes of SPI into ISAKMP Proposal Payload | SPI 70 04 02 af | *****emit ISAKMP Transform Payload (ESP): | next payload type: ISAKMP_NEXT_NONE (0x0) | ESP transform number: 0 (0x0) | ESP transform ID: ESP_AES (0xc) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ESP)'.'next payload type' | emitting 24 raw bytes of attributes into ISAKMP Transform Payload (ESP) | attributes 80 03 00 0e 80 04 00 01 80 01 00 01 80 02 70 80 | attributes 80 05 00 02 80 06 00 80 | emitting length of ISAKMP Transform Payload (ESP): 32 | emitting length of ISAKMP Proposal Payload: 44 | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ESP)'.'next payload type' is 0 | emitting length of ISAKMP Security Association Payload: 56 | last substructure: checking 'ISAKMP Security Association Payload'.'ISAKMP Proposal Payload'.'next payload type' is 0 "westnet-eastnet-subnets/2x2" #2: responding to Quick Mode proposal {msgid:1bee7841} "westnet-eastnet-subnets/2x2" #2: us: 192.0.2.64/26===192.1.2.23<192.1.2.23>[@east] "westnet-eastnet-subnets/2x2" #2: them: 192.1.2.45<192.1.2.45>[@west]===192.0.1.128/28 | ***emit ISAKMP Nonce Payload: | next payload type: 
ISAKMP_NEXT_KE (0x4) | next payload chain: ignoring supplied 'ISAKMP Nonce Payload'.'next payload type' value 4:ISAKMP_NEXT_KE | next payload chain: setting previous 'ISAKMP Security Association Payload'.'next payload type' to current ISAKMP Nonce Payload (10:ISAKMP_NEXT_NONCE) | next payload chain: saving location 'ISAKMP Nonce Payload'.'next payload type' in 'reply packet' | emitting 32 raw bytes of Nr into ISAKMP Nonce Payload | Nr c3 54 cc 57 62 9a d9 12 81 e1 16 b8 92 57 8e 5d | Nr 66 03 5f fd 4e c4 6a 2a a3 2f 75 5d 5d 1b 76 c8 | emitting length of ISAKMP Nonce Payload: 36 | ***emit ISAKMP Key Exchange Payload: | next payload type: ISAKMP_NEXT_ID (0x5) | next payload chain: ignoring supplied 'ISAKMP Key Exchange Payload'.'next payload type' value 5:ISAKMP_NEXT_ID | next payload chain: setting previous 'ISAKMP Nonce Payload'.'next payload type' to current ISAKMP Key Exchange Payload (4:ISAKMP_NEXT_KE) | next payload chain: saving location 'ISAKMP Key Exchange Payload'.'next payload type' in 'reply packet' | emitting 256 raw bytes of keyex value into ISAKMP Key Exchange Payload
| emitting length of ISAKMP Key Exchange Payload: 260 | ***emit ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_ID (0x5) | ID type: ID_IPV4_ADDR_SUBNET (0x4) | Protocol ID: 0 (0x0) | port: 0 (0x0) | next payload chain: ignoring supplied 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' value 5:ISAKMP_NEXT_ID | next payload chain: setting previous 'ISAKMP Key Exchange Payload'.'next payload type' to current ISAKMP Identification Payload (IPsec DOI) (5:ISAKMP_NEXT_ID) | next payload chain: saving location 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' in 'reply packet' | emitting 8 raw bytes of ID body into ISAKMP Identification Payload (IPsec DOI) | ID body c0 00 01 80 ff ff ff f0 | emitting length of ISAKMP Identification Payload (IPsec DOI): 16 | ***emit ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_NONE (0x0) | ID type: ID_IPV4_ADDR_SUBNET (0x4) | Protocol ID: 0 (0x0) | port: 0 (0x0) | next payload chain: setting previous 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' to current ISAKMP Identification Payload (IPsec DOI) (5:ISAKMP_NEXT_ID) | next payload chain: saving location 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' in 'reply packet' | emitting 8 raw bytes of ID body into ISAKMP Identification Payload (IPsec DOI) | ID body c0 00 02 40 ff ff ff c0 | emitting length of ISAKMP Identification Payload (IPsec DOI): 16 | quick inR1 outI2 HASH(2): | 32 3b 66 5e 25 48 64 7f 15 73 eb 23 0c b2 b5 4e | 4b e1 68 d3 65 1c 28 29 d3 b6 3e 9d 34 8b ec 5d | compute_proto_keymat: needed_len (after ESP enc)=16 | compute_proto_keymat: needed_len (after ESP auth)=36 | FOR_EACH_CONNECTION_...
in route_owner | conn westnet-eastnet-subnets/2x2 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/2x2 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/2x2 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/2x1 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/2x2 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/1x2 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/2x2 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/1x1 mark 0/00000000, 0/00000000 | route owner of "westnet-eastnet-subnets/2x2" unrouted: NULL | install_inbound_ipsec_sa() checking if we can route | could_route called for westnet-eastnet-subnets/2x2 (kind=CK_PERMANENT) | FOR_EACH_CONNECTION_... in route_owner | conn westnet-eastnet-subnets/2x2 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/2x2 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/2x2 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/2x1 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/2x2 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/1x2 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/2x2 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/1x1 mark 0/00000000, 0/00000000 | route owner of "westnet-eastnet-subnets/2x2" unrouted: NULL; eroute owner: NULL | routing is easy, or has resolvable near-conflict | checking if this is a replacement state | st=0x55d24230cb08 ost=(nil) st->serialno=#2 ost->serialno=#0 | installing outgoing SA now as refhim=0 | looking for alg with encrypt: AES_CBC keylen: 128 integ: HMAC_SHA1_96 | encrypt AES_CBC keylen=128 transid=12, key_size=16, encryptalg=12 | st->st_esp.keymat_len=36 is encrypt_keymat_size=16 + integ_keymat_size=20 | setting IPsec SA replay-window to 32 | NIC esp-hw-offload not for connection 'westnet-eastnet-subnets/2x2' not available on interface eth1 | netlink: enabling tunnel mode | netlink: setting IPsec SA replay-window to 32 using 
old-style req | netlink: esp-hw-offload not set for IPsec SA | netlink response for Add SA esp.fae87546@192.1.2.45 included non-error error | outgoing SA has refhim=0 | looking for alg with encrypt: AES_CBC keylen: 128 integ: HMAC_SHA1_96 | encrypt AES_CBC keylen=128 transid=12, key_size=16, encryptalg=12 | st->st_esp.keymat_len=36 is encrypt_keymat_size=16 + integ_keymat_size=20 | setting IPsec SA replay-window to 32 | NIC esp-hw-offload not for connection 'westnet-eastnet-subnets/2x2' not available on interface eth1 | netlink: enabling tunnel mode | netlink: setting IPsec SA replay-window to 32 using old-style req | netlink: esp-hw-offload not set for IPsec SA | netlink response for Add SA esp.700402af@192.1.2.23 included non-error error | priority calculation of connection "westnet-eastnet-subnets/2x2" is 0xfe5e3 | add inbound eroute 192.0.1.128/28:0 --0-> 192.0.2.64/26:0 => tun.10000@192.1.2.23 (raw_eroute) | IPsec Sa SPD priority set to 1041891 | raw_eroute result=success | emitting 12 zero bytes of encryption padding into ISAKMP Message | no IKEv1 message padding required | emitting length of ISAKMP Message: 460 | finished processing quick inI1 | complete v1 state transition with STF_OK | [RE]START processing: state #2 connection "westnet-eastnet-subnets/2x2" from 192.1.2.45:500 (in complete_v1_state_transition() at ikev1.c:2673) | #2 is idle | doing_xauth:no, t_xauth_client_done:no | IKEv1: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1 | child state #2: QUICK_R0(established CHILD SA) => QUICK_R1(established CHILD SA) | event_already_set, deleting event | state #2 requesting EVENT_CRYPTO_TIMEOUT to be deleted | libevent_free: release ptr-libevent@0x55d242308ce8 | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x7fcaa0002b78 | sending reply packet to 192.1.2.45:500 (from 192.1.2.23:500) | sending 460 bytes for STATE_QUICK_R0 through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #2)
| !event_already_set at reschedule | event_schedule: new EVENT_RETRANSMIT-pe@0x7fcaa0002b78 | inserting event EVENT_RETRANSMIT, timeout in 0.5 seconds for #2 | libevent_malloc: new ptr-libevent@0x7fca90003f28 size 128 | #2 STATE_QUICK_R1: retransmits: first event in 0.5 seconds; timeout in 60 seconds; limit of 12 retransmits; current time is 11342.225686 | pstats #2 ikev1.ipsec established | NAT-T: encaps is 'auto' "westnet-eastnet-subnets/2x2" #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 tunnel mode {ESP=>0xfae87546 <0x700402af xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=none NATD=none 
DPD=passive} | modecfg pull: noquirk policy:push not-client | phase 1 is done, looking for phase 2 to unpend | resume sending helper answer for #2 suppresed complete_v1_state_transition() | #2 spent 0.923 milliseconds in resume sending helper answer | stop processing: state #2 connection "westnet-eastnet-subnets/2x2" from 192.1.2.45:500 (in resume_handler() at server.c:833) | libevent_free: release ptr-libevent@0x7fca8c003618 | processing resume sending helper answer for #4 | start processing: state #4 connection "westnet-eastnet-subnets/1x1" from 192.1.2.45:500 (in resume_handler() at server.c:797) | crypto helper 6 replies to request ID 8 | calling continuation function 0x55d240888b50 | quick_inI1_outR1_cryptocontinue2 for #4: calculated DH, sending R1 | **emit ISAKMP Message: | initiator cookie: | 58 65 7e 03 6c d2 dc 8b | responder cookie: | 8c 79 d8 bb 28 3b 88 3a | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_QUICK (0x20) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 1760703549 (0x68f2343d) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Hash Payload (8:ISAKMP_NEXT_HASH) | next payload chain: saving location 'ISAKMP Hash Payload'.'next payload type' in 'reply packet' | emitting 32 zero bytes of HASH DATA into ISAKMP Hash Payload | emitting length of ISAKMP Hash Payload: 36 | ***emit ISAKMP Security Association Payload: | next payload type: ISAKMP_NEXT_NONCE (0xa) | DOI: ISAKMP_DOI_IPSEC (0x1) | next payload chain: ignoring supplied 'ISAKMP Security Association Payload'.'next payload type' value 10:ISAKMP_NEXT_NONCE | next payload chain: setting previous 'ISAKMP Hash Payload'.'next payload type' to current ISAKMP Security Association Payload (1:ISAKMP_NEXT_SA) | next 
payload chain: saving location 'ISAKMP Security Association Payload'.'next payload type' in 'reply packet' | ****parse IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ****parse ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 72 (0x48) | proposal number: 0 (0x0) | protocol ID: PROTO_IPSEC_ESP (0x3) | SPI size: 4 (0x4) | number of transforms: 2 (0x2) | parsing 4 raw bytes of ISAKMP Proposal Payload into SPI | SPI 4a 46 f0 32 | *****parse ISAKMP Transform Payload (ESP): | next payload type: ISAKMP_NEXT_T (0x3) | length: 32 (0x20) | ESP transform number: 0 (0x0) | ESP transform ID: ESP_AES (0xc) | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+GROUP_DESCRIPTION (0x8003) | length/value: 14 (0xe) | [14 is OAKLEY_GROUP_MODP2048] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+ENCAPSULATION_MODE (0x8004) | length/value: 1 (0x1) | [1 is ENCAPSULATION_MODE_TUNNEL] | NAT-T non-encap: Installing IPsec SA without ENCAP, st->hidden_variables.st_nat_traversal is none | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+SA_LIFE_TYPE (0x8001) | length/value: 1 (0x1) | [1 is SA_LIFE_TYPE_SECONDS] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+SA_LIFE_DURATION (variable length) (0x8002) | length/value: 28800 (0x7080) | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+AUTH_ALGORITHM (0x8005) | length/value: 2 (0x2) | [2 is AUTH_ALGORITHM_HMAC_SHA1] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+KEY_LENGTH (0x8006) | length/value: 128 (0x80) | ESP IPsec Transform verified unconditionally; no alg_info to check against | ****emit IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ****emit ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | proposal number: 0 (0x0) | protocol ID: PROTO_IPSEC_ESP (0x3) | SPI size: 4 (0x4) | number of transforms: 1 (0x1) | last substructure: saving location 'ISAKMP Security Association Payload'.'ISAKMP Proposal Payload'.'next payload type' | 
netlink_get_spi: allocated 0xb2d9847b for esp.0@192.1.2.23 | emitting 4 raw bytes of SPI into ISAKMP Proposal Payload | SPI b2 d9 84 7b | *****emit ISAKMP Transform Payload (ESP): | next payload type: ISAKMP_NEXT_NONE (0x0) | ESP transform number: 0 (0x0) | ESP transform ID: ESP_AES (0xc) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ESP)'.'next payload type' | emitting 24 raw bytes of attributes into ISAKMP Transform Payload (ESP) | attributes 80 03 00 0e 80 04 00 01 80 01 00 01 80 02 70 80 | attributes 80 05 00 02 80 06 00 80 | emitting length of ISAKMP Transform Payload (ESP): 32 | emitting length of ISAKMP Proposal Payload: 44 | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ESP)'.'next payload type' is 0 | emitting length of ISAKMP Security Association Payload: 56 | last substructure: checking 'ISAKMP Security Association Payload'.'ISAKMP Proposal Payload'.'next payload type' is 0 "westnet-eastnet-subnets/1x1" #4: responding to Quick Mode proposal {msgid:68f2343d} "westnet-eastnet-subnets/1x1" #4: us: 192.0.2.16/28===192.1.2.23<192.1.2.23>[@east] "westnet-eastnet-subnets/1x1" #4: them: 192.1.2.45<192.1.2.45>[@west]===192.0.1.0/28 | ***emit ISAKMP Nonce Payload: | next payload type: ISAKMP_NEXT_KE (0x4) | next payload chain: ignoring supplied 'ISAKMP Nonce Payload'.'next payload type' value 4:ISAKMP_NEXT_KE | next payload chain: setting previous 'ISAKMP Security Association Payload'.'next payload type' to current ISAKMP Nonce Payload (10:ISAKMP_NEXT_NONCE) | next payload chain: saving location 'ISAKMP Nonce Payload'.'next payload type' in 'reply packet' | emitting 32 raw bytes of Nr into ISAKMP Nonce Payload | Nr 05 53 a9 c5 85 e7 bc a9 60 96 f3 45 d0 b3 c2 a2 | Nr ac 77 b7 81 2c 2b fb a9 91 0e 84 84 d0 44 fc e5 | emitting length of ISAKMP Nonce Payload: 36 | ***emit ISAKMP Key Exchange Payload: | next payload type: ISAKMP_NEXT_ID (0x5) | next payload chain: ignoring supplied 'ISAKMP 
Key Exchange Payload'.'next payload type' value 5:ISAKMP_NEXT_ID | next payload chain: setting previous 'ISAKMP Nonce Payload'.'next payload type' to current ISAKMP Key Exchange Payload (4:ISAKMP_NEXT_KE) | next payload chain: saving location 'ISAKMP Key Exchange Payload'.'next payload type' in 'reply packet' | emitting 256 raw bytes of keyex value into ISAKMP Key Exchange Payload | emitting length of ISAKMP Key Exchange Payload: 260 | ***emit ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_ID (0x5) | ID type: ID_IPV4_ADDR_SUBNET (0x4) | Protocol ID: 0 (0x0) | port: 0 (0x0) | next payload chain: ignoring supplied 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' value 5:ISAKMP_NEXT_ID | next payload chain: setting previous 'ISAKMP Key Exchange Payload'.'next payload type' to current ISAKMP Identification Payload (IPsec DOI) (5:ISAKMP_NEXT_ID) | next payload chain: saving location 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' in 
'reply packet' | emitting 8 raw bytes of ID body into ISAKMP Identification Payload (IPsec DOI) | ID body c0 00 01 00 ff ff ff f0 | emitting length of ISAKMP Identification Payload (IPsec DOI): 16 | ***emit ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_NONE (0x0) | ID type: ID_IPV4_ADDR_SUBNET (0x4) | Protocol ID: 0 (0x0) | port: 0 (0x0) | next payload chain: setting previous 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' to current ISAKMP Identification Payload (IPsec DOI) (5:ISAKMP_NEXT_ID) | next payload chain: saving location 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' in 'reply packet' | emitting 8 raw bytes of ID body into ISAKMP Identification Payload (IPsec DOI) | ID body c0 00 02 10 ff ff ff f0 | emitting length of ISAKMP Identification Payload (IPsec DOI): 16 | quick inR1 outI2 HASH(2): | c8 a4 da 38 3c a9 4e 7d 4f 2d de 4f d8 a3 ab 50 | 29 eb ef b0 82 94 14 ce 7c 5b 29 03 0a 1f 49 a3 | compute_proto_keymat: needed_len (after ESP enc)=16 | compute_proto_keymat: needed_len (after ESP auth)=36 | FOR_EACH_CONNECTION_... in route_owner | conn westnet-eastnet-subnets/1x1 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/2x2 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/1x1 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/2x1 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/1x1 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/1x2 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/1x1 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/1x1 mark 0/00000000, 0/00000000 | route owner of "westnet-eastnet-subnets/1x1" unrouted: NULL | install_inbound_ipsec_sa() checking if we can route | could_route called for westnet-eastnet-subnets/1x1 (kind=CK_PERMANENT) | FOR_EACH_CONNECTION_... 
in route_owner | conn westnet-eastnet-subnets/1x1 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/2x2 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/1x1 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/2x1 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/1x1 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/1x2 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/1x1 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/1x1 mark 0/00000000, 0/00000000 | route owner of "westnet-eastnet-subnets/1x1" unrouted: NULL; eroute owner: NULL | routing is easy, or has resolvable near-conflict | checking if this is a replacement state | st=0x55d242313d58 ost=(nil) st->serialno=#4 ost->serialno=#0 | installing outgoing SA now as refhim=0 | looking for alg with encrypt: AES_CBC keylen: 128 integ: HMAC_SHA1_96 | encrypt AES_CBC keylen=128 transid=12, key_size=16, encryptalg=12 | st->st_esp.keymat_len=36 is encrypt_keymat_size=16 + integ_keymat_size=20 | setting IPsec SA replay-window to 32 | NIC esp-hw-offload not for connection 'westnet-eastnet-subnets/1x1' not available on interface eth1 | netlink: enabling tunnel mode | netlink: setting IPsec SA replay-window to 32 using old-style req | netlink: esp-hw-offload not set for IPsec SA | netlink response for Add SA esp.4a46f032@192.1.2.45 included non-error error | outgoing SA has refhim=0 | looking for alg with encrypt: AES_CBC keylen: 128 integ: HMAC_SHA1_96 | encrypt AES_CBC keylen=128 transid=12, key_size=16, encryptalg=12 | st->st_esp.keymat_len=36 is encrypt_keymat_size=16 + integ_keymat_size=20 | setting IPsec SA replay-window to 32 | NIC esp-hw-offload not for connection 'westnet-eastnet-subnets/1x1' not available on interface eth1 | netlink: enabling tunnel mode | netlink: setting IPsec SA replay-window to 32 using old-style req | netlink: esp-hw-offload not set for IPsec SA | netlink response for Add SA esp.b2d9847b@192.1.2.23 included non-error 
error | priority calculation of connection "westnet-eastnet-subnets/1x1" is 0xfe3e3 | add inbound eroute 192.0.1.0/28:0 --0-> 192.0.2.16/28:0 => tun.10000@192.1.2.23 (raw_eroute) | IPsec Sa SPD priority set to 1041379 | raw_eroute result=success | emitting 12 zero bytes of encryption padding into ISAKMP Message | no IKEv1 message padding required | emitting length of ISAKMP Message: 460 | finished processing quick inI1 | complete v1 state transition with STF_OK | [RE]START processing: state #4 connection "westnet-eastnet-subnets/1x1" from 192.1.2.45:500 (in complete_v1_state_transition() at ikev1.c:2673) | #4 is idle | doing_xauth:no, t_xauth_client_done:no | IKEv1: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1 | child state #4: QUICK_R0(established CHILD SA) => QUICK_R1(established CHILD SA) | event_already_set, deleting event | state #4 requesting EVENT_CRYPTO_TIMEOUT to be deleted | libevent_free: release ptr-libevent@0x7fca9c003f28 | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55d2422e1488 | sending reply packet to 192.1.2.45:500 (from 192.1.2.23:500) | sending 460 bytes for STATE_QUICK_R0 through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #4)
| !event_already_set at reschedule | event_schedule: new EVENT_RETRANSMIT-pe@0x55d2422e1488 | inserting event EVENT_RETRANSMIT, timeout in 0.5 seconds for #4 | libevent_malloc: new ptr-libevent@0x7fca8c003618 size 128 | #4 STATE_QUICK_R1: retransmits: first event in 0.5 seconds; timeout in 60 seconds; limit of 12 retransmits; current time is 11342.226521 | pstats #4 ikev1.ipsec established | NAT-T: encaps is 'auto' "westnet-eastnet-subnets/1x1" #4: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 tunnel mode {ESP=>0x4a46f032 <0xb2d9847b xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=none NATD=none DPD=passive} | modecfg pull: noquirk policy:push not-client | phase 1 is done, looking for phase 2 to unpend | resume sending helper answer for #4 suppresed complete_v1_state_transition() | #4 spent 0.796 milliseconds in resume sending helper answer | stop processing: state #4 connection "westnet-eastnet-subnets/1x1" from 192.1.2.45:500 (in resume_handler() at server.c:833) | libevent_free: release ptr-libevent@0x7fca8c0044f8 | processing resume sending helper answer for #5 | start processing: state #5 connection "westnet-eastnet-subnets/1x2" from 192.1.2.45:500 (in resume_handler() at server.c:797) | crypto helper 1 replies to request ID 9 | calling continuation function 0x55d240888b50 | quick_inI1_outR1_cryptocontinue2 for #5: calculated 
DH, sending R1 | **emit ISAKMP Message: | initiator cookie: | 58 65 7e 03 6c d2 dc 8b | responder cookie: | 8c 79 d8 bb 28 3b 88 3a | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_QUICK (0x20) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 2290284625 (0x8882f851) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Hash Payload (8:ISAKMP_NEXT_HASH) | next payload chain: saving location 'ISAKMP Hash Payload'.'next payload type' in 'reply packet' | emitting 32 zero bytes of HASH DATA into ISAKMP Hash Payload | emitting length of ISAKMP Hash Payload: 36 | ***emit ISAKMP Security Association Payload: | next payload type: ISAKMP_NEXT_NONCE (0xa) | DOI: ISAKMP_DOI_IPSEC (0x1) | next payload chain: ignoring supplied 'ISAKMP Security Association Payload'.'next payload type' value 10:ISAKMP_NEXT_NONCE | next payload chain: setting previous 'ISAKMP Hash Payload'.'next payload type' to current ISAKMP Security Association Payload (1:ISAKMP_NEXT_SA) | next payload chain: saving location 'ISAKMP Security Association Payload'.'next payload type' in 'reply packet' | ****parse IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ****parse ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 72 (0x48) | proposal number: 0 (0x0) | protocol ID: PROTO_IPSEC_ESP (0x3) | SPI size: 4 (0x4) | number of transforms: 2 (0x2) | parsing 4 raw bytes of ISAKMP Proposal Payload into SPI | SPI 1b 5f 9f 63 | *****parse ISAKMP Transform Payload (ESP): | next payload type: ISAKMP_NEXT_T (0x3) | length: 32 (0x20) | ESP transform number: 0 (0x0) | ESP transform ID: ESP_AES (0xc) | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+GROUP_DESCRIPTION (0x8003) | length/value: 14 (0xe) | [14 
is OAKLEY_GROUP_MODP2048] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+ENCAPSULATION_MODE (0x8004) | length/value: 1 (0x1) | [1 is ENCAPSULATION_MODE_TUNNEL] | NAT-T non-encap: Installing IPsec SA without ENCAP, st->hidden_variables.st_nat_traversal is none | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+SA_LIFE_TYPE (0x8001) | length/value: 1 (0x1) | [1 is SA_LIFE_TYPE_SECONDS] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+SA_LIFE_DURATION (variable length) (0x8002) | length/value: 28800 (0x7080) | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+AUTH_ALGORITHM (0x8005) | length/value: 2 (0x2) | [2 is AUTH_ALGORITHM_HMAC_SHA1] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+KEY_LENGTH (0x8006) | length/value: 128 (0x80) | ESP IPsec Transform verified unconditionally; no alg_info to check against | ****emit IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ****emit ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | proposal number: 0 (0x0) | protocol ID: PROTO_IPSEC_ESP (0x3) | SPI size: 4 (0x4) | number of transforms: 1 (0x1) | last substructure: saving location 'ISAKMP Security Association Payload'.'ISAKMP Proposal Payload'.'next payload type' | netlink_get_spi: allocated 0xb67af74a for esp.0@192.1.2.23 | emitting 4 raw bytes of SPI into ISAKMP Proposal Payload | SPI b6 7a f7 4a | *****emit ISAKMP Transform Payload (ESP): | next payload type: ISAKMP_NEXT_NONE (0x0) | ESP transform number: 0 (0x0) | ESP transform ID: ESP_AES (0xc) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ESP)'.'next payload type' | emitting 24 raw bytes of attributes into ISAKMP Transform Payload (ESP) | attributes 80 03 00 0e 80 04 00 01 80 01 00 01 80 02 70 80 | attributes 80 05 00 02 80 06 00 80 | emitting length of ISAKMP Transform Payload (ESP): 32 | emitting length of ISAKMP Proposal Payload: 44 | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform 
Payload (ESP)'.'next payload type' is 0 | emitting length of ISAKMP Security Association Payload: 56 | last substructure: checking 'ISAKMP Security Association Payload'.'ISAKMP Proposal Payload'.'next payload type' is 0 "westnet-eastnet-subnets/1x2" #5: responding to Quick Mode proposal {msgid:8882f851} "westnet-eastnet-subnets/1x2" #5: us: 192.0.2.64/26===192.1.2.23<192.1.2.23>[@east] "westnet-eastnet-subnets/1x2" #5: them: 192.1.2.45<192.1.2.45>[@west]===192.0.1.0/28 | ***emit ISAKMP Nonce Payload: | next payload type: ISAKMP_NEXT_KE (0x4) | next payload chain: ignoring supplied 'ISAKMP Nonce Payload'.'next payload type' value 4:ISAKMP_NEXT_KE | next payload chain: setting previous 'ISAKMP Security Association Payload'.'next payload type' to current ISAKMP Nonce Payload (10:ISAKMP_NEXT_NONCE) | next payload chain: saving location 'ISAKMP Nonce Payload'.'next payload type' in 'reply packet' | emitting 32 raw bytes of Nr into ISAKMP Nonce Payload | Nr 86 d4 b9 c2 6c 54 2a a2 3a fe a9 f7 ec ca ac e1 | Nr 98 2e 39 a5 84 b8 1e 6c d3 d6 0e a6 36 53 56 78 | emitting length of ISAKMP Nonce Payload: 36 | ***emit ISAKMP Key Exchange Payload: | next payload type: ISAKMP_NEXT_ID (0x5) | next payload chain: ignoring supplied 'ISAKMP Key Exchange Payload'.'next payload type' value 5:ISAKMP_NEXT_ID | next payload chain: setting previous 'ISAKMP Nonce Payload'.'next payload type' to current ISAKMP Key Exchange Payload (4:ISAKMP_NEXT_KE) | next payload chain: saving location 'ISAKMP Key Exchange Payload'.'next payload type' in 'reply packet' | emitting 256 raw bytes of keyex value into ISAKMP Key Exchange Payload
| emitting length of ISAKMP Key Exchange Payload: 260 | ***emit ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_ID (0x5) | ID type: ID_IPV4_ADDR_SUBNET (0x4) | Protocol ID: 0 (0x0) | port: 0 (0x0) | next payload chain: ignoring supplied 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' value 5:ISAKMP_NEXT_ID | next payload chain: setting previous 'ISAKMP Key Exchange Payload'.'next payload type' to current ISAKMP Identification Payload (IPsec DOI) (5:ISAKMP_NEXT_ID) | next payload chain: saving location 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' in 'reply packet' | emitting 8 raw bytes of ID body into ISAKMP Identification Payload (IPsec DOI) | ID body c0 00 01 00 ff ff ff f0 | emitting length of ISAKMP Identification Payload (IPsec DOI): 16 | ***emit ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_NONE (0x0) | ID type: ID_IPV4_ADDR_SUBNET (0x4) | Protocol ID: 0 (0x0) | port: 0 (0x0) | next payload chain: setting previous 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' to current ISAKMP Identification Payload (IPsec DOI) (5:ISAKMP_NEXT_ID) | next payload chain: saving location 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' in 'reply packet' | emitting 8 raw bytes of ID body into ISAKMP Identification Payload (IPsec DOI) | ID body c0 00 
02 40 ff ff ff c0 | emitting length of ISAKMP Identification Payload (IPsec DOI): 16 | quick inR1 outI2 HASH(2): | 75 00 9b 50 52 f3 8d 1c d3 7a bf 4b f6 03 a6 88 | ab 70 3a cb 15 95 24 86 36 97 84 e7 52 ce 21 9a | compute_proto_keymat: needed_len (after ESP enc)=16 | compute_proto_keymat: needed_len (after ESP auth)=36 | FOR_EACH_CONNECTION_... in route_owner | conn westnet-eastnet-subnets/1x2 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/2x2 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/1x2 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/2x1 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/1x2 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/1x2 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/1x2 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/1x1 mark 0/00000000, 0/00000000 | route owner of "westnet-eastnet-subnets/1x2" unrouted: NULL | install_inbound_ipsec_sa() checking if we can route | could_route called for westnet-eastnet-subnets/1x2 (kind=CK_PERMANENT) | FOR_EACH_CONNECTION_... 
in route_owner | conn westnet-eastnet-subnets/1x2 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/2x2 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/1x2 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/2x1 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/1x2 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/1x2 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/1x2 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/1x1 mark 0/00000000, 0/00000000 | route owner of "westnet-eastnet-subnets/1x2" unrouted: NULL; eroute owner: NULL | routing is easy, or has resolvable near-conflict | checking if this is a replacement state | st=0x55d242317d68 ost=(nil) st->serialno=#5 ost->serialno=#0 | installing outgoing SA now as refhim=0 | looking for alg with encrypt: AES_CBC keylen: 128 integ: HMAC_SHA1_96 | encrypt AES_CBC keylen=128 transid=12, key_size=16, encryptalg=12 | st->st_esp.keymat_len=36 is encrypt_keymat_size=16 + integ_keymat_size=20 | setting IPsec SA replay-window to 32 | NIC esp-hw-offload not for connection 'westnet-eastnet-subnets/1x2' not available on interface eth1 | netlink: enabling tunnel mode | netlink: setting IPsec SA replay-window to 32 using old-style req | netlink: esp-hw-offload not set for IPsec SA | netlink response for Add SA esp.1b5f9f63@192.1.2.45 included non-error error | outgoing SA has refhim=0 | looking for alg with encrypt: AES_CBC keylen: 128 integ: HMAC_SHA1_96 | encrypt AES_CBC keylen=128 transid=12, key_size=16, encryptalg=12 | st->st_esp.keymat_len=36 is encrypt_keymat_size=16 + integ_keymat_size=20 | setting IPsec SA replay-window to 32 | NIC esp-hw-offload not for connection 'westnet-eastnet-subnets/1x2' not available on interface eth1 | netlink: enabling tunnel mode | netlink: setting IPsec SA replay-window to 32 using old-style req | netlink: esp-hw-offload not set for IPsec SA | netlink response for Add SA esp.b67af74a@192.1.2.23 included non-error 
error | priority calculation of connection "westnet-eastnet-subnets/1x2" is 0xfe5e3 | add inbound eroute 192.0.1.0/28:0 --0-> 192.0.2.64/26:0 => tun.10000@192.1.2.23 (raw_eroute) | IPsec Sa SPD priority set to 1041891 | raw_eroute result=success | emitting 12 zero bytes of encryption padding into ISAKMP Message | no IKEv1 message padding required | emitting length of ISAKMP Message: 460 | finished processing quick inI1 | complete v1 state transition with STF_OK | [RE]START processing: state #5 connection "westnet-eastnet-subnets/1x2" from 192.1.2.45:500 (in complete_v1_state_transition() at ikev1.c:2673) | #5 is idle | doing_xauth:no, t_xauth_client_done:no | IKEv1: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1 | child state #5: QUICK_R0(established CHILD SA) => QUICK_R1(established CHILD SA) | event_already_set, deleting event | state #5 requesting EVENT_CRYPTO_TIMEOUT to be deleted | libevent_free: release ptr-libevent@0x7fca94003f28 | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55d24230d6a8 | sending reply packet to 192.1.2.45:500 (from 192.1.2.23:500) | sending 460 bytes for STATE_QUICK_R0 through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #5)
| !event_already_set at reschedule | event_schedule: new EVENT_RETRANSMIT-pe@0x55d24230d6a8 | inserting event EVENT_RETRANSMIT, timeout in 0.5 seconds for #5 | libevent_malloc: new ptr-libevent@0x7fca8c0044f8 size 128 | #5 STATE_QUICK_R1: retransmits: first event in 0.5 seconds; timeout in 60 seconds; limit of 12 retransmits; current time is 11342.227297 | pstats #5 ikev1.ipsec established | NAT-T: encaps is 'auto' "westnet-eastnet-subnets/1x2" #5: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 tunnel mode {ESP=>0x1b5f9f63 <0xb67af74a xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=none NATD=none DPD=passive} | modecfg pull: noquirk policy:push not-client | phase 1 is done, looking for phase 2 to unpend | resume sending helper answer for #5 suppresed complete_v1_state_transition() | #5 spent 0.743 milliseconds in resume sending helper answer | stop processing: state #5 connection "westnet-eastnet-subnets/1x2" from 192.1.2.45:500 (in resume_handler() at server.c:833) | libevent_free: release ptr-libevent@0x7fca98005258 | processing resume sending helper answer for #3 | start processing: state #3 connection "westnet-eastnet-subnets/2x1" from 192.1.2.45:500 (in resume_handler() at server.c:797) | crypto helper 2 replies to request ID 10 | calling continuation function 0x55d240888b50 | quick_inI1_outR1_cryptocontinue2 for #3: calculated
DH, sending R1 | **emit ISAKMP Message: | initiator cookie: | 58 65 7e 03 6c d2 dc 8b | responder cookie: | 8c 79 d8 bb 28 3b 88 3a | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_QUICK (0x20) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 2660198645 (0x9e8f68f5) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Hash Payload (8:ISAKMP_NEXT_HASH) | next payload chain: saving location 'ISAKMP Hash Payload'.'next payload type' in 'reply packet' | emitting 32 zero bytes of HASH DATA into ISAKMP Hash Payload | emitting length of ISAKMP Hash Payload: 36 | ***emit ISAKMP Security Association Payload: | next payload type: ISAKMP_NEXT_NONCE (0xa) | DOI: ISAKMP_DOI_IPSEC (0x1) | next payload chain: ignoring supplied 'ISAKMP Security Association Payload'.'next payload type' value 10:ISAKMP_NEXT_NONCE | next payload chain: setting previous 'ISAKMP Hash Payload'.'next payload type' to current ISAKMP Security Association Payload (1:ISAKMP_NEXT_SA) | next payload chain: saving location 'ISAKMP Security Association Payload'.'next payload type' in 'reply packet' | ****parse IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ****parse ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 72 (0x48) | proposal number: 0 (0x0) | protocol ID: PROTO_IPSEC_ESP (0x3) | SPI size: 4 (0x4) | number of transforms: 2 (0x2) | parsing 4 raw bytes of ISAKMP Proposal Payload into SPI | SPI 95 08 73 94 | *****parse ISAKMP Transform Payload (ESP): | next payload type: ISAKMP_NEXT_T (0x3) | length: 32 (0x20) | ESP transform number: 0 (0x0) | ESP transform ID: ESP_AES (0xc) | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+GROUP_DESCRIPTION (0x8003) | length/value: 14 (0xe) | [14 
is OAKLEY_GROUP_MODP2048] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+ENCAPSULATION_MODE (0x8004) | length/value: 1 (0x1) | [1 is ENCAPSULATION_MODE_TUNNEL] | NAT-T non-encap: Installing IPsec SA without ENCAP, st->hidden_variables.st_nat_traversal is none | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+SA_LIFE_TYPE (0x8001) | length/value: 1 (0x1) | [1 is SA_LIFE_TYPE_SECONDS] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+SA_LIFE_DURATION (variable length) (0x8002) | length/value: 28800 (0x7080) | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+AUTH_ALGORITHM (0x8005) | length/value: 2 (0x2) | [2 is AUTH_ALGORITHM_HMAC_SHA1] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+KEY_LENGTH (0x8006) | length/value: 128 (0x80) | ESP IPsec Transform verified unconditionally; no alg_info to check against | ****emit IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ****emit ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | proposal number: 0 (0x0) | protocol ID: PROTO_IPSEC_ESP (0x3) | SPI size: 4 (0x4) | number of transforms: 1 (0x1) | last substructure: saving location 'ISAKMP Security Association Payload'.'ISAKMP Proposal Payload'.'next payload type' | netlink_get_spi: allocated 0xf4455162 for esp.0@192.1.2.23 | emitting 4 raw bytes of SPI into ISAKMP Proposal Payload | SPI f4 45 51 62 | *****emit ISAKMP Transform Payload (ESP): | next payload type: ISAKMP_NEXT_NONE (0x0) | ESP transform number: 0 (0x0) | ESP transform ID: ESP_AES (0xc) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ESP)'.'next payload type' | emitting 24 raw bytes of attributes into ISAKMP Transform Payload (ESP) | attributes 80 03 00 0e 80 04 00 01 80 01 00 01 80 02 70 80 | attributes 80 05 00 02 80 06 00 80 | emitting length of ISAKMP Transform Payload (ESP): 32 | emitting length of ISAKMP Proposal Payload: 44 | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform 
Payload (ESP)'.'next payload type' is 0 | emitting length of ISAKMP Security Association Payload: 56 | last substructure: checking 'ISAKMP Security Association Payload'.'ISAKMP Proposal Payload'.'next payload type' is 0 "westnet-eastnet-subnets/2x1" #3: responding to Quick Mode proposal {msgid:9e8f68f5} "westnet-eastnet-subnets/2x1" #3: us: 192.0.2.16/28===192.1.2.23<192.1.2.23>[@east] "westnet-eastnet-subnets/2x1" #3: them: 192.1.2.45<192.1.2.45>[@west]===192.0.1.128/28 | ***emit ISAKMP Nonce Payload: | next payload type: ISAKMP_NEXT_KE (0x4) | next payload chain: ignoring supplied 'ISAKMP Nonce Payload'.'next payload type' value 4:ISAKMP_NEXT_KE | next payload chain: setting previous 'ISAKMP Security Association Payload'.'next payload type' to current ISAKMP Nonce Payload (10:ISAKMP_NEXT_NONCE) | next payload chain: saving location 'ISAKMP Nonce Payload'.'next payload type' in 'reply packet' | emitting 32 raw bytes of Nr into ISAKMP Nonce Payload | Nr f1 66 11 eb 0d 5b 9c 18 4e 58 43 31 67 83 b4 a9 | Nr 59 ef 93 16 d9 ee d0 75 b8 23 a3 52 d1 1b d4 d1 | emitting length of ISAKMP Nonce Payload: 36 | ***emit ISAKMP Key Exchange Payload: | next payload type: ISAKMP_NEXT_ID (0x5) | next payload chain: ignoring supplied 'ISAKMP Key Exchange Payload'.'next payload type' value 5:ISAKMP_NEXT_ID | next payload chain: setting previous 'ISAKMP Nonce Payload'.'next payload type' to current ISAKMP Key Exchange Payload (4:ISAKMP_NEXT_KE) | next payload chain: saving location 'ISAKMP Key Exchange Payload'.'next payload type' in 'reply packet' | emitting 256 raw bytes of keyex value into ISAKMP Key Exchange Payload
| emitting length of ISAKMP Key Exchange Payload: 260 | ***emit ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_ID (0x5) | ID type: ID_IPV4_ADDR_SUBNET (0x4) | Protocol ID: 0 (0x0) | port: 0 (0x0) | next payload chain: ignoring supplied 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' value 5:ISAKMP_NEXT_ID | next payload chain: setting previous 'ISAKMP Key Exchange Payload'.'next payload type' to current ISAKMP Identification Payload (IPsec DOI) (5:ISAKMP_NEXT_ID) | next payload chain: saving location 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' in 'reply packet' | emitting 8 raw bytes of ID body into ISAKMP Identification Payload (IPsec DOI) | ID body c0 00 01 80 ff ff ff f0 | emitting length of ISAKMP Identification Payload (IPsec DOI): 16 | ***emit ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_NONE (0x0) | ID type: ID_IPV4_ADDR_SUBNET (0x4) | Protocol ID: 0 (0x0) | port: 0 (0x0) | next payload chain: setting previous 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' to current ISAKMP Identification Payload (IPsec DOI) (5:ISAKMP_NEXT_ID) | next payload chain: saving location 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' in 'reply packet' | emitting 8 raw bytes of ID body into ISAKMP Identification Payload (IPsec DOI) | ID body c0 00
02 10 ff ff ff f0 | emitting length of ISAKMP Identification Payload (IPsec DOI): 16 | quick inR1 outI2 HASH(2): | 67 15 61 50 05 07 3b f8 a6 ff f6 f9 23 96 8b 27 | 49 43 97 3e 92 58 47 f4 ed 63 1d ec ce cf 8d 68 | compute_proto_keymat: needed_len (after ESP enc)=16 | compute_proto_keymat: needed_len (after ESP auth)=36 | FOR_EACH_CONNECTION_... in route_owner | conn westnet-eastnet-subnets/2x1 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/2x2 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/2x1 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/2x1 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/2x1 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/1x2 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/2x1 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/1x1 mark 0/00000000, 0/00000000 | route owner of "westnet-eastnet-subnets/2x1" unrouted: NULL | install_inbound_ipsec_sa() checking if we can route | could_route called for westnet-eastnet-subnets/2x1 (kind=CK_PERMANENT) | FOR_EACH_CONNECTION_... 
in route_owner | conn westnet-eastnet-subnets/2x1 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/2x2 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/2x1 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/2x1 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/2x1 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/1x2 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/2x1 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/1x1 mark 0/00000000, 0/00000000 | route owner of "westnet-eastnet-subnets/2x1" unrouted: NULL; eroute owner: NULL | routing is easy, or has resolvable near-conflict | checking if this is a replacement state | st=0x55d242311288 ost=(nil) st->serialno=#3 ost->serialno=#0 | installing outgoing SA now as refhim=0 | looking for alg with encrypt: AES_CBC keylen: 128 integ: HMAC_SHA1_96 | encrypt AES_CBC keylen=128 transid=12, key_size=16, encryptalg=12 | st->st_esp.keymat_len=36 is encrypt_keymat_size=16 + integ_keymat_size=20 | setting IPsec SA replay-window to 32 | NIC esp-hw-offload not for connection 'westnet-eastnet-subnets/2x1' not available on interface eth1 | netlink: enabling tunnel mode | netlink: setting IPsec SA replay-window to 32 using old-style req | netlink: esp-hw-offload not set for IPsec SA | netlink response for Add SA esp.95087394@192.1.2.45 included non-error error | outgoing SA has refhim=0 | looking for alg with encrypt: AES_CBC keylen: 128 integ: HMAC_SHA1_96 | encrypt AES_CBC keylen=128 transid=12, key_size=16, encryptalg=12 | st->st_esp.keymat_len=36 is encrypt_keymat_size=16 + integ_keymat_size=20 | setting IPsec SA replay-window to 32 | NIC esp-hw-offload not for connection 'westnet-eastnet-subnets/2x1' not available on interface eth1 | netlink: enabling tunnel mode | netlink: setting IPsec SA replay-window to 32 using old-style req | netlink: esp-hw-offload not set for IPsec SA | netlink response for Add SA esp.f4455162@192.1.2.23 included non-error 
error | priority calculation of connection "westnet-eastnet-subnets/2x1" is 0xfe3e3 | add inbound eroute 192.0.1.128/28:0 --0-> 192.0.2.16/28:0 => tun.10000@192.1.2.23 (raw_eroute) | IPsec Sa SPD priority set to 1041379 | raw_eroute result=success | emitting 12 zero bytes of encryption padding into ISAKMP Message | no IKEv1 message padding required | emitting length of ISAKMP Message: 460 | finished processing quick inI1 | complete v1 state transition with STF_OK | [RE]START processing: state #3 connection "westnet-eastnet-subnets/2x1" from 192.1.2.45:500 (in complete_v1_state_transition() at ikev1.c:2673) | #3 is idle | doing_xauth:no, t_xauth_client_done:no | IKEv1: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1 | child state #3: QUICK_R0(established CHILD SA) => QUICK_R1(established CHILD SA) | event_already_set, deleting event | state #3 requesting EVENT_CRYPTO_TIMEOUT to be deleted | libevent_free: release ptr-libevent@0x7fca880055c8 | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55d2423036f8 | sending reply packet to 192.1.2.45:500 (from 192.1.2.23:500) | sending 460 bytes for STATE_QUICK_R0 through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #3)
| !event_already_set at reschedule | event_schedule: new EVENT_RETRANSMIT-pe@0x55d2423036f8 | inserting event EVENT_RETRANSMIT, timeout in 0.5 seconds for #3 | libevent_malloc: new ptr-libevent@0x7fca98005258 size 128 | #3 STATE_QUICK_R1: retransmits: first event in 0.5 seconds; timeout in 60 seconds; limit of 12 retransmits; current time is 11342.227894 | pstats #3 ikev1.ipsec established | NAT-T: encaps is 'auto' "westnet-eastnet-subnets/2x1" #3: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 tunnel mode {ESP=>0x95087394 <0xf4455162 xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=none NATD=none DPD=passive} | modecfg pull: noquirk policy:push not-client | phase 1 is done, looking for phase 2 to unpend | resume sending helper answer for #3 suppresed complete_v1_state_transition() | #3 spent 0.565 milliseconds in resume sending helper answer | stop processing: state #3 connection "westnet-eastnet-subnets/2x1" from 192.1.2.45:500 (in resume_handler() at server.c:833) | libevent_free: release ptr-libevent@0x7fca9c003e78 | spent 0 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 76 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500)
| start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 58 65 7e 03 6c d2 dc 8b | responder cookie: | 8c 79 d8 bb 28 3b 88 3a | next payload type: ISAKMP_NEXT_HASH (0x8) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_QUICK (0x20) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 468613185 (0x1bee7841) | length: 76 (0x4c) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_QUICK (32) | State DB: found IKEv1 state #2 in QUICK_R1 (find_state_ikev1) | start processing: state #2 connection "westnet-eastnet-subnets/2x2" from 192.1.2.45:500 (in process_v1_packet() at ikev1.c:1633) | #2 is idle | #2 idle | received encrypted packet from 192.1.2.45:500 | got payload 0x100 (ISAKMP_NEXT_HASH) needed: 0x100 opt: 0x0 | ***parse ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 36 (0x24) | removing 12 bytes of padding | quick_inI2 HASH(3): | 6d b3 81 b7 95 a0 19 e6 16 d1 e4 3e 08 f3 99 89 | 68 df 0a ac 90 0c 3a 7c 36 1f 3e 19 14 3f 45 23 | received 'quick_inI2' message HASH(3) data ok | install_ipsec_sa() for #2: outbound only | could_route called for westnet-eastnet-subnets/2x2 (kind=CK_PERMANENT) | FOR_EACH_CONNECTION_...
in route_owner | conn westnet-eastnet-subnets/2x2 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/2x2 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/2x2 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/2x1 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/2x2 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/1x2 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/2x2 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/1x1 mark 0/00000000, 0/00000000 | route owner of "westnet-eastnet-subnets/2x2" unrouted: NULL; eroute owner: NULL | sr for #2: unrouted | route_and_eroute() for proto 0, and source port 0 dest port 0 | FOR_EACH_CONNECTION_... in route_owner | conn westnet-eastnet-subnets/2x2 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/2x2 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/2x2 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/2x1 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/2x2 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/1x2 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/2x2 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/1x1 mark 0/00000000, 0/00000000 | route owner of "westnet-eastnet-subnets/2x2" unrouted: NULL; eroute owner: NULL | route_and_eroute with c: westnet-eastnet-subnets/2x2 (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: #2 | priority calculation of connection "westnet-eastnet-subnets/2x2" is 0xfe5e3 | eroute_connection add eroute 192.0.2.64/26:0 --0-> 192.0.1.128/28:0 => tun.0@192.1.2.45 (raw_eroute) | IPsec Sa SPD priority set to 1041891 | raw_eroute result=success | running updown command "ipsec _updown" for verb up | command executing up-client | executing up-client: PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='westnet-eastnet-subnets/2x2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' 
PLUTO_MY_CLIENT='192.0.2.64/26' PLUTO_MY_CLIENT_NET='192.0.2.64' PLUTO_MY_CLIENT_MASK='255.255.255.192' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16400' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='@west' PLUTO_PEER_CLIENT='192.0.1.128/28' PLUTO_PEER_CLIENT_NET='192.0.1.128' PLUTO_PEER_CLIENT_MASK='255.255.255.240' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED= | popen cmd is 1056 chars long | cmd( 0):PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='westnet-eastnet-sub: | cmd( 80):nets/2x2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.2: | cmd( 160):3' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.64/26' PLUTO_MY_CLIENT_NET='192.: | cmd( 240):0.2.64' PLUTO_MY_CLIENT_MASK='255.255.255.192' PLUTO_MY_PORT='0' PLUTO_MY_PROTOC: | cmd( 320):OL='0' PLUTO_SA_REQID='16400' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_: | cmd( 400):PEER_ID='@west' PLUTO_PEER_CLIENT='192.0.1.128/28' PLUTO_PEER_CLIENT_NET='192.0.: | cmd( 480):1.128' PLUTO_PEER_CLIENT_MASK='255.255.255.240' PLUTO_PEER_PORT='0' PLUTO_PEER_P: | cmd( 560):ROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_P: | cmd( 640):OLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' : | cmd( 720):PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO: | cmd( 800):_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_B: | cmd( 880):ANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_I: | cmd( 960):FACE='' 
VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0xfae87546 SPI_OUT=0x700402af ip: | cmd(1040):sec _updown 2>&1: | route_and_eroute: firewall_notified: true | running updown command "ipsec _updown" for verb prepare | command executing prepare-client | executing prepare-client: PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='westnet-eastnet-subnets/2x2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.64/26' PLUTO_MY_CLIENT_NET='192.0.2.64' PLUTO_MY_CLIENT_MASK='255.255.255.192' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16400' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='@west' PLUTO_PEER_CLIENT='192.0.1.128/28' PLUTO_PEER_CLIENT_NET='192.0.1.128' PLUTO_PEER_CLIENT_MASK='255.255.255.240' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' V | popen cmd is 1061 chars long | cmd( 0):PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='westnet-eastne: | cmd( 80):t-subnets/2x2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.: | cmd( 160):1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.64/26' PLUTO_MY_CLIENT_NET=: | cmd( 240):'192.0.2.64' PLUTO_MY_CLIENT_MASK='255.255.255.192' PLUTO_MY_PORT='0' PLUTO_MY_P: | cmd( 320):ROTOCOL='0' PLUTO_SA_REQID='16400' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' P: | cmd( 400):LUTO_PEER_ID='@west' PLUTO_PEER_CLIENT='192.0.1.128/28' PLUTO_PEER_CLIENT_NET='1: | cmd( 480):92.0.1.128' PLUTO_PEER_CLIENT_MASK='255.255.255.240' PLUTO_PEER_PORT='0' PLUTO_P: | cmd( 560):EER_PROTOCOL='0' PLUTO_PEER_CA='' 
PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_C: | cmd( 640):ONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN: | cmd( 720):_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 : | cmd( 800):PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_P: | cmd( 880):EER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' : | cmd( 960):VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0xfae87546 SPI_OUT=0x700402: | cmd(1040):af ipsec _updown 2>&1: | running updown command "ipsec _updown" for verb route | command executing route-client | executing route-client: PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='westnet-eastnet-subnets/2x2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.64/26' PLUTO_MY_CLIENT_NET='192.0.2.64' PLUTO_MY_CLIENT_MASK='255.255.255.192' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16400' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='@west' PLUTO_PEER_CLIENT='192.0.1.128/28' PLUTO_PEER_CLIENT_NET='192.0.1.128' PLUTO_PEER_CLIENT_MASK='255.255.255.240' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_S | popen cmd is 1059 chars long | cmd( 0):PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='westnet-eastnet-: | cmd( 80):subnets/2x2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.: | cmd( 160):2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.64/26' PLUTO_MY_CLIENT_NET='1: | cmd( 240):92.0.2.64' 
PLUTO_MY_CLIENT_MASK='255.255.255.192' PLUTO_MY_PORT='0' PLUTO_MY_PRO: | cmd( 320):TOCOL='0' PLUTO_SA_REQID='16400' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLU: | cmd( 400):TO_PEER_ID='@west' PLUTO_PEER_CLIENT='192.0.1.128/28' PLUTO_PEER_CLIENT_NET='192: | cmd( 480):.0.1.128' PLUTO_PEER_CLIENT_MASK='255.255.255.240' PLUTO_PEER_PORT='0' PLUTO_PEE: | cmd( 560):R_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CON: | cmd( 640):N_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_N: | cmd( 720):O' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PL: | cmd( 800):UTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEE: | cmd( 880):R_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VT: | cmd( 960):I_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0xfae87546 SPI_OUT=0x700402af: | cmd(1040): ipsec _updown 2>&1: | route_and_eroute: instance "westnet-eastnet-subnets/2x2", setting eroute_owner {spd=0x55d242301888,sr=0x55d242301888} to #2 (was #0) (newest_ipsec_sa=#0) | #1 spent 1.55 milliseconds in install_ipsec_sa() | inI2: instance westnet-eastnet-subnets/2x2[0], setting IKEv1 newest_ipsec_sa to #2 (was #0) (spd.eroute=#2) cloned from #1 | DPD: dpd_init() called on IPsec SA | DPD: Peer does not support Dead Peer Detection | complete v1 state transition with STF_OK | [RE]START processing: state #2 connection "westnet-eastnet-subnets/2x2" from 192.1.2.45:500 (in complete_v1_state_transition() at ikev1.c:2673) | #2 is idle | doing_xauth:no, t_xauth_client_done:no | IKEv1: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2 | child state #2: QUICK_R1(established CHILD SA) => QUICK_R2(established CHILD SA) | event_already_set, deleting event | state #2 requesting EVENT_RETRANSMIT to be deleted | #2 STATE_QUICK_R2: retransmits: cleared | libevent_free: release ptr-libevent@0x7fca90003f28 | free_event_entry: release 
EVENT_RETRANSMIT-pe@0x7fcaa0002b78 | !event_already_set at reschedule | event_schedule: new EVENT_SA_REPLACE-pe@0x7fcaa0002b78 | inserting event EVENT_SA_REPLACE, timeout in 28530 seconds for #2 | libevent_malloc: new ptr-libevent@0x7fca9c003e78 size 128 | pstats #2 ikev1.ipsec established | NAT-T: encaps is 'auto' "westnet-eastnet-subnets/2x2" #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0xfae87546 <0x700402af xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=none NATD=none DPD=passive} | modecfg pull: noquirk policy:push not-client | phase 1 is done, looking for phase 2 to unpend | #2 spent 1.66 milliseconds in process_packet_tail() | stop processing: from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:380) | stop processing: state #2 connection "westnet-eastnet-subnets/2x2" from 192.1.2.45:500 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 1.83 milliseconds in comm_handle_cb() reading and processing packet | processing signal PLUTO_SIGCHLD | waitpid returned ECHILD (no child processes left) | spent 0.0048 milliseconds in signal handler PLUTO_SIGCHLD | processing signal PLUTO_SIGCHLD | waitpid returned ECHILD (no child processes left) | spent 0.00293 milliseconds in signal handler PLUTO_SIGCHLD | processing signal PLUTO_SIGCHLD | waitpid returned ECHILD (no child processes left) | spent 0.00292 milliseconds in signal handler PLUTO_SIGCHLD | spent 0.00213 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 76 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500) | 58 65 7e 03 6c d2 dc 8b 8c 79 d8 bb 28 3b 88 3a | 08 10 20 01 68 f2 34 3d 00 00 00 4c 9e 45 5a f7 | 4e b7 0a ac 75 15 7a 02 52 0a d3 ee a5 af d1 3a | e3 d7 85 4c 3f a0 2f ef b3 f5 6d da dd 89 99 a4 | 87 57 5d 60 fa ef 38 e6 8e 06 75 57 | start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 58 65 7e 03 6c d2 dc 8b | responder cookie: | 8c 79 
d8 bb 28 3b 88 3a | next payload type: ISAKMP_NEXT_HASH (0x8) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_QUICK (0x20) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 1760703549 (0x68f2343d) | length: 76 (0x4c) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_QUICK (32) | State DB: found IKEv1 state #4 in QUICK_R1 (find_state_ikev1) | start processing: state #4 connection "westnet-eastnet-subnets/1x1" from 192.1.2.45:500 (in process_v1_packet() at ikev1.c:1633) | #4 is idle | #4 idle | received encrypted packet from 192.1.2.45:500 | got payload 0x100 (ISAKMP_NEXT_HASH) needed: 0x100 opt: 0x0 | ***parse ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 36 (0x24) | removing 12 bytes of padding | quick_inI2 HASH(3): | af 1a 0c 3e 11 37 51 83 4f ee 44 65 03 25 ca f4 | 37 34 60 87 e9 80 8f 8d cc 98 3b c4 2b a4 d2 21 | received 'quick_inI2' message HASH(3) data ok | install_ipsec_sa() for #4: outbound only | could_route called for westnet-eastnet-subnets/1x1 (kind=CK_PERMANENT) | FOR_EACH_CONNECTION_... in route_owner | conn westnet-eastnet-subnets/1x1 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/2x2 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/1x1 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/2x1 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/1x1 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/1x2 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/1x1 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/1x1 mark 0/00000000, 0/00000000 | route owner of "westnet-eastnet-subnets/1x1" unrouted: NULL; eroute owner: NULL | sr for #4: unrouted | route_and_eroute() for proto 0, and source port 0 dest port 0 | FOR_EACH_CONNECTION_... 
in route_owner | conn westnet-eastnet-subnets/1x1 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/2x2 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/1x1 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/2x1 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/1x1 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/1x2 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/1x1 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/1x1 mark 0/00000000, 0/00000000 | route owner of "westnet-eastnet-subnets/1x1" unrouted: NULL; eroute owner: NULL | route_and_eroute with c: westnet-eastnet-subnets/1x1 (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: #4 | priority calculation of connection "westnet-eastnet-subnets/1x1" is 0xfe3e3 | eroute_connection add eroute 192.0.2.16/28:0 --0-> 192.0.1.0/28:0 => tun.0@192.1.2.45 (raw_eroute) | IPsec Sa SPD priority set to 1041379 | raw_eroute result=success | running updown command "ipsec _updown" for verb up | command executing up-client | executing up-client: PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='westnet-eastnet-subnets/1x1' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.16/28' PLUTO_MY_CLIENT_NET='192.0.2.16' PLUTO_MY_CLIENT_MASK='255.255.255.240' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='@west' PLUTO_PEER_CLIENT='192.0.1.0/28' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.240' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' 
PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' | popen cmd is 1052 chars long | cmd( 0):PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='westnet-eastnet-sub: | cmd( 80):nets/1x1' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.2: | cmd( 160):3' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.16/28' PLUTO_MY_CLIENT_NET='192.: | cmd( 240):0.2.16' PLUTO_MY_CLIENT_MASK='255.255.255.240' PLUTO_MY_PORT='0' PLUTO_MY_PROTOC: | cmd( 320):OL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_: | cmd( 400):PEER_ID='@west' PLUTO_PEER_CLIENT='192.0.1.0/28' PLUTO_PEER_CLIENT_NET='192.0.1.: | cmd( 480):0' PLUTO_PEER_CLIENT_MASK='255.255.255.240' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTO: | cmd( 560):COL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLIC: | cmd( 640):Y='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUT: | cmd( 720):O_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_: | cmd( 800):PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNE: | cmd( 880):R='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE: | cmd( 960):='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x4a46f032 SPI_OUT=0xb2d9847b ipsec : | cmd(1040):_updown 2>&1: | route_and_eroute: firewall_notified: true | running updown command "ipsec _updown" for verb prepare | command executing prepare-client | executing prepare-client: PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='westnet-eastnet-subnets/1x1' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.16/28' PLUTO_MY_CLIENT_NET='192.0.2.16' PLUTO_MY_CLIENT_MASK='255.255.255.240' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='@west' PLUTO_PEER_CLIENT='192.0.1.0/28' 
PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.240' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_S | popen cmd is 1057 chars long | cmd( 0):PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='westnet-eastne: | cmd( 80):t-subnets/1x1' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.: | cmd( 160):1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.16/28' PLUTO_MY_CLIENT_NET=: | cmd( 240):'192.0.2.16' PLUTO_MY_CLIENT_MASK='255.255.255.240' PLUTO_MY_PORT='0' PLUTO_MY_P: | cmd( 320):ROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' P: | cmd( 400):LUTO_PEER_ID='@west' PLUTO_PEER_CLIENT='192.0.1.0/28' PLUTO_PEER_CLIENT_NET='192: | cmd( 480):.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.240' PLUTO_PEER_PORT='0' PLUTO_PEER_: | cmd( 560):PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_: | cmd( 640):POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO': | cmd( 720): PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUT: | cmd( 800):O_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_: | cmd( 880):BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_: | cmd( 960):IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x4a46f032 SPI_OUT=0xb2d9847b i: | cmd(1040):psec _updown 2>&1: | running updown command "ipsec _updown" for verb route | command executing route-client | executing route-client: PLUTO_VERB='route-client' PLUTO_VERSION='2.0' 
PLUTO_CONNECTION='westnet-eastnet-subnets/1x1' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.16/28' PLUTO_MY_CLIENT_NET='192.0.2.16' PLUTO_MY_CLIENT_MASK='255.255.255.240' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='@west' PLUTO_PEER_CLIENT='192.0.1.0/28' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.240' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARE | popen cmd is 1055 chars long | cmd( 0):PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='westnet-eastnet-: | cmd( 80):subnets/1x1' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.: | cmd( 160):2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.16/28' PLUTO_MY_CLIENT_NET='1: | cmd( 240):92.0.2.16' PLUTO_MY_CLIENT_MASK='255.255.255.240' PLUTO_MY_PORT='0' PLUTO_MY_PRO: | cmd( 320):TOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLU: | cmd( 400):TO_PEER_ID='@west' PLUTO_PEER_CLIENT='192.0.1.0/28' PLUTO_PEER_CLIENT_NET='192.0: | cmd( 480):.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.240' PLUTO_PEER_PORT='0' PLUTO_PEER_PR: | cmd( 560):OTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_PO: | cmd( 640):LICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' P: | cmd( 720):LUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_: | cmd( 800):IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' 
PLUTO_PEER_BA: | cmd( 880):NNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IF: | cmd( 960):ACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x4a46f032 SPI_OUT=0xb2d9847b ips: | cmd(1040):ec _updown 2>&1: | route_and_eroute: instance "westnet-eastnet-subnets/1x1", setting eroute_owner {spd=0x55d2422ff758,sr=0x55d2422ff758} to #4 (was #0) (newest_ipsec_sa=#0) | #1 spent 1.76 milliseconds in install_ipsec_sa() | inI2: instance westnet-eastnet-subnets/1x1[0], setting IKEv1 newest_ipsec_sa to #4 (was #0) (spd.eroute=#4) cloned from #1 | DPD: dpd_init() called on IPsec SA | DPD: Peer does not support Dead Peer Detection | complete v1 state transition with STF_OK | [RE]START processing: state #4 connection "westnet-eastnet-subnets/1x1" from 192.1.2.45:500 (in complete_v1_state_transition() at ikev1.c:2673) | #4 is idle | doing_xauth:no, t_xauth_client_done:no | IKEv1: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2 | child state #4: QUICK_R1(established CHILD SA) => QUICK_R2(established CHILD SA) | event_already_set, deleting event | state #4 requesting EVENT_RETRANSMIT to be deleted | #4 STATE_QUICK_R2: retransmits: cleared | libevent_free: release ptr-libevent@0x7fca8c003618 | free_event_entry: release EVENT_RETRANSMIT-pe@0x55d2422e1488 | !event_already_set at reschedule | event_schedule: new EVENT_SA_REPLACE-pe@0x55d2422e1488 | inserting event EVENT_SA_REPLACE, timeout in 28530 seconds for #4 | libevent_malloc: new ptr-libevent@0x55d242308ce8 size 128 | pstats #4 ikev1.ipsec established | NAT-T: encaps is 'auto' "westnet-eastnet-subnets/1x1" #4: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x4a46f032 <0xb2d9847b xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=none NATD=none DPD=passive} | modecfg pull: noquirk policy:push not-client | phase 1 is done, looking for phase 2 to unpend | #4 spent 1.86 milliseconds in process_packet_tail() | stop processing: from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:380) | stop 
processing: state #4 connection "westnet-eastnet-subnets/1x1" from 192.1.2.45:500 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 2.06 milliseconds in comm_handle_cb() reading and processing packet | spent 0.00187 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 76 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500) | 58 65 7e 03 6c d2 dc 8b 8c 79 d8 bb 28 3b 88 3a | 08 10 20 01 88 82 f8 51 00 00 00 4c a8 28 aa 96 | 3a e1 56 ad d9 5e 9e dc 1d d0 e6 45 63 97 d9 ee | 02 90 14 e3 bf 40 d3 79 29 1d fe 44 8d 6d 29 4b | 89 85 33 4a ef de f1 06 30 6d 76 67 | start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 58 65 7e 03 6c d2 dc 8b | responder cookie: | 8c 79 d8 bb 28 3b 88 3a | next payload type: ISAKMP_NEXT_HASH (0x8) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_QUICK (0x20) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 2290284625 (0x8882f851) | length: 76 (0x4c) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_QUICK (32) | State DB: found IKEv1 state #5 in QUICK_R1 (find_state_ikev1) | start processing: state #5 connection "westnet-eastnet-subnets/1x2" from 192.1.2.45:500 (in process_v1_packet() at ikev1.c:1633) | #5 is idle | #5 idle | received encrypted packet from 192.1.2.45:500 | got payload 0x100 (ISAKMP_NEXT_HASH) needed: 0x100 opt: 0x0 | ***parse ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 36 (0x24) | removing 12 bytes of padding | quick_inI2 HASH(3): | ce 51 4c db e7 76 ac b9 99 c8 9d 33 41 7b c8 3c | ca 53 29 99 98 09 69 71 cd b7 22 45 66 fb d8 ae | received 'quick_inI2' message HASH(3) data ok | install_ipsec_sa() for #5: outbound only | could_route called for westnet-eastnet-subnets/1x2 (kind=CK_PERMANENT) | FOR_EACH_CONNECTION_... 
in route_owner | conn westnet-eastnet-subnets/1x2 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/2x2 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/1x2 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/2x1 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/1x2 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/1x2 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/1x2 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/1x1 mark 0/00000000, 0/00000000 | route owner of "westnet-eastnet-subnets/1x2" unrouted: "westnet-eastnet-subnets/1x1" erouted; eroute owner: NULL | sr for #5: unrouted | route_and_eroute() for proto 0, and source port 0 dest port 0 | FOR_EACH_CONNECTION_... in route_owner | conn westnet-eastnet-subnets/1x2 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/2x2 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/1x2 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/2x1 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/1x2 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/1x2 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/1x2 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/1x1 mark 0/00000000, 0/00000000 | route owner of "westnet-eastnet-subnets/1x2" unrouted: "westnet-eastnet-subnets/1x1" erouted; eroute owner: NULL | route_and_eroute with c: westnet-eastnet-subnets/1x2 (next: none) ero:null esr:{(nil)} ro:westnet-eastnet-subnets/1x1 rosr:{0x55d2422ff758} and state: #5 | priority calculation of connection "westnet-eastnet-subnets/1x2" is 0xfe5e3 | eroute_connection add eroute 192.0.2.64/26:0 --0-> 192.0.1.0/28:0 => tun.0@192.1.2.45 (raw_eroute) | IPsec Sa SPD priority set to 1041891 | raw_eroute result=success | running updown command "ipsec _updown" for verb up | command executing up-client | executing up-client: PLUTO_VERB='up-client' PLUTO_VERSION='2.0' 
PLUTO_CONNECTION='westnet-eastnet-subnets/1x2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.64/26' PLUTO_MY_CLIENT_NET='192.0.2.64' PLUTO_MY_CLIENT_MASK='255.255.255.192' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='@west' PLUTO_PEER_CLIENT='192.0.1.0/28' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.240' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' | popen cmd is 1052 chars long | cmd( 0):PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='westnet-eastnet-sub: | cmd( 80):nets/1x2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.2: | cmd( 160):3' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.64/26' PLUTO_MY_CLIENT_NET='192.: | cmd( 240):0.2.64' PLUTO_MY_CLIENT_MASK='255.255.255.192' PLUTO_MY_PORT='0' PLUTO_MY_PROTOC: | cmd( 320):OL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_: | cmd( 400):PEER_ID='@west' PLUTO_PEER_CLIENT='192.0.1.0/28' PLUTO_PEER_CLIENT_NET='192.0.1.: | cmd( 480):0' PLUTO_PEER_CLIENT_MASK='255.255.255.240' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTO: | cmd( 560):COL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLIC: | cmd( 640):Y='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUT: | cmd( 720):O_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_: | cmd( 800):PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' 
PLUTO_PEER_BANNE: | cmd( 880):R='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE: | cmd( 960):='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x1b5f9f63 SPI_OUT=0xb67af74a ipsec : | cmd(1040):_updown 2>&1: | route_and_eroute: firewall_notified: true | route_and_eroute: instance "westnet-eastnet-subnets/1x2", setting eroute_owner {spd=0x55d242300a48,sr=0x55d242300a48} to #5 (was #0) (newest_ipsec_sa=#0) | #1 spent 0.536 milliseconds in install_ipsec_sa() | inI2: instance westnet-eastnet-subnets/1x2[0], setting IKEv1 newest_ipsec_sa to #5 (was #0) (spd.eroute=#5) cloned from #1 | DPD: dpd_init() called on IPsec SA | DPD: Peer does not support Dead Peer Detection | complete v1 state transition with STF_OK | [RE]START processing: state #5 connection "westnet-eastnet-subnets/1x2" from 192.1.2.45:500 (in complete_v1_state_transition() at ikev1.c:2673) | #5 is idle | doing_xauth:no, t_xauth_client_done:no | IKEv1: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2 | child state #5: QUICK_R1(established CHILD SA) => QUICK_R2(established CHILD SA) | event_already_set, deleting event | state #5 requesting EVENT_RETRANSMIT to be deleted | #5 STATE_QUICK_R2: retransmits: cleared | libevent_free: release ptr-libevent@0x7fca8c0044f8 | free_event_entry: release EVENT_RETRANSMIT-pe@0x55d24230d6a8 | !event_already_set at reschedule | event_schedule: new EVENT_SA_REPLACE-pe@0x55d24230d6a8 | inserting event EVENT_SA_REPLACE, timeout in 28530 seconds for #5 | libevent_malloc: new ptr-libevent@0x55d242306338 size 128 | pstats #5 ikev1.ipsec established | NAT-T: encaps is 'auto' "westnet-eastnet-subnets/1x2" #5: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x1b5f9f63 <0xb67af74a xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=none NATD=none DPD=passive} | modecfg pull: noquirk policy:push not-client | phase 1 is done, looking for phase 2 to unpend | #5 spent 0.614 milliseconds in process_packet_tail() | stop processing: from 192.1.2.45:500 (BACKGROUND) 
(in process_md() at demux.c:380) | stop processing: state #5 connection "westnet-eastnet-subnets/1x2" from 192.1.2.45:500 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.741 milliseconds in comm_handle_cb() reading and processing packet | processing signal PLUTO_SIGCHLD | waitpid returned ECHILD (no child processes left) | spent 0.00347 milliseconds in signal handler PLUTO_SIGCHLD | processing signal PLUTO_SIGCHLD | waitpid returned ECHILD (no child processes left) | spent 0.00191 milliseconds in signal handler PLUTO_SIGCHLD | processing signal PLUTO_SIGCHLD | waitpid returned ECHILD (no child processes left) | spent 0.00188 milliseconds in signal handler PLUTO_SIGCHLD | processing signal PLUTO_SIGCHLD | waitpid returned ECHILD (no child processes left) | spent 0.00186 milliseconds in signal handler PLUTO_SIGCHLD | spent 0.002 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 76 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500) | 58 65 7e 03 6c d2 dc 8b 8c 79 d8 bb 28 3b 88 3a | 08 10 20 01 9e 8f 68 f5 00 00 00 4c 92 c2 67 fa | 9c 21 19 ba 01 cd 92 0a 07 75 07 d0 0c ac ad be | b0 0a 52 3a 01 59 d9 9b 81 6b 38 f1 21 f1 b8 bf | 23 e3 ae 86 87 da 7b d5 5a 90 3a ac | start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 58 65 7e 03 6c d2 dc 8b | responder cookie: | 8c 79 d8 bb 28 3b 88 3a | next payload type: ISAKMP_NEXT_HASH (0x8) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_QUICK (0x20) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 2660198645 (0x9e8f68f5) | length: 76 (0x4c) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_QUICK (32) | State DB: found IKEv1 state #3 in QUICK_R1 (find_state_ikev1) | start processing: state #3 connection "westnet-eastnet-subnets/2x1" from 192.1.2.45:500 (in process_v1_packet() at ikev1.c:1633) | #3 is idle | #3 idle 
| received encrypted packet from 192.1.2.45:500 | got payload 0x100 (ISAKMP_NEXT_HASH) needed: 0x100 opt: 0x0 | ***parse ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 36 (0x24) | removing 12 bytes of padding | quick_inI2 HASH(3): | b9 c3 75 e9 5e 12 b8 e8 7e 08 1d 4c 43 74 29 e9 | 5c 72 3c ab 6b 63 6a 43 10 6e 80 b4 c0 e0 25 a2 | received 'quick_inI2' message HASH(3) data ok | install_ipsec_sa() for #3: outbound only | could_route called for westnet-eastnet-subnets/2x1 (kind=CK_PERMANENT) | FOR_EACH_CONNECTION_... in route_owner | conn westnet-eastnet-subnets/2x1 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/2x2 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/2x1 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/2x1 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/2x1 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/1x2 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/2x1 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/1x1 mark 0/00000000, 0/00000000 | route owner of "westnet-eastnet-subnets/2x1" unrouted: "westnet-eastnet-subnets/2x2" erouted; eroute owner: NULL | sr for #3: unrouted | route_and_eroute() for proto 0, and source port 0 dest port 0 | FOR_EACH_CONNECTION_... 
in route_owner | conn westnet-eastnet-subnets/2x1 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/2x2 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/2x1 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/2x1 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/2x1 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/1x2 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/2x1 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/1x1 mark 0/00000000, 0/00000000 | route owner of "westnet-eastnet-subnets/2x1" unrouted: "westnet-eastnet-subnets/2x2" erouted; eroute owner: NULL | route_and_eroute with c: westnet-eastnet-subnets/2x1 (next: none) ero:null esr:{(nil)} ro:westnet-eastnet-subnets/2x2 rosr:{0x55d242301888} and state: #3 | priority calculation of connection "westnet-eastnet-subnets/2x1" is 0xfe3e3 | eroute_connection add eroute 192.0.2.16/28:0 --0-> 192.0.1.128/28:0 => tun.0@192.1.2.45 (raw_eroute) | IPsec Sa SPD priority set to 1041379 | raw_eroute result=success | running updown command "ipsec _updown" for verb up | command executing up-client | executing up-client: PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='westnet-eastnet-subnets/2x1' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.16/28' PLUTO_MY_CLIENT_NET='192.0.2.16' PLUTO_MY_CLIENT_MASK='255.255.255.240' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16396' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='@west' PLUTO_PEER_CLIENT='192.0.1.128/28' PLUTO_PEER_CLIENT_NET='192.0.1.128' PLUTO_PEER_CLIENT_MASK='255.255.255.240' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' 
PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED= | popen cmd is 1056 chars long | cmd( 0):PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='westnet-eastnet-sub: | cmd( 80):nets/2x1' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.2: | cmd( 160):3' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.16/28' PLUTO_MY_CLIENT_NET='192.: | cmd( 240):0.2.16' PLUTO_MY_CLIENT_MASK='255.255.255.240' PLUTO_MY_PORT='0' PLUTO_MY_PROTOC: | cmd( 320):OL='0' PLUTO_SA_REQID='16396' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_: | cmd( 400):PEER_ID='@west' PLUTO_PEER_CLIENT='192.0.1.128/28' PLUTO_PEER_CLIENT_NET='192.0.: | cmd( 480):1.128' PLUTO_PEER_CLIENT_MASK='255.255.255.240' PLUTO_PEER_PORT='0' PLUTO_PEER_P: | cmd( 560):ROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_P: | cmd( 640):OLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' : | cmd( 720):PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO: | cmd( 800):_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_B: | cmd( 880):ANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_I: | cmd( 960):FACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x95087394 SPI_OUT=0xf4455162 ip: | cmd(1040):sec _updown 2>&1: | route_and_eroute: firewall_notified: true | route_and_eroute: instance "westnet-eastnet-subnets/2x1", setting eroute_owner {spd=0x55d242301078,sr=0x55d242301078} to #3 (was #0) (newest_ipsec_sa=#0) | #1 spent 0.512 milliseconds in install_ipsec_sa() | inI2: instance westnet-eastnet-subnets/2x1[0], setting IKEv1 newest_ipsec_sa to #3 (was #0) (spd.eroute=#3) cloned from #1 | DPD: dpd_init() called on IPsec SA | DPD: Peer does not support Dead Peer Detection | complete v1 state transition with STF_OK | [RE]START processing: state #3 connection 
"westnet-eastnet-subnets/2x1" from 192.1.2.45:500 (in complete_v1_state_transition() at ikev1.c:2673) | #3 is idle | doing_xauth:no, t_xauth_client_done:no | IKEv1: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2 | child state #3: QUICK_R1(established CHILD SA) => QUICK_R2(established CHILD SA) | event_already_set, deleting event | state #3 requesting EVENT_RETRANSMIT to be deleted | #3 STATE_QUICK_R2: retransmits: cleared | libevent_free: release ptr-libevent@0x7fca98005258 | free_event_entry: release EVENT_RETRANSMIT-pe@0x55d2423036f8 | !event_already_set at reschedule | event_schedule: new EVENT_SA_REPLACE-pe@0x55d2423036f8 | inserting event EVENT_SA_REPLACE, timeout in 28530 seconds for #3 | libevent_malloc: new ptr-libevent@0x55d242311d78 size 128 | pstats #3 ikev1.ipsec established | NAT-T: encaps is 'auto' "westnet-eastnet-subnets/2x1" #3: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x95087394 <0xf4455162 xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=none NATD=none DPD=passive} | modecfg pull: noquirk policy:push not-client | phase 1 is done, looking for phase 2 to unpend | #3 spent 0.6 milliseconds in process_packet_tail() | stop processing: from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:380) | stop processing: state #3 connection "westnet-eastnet-subnets/2x1" from 192.1.2.45:500 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.732 milliseconds in comm_handle_cb() reading and processing packet | processing signal PLUTO_SIGCHLD | waitpid returned ECHILD (no child processes left) | spent 0.00465 milliseconds in signal handler PLUTO_SIGCHLD | spent 0.0026 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 476 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500)
| start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 58 65 7e 03 6c d2 dc 8b | responder cookie: | 8c 79 d8 bb 28 3b 88 3a | next payload type: ISAKMP_NEXT_HASH (0x8) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_QUICK (0x20) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 4137151458 (0xf697ebe2) | length: 476 (0x1dc) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_QUICK (32) | State DB: IKEv1 state not found (find_state_ikev1) | State DB: found IKEv1 state #1 in MAIN_R3 (find_state_ikev1) | start processing: state #1 connection "westnet-eastnet-subnets/2x2" from 
192.1.2.45:500 (in process_v1_packet() at ikev1.c:1607) | #1 is idle | #1 idle | received encrypted packet from 192.1.2.45:500 | got payload 0x100 (ISAKMP_NEXT_HASH) needed: 0x502 opt: 0x200030 | ***parse ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_SA (0x1) | length: 36 (0x24) | got payload 0x2 (ISAKMP_NEXT_SA) needed: 0x402 opt: 0x200030 | ***parse ISAKMP Security Association Payload: | next payload type: ISAKMP_NEXT_NONCE (0xa) | length: 84 (0x54) | DOI: ISAKMP_DOI_IPSEC (0x1) | got payload 0x400 (ISAKMP_NEXT_NONCE) needed: 0x400 opt: 0x200030 | ***parse ISAKMP Nonce Payload: | next payload type: ISAKMP_NEXT_KE (0x4) | length: 36 (0x24) | got payload 0x10 (ISAKMP_NEXT_KE) needed: 0x0 opt: 0x200030 | ***parse ISAKMP Key Exchange Payload: | next payload type: ISAKMP_NEXT_ID (0x5) | length: 260 (0x104) | got payload 0x20 (ISAKMP_NEXT_ID) needed: 0x0 opt: 0x200030 | ***parse ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_ID (0x5) | length: 16 (0x10) | ID type: ID_IPV4_ADDR_SUBNET (0x4) | Protocol ID: 0 (0x0) | port: 0 (0x0) | obj: c0 00 01 00 ff ff ff f0 | got payload 0x20 (ISAKMP_NEXT_ID) needed: 0x0 opt: 0x200030 | ***parse ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 16 (0x10) | ID type: ID_IPV4_ADDR_SUBNET (0x4) | Protocol ID: 0 (0x0) | port: 0 (0x0) | obj: c0 00 02 10 ff ff ff f0 | quick_inI1_outR1 HASH(1): | 4b 68 1f be 51 57 f9 d6 ac 88 fc 6f 3c f6 a3 22 | 0a 29 2b b0 43 2e 16 86 a3 89 44 fd 55 b2 49 e7 | received 'quick_inI1_outR1' message HASH(1) data ok | parsing 4 raw bytes of ISAKMP Identification Payload (IPsec DOI) into ID address | ID address c0 00 01 00 | parsing 4 raw bytes of ISAKMP Identification Payload (IPsec DOI) into ID mask | ID mask ff ff ff f0 | peer client is subnet 192.0.1.0/28 | peer client protocol/port is 0/0 | parsing 4 raw bytes of ISAKMP Identification Payload (IPsec DOI) into ID address | ID address c0 00 02 10 | parsing 4 raw bytes of ISAKMP 
Identification Payload (IPsec DOI) into ID mask | ID mask ff ff ff f0 | our client is subnet 192.0.2.16/28 | our client protocol/port is 0/0 "westnet-eastnet-subnets/2x2" #1: the peer proposed: 192.0.2.16/28:0/0 -> 192.0.1.0/28:0/0 | find_client_connection starting with westnet-eastnet-subnets/2x2 | looking for 192.0.2.16/28:0/0 -> 192.0.1.0/28:0/0 | concrete checking against sr#0 192.0.2.64/26 -> 192.0.1.128/28 | match_id a=@west | b=@west | results matched | fc_try trying westnet-eastnet-subnets/2x2:192.0.2.16/28:0/0 -> 192.0.1.0/28:0/0 vs westnet-eastnet-subnets/2x2:192.0.2.64/26:0/0 -> 192.0.1.128/28:0/0 | our client (192.0.2.64/26) not in our_net (192.0.2.16/28) | match_id a=@west | b=@west | results matched | fc_try trying westnet-eastnet-subnets/2x2:192.0.2.16/28:0/0 -> 192.0.1.0/28:0/0 vs westnet-eastnet-subnets/2x1:192.0.2.16/28:0/0 -> 192.0.1.128/28:0/0 | their client (192.0.1.128/28) not in same peer_net (192.0.1.0/28) | match_id a=@west | b=@west | results matched | fc_try trying westnet-eastnet-subnets/2x2:192.0.2.16/28:0/0 -> 192.0.1.0/28:0/0 vs westnet-eastnet-subnets/1x2:192.0.2.64/26:0/0 -> 192.0.1.0/28:0/0 | our client (192.0.2.64/26) not in our_net (192.0.2.16/28) | match_id a=@west | b=@west | results matched | fc_try trying westnet-eastnet-subnets/2x2:192.0.2.16/28:0/0 -> 192.0.1.0/28:0/0 vs westnet-eastnet-subnets/1x1:192.0.2.16/28:0/0 -> 192.0.1.0/28:0/0 | fc_try concluding with westnet-eastnet-subnets/1x1 [256] | fc_try westnet-eastnet-subnets/2x2 gives westnet-eastnet-subnets/1x1 | concluding with d = westnet-eastnet-subnets/1x1 | using connection "westnet-eastnet-subnets/1x1" | client wildcard: no port wildcard: no virtual: no | creating state object #6 at 0x55d242314848 | State DB: adding IKEv1 state #6 in UNDEFINED | pstats #6 ikev1.ipsec started | duplicating state object #1 "westnet-eastnet-subnets/2x2" as #6 for IPSEC SA | #6 setting local endpoint to 192.1.2.23:500 from #1.st_localport (in duplicate_state() at state.c:1484) | in 
connection_discard for connection westnet-eastnet-subnets/2x2 | start processing: connection "westnet-eastnet-subnets/1x1" (BACKGROUND) (in quick_inI1_outR1_tail() at ikev1_quick.c:1286) | suspend processing: state #1 connection "westnet-eastnet-subnets/2x2" from 192.1.2.45:500 (in quick_inI1_outR1_tail() at ikev1_quick.c:1295) | start processing: state #6 connection "westnet-eastnet-subnets/1x1" from 192.1.2.45:500 (in quick_inI1_outR1_tail() at ikev1_quick.c:1295) | child state #6: UNDEFINED(ignore) => QUICK_R0(established CHILD SA) | ****parse IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ****parse ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 72 (0x48) | proposal number: 0 (0x0) | protocol ID: PROTO_IPSEC_ESP (0x3) | SPI size: 4 (0x4) | number of transforms: 2 (0x2) | parsing 4 raw bytes of ISAKMP Proposal Payload into SPI | SPI fb e2 7b d0 | *****parse ISAKMP Transform Payload (ESP): | next payload type: ISAKMP_NEXT_T (0x3) | length: 32 (0x20) | ESP transform number: 0 (0x0) | ESP transform ID: ESP_AES (0xc) | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+GROUP_DESCRIPTION (0x8003) | length/value: 14 (0xe) | [14 is OAKLEY_GROUP_MODP2048] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+ENCAPSULATION_MODE (0x8004) | length/value: 1 (0x1) | [1 is ENCAPSULATION_MODE_TUNNEL] | NAT-T non-encap: Installing IPsec SA without ENCAP, st->hidden_variables.st_nat_traversal is none | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+SA_LIFE_TYPE (0x8001) | length/value: 1 (0x1) | [1 is SA_LIFE_TYPE_SECONDS] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+SA_LIFE_DURATION (variable length) (0x8002) | length/value: 28800 (0x7080) | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+AUTH_ALGORITHM (0x8005) | length/value: 2 (0x2) | [2 is AUTH_ALGORITHM_HMAC_SHA1] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+KEY_LENGTH (0x8006) | length/value: 128 (0x80) | ESP IPsec Transform verified 
unconditionally; no alg_info to check against | adding quick_outI1 KE work-order 11 for state #6 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x7fca90004218 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #6 | libevent_malloc: new ptr-libevent@0x55d2423120c8 size 128 | complete v1 state transition with STF_SUSPEND | [RE]START processing: state #6 connection "westnet-eastnet-subnets/1x1" from 192.1.2.45:500 (in complete_v1_state_transition() at ikev1.c:2648) | suspending state #6 and saving MD | #6 is busy; has a suspended MD | #1 spent 0.169 milliseconds in process_packet_tail() | stop processing: from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:380) | stop processing: state #6 connection "westnet-eastnet-subnets/1x1" from 192.1.2.45:500 (in process_md() at demux.c:382) | resume processing: connection "westnet-eastnet-subnets/1x1" (in process_md() at demux.c:382) | stop processing: connection "westnet-eastnet-subnets/1x1" (in process_md() at demux.c:383) | spent 0.393 milliseconds in comm_handle_cb() reading and processing packet | crypto helper 5 resuming | crypto helper 5 starting work-order 11 for state #6 | crypto helper 5 doing build KE and nonce (quick_outI1 KE); request ID 11 | spent 0.00226 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 476 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500)
| start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 58 65 7e 03 6c d2 dc 8b | responder cookie: | 8c 79 d8 bb 28 3b 88 3a | next payload type: ISAKMP_NEXT_HASH (0x8) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_QUICK (0x20) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 3864703546 (0xe65ab23a) | length: 476 (0x1dc) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_QUICK (32) | State DB: IKEv1 state not found (find_state_ikev1) | State DB: found IKEv1 state #1 in MAIN_R3 (find_state_ikev1) | start processing: state #1 connection "westnet-eastnet-subnets/2x2" from 192.1.2.45:500 (in process_v1_packet() at ikev1.c:1607) | #1 is idle | #1 idle | received encrypted packet from 192.1.2.45:500 | got payload 0x100 (ISAKMP_NEXT_HASH) needed: 0x502 opt: 0x200030 | ***parse ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_SA (0x1) | length: 36 (0x24) | got payload 0x2 (ISAKMP_NEXT_SA) needed: 0x402 opt: 0x200030 | ***parse ISAKMP Security Association Payload: | next payload type:
ISAKMP_NEXT_NONCE (0xa) | length: 84 (0x54) | DOI: ISAKMP_DOI_IPSEC (0x1) | got payload 0x400 (ISAKMP_NEXT_NONCE) needed: 0x400 opt: 0x200030 | ***parse ISAKMP Nonce Payload: | next payload type: ISAKMP_NEXT_KE (0x4) | length: 36 (0x24) | got payload 0x10 (ISAKMP_NEXT_KE) needed: 0x0 opt: 0x200030 | ***parse ISAKMP Key Exchange Payload: | next payload type: ISAKMP_NEXT_ID (0x5) | length: 260 (0x104) | got payload 0x20 (ISAKMP_NEXT_ID) needed: 0x0 opt: 0x200030 | ***parse ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_ID (0x5) | length: 16 (0x10) | ID type: ID_IPV4_ADDR_SUBNET (0x4) | Protocol ID: 0 (0x0) | port: 0 (0x0) | obj: c0 00 01 00 ff ff ff f0 | got payload 0x20 (ISAKMP_NEXT_ID) needed: 0x0 opt: 0x200030 | ***parse ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 16 (0x10) | ID type: ID_IPV4_ADDR_SUBNET (0x4) | Protocol ID: 0 (0x0) | port: 0 (0x0) | obj: c0 00 02 40 ff ff ff c0 | quick_inI1_outR1 HASH(1): | e6 8b 6e 82 ca 45 d0 56 a3 99 e8 a4 92 26 86 72 | ef 3f 11 21 67 6a 7d 55 20 8a 04 19 33 6f c6 e1 | received 'quick_inI1_outR1' message HASH(1) data ok | parsing 4 raw bytes of ISAKMP Identification Payload (IPsec DOI) into ID address | ID address c0 00 01 00 | parsing 4 raw bytes of ISAKMP Identification Payload (IPsec DOI) into ID mask | ID mask ff ff ff f0 | peer client is subnet 192.0.1.0/28 | peer client protocol/port is 0/0 | parsing 4 raw bytes of ISAKMP Identification Payload (IPsec DOI) into ID address | ID address c0 00 02 40 | parsing 4 raw bytes of ISAKMP Identification Payload (IPsec DOI) into ID mask | ID mask ff ff ff c0 | our client is subnet 192.0.2.64/26 | our client protocol/port is 0/0 "westnet-eastnet-subnets/2x2" #1: the peer proposed: 192.0.2.64/26:0/0 -> 192.0.1.0/28:0/0 | find_client_connection starting with westnet-eastnet-subnets/2x2 | looking for 192.0.2.64/26:0/0 -> 192.0.1.0/28:0/0 | concrete checking against sr#0 192.0.2.64/26 -> 192.0.1.128/28 | 
match_id a=@west | b=@west | results matched | fc_try trying westnet-eastnet-subnets/2x2:192.0.2.64/26:0/0 -> 192.0.1.0/28:0/0 vs westnet-eastnet-subnets/2x2:192.0.2.64/26:0/0 -> 192.0.1.128/28:0/0 | their client (192.0.1.128/28) not in same peer_net (192.0.1.0/28) | match_id a=@west | b=@west | results matched | fc_try trying westnet-eastnet-subnets/2x2:192.0.2.64/26:0/0 -> 192.0.1.0/28:0/0 vs westnet-eastnet-subnets/2x1:192.0.2.16/28:0/0 -> 192.0.1.128/28:0/0 | our client (192.0.2.16/28) not in our_net (192.0.2.64/26) | match_id a=@west | b=@west | results matched | fc_try trying westnet-eastnet-subnets/2x2:192.0.2.64/26:0/0 -> 192.0.1.0/28:0/0 vs westnet-eastnet-subnets/1x2:192.0.2.64/26:0/0 -> 192.0.1.0/28:0/0 | match_id a=@west | b=@west | results matched | fc_try trying westnet-eastnet-subnets/2x2:192.0.2.64/26:0/0 -> 192.0.1.0/28:0/0 vs westnet-eastnet-subnets/1x1:192.0.2.16/28:0/0 -> 192.0.1.0/28:0/0 | our client (192.0.2.16/28) not in our_net (192.0.2.64/26) | fc_try concluding with westnet-eastnet-subnets/1x2 [256] | fc_try westnet-eastnet-subnets/2x2 gives westnet-eastnet-subnets/1x2 | concluding with d = westnet-eastnet-subnets/1x2 | using connection "westnet-eastnet-subnets/1x2" | client wildcard: no port wildcard: no virtual: no | creating state object #7 at 0x55d242319428 | State DB: adding IKEv1 state #7 in UNDEFINED | pstats #7 ikev1.ipsec started | duplicating state object #1 "westnet-eastnet-subnets/2x2" as #7 for IPSEC SA | #7 setting local endpoint to 192.1.2.23:500 from #1.st_localport (in duplicate_state() at state.c:1484) | in connection_discard for connection westnet-eastnet-subnets/2x2 | start processing: connection "westnet-eastnet-subnets/1x2" (BACKGROUND) (in quick_inI1_outR1_tail() at ikev1_quick.c:1286) | suspend processing: state #1 connection "westnet-eastnet-subnets/2x2" from 192.1.2.45:500 (in quick_inI1_outR1_tail() at ikev1_quick.c:1295) | start processing: state #7 connection "westnet-eastnet-subnets/1x2" from 192.1.2.45:500 
(in quick_inI1_outR1_tail() at ikev1_quick.c:1295) | child state #7: UNDEFINED(ignore) => QUICK_R0(established CHILD SA) | ****parse IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ****parse ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 72 (0x48) | proposal number: 0 (0x0) | protocol ID: PROTO_IPSEC_ESP (0x3) | SPI size: 4 (0x4) | number of transforms: 2 (0x2) | parsing 4 raw bytes of ISAKMP Proposal Payload into SPI | SPI 5c 64 f4 78 | *****parse ISAKMP Transform Payload (ESP): | next payload type: ISAKMP_NEXT_T (0x3) | length: 32 (0x20) | ESP transform number: 0 (0x0) | ESP transform ID: ESP_AES (0xc) | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+GROUP_DESCRIPTION (0x8003) | length/value: 14 (0xe) | [14 is OAKLEY_GROUP_MODP2048] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+ENCAPSULATION_MODE (0x8004) | length/value: 1 (0x1) | [1 is ENCAPSULATION_MODE_TUNNEL] | NAT-T non-encap: Installing IPsec SA without ENCAP, st->hidden_variables.st_nat_traversal is none | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+SA_LIFE_TYPE (0x8001) | length/value: 1 (0x1) | [1 is SA_LIFE_TYPE_SECONDS] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+SA_LIFE_DURATION (variable length) (0x8002) | length/value: 28800 (0x7080) | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+AUTH_ALGORITHM (0x8005) | length/value: 2 (0x2) | [2 is AUTH_ALGORITHM_HMAC_SHA1] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+KEY_LENGTH (0x8006) | length/value: 128 (0x80) | ESP IPsec Transform verified unconditionally; no alg_info to check against | adding quick_outI1 KE work-order 12 for state #7 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x7fca880058b8 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #7 | libevent_malloc: new ptr-libevent@0x55d242315338 size 128 | complete v1 state transition with STF_SUSPEND | [RE]START processing: state #7 connection "westnet-eastnet-subnets/1x2" from 
192.1.2.45:500 (in complete_v1_state_transition() at ikev1.c:2648) | suspending state #7 and saving MD | #7 is busy; has a suspended MD | #1 spent 0.185 milliseconds in process_packet_tail() | stop processing: from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:380) | crypto helper 4 resuming | crypto helper 4 starting work-order 12 for state #7 | crypto helper 4 doing build KE and nonce (quick_outI1 KE); request ID 12 | stop processing: state #7 connection "westnet-eastnet-subnets/1x2" from 192.1.2.45:500 (in process_md() at demux.c:382) | resume processing: connection "westnet-eastnet-subnets/1x2" (in process_md() at demux.c:382) | stop processing: connection "westnet-eastnet-subnets/1x2" (in process_md() at demux.c:383) | spent 0.397 milliseconds in comm_handle_cb() reading and processing packet | spent 0.00133 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 476 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500)
| start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 58 65 7e 03 6c d2 dc 8b | responder cookie: | 8c 79 d8 bb 28 3b 88 3a | next payload type: ISAKMP_NEXT_HASH (0x8) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_QUICK (0x20) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 1486657262 (0x589c96ee) | length: 476 (0x1dc) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_QUICK (32) | State DB: IKEv1 state not found (find_state_ikev1) | State DB: found IKEv1 state #1 in MAIN_R3 (find_state_ikev1) | start processing: state #1 connection "westnet-eastnet-subnets/2x2" from 192.1.2.45:500 (in process_v1_packet() at ikev1.c:1607) | #1 is idle | #1 idle | received encrypted packet from 192.1.2.45:500 | got payload 0x100 (ISAKMP_NEXT_HASH) needed: 0x502 opt: 0x200030 | ***parse ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_SA (0x1) | length: 36 (0x24) | got payload 0x2 (ISAKMP_NEXT_SA) needed: 0x402 opt: 0x200030 | ***parse ISAKMP Security Association Payload: | next payload type: ISAKMP_NEXT_NONCE (0xa) | length: 84 (0x54) | DOI: ISAKMP_DOI_IPSEC (0x1) | got payload 0x400 (ISAKMP_NEXT_NONCE) needed: 0x400 opt: 0x200030 | ***parse ISAKMP Nonce Payload: | next payload type: ISAKMP_NEXT_KE (0x4) | length: 36 (0x24) | got payload 0x10 (ISAKMP_NEXT_KE) needed: 0x0 opt: 0x200030 | ***parse ISAKMP Key Exchange Payload: | next payload type: ISAKMP_NEXT_ID (0x5) | length: 260 (0x104) | got payload
0x20 (ISAKMP_NEXT_ID) needed: 0x0 opt: 0x200030 | ***parse ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_ID (0x5) | length: 16 (0x10) | ID type: ID_IPV4_ADDR_SUBNET (0x4) | Protocol ID: 0 (0x0) | port: 0 (0x0) | obj: c0 00 01 80 ff ff ff f0 | got payload 0x20 (ISAKMP_NEXT_ID) needed: 0x0 opt: 0x200030 | ***parse ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 16 (0x10) | ID type: ID_IPV4_ADDR_SUBNET (0x4) | Protocol ID: 0 (0x0) | port: 0 (0x0) | obj: c0 00 02 10 ff ff ff f0 | quick_inI1_outR1 HASH(1): | 5d 05 19 9c 7f 71 be a5 d0 a0 bf d7 29 8a a6 0f | 73 8c d5 dc 54 b1 d4 e2 71 a6 77 19 0b fe f5 15 | received 'quick_inI1_outR1' message HASH(1) data ok | parsing 4 raw bytes of ISAKMP Identification Payload (IPsec DOI) into ID address | ID address c0 00 01 80 | parsing 4 raw bytes of ISAKMP Identification Payload (IPsec DOI) into ID mask | ID mask ff ff ff f0 | peer client is subnet 192.0.1.128/28 | peer client protocol/port is 0/0 | parsing 4 raw bytes of ISAKMP Identification Payload (IPsec DOI) into ID address | ID address c0 00 02 10 | parsing 4 raw bytes of ISAKMP Identification Payload (IPsec DOI) into ID mask | ID mask ff ff ff f0 | our client is subnet 192.0.2.16/28 | our client protocol/port is 0/0 "westnet-eastnet-subnets/2x2" #1: the peer proposed: 192.0.2.16/28:0/0 -> 192.0.1.128/28:0/0 | find_client_connection starting with westnet-eastnet-subnets/2x2 | looking for 192.0.2.16/28:0/0 -> 192.0.1.128/28:0/0 | concrete checking against sr#0 192.0.2.64/26 -> 192.0.1.128/28 | match_id a=@west | b=@west | results matched | fc_try trying westnet-eastnet-subnets/2x2:192.0.2.16/28:0/0 -> 192.0.1.128/28:0/0 vs westnet-eastnet-subnets/2x2:192.0.2.64/26:0/0 -> 192.0.1.128/28:0/0 | our client (192.0.2.64/26) not in our_net (192.0.2.16/28) | match_id a=@west | b=@west | results matched | fc_try trying westnet-eastnet-subnets/2x2:192.0.2.16/28:0/0 -> 192.0.1.128/28:0/0 vs 
westnet-eastnet-subnets/2x1:192.0.2.16/28:0/0 -> 192.0.1.128/28:0/0 | match_id a=@west | b=@west | results matched | fc_try trying westnet-eastnet-subnets/2x2:192.0.2.16/28:0/0 -> 192.0.1.128/28:0/0 vs westnet-eastnet-subnets/1x2:192.0.2.64/26:0/0 -> 192.0.1.0/28:0/0 | our client (192.0.2.64/26) not in our_net (192.0.2.16/28) | match_id a=@west | b=@west | results matched | fc_try trying westnet-eastnet-subnets/2x2:192.0.2.16/28:0/0 -> 192.0.1.128/28:0/0 vs westnet-eastnet-subnets/1x1:192.0.2.16/28:0/0 -> 192.0.1.0/28:0/0 | their client (192.0.1.0/28) not in same peer_net (192.0.1.128/28) | fc_try concluding with westnet-eastnet-subnets/2x1 [256] | fc_try westnet-eastnet-subnets/2x2 gives westnet-eastnet-subnets/2x1 | concluding with d = westnet-eastnet-subnets/2x1 | using connection "westnet-eastnet-subnets/2x1" | client wildcard: no port wildcard: no virtual: no | creating state object #8 at 0x55d2423200c8 | State DB: adding IKEv1 state #8 in UNDEFINED | pstats #8 ikev1.ipsec started | duplicating state object #1 "westnet-eastnet-subnets/2x2" as #8 for IPSEC SA | #8 setting local endpoint to 192.1.2.23:500 from #1.st_localport (in duplicate_state() at state.c:1484) | in connection_discard for connection westnet-eastnet-subnets/2x2 | start processing: connection "westnet-eastnet-subnets/2x1" (BACKGROUND) (in quick_inI1_outR1_tail() at ikev1_quick.c:1286) | suspend processing: state #1 connection "westnet-eastnet-subnets/2x2" from 192.1.2.45:500 (in quick_inI1_outR1_tail() at ikev1_quick.c:1295) | start processing: state #8 connection "westnet-eastnet-subnets/2x1" from 192.1.2.45:500 (in quick_inI1_outR1_tail() at ikev1_quick.c:1295) | child state #8: UNDEFINED(ignore) => QUICK_R0(established CHILD SA) | ****parse IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ****parse ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 72 (0x48) | proposal number: 0 (0x0) | protocol ID: PROTO_IPSEC_ESP (0x3) | SPI size: 4 (0x4) | number of 
transforms: 2 (0x2) | parsing 4 raw bytes of ISAKMP Proposal Payload into SPI | SPI ab e5 8c 79 | *****parse ISAKMP Transform Payload (ESP): | next payload type: ISAKMP_NEXT_T (0x3) | length: 32 (0x20) | ESP transform number: 0 (0x0) | ESP transform ID: ESP_AES (0xc) | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+GROUP_DESCRIPTION (0x8003) | length/value: 14 (0xe) | [14 is OAKLEY_GROUP_MODP2048] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+ENCAPSULATION_MODE (0x8004) | length/value: 1 (0x1) | [1 is ENCAPSULATION_MODE_TUNNEL] | NAT-T non-encap: Installing IPsec SA without ENCAP, st->hidden_variables.st_nat_traversal is none | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+SA_LIFE_TYPE (0x8001) | length/value: 1 (0x1) | [1 is SA_LIFE_TYPE_SECONDS] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+SA_LIFE_DURATION (variable length) (0x8002) | length/value: 28800 (0x7080) | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+AUTH_ALGORITHM (0x8005) | length/value: 2 (0x2) | [2 is AUTH_ALGORITHM_HMAC_SHA1] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+KEY_LENGTH (0x8006) | length/value: 128 (0x80) | ESP IPsec Transform verified unconditionally; no alg_info to check against | adding quick_outI1 KE work-order 13 for state #8 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55d242312178 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #8 | libevent_malloc: new ptr-libevent@0x55d242319f18 size 128 | complete v1 state transition with STF_SUSPEND | [RE]START processing: state #8 connection "westnet-eastnet-subnets/2x1" from 192.1.2.45:500 (in complete_v1_state_transition() at ikev1.c:2648) | suspending state #8 and saving MD | #8 is busy; has a suspended MD | #1 spent 0.167 milliseconds in process_packet_tail() | crypto helper 3 resuming | stop processing: from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:380) | crypto helper 3 starting work-order 13 for state #8 | stop processing: state #8 connection
"westnet-eastnet-subnets/2x1" from 192.1.2.45:500 (in process_md() at demux.c:382) | crypto helper 3 doing build KE and nonce (quick_outI1 KE); request ID 13 | resume processing: connection "westnet-eastnet-subnets/2x1" (in process_md() at demux.c:382) | stop processing: connection "westnet-eastnet-subnets/2x1" (in process_md() at demux.c:383) | spent 0.352 milliseconds in comm_handle_cb() reading and processing packet | spent 0.00123 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 476 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500)
| start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 58 65 7e 03 6c d2 dc 8b | responder cookie: | 8c 79 d8 bb 28 3b 88 3a | next payload type: ISAKMP_NEXT_HASH (0x8) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_QUICK (0x20) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 3223976075 (0xc029f88b) | length: 476 (0x1dc) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_QUICK (32) | State DB: IKEv1 state not found (find_state_ikev1) | State DB: found IKEv1 state #1 in MAIN_R3 (find_state_ikev1) | start processing: state #1 connection "westnet-eastnet-subnets/2x2" from 192.1.2.45:500 (in process_v1_packet() at ikev1.c:1607) | #1 is idle | #1 idle | received encrypted packet from 192.1.2.45:500 | got payload 0x100 (ISAKMP_NEXT_HASH) needed: 0x502 opt: 0x200030 | ***parse ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_SA (0x1) | length: 36 (0x24) | got payload 0x2 (ISAKMP_NEXT_SA) needed: 0x402 opt: 0x200030 | ***parse ISAKMP Security Association Payload: | next payload type: ISAKMP_NEXT_NONCE (0xa) | length: 84 (0x54) | DOI: ISAKMP_DOI_IPSEC (0x1) | got payload 0x400 (ISAKMP_NEXT_NONCE) needed: 0x400 opt: 0x200030 | ***parse ISAKMP Nonce Payload: | next payload type: ISAKMP_NEXT_KE (0x4) | length: 36 (0x24) | got payload 0x10 (ISAKMP_NEXT_KE) needed: 0x0 opt: 0x200030 | ***parse ISAKMP Key Exchange Payload: | next payload type: ISAKMP_NEXT_ID (0x5) | length: 260 (0x104) | got payload 0x20 (ISAKMP_NEXT_ID) needed: 0x0 opt: 0x200030 | ***parse ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_ID (0x5) | length: 16 (0x10) | ID type: ID_IPV4_ADDR_SUBNET (0x4) | Protocol ID: 0 (0x0) | port: 0 (0x0) | obj: c0 00 01 80 ff ff ff f0 | got payload 0x20 (ISAKMP_NEXT_ID) needed: 0x0 opt: 0x200030 | ***parse ISAKMP Identification Payload (IPsec DOI): | next
payload type: ISAKMP_NEXT_NONE (0x0) | length: 16 (0x10) | ID type: ID_IPV4_ADDR_SUBNET (0x4) | Protocol ID: 0 (0x0) | port: 0 (0x0) | obj: c0 00 02 40 ff ff ff c0 | quick_inI1_outR1 HASH(1): | 57 1b a4 e4 f4 dc 95 95 54 6e 2f cd 2b 65 86 43 | 5d 09 e9 57 c9 fc e7 34 66 b5 7f 5b 9f d7 ac 18 | received 'quick_inI1_outR1' message HASH(1) data ok | parsing 4 raw bytes of ISAKMP Identification Payload (IPsec DOI) into ID address | ID address c0 00 01 80 | parsing 4 raw bytes of ISAKMP Identification Payload (IPsec DOI) into ID mask | ID mask ff ff ff f0 | peer client is subnet 192.0.1.128/28 | peer client protocol/port is 0/0 | parsing 4 raw bytes of ISAKMP Identification Payload (IPsec DOI) into ID address | ID address c0 00 02 40 | parsing 4 raw bytes of ISAKMP Identification Payload (IPsec DOI) into ID mask | ID mask ff ff ff c0 | our client is subnet 192.0.2.64/26 | our client protocol/port is 0/0 "westnet-eastnet-subnets/2x2" #1: the peer proposed: 192.0.2.64/26:0/0 -> 192.0.1.128/28:0/0 | find_client_connection starting with westnet-eastnet-subnets/2x2 | looking for 192.0.2.64/26:0/0 -> 192.0.1.128/28:0/0 | concrete checking against sr#0 192.0.2.64/26 -> 192.0.1.128/28 | client wildcard: no port wildcard: no virtual: no | creating state object #9 at 0x55d242321788 | State DB: adding IKEv1 state #9 in UNDEFINED | pstats #9 ikev1.ipsec started | duplicating state object #1 "westnet-eastnet-subnets/2x2" as #9 for IPSEC SA | #9 setting local endpoint to 192.1.2.23:500 from #1.st_localport (in duplicate_state() at state.c:1484) | suspend processing: state #1 connection "westnet-eastnet-subnets/2x2" from 192.1.2.45:500 (in quick_inI1_outR1_tail() at ikev1_quick.c:1295) | start processing: state #9 connection "westnet-eastnet-subnets/2x2" from 192.1.2.45:500 (in quick_inI1_outR1_tail() at ikev1_quick.c:1295) | child state #9: UNDEFINED(ignore) => QUICK_R0(established CHILD SA) | ****parse IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ****parse ISAKMP 
Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 72 (0x48) | proposal number: 0 (0x0) | protocol ID: PROTO_IPSEC_ESP (0x3) | SPI size: 4 (0x4) | number of transforms: 2 (0x2) | parsing 4 raw bytes of ISAKMP Proposal Payload into SPI | SPI e5 0f f3 33 | *****parse ISAKMP Transform Payload (ESP): | next payload type: ISAKMP_NEXT_T (0x3) | length: 32 (0x20) | ESP transform number: 0 (0x0) | ESP transform ID: ESP_AES (0xc) | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+GROUP_DESCRIPTION (0x8003) | length/value: 14 (0xe) | [14 is OAKLEY_GROUP_MODP2048] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+ENCAPSULATION_MODE (0x8004) | length/value: 1 (0x1) | [1 is ENCAPSULATION_MODE_TUNNEL] | NAT-T non-encap: Installing IPsec SA without ENCAP, st->hidden_variables.st_nat_traversal is none | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+SA_LIFE_TYPE (0x8001) | length/value: 1 (0x1) | [1 is SA_LIFE_TYPE_SECONDS] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+SA_LIFE_DURATION (variable length) (0x8002) | length/value: 28800 (0x7080) | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+AUTH_ALGORITHM (0x8005) | length/value: 2 (0x2) | [2 is AUTH_ALGORITHM_HMAC_SHA1] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+KEY_LENGTH (0x8006) | length/value: 128 (0x80) | ESP IPsec Transform verified unconditionally; no alg_info to check against | adding quick_outI1 KE work-order 14 for state #9 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55d2423124c8 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #9 | libevent_malloc: new ptr-libevent@0x55d242307d68 size 128 | complete v1 state transition with STF_SUSPEND | [RE]START processing: state #9 connection "westnet-eastnet-subnets/2x2" from 192.1.2.45:500 (in complete_v1_state_transition() at ikev1.c:2648) | suspending state #9 and saving MD | #9 is busy; has a suspended MD | crypto helper 0 resuming | #1 spent 0.112 milliseconds in process_packet_tail() | 
crypto helper 0 starting work-order 14 for state #9 | stop processing: from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:380) | crypto helper 0 doing build KE and nonce (quick_outI1 KE); request ID 14 | stop processing: state #9 connection "westnet-eastnet-subnets/2x2" from 192.1.2.45:500 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.276 milliseconds in comm_handle_cb() reading and processing packet | crypto helper 3 finished build KE and nonce (quick_outI1 KE); request ID 13 time elapsed 0.00087 seconds | (#8) spent 0.558 milliseconds in crypto helper computing work-order 13: quick_outI1 KE (pcr) | crypto helper 3 sending results from work-order 13 for state #8 to event queue | scheduling resume sending helper answer for #8 | libevent_malloc: new ptr-libevent@0x7fca9000a028 size 128 | crypto helper 3 waiting (nothing to do) | crypto helper 5 finished build KE and nonce (quick_outI1 KE); request ID 11 time elapsed 0.001868 seconds | (#6) spent 0.687 milliseconds in crypto helper computing work-order 11: quick_outI1 KE (pcr) | crypto helper 5 sending results from work-order 11 for state #6 to event queue | scheduling resume sending helper answer for #6 | libevent_malloc: new ptr-libevent@0x7fca94008998 size 128 | libevent_realloc: release ptr-libevent@0x55d242300018 | libevent_realloc: new ptr-libevent@0x7fca94008ba8 size 256 | crypto helper 5 waiting (nothing to do) | processing resume sending helper answer for #8 | start processing: state #8 connection "westnet-eastnet-subnets/2x1" from 192.1.2.45:500 (in resume_handler() at server.c:797) | crypto helper 3 replies to request ID 13 | calling continuation function 0x55d240888b50 | quick_inI1_outR1_cryptocontinue1 for #8: calculated ke+nonce, calculating DH | started looking for secret for @east->@west of kind PKK_PSK | actually looking for secret for @east->@west of kind PKK_PSK | line 1: key type PKK_PSK(@east) to type PKK_RSA | concluding 
with best_match=000 best=(nil) (lineno=-1) | no PreShared Key Found | adding quick outR1 DH work-order 15 for state #8 | state #8 requesting EVENT_CRYPTO_TIMEOUT to be deleted | libevent_free: release ptr-libevent@0x55d242319f18 | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55d242312178 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55d242312178 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #8 | libevent_malloc: new ptr-libevent@0x55d242319f18 size 128 | suspending state #8 and saving MD | #8 is busy; has a suspended MD | resume sending helper answer for #8 suppresed complete_v1_state_transition() and stole MD | #8 spent 0.0376 milliseconds in resume sending helper answer | stop processing: state #8 connection "westnet-eastnet-subnets/2x1" from 192.1.2.45:500 (in resume_handler() at server.c:833) | libevent_free: release ptr-libevent@0x7fca9000a028 | processing resume sending helper answer for #6 | start processing: state #6 connection "westnet-eastnet-subnets/1x1" from 192.1.2.45:500 (in resume_handler() at server.c:797) | crypto helper 5 replies to request ID 11 | calling continuation function 0x55d240888b50 | quick_inI1_outR1_cryptocontinue1 for #6: calculated ke+nonce, calculating DH | started looking for secret for @east->@west of kind PKK_PSK | actually looking for secret for @east->@west of kind PKK_PSK | line 1: key type PKK_PSK(@east) to type PKK_RSA | concluding with best_match=000 best=(nil) (lineno=-1) | no PreShared Key Found | adding quick outR1 DH work-order 16 for state #6 | state #6 requesting EVENT_CRYPTO_TIMEOUT to be deleted | libevent_free: release ptr-libevent@0x55d2423120c8 | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x7fca90004218 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x7fca90004218 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #6 | libevent_malloc: new ptr-libevent@0x7fca9000a028 size 128 | suspending state #6 and saving MD | #6 is busy; has a suspended MD | resume sending 
helper answer for #6 suppresed complete_v1_state_transition() and stole MD | crypto helper 6 resuming | crypto helper 6 starting work-order 15 for state #8 | #6 spent 0.0309 milliseconds in resume sending helper answer | crypto helper 6 doing compute dh (V1 Phase 2 PFS) (quick outR1 DH); request ID 15 | stop processing: state #6 connection "westnet-eastnet-subnets/1x1" from 192.1.2.45:500 (in resume_handler() at server.c:833) | libevent_free: release ptr-libevent@0x7fca94008998 | crypto helper 1 resuming | crypto helper 1 starting work-order 16 for state #6 | crypto helper 1 doing compute dh (V1 Phase 2 PFS) (quick outR1 DH); request ID 16 | crypto helper 4 finished build KE and nonce (quick_outI1 KE); request ID 12 time elapsed 0.002026 seconds | crypto helper 0 finished build KE and nonce (quick_outI1 KE); request ID 14 time elapsed 0.001119 seconds | (#7) spent 0.76 milliseconds in crypto helper computing work-order 12: quick_outI1 KE (pcr) | (#9) spent 0.639 milliseconds in crypto helper computing work-order 14: quick_outI1 KE (pcr) | crypto helper 4 sending results from work-order 12 for state #7 to event queue | crypto helper 0 sending results from work-order 14 for state #9 to event queue | scheduling resume sending helper answer for #9 | libevent_malloc: new ptr-libevent@0x7fcaa000a0d8 size 128 | scheduling resume sending helper answer for #7 | crypto helper 0 waiting (nothing to do) | processing resume sending helper answer for #9 | libevent_malloc: new ptr-libevent@0x7fca8800b6c8 size 128 | start processing: state #9 connection "westnet-eastnet-subnets/2x2" from 192.1.2.45:500 (in resume_handler() at server.c:797) | crypto helper 4 waiting (nothing to do) | crypto helper 0 replies to request ID 14 | calling continuation function 0x55d240888b50 | quick_inI1_outR1_cryptocontinue1 for #9: calculated ke+nonce, calculating DH | started looking for secret for @east->@west of kind PKK_PSK | actually looking for secret for @east->@west of kind PKK_PSK | line 1: 
key type PKK_PSK(@east) to type PKK_RSA | crypto helper 6 finished compute dh (V1 Phase 2 PFS) (quick outR1 DH); request ID 15 time elapsed 0.00056 seconds | concluding with best_match=000 best=(nil) (lineno=-1) | (#8) spent 0.564 milliseconds in crypto helper computing work-order 15: quick outR1 DH (pcr) | crypto helper 6 sending results from work-order 15 for state #8 to event queue | no PreShared Key Found | scheduling resume sending helper answer for #8 | adding quick outR1 DH work-order 17 for state #9 | libevent_malloc: new ptr-libevent@0x7fca8c002538 size 128 | crypto helper 6 waiting (nothing to do) | state #9 requesting EVENT_CRYPTO_TIMEOUT to be deleted | libevent_free: release ptr-libevent@0x55d242307d68 | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55d2423124c8 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55d2423124c8 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #9 | libevent_malloc: new ptr-libevent@0x7fca94008998 size 128 | suspending state #9 and saving MD | #9 is busy; has a suspended MD | resume sending helper answer for #9 suppresed complete_v1_state_transition() and stole MD | #9 spent 0.0681 milliseconds in resume sending helper answer | stop processing: state #9 connection "westnet-eastnet-subnets/2x2" from 192.1.2.45:500 (in resume_handler() at server.c:833) | libevent_free: release ptr-libevent@0x7fcaa000a0d8 | processing resume sending helper answer for #7 | start processing: state #7 connection "westnet-eastnet-subnets/1x2" from 192.1.2.45:500 (in resume_handler() at server.c:797) | crypto helper 4 replies to request ID 12 | calling continuation function 0x55d240888b50 | quick_inI1_outR1_cryptocontinue1 for #7: calculated ke+nonce, calculating DH | started looking for secret for @east->@west of kind PKK_PSK | actually looking for secret for @east->@west of kind PKK_PSK | line 1: key type PKK_PSK(@east) to type PKK_RSA | concluding with best_match=000 best=(nil) (lineno=-1) | no PreShared Key Found | adding 
quick outR1 DH work-order 18 for state #7 | state #7 requesting EVENT_CRYPTO_TIMEOUT to be deleted | libevent_free: release ptr-libevent@0x55d242315338 | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x7fca880058b8 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x7fca880058b8 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #7 | libevent_malloc: new ptr-libevent@0x7fcaa000a0d8 size 128 | suspending state #7 and saving MD | crypto helper 3 resuming | #7 is busy; has a suspended MD | crypto helper 3 starting work-order 17 for state #9 | crypto helper 2 resuming | resume sending helper answer for #7 suppresed complete_v1_state_transition() and stole MD | crypto helper 3 doing compute dh (V1 Phase 2 PFS) (quick outR1 DH); request ID 17 | crypto helper 2 starting work-order 18 for state #7 | #7 spent 0.0574 milliseconds in resume sending helper answer | stop processing: state #7 connection "westnet-eastnet-subnets/1x2" from 192.1.2.45:500 (in resume_handler() at server.c:833) | libevent_free: release ptr-libevent@0x7fca8800b6c8 | crypto helper 1 finished compute dh (V1 Phase 2 PFS) (quick outR1 DH); request ID 16 time elapsed 0.00071 seconds | crypto helper 2 doing compute dh (V1 Phase 2 PFS) (quick outR1 DH); request ID 18 | (#6) spent 0.715 milliseconds in crypto helper computing work-order 16: quick outR1 DH (pcr) | processing resume sending helper answer for #8 | crypto helper 1 sending results from work-order 16 for state #6 to event queue | start processing: state #8 connection "westnet-eastnet-subnets/2x1" from 192.1.2.45:500 (in resume_handler() at server.c:797) | crypto helper 6 replies to request ID 15 | calling continuation function 0x55d240888b50 | quick_inI1_outR1_cryptocontinue2 for #8: calculated DH, sending R1 | scheduling resume sending helper answer for #6 | libevent_malloc: new ptr-libevent@0x7fca98000e98 size 128 | crypto helper 1 waiting (nothing to do) | **emit ISAKMP Message: | initiator cookie: | 58 65 7e 03 6c d2 dc 8b | 
responder cookie: | 8c 79 d8 bb 28 3b 88 3a | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_QUICK (0x20) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 1486657262 (0x589c96ee) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Hash Payload (8:ISAKMP_NEXT_HASH) | next payload chain: saving location 'ISAKMP Hash Payload'.'next payload type' in 'reply packet' | emitting 32 zero bytes of HASH DATA into ISAKMP Hash Payload | emitting length of ISAKMP Hash Payload: 36 | ***emit ISAKMP Security Association Payload: | next payload type: ISAKMP_NEXT_NONCE (0xa) | DOI: ISAKMP_DOI_IPSEC (0x1) | next payload chain: ignoring supplied 'ISAKMP Security Association Payload'.'next payload type' value 10:ISAKMP_NEXT_NONCE | next payload chain: setting previous 'ISAKMP Hash Payload'.'next payload type' to current ISAKMP Security Association Payload (1:ISAKMP_NEXT_SA) | next payload chain: saving location 'ISAKMP Security Association Payload'.'next payload type' in 'reply packet' | ****parse IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ****parse ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 72 (0x48) | proposal number: 0 (0x0) | protocol ID: PROTO_IPSEC_ESP (0x3) | SPI size: 4 (0x4) | number of transforms: 2 (0x2) | parsing 4 raw bytes of ISAKMP Proposal Payload into SPI | SPI ab e5 8c 79 | *****parse ISAKMP Transform Payload (ESP): | next payload type: ISAKMP_NEXT_T (0x3) | length: 32 (0x20) | ESP transform number: 0 (0x0) | ESP transform ID: ESP_AES (0xc) | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+GROUP_DESCRIPTION (0x8003) | length/value: 14 (0xe) | [14 is OAKLEY_GROUP_MODP2048] | ******parse ISAKMP IPsec DOI attribute: | af+type: 
AF+ENCAPSULATION_MODE (0x8004) | length/value: 1 (0x1) | [1 is ENCAPSULATION_MODE_TUNNEL] | NAT-T non-encap: Installing IPsec SA without ENCAP, st->hidden_variables.st_nat_traversal is none | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+SA_LIFE_TYPE (0x8001) | length/value: 1 (0x1) | [1 is SA_LIFE_TYPE_SECONDS] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+SA_LIFE_DURATION (variable length) (0x8002) | length/value: 28800 (0x7080) | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+AUTH_ALGORITHM (0x8005) | length/value: 2 (0x2) | [2 is AUTH_ALGORITHM_HMAC_SHA1] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+KEY_LENGTH (0x8006) | length/value: 128 (0x80) | ESP IPsec Transform verified unconditionally; no alg_info to check against | ****emit IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ****emit ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | proposal number: 0 (0x0) | protocol ID: PROTO_IPSEC_ESP (0x3) | SPI size: 4 (0x4) | number of transforms: 1 (0x1) | last substructure: saving location 'ISAKMP Security Association Payload'.'ISAKMP Proposal Payload'.'next payload type' | netlink_get_spi: allocated 0xfdd85bd4 for esp.0@192.1.2.23 | emitting 4 raw bytes of SPI into ISAKMP Proposal Payload | SPI fd d8 5b d4 | *****emit ISAKMP Transform Payload (ESP): | next payload type: ISAKMP_NEXT_NONE (0x0) | ESP transform number: 0 (0x0) | ESP transform ID: ESP_AES (0xc) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ESP)'.'next payload type' | emitting 24 raw bytes of attributes into ISAKMP Transform Payload (ESP) | attributes 80 03 00 0e 80 04 00 01 80 01 00 01 80 02 70 80 | attributes 80 05 00 02 80 06 00 80 | emitting length of ISAKMP Transform Payload (ESP): 32 | emitting length of ISAKMP Proposal Payload: 44 | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ESP)'.'next payload type' is 0 | emitting length of ISAKMP Security 
Association Payload: 56 | last substructure: checking 'ISAKMP Security Association Payload'.'ISAKMP Proposal Payload'.'next payload type' is 0 "westnet-eastnet-subnets/2x1" #8: responding to Quick Mode proposal {msgid:589c96ee} "westnet-eastnet-subnets/2x1" #8: us: 192.0.2.16/28===192.1.2.23<192.1.2.23>[@east] "westnet-eastnet-subnets/2x1" #8: them: 192.1.2.45<192.1.2.45>[@west]===192.0.1.128/28 | ***emit ISAKMP Nonce Payload: | next payload type: ISAKMP_NEXT_KE (0x4) | next payload chain: ignoring supplied 'ISAKMP Nonce Payload'.'next payload type' value 4:ISAKMP_NEXT_KE | next payload chain: setting previous 'ISAKMP Security Association Payload'.'next payload type' to current ISAKMP Nonce Payload (10:ISAKMP_NEXT_NONCE) | next payload chain: saving location 'ISAKMP Nonce Payload'.'next payload type' in 'reply packet' | emitting 32 raw bytes of Nr into ISAKMP Nonce Payload | Nr 0d 5e da bb df c8 ca 76 a1 fa 27 7e db bb ef a7 | Nr 7e e3 1f d9 1f 28 d9 fe b5 5e b1 96 f1 7c cb 27 | emitting length of ISAKMP Nonce Payload: 36 | ***emit ISAKMP Key Exchange Payload: | next payload type: ISAKMP_NEXT_ID (0x5) | next payload chain: ignoring supplied 'ISAKMP Key Exchange Payload'.'next payload type' value 5:ISAKMP_NEXT_ID | next payload chain: setting previous 'ISAKMP Nonce Payload'.'next payload type' to current ISAKMP Key Exchange Payload (4:ISAKMP_NEXT_KE) | next payload chain: saving location 'ISAKMP Key Exchange Payload'.'next payload type' in 'reply packet' | emitting 256 raw bytes of keyex value into ISAKMP Key Exchange Payload |
emitting length of ISAKMP Key Exchange Payload: 260 | ***emit ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_ID (0x5) | ID type: ID_IPV4_ADDR_SUBNET (0x4) | Protocol ID: 0 (0x0) | port: 0 (0x0) | next payload chain: ignoring supplied 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' value 5:ISAKMP_NEXT_ID | next payload chain: setting previous 'ISAKMP Key Exchange Payload'.'next payload type' to current ISAKMP Identification Payload (IPsec DOI) (5:ISAKMP_NEXT_ID) | next payload chain: saving location 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' in 'reply packet' | emitting 8 raw bytes of ID body into ISAKMP Identification Payload (IPsec DOI) | ID body c0 00 01 80 ff ff ff f0 | emitting length of ISAKMP Identification Payload (IPsec DOI): 16 | ***emit ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_NONE (0x0) | ID type: ID_IPV4_ADDR_SUBNET (0x4) | Protocol ID: 0 (0x0) | port: 0 (0x0) | next payload chain: setting previous 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' to current ISAKMP Identification Payload (IPsec DOI) (5:ISAKMP_NEXT_ID) | next payload chain: saving location 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' in 'reply packet' | emitting 8 raw bytes of ID body into ISAKMP Identification Payload (IPsec DOI) | ID body c0 00 02 10 ff ff ff f0 | emitting length of ISAKMP Identification Payload (IPsec
DOI): 16 | quick inR1 outI2 HASH(2): | 68 93 0b c0 ff 52 53 ac 64 9a 1c 9d 55 a5 6b 51 | 5a 5e 25 61 a6 bc e5 81 ff 74 6a c5 05 8b 2d 2c | compute_proto_keymat: needed_len (after ESP enc)=16 | compute_proto_keymat: needed_len (after ESP auth)=36 | FOR_EACH_CONNECTION_... in route_owner | conn westnet-eastnet-subnets/2x1 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/2x2 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/2x1 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/2x1 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/2x1 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/1x2 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/2x1 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/1x1 mark 0/00000000, 0/00000000 | route owner of "westnet-eastnet-subnets/2x1" erouted: self | install_inbound_ipsec_sa() checking if we can route | could_route called for westnet-eastnet-subnets/2x1 (kind=CK_PERMANENT) | FOR_EACH_CONNECTION_... 
in route_owner | conn westnet-eastnet-subnets/2x1 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/2x2 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/2x1 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/2x1 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/2x1 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/1x2 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/2x1 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/1x1 mark 0/00000000, 0/00000000 | route owner of "westnet-eastnet-subnets/2x1" erouted: self; eroute owner: self | crypto helper 2 finished compute dh (V1 Phase 2 PFS) (quick outR1 DH); request ID 18 time elapsed 0.000601 seconds | routing is easy, or has resolvable near-conflict | checking if this is a replacement state | (#7) spent 0.589 milliseconds in crypto helper computing work-order 18: quick outR1 DH (pcr) | crypto helper 2 sending results from work-order 18 for state #7 to event queue | scheduling resume sending helper answer for #7 | st=0x55d2423200c8 ost=0x55d242311288 st->serialno=#8 ost->serialno=#3 | libevent_malloc: new ptr-libevent@0x7fca9c005118 size 128 "westnet-eastnet-subnets/2x1" #8: keeping refhim=0 during rekey | installing outgoing SA now as refhim=0 | crypto helper 2 waiting (nothing to do) | looking for alg with encrypt: AES_CBC keylen: 128 integ: HMAC_SHA1_96 | encrypt AES_CBC keylen=128 transid=12, key_size=16, encryptalg=12 | st->st_esp.keymat_len=36 is encrypt_keymat_size=16 + integ_keymat_size=20 | setting IPsec SA replay-window to 32 | NIC esp-hw-offload not for connection 'westnet-eastnet-subnets/2x1' not available on interface eth1 | netlink: enabling tunnel mode | netlink: setting IPsec SA replay-window to 32 using old-style req | netlink: esp-hw-offload not set for IPsec SA | netlink response for Add SA esp.abe58c79@192.1.2.45 included non-error error | outgoing SA has refhim=0 | looking for alg with encrypt: AES_CBC keylen: 128 integ: 
HMAC_SHA1_96 | encrypt AES_CBC keylen=128 transid=12, key_size=16, encryptalg=12 | st->st_esp.keymat_len=36 is encrypt_keymat_size=16 + integ_keymat_size=20 | setting IPsec SA replay-window to 32 | NIC esp-hw-offload not for connection 'westnet-eastnet-subnets/2x1' not available on interface eth1 | netlink: enabling tunnel mode | netlink: setting IPsec SA replay-window to 32 using old-style req | netlink: esp-hw-offload not set for IPsec SA | netlink response for Add SA esp.fdd85bd4@192.1.2.23 included non-error error | crypto helper 3 finished compute dh (V1 Phase 2 PFS) (quick outR1 DH); request ID 17 time elapsed 0.000852 seconds | (#9) spent 0.852 milliseconds in crypto helper computing work-order 17: quick outR1 DH (pcr) | crypto helper 3 sending results from work-order 17 for state #9 to event queue | scheduling resume sending helper answer for #9 | libevent_malloc: new ptr-libevent@0x7fca90009f78 size 128 | crypto helper 3 waiting (nothing to do) | emitting 12 zero bytes of encryption padding into ISAKMP Message | no IKEv1 message padding required | emitting length of ISAKMP Message: 460 | finished processing quick inI1 | complete v1 state transition with STF_OK | [RE]START processing: state #8 connection "westnet-eastnet-subnets/2x1" from 192.1.2.45:500 (in complete_v1_state_transition() at ikev1.c:2673) | #8 is idle | doing_xauth:no, t_xauth_client_done:no | IKEv1: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1 | child state #8: QUICK_R0(established CHILD SA) => QUICK_R1(established CHILD SA) | event_already_set, deleting event | state #8 requesting EVENT_CRYPTO_TIMEOUT to be deleted | libevent_free: release ptr-libevent@0x55d242319f18 | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55d242312178 | sending reply packet to 192.1.2.45:500 (from 192.1.2.23:500) | sending 460 bytes for STATE_QUICK_R0 through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #8) |
!event_already_set at reschedule | event_schedule: new EVENT_RETRANSMIT-pe@0x55d242312178 | inserting event EVENT_RETRANSMIT, timeout in 0.5 seconds for #8 | libevent_malloc: new ptr-libevent@0x7fca8800b6c8 size 128 | #8 STATE_QUICK_R1: retransmits: first event in 0.5 seconds; timeout in 60 seconds; limit of 12 retransmits; current time is 11347.575172 | pstats #8 ikev1.ipsec established | NAT-T: encaps is 'auto' "westnet-eastnet-subnets/2x1" #8: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 tunnel mode {ESP=>0xabe58c79 <0xfdd85bd4 xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=none NATD=none DPD=passive} | modecfg pull:
noquirk policy:push not-client | phase 1 is done, looking for phase 2 to unpend | resume sending helper answer for #8 suppresed complete_v1_state_transition() | #8 spent 1.37 milliseconds in resume sending helper answer | stop processing: state #8 connection "westnet-eastnet-subnets/2x1" from 192.1.2.45:500 (in resume_handler() at server.c:833) | libevent_free: release ptr-libevent@0x7fca8c002538 | processing resume sending helper answer for #6 | start processing: state #6 connection "westnet-eastnet-subnets/1x1" from 192.1.2.45:500 (in resume_handler() at server.c:797) | crypto helper 1 replies to request ID 16 | calling continuation function 0x55d240888b50 | quick_inI1_outR1_cryptocontinue2 for #6: calculated DH, sending R1 | **emit ISAKMP Message: | initiator cookie: | 58 65 7e 03 6c d2 dc 8b | responder cookie: | 8c 79 d8 bb 28 3b 88 3a | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_QUICK (0x20) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 4137151458 (0xf697ebe2) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Hash Payload (8:ISAKMP_NEXT_HASH) | next payload chain: saving location 'ISAKMP Hash Payload'.'next payload type' in 'reply packet' | emitting 32 zero bytes of HASH DATA into ISAKMP Hash Payload | emitting length of ISAKMP Hash Payload: 36 | ***emit ISAKMP Security Association Payload: | next payload type: ISAKMP_NEXT_NONCE (0xa) | DOI: ISAKMP_DOI_IPSEC (0x1) | next payload chain: ignoring supplied 'ISAKMP Security Association Payload'.'next payload type' value 10:ISAKMP_NEXT_NONCE | next payload chain: setting previous 'ISAKMP Hash Payload'.'next payload type' to current ISAKMP Security Association Payload (1:ISAKMP_NEXT_SA) | next payload chain: saving location 
'ISAKMP Security Association Payload'.'next payload type' in 'reply packet' | ****parse IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ****parse ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 72 (0x48) | proposal number: 0 (0x0) | protocol ID: PROTO_IPSEC_ESP (0x3) | SPI size: 4 (0x4) | number of transforms: 2 (0x2) | parsing 4 raw bytes of ISAKMP Proposal Payload into SPI | SPI fb e2 7b d0 | *****parse ISAKMP Transform Payload (ESP): | next payload type: ISAKMP_NEXT_T (0x3) | length: 32 (0x20) | ESP transform number: 0 (0x0) | ESP transform ID: ESP_AES (0xc) | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+GROUP_DESCRIPTION (0x8003) | length/value: 14 (0xe) | [14 is OAKLEY_GROUP_MODP2048] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+ENCAPSULATION_MODE (0x8004) | length/value: 1 (0x1) | [1 is ENCAPSULATION_MODE_TUNNEL] | NAT-T non-encap: Installing IPsec SA without ENCAP, st->hidden_variables.st_nat_traversal is none | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+SA_LIFE_TYPE (0x8001) | length/value: 1 (0x1) | [1 is SA_LIFE_TYPE_SECONDS] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+SA_LIFE_DURATION (variable length) (0x8002) | length/value: 28800 (0x7080) | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+AUTH_ALGORITHM (0x8005) | length/value: 2 (0x2) | [2 is AUTH_ALGORITHM_HMAC_SHA1] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+KEY_LENGTH (0x8006) | length/value: 128 (0x80) | ESP IPsec Transform verified unconditionally; no alg_info to check against | ****emit IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ****emit ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | proposal number: 0 (0x0) | protocol ID: PROTO_IPSEC_ESP (0x3) | SPI size: 4 (0x4) | number of transforms: 1 (0x1) | last substructure: saving location 'ISAKMP Security Association Payload'.'ISAKMP Proposal Payload'.'next payload type' | netlink_get_spi: allocated 0xacb297c8 
for esp.0@192.1.2.23 | emitting 4 raw bytes of SPI into ISAKMP Proposal Payload | SPI ac b2 97 c8 | *****emit ISAKMP Transform Payload (ESP): | next payload type: ISAKMP_NEXT_NONE (0x0) | ESP transform number: 0 (0x0) | ESP transform ID: ESP_AES (0xc) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ESP)'.'next payload type' | emitting 24 raw bytes of attributes into ISAKMP Transform Payload (ESP) | attributes 80 03 00 0e 80 04 00 01 80 01 00 01 80 02 70 80 | attributes 80 05 00 02 80 06 00 80 | emitting length of ISAKMP Transform Payload (ESP): 32 | emitting length of ISAKMP Proposal Payload: 44 | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ESP)'.'next payload type' is 0 | emitting length of ISAKMP Security Association Payload: 56 | last substructure: checking 'ISAKMP Security Association Payload'.'ISAKMP Proposal Payload'.'next payload type' is 0 "westnet-eastnet-subnets/1x1" #6: responding to Quick Mode proposal {msgid:f697ebe2} "westnet-eastnet-subnets/1x1" #6: us: 192.0.2.16/28===192.1.2.23<192.1.2.23>[@east] "westnet-eastnet-subnets/1x1" #6: them: 192.1.2.45<192.1.2.45>[@west]===192.0.1.0/28 | ***emit ISAKMP Nonce Payload: | next payload type: ISAKMP_NEXT_KE (0x4) | next payload chain: ignoring supplied 'ISAKMP Nonce Payload'.'next payload type' value 4:ISAKMP_NEXT_KE | next payload chain: setting previous 'ISAKMP Security Association Payload'.'next payload type' to current ISAKMP Nonce Payload (10:ISAKMP_NEXT_NONCE) | next payload chain: saving location 'ISAKMP Nonce Payload'.'next payload type' in 'reply packet' | emitting 32 raw bytes of Nr into ISAKMP Nonce Payload | Nr e2 60 cf 09 f7 b5 2d e1 3c 31 87 af 3c a9 78 24 | Nr c1 a8 33 a9 53 7e 12 48 bc 96 86 d6 f2 d5 9e 69 | emitting length of ISAKMP Nonce Payload: 36 | ***emit ISAKMP Key Exchange Payload: | next payload type: ISAKMP_NEXT_ID (0x5) | next payload chain: ignoring supplied 'ISAKMP Key Exchange Payload'.'next payload 
type' value 5:ISAKMP_NEXT_ID | next payload chain: setting previous 'ISAKMP Nonce Payload'.'next payload type' to current ISAKMP Key Exchange Payload (4:ISAKMP_NEXT_KE) | next payload chain: saving location 'ISAKMP Key Exchange Payload'.'next payload type' in 'reply packet' | emitting 256 raw bytes of keyex value into ISAKMP Key Exchange Payload | emitting length of ISAKMP Key Exchange Payload: 260 | ***emit ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_ID (0x5) | ID type: ID_IPV4_ADDR_SUBNET (0x4) | Protocol ID: 0 (0x0) | port: 0 (0x0) | next payload chain: ignoring supplied 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' value 5:ISAKMP_NEXT_ID | next payload chain: setting previous 'ISAKMP Key Exchange Payload'.'next payload type' to current ISAKMP Identification Payload (IPsec DOI) (5:ISAKMP_NEXT_ID) | next payload chain: saving location 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' in 'reply packet' | emitting 8 raw bytes of
ID body into ISAKMP Identification Payload (IPsec DOI) | ID body c0 00 01 00 ff ff ff f0 | emitting length of ISAKMP Identification Payload (IPsec DOI): 16 | ***emit ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_NONE (0x0) | ID type: ID_IPV4_ADDR_SUBNET (0x4) | Protocol ID: 0 (0x0) | port: 0 (0x0) | next payload chain: setting previous 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' to current ISAKMP Identification Payload (IPsec DOI) (5:ISAKMP_NEXT_ID) | next payload chain: saving location 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' in 'reply packet' | emitting 8 raw bytes of ID body into ISAKMP Identification Payload (IPsec DOI) | ID body c0 00 02 10 ff ff ff f0 | emitting length of ISAKMP Identification Payload (IPsec DOI): 16 | quick inR1 outI2 HASH(2): | 88 fe 86 30 b1 59 0e 62 ee 9f db 57 38 e5 5b 8c | fb 85 5d a1 2b 3d c1 88 80 c4 46 a6 de 27 2c 50 | compute_proto_keymat: needed_len (after ESP enc)=16 | compute_proto_keymat: needed_len (after ESP auth)=36 | FOR_EACH_CONNECTION_... in route_owner | conn westnet-eastnet-subnets/1x1 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/2x2 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/1x1 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/2x1 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/1x1 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/1x2 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/1x1 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/1x1 mark 0/00000000, 0/00000000 | route owner of "westnet-eastnet-subnets/1x1" erouted: self | install_inbound_ipsec_sa() checking if we can route | could_route called for westnet-eastnet-subnets/1x1 (kind=CK_PERMANENT) | FOR_EACH_CONNECTION_... 
in route_owner | conn westnet-eastnet-subnets/1x1 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/2x2 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/1x1 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/2x1 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/1x1 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/1x2 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/1x1 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/1x1 mark 0/00000000, 0/00000000 | route owner of "westnet-eastnet-subnets/1x1" erouted: self; eroute owner: self | routing is easy, or has resolvable near-conflict | checking if this is a replacement state | st=0x55d242314848 ost=0x55d242313d58 st->serialno=#6 ost->serialno=#4 "westnet-eastnet-subnets/1x1" #6: keeping refhim=0 during rekey | installing outgoing SA now as refhim=0 | looking for alg with encrypt: AES_CBC keylen: 128 integ: HMAC_SHA1_96 | encrypt AES_CBC keylen=128 transid=12, key_size=16, encryptalg=12 | st->st_esp.keymat_len=36 is encrypt_keymat_size=16 + integ_keymat_size=20 | setting IPsec SA replay-window to 32 | NIC esp-hw-offload not for connection 'westnet-eastnet-subnets/1x1' not available on interface eth1 | netlink: enabling tunnel mode | netlink: setting IPsec SA replay-window to 32 using old-style req | netlink: esp-hw-offload not set for IPsec SA | netlink response for Add SA esp.fbe27bd0@192.1.2.45 included non-error error | outgoing SA has refhim=0 | looking for alg with encrypt: AES_CBC keylen: 128 integ: HMAC_SHA1_96 | encrypt AES_CBC keylen=128 transid=12, key_size=16, encryptalg=12 | st->st_esp.keymat_len=36 is encrypt_keymat_size=16 + integ_keymat_size=20 | setting IPsec SA replay-window to 32 | NIC esp-hw-offload not for connection 'westnet-eastnet-subnets/1x1' not available on interface eth1 | netlink: enabling tunnel mode | netlink: setting IPsec SA replay-window to 32 using old-style req | netlink: esp-hw-offload not set for IPsec SA | 
netlink response for Add SA esp.acb297c8@192.1.2.23 included non-error error | emitting 12 zero bytes of encryption padding into ISAKMP Message | no IKEv1 message padding required | emitting length of ISAKMP Message: 460 | finished processing quick inI1 | complete v1 state transition with STF_OK | [RE]START processing: state #6 connection "westnet-eastnet-subnets/1x1" from 192.1.2.45:500 (in complete_v1_state_transition() at ikev1.c:2673) | #6 is idle | doing_xauth:no, t_xauth_client_done:no | IKEv1: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1 | child state #6: QUICK_R0(established CHILD SA) => QUICK_R1(established CHILD SA) | event_already_set, deleting event | state #6 requesting EVENT_CRYPTO_TIMEOUT to be deleted | libevent_free: release ptr-libevent@0x7fca9000a028 | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x7fca90004218 | sending reply packet to 192.1.2.45:500 (from 192.1.2.23:500) | sending 460 bytes for STATE_QUICK_R0 through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #6) |
!event_already_set at reschedule | event_schedule: new EVENT_RETRANSMIT-pe@0x7fca90004218 | inserting event EVENT_RETRANSMIT, timeout in 0.5 seconds for #6 | libevent_malloc: new ptr-libevent@0x7fca8c002538 size 128 | #6 STATE_QUICK_R1: retransmits: first event in 0.5 seconds; timeout in 60 seconds; limit of 12 retransmits; current time is 11347.576009 | pstats #6 ikev1.ipsec established | NAT-T: encaps is 'auto' "westnet-eastnet-subnets/1x1" #6: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 tunnel mode {ESP=>0xfbe27bd0 <0xacb297c8 xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=none NATD=none DPD=passive} | modecfg pull: noquirk policy:push not-client | phase 1 is done, looking for phase 2 to unpend | resume sending helper answer for #6 suppresed complete_v1_state_transition() | #6 spent 0.789 milliseconds in resume sending helper answer | stop processing: state #6 connection "westnet-eastnet-subnets/1x1" from 192.1.2.45:500 (in resume_handler() at server.c:833) | libevent_free: release ptr-libevent@0x7fca98000e98 | processing resume sending helper answer for #7 | start processing: state #7 connection "westnet-eastnet-subnets/1x2" from 192.1.2.45:500 (in resume_handler() at server.c:797) | crypto helper 2 replies to request ID 18 | calling continuation function 0x55d240888b50 | quick_inI1_outR1_cryptocontinue2 for #7: calculated DH, sending R1 | **emit ISAKMP Message: | initiator cookie: | 58 65 7e 03 6c d2 dc 8b | responder cookie: | 8c 79 d8 bb 28 3b 88 3a | next payload type: ISAKMP_NEXT_NONE
(0x0) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_QUICK (0x20) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 3864703546 (0xe65ab23a) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Hash Payload (8:ISAKMP_NEXT_HASH) | next payload chain: saving location 'ISAKMP Hash Payload'.'next payload type' in 'reply packet' | emitting 32 zero bytes of HASH DATA into ISAKMP Hash Payload | emitting length of ISAKMP Hash Payload: 36 | ***emit ISAKMP Security Association Payload: | next payload type: ISAKMP_NEXT_NONCE (0xa) | DOI: ISAKMP_DOI_IPSEC (0x1) | next payload chain: ignoring supplied 'ISAKMP Security Association Payload'.'next payload type' value 10:ISAKMP_NEXT_NONCE | next payload chain: setting previous 'ISAKMP Hash Payload'.'next payload type' to current ISAKMP Security Association Payload (1:ISAKMP_NEXT_SA) | next payload chain: saving location 'ISAKMP Security Association Payload'.'next payload type' in 'reply packet' | ****parse IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ****parse ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 72 (0x48) | proposal number: 0 (0x0) | protocol ID: PROTO_IPSEC_ESP (0x3) | SPI size: 4 (0x4) | number of transforms: 2 (0x2) | parsing 4 raw bytes of ISAKMP Proposal Payload into SPI | SPI 5c 64 f4 78 | *****parse ISAKMP Transform Payload (ESP): | next payload type: ISAKMP_NEXT_T (0x3) | length: 32 (0x20) | ESP transform number: 0 (0x0) | ESP transform ID: ESP_AES (0xc) | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+GROUP_DESCRIPTION (0x8003) | length/value: 14 (0xe) | [14 is OAKLEY_GROUP_MODP2048] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+ENCAPSULATION_MODE (0x8004) | length/value: 1 (0x1) | [1 is ENCAPSULATION_MODE_TUNNEL] | 
NAT-T non-encap: Installing IPsec SA without ENCAP, st->hidden_variables.st_nat_traversal is none | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+SA_LIFE_TYPE (0x8001) | length/value: 1 (0x1) | [1 is SA_LIFE_TYPE_SECONDS] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+SA_LIFE_DURATION (variable length) (0x8002) | length/value: 28800 (0x7080) | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+AUTH_ALGORITHM (0x8005) | length/value: 2 (0x2) | [2 is AUTH_ALGORITHM_HMAC_SHA1] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+KEY_LENGTH (0x8006) | length/value: 128 (0x80) | ESP IPsec Transform verified unconditionally; no alg_info to check against | ****emit IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ****emit ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | proposal number: 0 (0x0) | protocol ID: PROTO_IPSEC_ESP (0x3) | SPI size: 4 (0x4) | number of transforms: 1 (0x1) | last substructure: saving location 'ISAKMP Security Association Payload'.'ISAKMP Proposal Payload'.'next payload type' | netlink_get_spi: allocated 0x27e839d6 for esp.0@192.1.2.23 | emitting 4 raw bytes of SPI into ISAKMP Proposal Payload | SPI 27 e8 39 d6 | *****emit ISAKMP Transform Payload (ESP): | next payload type: ISAKMP_NEXT_NONE (0x0) | ESP transform number: 0 (0x0) | ESP transform ID: ESP_AES (0xc) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ESP)'.'next payload type' | emitting 24 raw bytes of attributes into ISAKMP Transform Payload (ESP) | attributes 80 03 00 0e 80 04 00 01 80 01 00 01 80 02 70 80 | attributes 80 05 00 02 80 06 00 80 | emitting length of ISAKMP Transform Payload (ESP): 32 | emitting length of ISAKMP Proposal Payload: 44 | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ESP)'.'next payload type' is 0 | emitting length of ISAKMP Security Association Payload: 56 | last substructure: checking 'ISAKMP Security Association Payload'.'ISAKMP 
Proposal Payload'.'next payload type' is 0 "westnet-eastnet-subnets/1x2" #7: responding to Quick Mode proposal {msgid:e65ab23a} "westnet-eastnet-subnets/1x2" #7: us: 192.0.2.64/26===192.1.2.23<192.1.2.23>[@east] "westnet-eastnet-subnets/1x2" #7: them: 192.1.2.45<192.1.2.45>[@west]===192.0.1.0/28 | ***emit ISAKMP Nonce Payload: | next payload type: ISAKMP_NEXT_KE (0x4) | next payload chain: ignoring supplied 'ISAKMP Nonce Payload'.'next payload type' value 4:ISAKMP_NEXT_KE | next payload chain: setting previous 'ISAKMP Security Association Payload'.'next payload type' to current ISAKMP Nonce Payload (10:ISAKMP_NEXT_NONCE) | next payload chain: saving location 'ISAKMP Nonce Payload'.'next payload type' in 'reply packet' | emitting 32 raw bytes of Nr into ISAKMP Nonce Payload | Nr 75 86 9b 11 70 89 8a f9 f5 61 74 b1 6d a2 8c d8 | Nr 62 1e c3 44 ed 8a 09 09 b7 0c f0 bc 4b cd 6a d4 | emitting length of ISAKMP Nonce Payload: 36 | ***emit ISAKMP Key Exchange Payload: | next payload type: ISAKMP_NEXT_ID (0x5) | next payload chain: ignoring supplied 'ISAKMP Key Exchange Payload'.'next payload type' value 5:ISAKMP_NEXT_ID | next payload chain: setting previous 'ISAKMP Nonce Payload'.'next payload type' to current ISAKMP Key Exchange Payload (4:ISAKMP_NEXT_KE) | next payload chain: saving location 'ISAKMP Key Exchange Payload'.'next payload type' in 'reply packet' | emitting 256 raw bytes of keyex value into ISAKMP Key Exchange Payload |
emitting length of ISAKMP Key Exchange Payload: 260 | ***emit ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_ID (0x5) | ID type: ID_IPV4_ADDR_SUBNET (0x4) | Protocol ID: 0 (0x0) | port: 0 (0x0) | next payload chain: ignoring supplied 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' value 5:ISAKMP_NEXT_ID | next payload chain: setting previous 'ISAKMP Key Exchange Payload'.'next payload type' to current ISAKMP Identification Payload (IPsec DOI) (5:ISAKMP_NEXT_ID) | next payload chain: saving location 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' in 'reply packet' | emitting 8 raw bytes of ID body into ISAKMP Identification Payload (IPsec DOI) | ID body c0 00 01 00 ff ff ff f0 | emitting length of ISAKMP Identification Payload (IPsec DOI): 16 | ***emit ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_NONE (0x0) | ID type: ID_IPV4_ADDR_SUBNET (0x4) | Protocol ID: 0 (0x0) | port: 0 (0x0) | next payload chain: setting previous 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' to current ISAKMP Identification Payload (IPsec DOI) (5:ISAKMP_NEXT_ID) | next payload chain: saving location 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' in 'reply packet' | emitting 8 raw bytes of ID body into ISAKMP Identification Payload (IPsec DOI) | ID body c0 00 02 40 ff ff ff c0 | emitting length of ISAKMP Identification Payload (IPsec DOI): 16 | quick inR1 outI2 HASH(2): | 4b f5 42 6d 4a 13 51 22 45 1e 5c ce 19 67 87 a3 | 02 ba ba d9
31 c8 57 59 d1 b6 44 41 2f 4d 4d b8 | compute_proto_keymat: needed_len (after ESP enc)=16 | compute_proto_keymat: needed_len (after ESP auth)=36 | FOR_EACH_CONNECTION_... in route_owner | conn westnet-eastnet-subnets/1x2 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/2x2 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/1x2 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/2x1 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/1x2 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/1x2 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/1x2 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/1x1 mark 0/00000000, 0/00000000 | route owner of "westnet-eastnet-subnets/1x2" erouted: self | install_inbound_ipsec_sa() checking if we can route | could_route called for westnet-eastnet-subnets/1x2 (kind=CK_PERMANENT) | FOR_EACH_CONNECTION_... in route_owner | conn westnet-eastnet-subnets/1x2 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/2x2 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/1x2 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/2x1 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/1x2 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/1x2 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/1x2 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/1x1 mark 0/00000000, 0/00000000 | route owner of "westnet-eastnet-subnets/1x2" erouted: self; eroute owner: self | routing is easy, or has resolvable near-conflict | checking if this is a replacement state | st=0x55d242319428 ost=0x55d242317d68 st->serialno=#7 ost->serialno=#5 "westnet-eastnet-subnets/1x2" #7: keeping refhim=0 during rekey | installing outgoing SA now as refhim=0 | looking for alg with encrypt: AES_CBC keylen: 128 integ: HMAC_SHA1_96 | encrypt AES_CBC keylen=128 transid=12, key_size=16, encryptalg=12 | st->st_esp.keymat_len=36 is encrypt_keymat_size=16 + 
integ_keymat_size=20 | setting IPsec SA replay-window to 32 | NIC esp-hw-offload not for connection 'westnet-eastnet-subnets/1x2' not available on interface eth1 | netlink: enabling tunnel mode | netlink: setting IPsec SA replay-window to 32 using old-style req | netlink: esp-hw-offload not set for IPsec SA | netlink response for Add SA esp.5c64f478@192.1.2.45 included non-error error | outgoing SA has refhim=0 | looking for alg with encrypt: AES_CBC keylen: 128 integ: HMAC_SHA1_96 | encrypt AES_CBC keylen=128 transid=12, key_size=16, encryptalg=12 | st->st_esp.keymat_len=36 is encrypt_keymat_size=16 + integ_keymat_size=20 | setting IPsec SA replay-window to 32 | NIC esp-hw-offload not for connection 'westnet-eastnet-subnets/1x2' not available on interface eth1 | netlink: enabling tunnel mode | netlink: setting IPsec SA replay-window to 32 using old-style req | netlink: esp-hw-offload not set for IPsec SA | netlink response for Add SA esp.27e839d6@192.1.2.23 included non-error error | emitting 12 zero bytes of encryption padding into ISAKMP Message | no IKEv1 message padding required | emitting length of ISAKMP Message: 460 | finished processing quick inI1 | complete v1 state transition with STF_OK | [RE]START processing: state #7 connection "westnet-eastnet-subnets/1x2" from 192.1.2.45:500 (in complete_v1_state_transition() at ikev1.c:2673) | #7 is idle | doing_xauth:no, t_xauth_client_done:no | IKEv1: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1 | child state #7: QUICK_R0(established CHILD SA) => QUICK_R1(established CHILD SA) | event_already_set, deleting event | state #7 requesting EVENT_CRYPTO_TIMEOUT to be deleted | libevent_free: release ptr-libevent@0x7fcaa000a0d8 | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x7fca880058b8 | sending reply packet to 192.1.2.45:500 (from 192.1.2.23:500) | sending 460 bytes for STATE_QUICK_R0 through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #7) |
!event_already_set at reschedule | event_schedule: new EVENT_RETRANSMIT-pe@0x7fca880058b8 | inserting event EVENT_RETRANSMIT, timeout in 0.5 seconds for #7 | libevent_malloc: new ptr-libevent@0x7fca98000e98 size 128 | #7 STATE_QUICK_R1: retransmits: first event in 0.5 seconds; timeout in 60 seconds; limit of 12 retransmits; current time is 11347.576806 | pstats #7 ikev1.ipsec established | NAT-T: encaps is 'auto' "westnet-eastnet-subnets/1x2" #7: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 tunnel mode {ESP=>0x5c64f478 <0x27e839d6 xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=none NATD=none
DPD=passive} | modecfg pull: noquirk policy:push not-client | phase 1 is done, looking for phase 2 to unpend | resume sending helper answer for #7 suppresed complete_v1_state_transition() | #7 spent 0.755 milliseconds in resume sending helper answer | stop processing: state #7 connection "westnet-eastnet-subnets/1x2" from 192.1.2.45:500 (in resume_handler() at server.c:833) | libevent_free: release ptr-libevent@0x7fca9c005118 | processing resume sending helper answer for #9 | start processing: state #9 connection "westnet-eastnet-subnets/2x2" from 192.1.2.45:500 (in resume_handler() at server.c:797) | crypto helper 3 replies to request ID 17 | calling continuation function 0x55d240888b50 | quick_inI1_outR1_cryptocontinue2 for #9: calculated DH, sending R1 | **emit ISAKMP Message: | initiator cookie: | 58 65 7e 03 6c d2 dc 8b | responder cookie: | 8c 79 d8 bb 28 3b 88 3a | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_QUICK (0x20) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 3223976075 (0xc029f88b) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Hash Payload (8:ISAKMP_NEXT_HASH) | next payload chain: saving location 'ISAKMP Hash Payload'.'next payload type' in 'reply packet' | emitting 32 zero bytes of HASH DATA into ISAKMP Hash Payload | emitting length of ISAKMP Hash Payload: 36 | ***emit ISAKMP Security Association Payload: | next payload type: ISAKMP_NEXT_NONCE (0xa) | DOI: ISAKMP_DOI_IPSEC (0x1) | next payload chain: ignoring supplied 'ISAKMP Security Association Payload'.'next payload type' value 10:ISAKMP_NEXT_NONCE | next payload chain: setting previous 'ISAKMP Hash Payload'.'next payload type' to current ISAKMP Security Association Payload (1:ISAKMP_NEXT_SA) | next 
payload chain: saving location 'ISAKMP Security Association Payload'.'next payload type' in 'reply packet' | ****parse IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ****parse ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 72 (0x48) | proposal number: 0 (0x0) | protocol ID: PROTO_IPSEC_ESP (0x3) | SPI size: 4 (0x4) | number of transforms: 2 (0x2) | parsing 4 raw bytes of ISAKMP Proposal Payload into SPI | SPI e5 0f f3 33 | *****parse ISAKMP Transform Payload (ESP): | next payload type: ISAKMP_NEXT_T (0x3) | length: 32 (0x20) | ESP transform number: 0 (0x0) | ESP transform ID: ESP_AES (0xc) | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+GROUP_DESCRIPTION (0x8003) | length/value: 14 (0xe) | [14 is OAKLEY_GROUP_MODP2048] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+ENCAPSULATION_MODE (0x8004) | length/value: 1 (0x1) | [1 is ENCAPSULATION_MODE_TUNNEL] | NAT-T non-encap: Installing IPsec SA without ENCAP, st->hidden_variables.st_nat_traversal is none | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+SA_LIFE_TYPE (0x8001) | length/value: 1 (0x1) | [1 is SA_LIFE_TYPE_SECONDS] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+SA_LIFE_DURATION (variable length) (0x8002) | length/value: 28800 (0x7080) | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+AUTH_ALGORITHM (0x8005) | length/value: 2 (0x2) | [2 is AUTH_ALGORITHM_HMAC_SHA1] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+KEY_LENGTH (0x8006) | length/value: 128 (0x80) | ESP IPsec Transform verified unconditionally; no alg_info to check against | ****emit IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ****emit ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | proposal number: 0 (0x0) | protocol ID: PROTO_IPSEC_ESP (0x3) | SPI size: 4 (0x4) | number of transforms: 1 (0x1) | last substructure: saving location 'ISAKMP Security Association Payload'.'ISAKMP Proposal Payload'.'next payload type' | 
netlink_get_spi: allocated 0x6f6c28c5 for esp.0@192.1.2.23 | emitting 4 raw bytes of SPI into ISAKMP Proposal Payload | SPI 6f 6c 28 c5 | *****emit ISAKMP Transform Payload (ESP): | next payload type: ISAKMP_NEXT_NONE (0x0) | ESP transform number: 0 (0x0) | ESP transform ID: ESP_AES (0xc) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ESP)'.'next payload type' | emitting 24 raw bytes of attributes into ISAKMP Transform Payload (ESP) | attributes 80 03 00 0e 80 04 00 01 80 01 00 01 80 02 70 80 | attributes 80 05 00 02 80 06 00 80 | emitting length of ISAKMP Transform Payload (ESP): 32 | emitting length of ISAKMP Proposal Payload: 44 | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ESP)'.'next payload type' is 0 | emitting length of ISAKMP Security Association Payload: 56 | last substructure: checking 'ISAKMP Security Association Payload'.'ISAKMP Proposal Payload'.'next payload type' is 0 "westnet-eastnet-subnets/2x2" #9: responding to Quick Mode proposal {msgid:c029f88b} "westnet-eastnet-subnets/2x2" #9: us: 192.0.2.64/26===192.1.2.23<192.1.2.23>[@east] "westnet-eastnet-subnets/2x2" #9: them: 192.1.2.45<192.1.2.45>[@west]===192.0.1.128/28 | ***emit ISAKMP Nonce Payload: | next payload type: ISAKMP_NEXT_KE (0x4) | next payload chain: ignoring supplied 'ISAKMP Nonce Payload'.'next payload type' value 4:ISAKMP_NEXT_KE | next payload chain: setting previous 'ISAKMP Security Association Payload'.'next payload type' to current ISAKMP Nonce Payload (10:ISAKMP_NEXT_NONCE) | next payload chain: saving location 'ISAKMP Nonce Payload'.'next payload type' in 'reply packet' | emitting 32 raw bytes of Nr into ISAKMP Nonce Payload | Nr 68 9f 33 d7 fc 6f 7d 2a 18 09 9d 37 be d5 2c 9d | Nr a6 05 a5 00 25 c6 be e2 e1 8e 40 21 ec f7 a2 5e | emitting length of ISAKMP Nonce Payload: 36 | ***emit ISAKMP Key Exchange Payload: | next payload type: ISAKMP_NEXT_ID (0x5) | next payload chain: ignoring supplied 
'ISAKMP Key Exchange Payload'.'next payload type' value 5:ISAKMP_NEXT_ID | next payload chain: setting previous 'ISAKMP Nonce Payload'.'next payload type' to current ISAKMP Key Exchange Payload (4:ISAKMP_NEXT_KE) | next payload chain: saving location 'ISAKMP Key Exchange Payload'.'next payload type' in 'reply packet' | emitting 256 raw bytes of keyex value into ISAKMP Key Exchange Payload | emitting length of ISAKMP Key Exchange Payload: 260 | ***emit ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_ID (0x5) | ID type: ID_IPV4_ADDR_SUBNET (0x4) | Protocol ID: 0 (0x0) | port: 0 (0x0) | next payload chain: ignoring supplied 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' value 5:ISAKMP_NEXT_ID | next payload chain: setting previous 'ISAKMP Key Exchange Payload'.'next payload type' to current ISAKMP Identification Payload (IPsec DOI) (5:ISAKMP_NEXT_ID) | next payload chain: saving location 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type'
in 'reply packet' | emitting 8 raw bytes of ID body into ISAKMP Identification Payload (IPsec DOI) | ID body c0 00 01 80 ff ff ff f0 | emitting length of ISAKMP Identification Payload (IPsec DOI): 16 | ***emit ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_NONE (0x0) | ID type: ID_IPV4_ADDR_SUBNET (0x4) | Protocol ID: 0 (0x0) | port: 0 (0x0) | next payload chain: setting previous 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' to current ISAKMP Identification Payload (IPsec DOI) (5:ISAKMP_NEXT_ID) | next payload chain: saving location 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' in 'reply packet' | emitting 8 raw bytes of ID body into ISAKMP Identification Payload (IPsec DOI) | ID body c0 00 02 40 ff ff ff c0 | emitting length of ISAKMP Identification Payload (IPsec DOI): 16 | quick inR1 outI2 HASH(2): | 6c f5 3c 28 8d 2d 21 2f 5e a1 73 0c 0a 00 bf 72 | 57 ec 44 b0 ee 60 9b 24 85 20 d2 6a 9d 2f c7 a6 | compute_proto_keymat: needed_len (after ESP enc)=16 | compute_proto_keymat: needed_len (after ESP auth)=36 | FOR_EACH_CONNECTION_... in route_owner | conn westnet-eastnet-subnets/2x2 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/2x2 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/2x2 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/2x1 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/2x2 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/1x2 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/2x2 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/1x1 mark 0/00000000, 0/00000000 | route owner of "westnet-eastnet-subnets/2x2" erouted: self | install_inbound_ipsec_sa() checking if we can route | could_route called for westnet-eastnet-subnets/2x2 (kind=CK_PERMANENT) | FOR_EACH_CONNECTION_... 
in route_owner | conn westnet-eastnet-subnets/2x2 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/2x2 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/2x2 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/2x1 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/2x2 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/1x2 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/2x2 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/1x1 mark 0/00000000, 0/00000000 | route owner of "westnet-eastnet-subnets/2x2" erouted: self; eroute owner: self | routing is easy, or has resolvable near-conflict | checking if this is a replacement state | st=0x55d242321788 ost=0x55d24230cb08 st->serialno=#9 ost->serialno=#2 "westnet-eastnet-subnets/2x2" #9: keeping refhim=0 during rekey | installing outgoing SA now as refhim=0 | looking for alg with encrypt: AES_CBC keylen: 128 integ: HMAC_SHA1_96 | encrypt AES_CBC keylen=128 transid=12, key_size=16, encryptalg=12 | st->st_esp.keymat_len=36 is encrypt_keymat_size=16 + integ_keymat_size=20 | setting IPsec SA replay-window to 32 | NIC esp-hw-offload not for connection 'westnet-eastnet-subnets/2x2' not available on interface eth1 | netlink: enabling tunnel mode | netlink: setting IPsec SA replay-window to 32 using old-style req | netlink: esp-hw-offload not set for IPsec SA | netlink response for Add SA esp.e50ff333@192.1.2.45 included non-error error | outgoing SA has refhim=0 | looking for alg with encrypt: AES_CBC keylen: 128 integ: HMAC_SHA1_96 | encrypt AES_CBC keylen=128 transid=12, key_size=16, encryptalg=12 | st->st_esp.keymat_len=36 is encrypt_keymat_size=16 + integ_keymat_size=20 | setting IPsec SA replay-window to 32 | NIC esp-hw-offload not for connection 'westnet-eastnet-subnets/2x2' not available on interface eth1 | netlink: enabling tunnel mode | netlink: setting IPsec SA replay-window to 32 using old-style req | netlink: esp-hw-offload not set for IPsec SA | 
netlink response for Add SA esp.6f6c28c5@192.1.2.23 included non-error error | emitting 12 zero bytes of encryption padding into ISAKMP Message | no IKEv1 message padding required | emitting length of ISAKMP Message: 460 | finished processing quick inI1 | complete v1 state transition with STF_OK | [RE]START processing: state #9 connection "westnet-eastnet-subnets/2x2" from 192.1.2.45:500 (in complete_v1_state_transition() at ikev1.c:2673) | #9 is idle | doing_xauth:no, t_xauth_client_done:no | IKEv1: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1 | child state #9: QUICK_R0(established CHILD SA) => QUICK_R1(established CHILD SA) | event_already_set, deleting event | state #9 requesting EVENT_CRYPTO_TIMEOUT to be deleted | libevent_free: release ptr-libevent@0x7fca94008998 | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55d2423124c8 | sending reply packet to 192.1.2.45:500 (from 192.1.2.23:500) | sending 460 bytes for STATE_QUICK_R0 through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #9)
| !event_already_set at reschedule | event_schedule: new EVENT_RETRANSMIT-pe@0x55d2423124c8 | inserting event EVENT_RETRANSMIT, timeout in 0.5 seconds for #9 | libevent_malloc: new ptr-libevent@0x7fca9c005118 size 128 | #9 STATE_QUICK_R1: retransmits: first event in 0.5 seconds; timeout in 60 seconds; limit of 12 retransmits; current time is 11347.577597 | pstats #9 ikev1.ipsec established | NAT-T: encaps is 'auto' "westnet-eastnet-subnets/2x2" #9: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 tunnel mode {ESP=>0xe50ff333 <0x6f6c28c5 xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=none NATD=none DPD=passive} | modecfg pull: noquirk policy:push not-client | phase 1 is done, looking for phase 2 to unpend | resume sending helper answer for #9 suppresed complete_v1_state_transition() | #9 spent 0.756 milliseconds in resume sending helper answer | stop processing: state #9 connection "westnet-eastnet-subnets/2x2" from 192.1.2.45:500 (in resume_handler() at server.c:833) | libevent_free: release ptr-libevent@0x7fca90009f78 | spent 0.00173 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 76 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500) | 58 65 7e 03 6c d2 dc 8b 8c 79 d8 bb 28 3b 88 3a | 08 10 20 01 58 9c 96 ee 00 00 00 4c 75 2c 2c 32 | 5f 49 5f fb bc e5 b4 28 7b c4 f2 f5 8b 2b a6 f1 | 4e 28 c2 cd f6 d4 c7 7e 2e 88 d7 e7 bb 38 75 57 | 7d 18 87 31 2c 42 b2 df 4b c4 dc df | start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: |
initiator cookie: | 58 65 7e 03 6c d2 dc 8b | responder cookie: | 8c 79 d8 bb 28 3b 88 3a | next payload type: ISAKMP_NEXT_HASH (0x8) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_QUICK (0x20) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 1486657262 (0x589c96ee) | length: 76 (0x4c) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_QUICK (32) | State DB: found IKEv1 state #8 in QUICK_R1 (find_state_ikev1) | start processing: state #8 connection "westnet-eastnet-subnets/2x1" from 192.1.2.45:500 (in process_v1_packet() at ikev1.c:1633) | #8 is idle | #8 idle | received encrypted packet from 192.1.2.45:500 | got payload 0x100 (ISAKMP_NEXT_HASH) needed: 0x100 opt: 0x0 | ***parse ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 36 (0x24) | removing 12 bytes of padding | quick_inI2 HASH(3): | 08 b8 e3 e4 35 79 94 cb 0e 4f 56 81 bd a1 ac bd | 0c 5a 6e 6a f7 ec 61 e1 14 9e d2 57 76 38 0e 0a | received 'quick_inI2' message HASH(3) data ok | install_ipsec_sa() for #8: outbound only | could_route called for westnet-eastnet-subnets/2x1 (kind=CK_PERMANENT) | FOR_EACH_CONNECTION_... in route_owner | conn westnet-eastnet-subnets/2x1 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/2x2 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/2x1 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/2x1 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/2x1 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/1x2 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/2x1 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/1x1 mark 0/00000000, 0/00000000 | route owner of "westnet-eastnet-subnets/2x1" erouted: self; eroute owner: self | sr for #8: erouted | route_and_eroute() for proto 0, and source port 0 dest port 0 | FOR_EACH_CONNECTION_... 
in route_owner | conn westnet-eastnet-subnets/2x1 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/2x2 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/2x1 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/2x1 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/2x1 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/1x2 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/2x1 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/1x1 mark 0/00000000, 0/00000000 | route owner of "westnet-eastnet-subnets/2x1" erouted: self; eroute owner: self | route_and_eroute with c: westnet-eastnet-subnets/2x1 (next: none) ero:westnet-eastnet-subnets/2x1 esr:{(nil)} ro:westnet-eastnet-subnets/2x1 rosr:{(nil)} and state: #8 | priority calculation of connection "westnet-eastnet-subnets/2x1" is 0xfe3e3 | eroute_connection replace eroute 192.0.2.16/28:0 --0-> 192.0.1.128/28:0 => tun.0@192.1.2.45>tun.0@192.1.2.45 (raw_eroute) | IPsec Sa SPD priority set to 1041379 | raw_eroute result=success | route_and_eroute: firewall_notified: true | route_and_eroute: instance "westnet-eastnet-subnets/2x1", setting eroute_owner {spd=0x55d242301078,sr=0x55d242301078} to #8 (was #3) (newest_ipsec_sa=#3) | #1 spent 0.0967 milliseconds in install_ipsec_sa() | inI2: instance westnet-eastnet-subnets/2x1[0], setting IKEv1 newest_ipsec_sa to #8 (was #3) (spd.eroute=#8) cloned from #1 | DPD: dpd_init() called on IPsec SA | DPD: Peer does not support Dead Peer Detection | complete v1 state transition with STF_OK | [RE]START processing: state #8 connection "westnet-eastnet-subnets/2x1" from 192.1.2.45:500 (in complete_v1_state_transition() at ikev1.c:2673) | #8 is idle | doing_xauth:no, t_xauth_client_done:no | IKEv1: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2 | child state #8: QUICK_R1(established CHILD SA) => QUICK_R2(established CHILD SA) | event_already_set, deleting event | state #8 requesting EVENT_RETRANSMIT to be deleted 
| #8 STATE_QUICK_R2: retransmits: cleared | libevent_free: release ptr-libevent@0x7fca8800b6c8 | free_event_entry: release EVENT_RETRANSMIT-pe@0x55d242312178 | !event_already_set at reschedule | event_schedule: new EVENT_SA_REPLACE-pe@0x55d242312178 | inserting event EVENT_SA_REPLACE, timeout in 28530 seconds for #8 | libevent_malloc: new ptr-libevent@0x7fca90009f78 size 128 | pstats #8 ikev1.ipsec established | NAT-T: encaps is 'auto' "westnet-eastnet-subnets/2x1" #8: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0xabe58c79 <0xfdd85bd4 xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=none NATD=none DPD=passive} | modecfg pull: noquirk policy:push not-client | phase 1 is done, looking for phase 2 to unpend | #8 spent 0.154 milliseconds in process_packet_tail() | stop processing: from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:380) | stop processing: state #8 connection "westnet-eastnet-subnets/2x1" from 192.1.2.45:500 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.266 milliseconds in comm_handle_cb() reading and processing packet | spent 0.00155 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 76 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500) | 58 65 7e 03 6c d2 dc 8b 8c 79 d8 bb 28 3b 88 3a | 08 10 20 01 f6 97 eb e2 00 00 00 4c b6 8e 99 71 | 5c bd 3d 65 fb 46 09 ad 58 49 6c d5 79 da d9 83 | 1b 24 0e 53 21 98 91 a3 c8 01 01 de a4 3f 9c 8c | 60 dd 63 3b b7 2e 90 51 29 a6 1b 28 | start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 58 65 7e 03 6c d2 dc 8b | responder cookie: | 8c 79 d8 bb 28 3b 88 3a | next payload type: ISAKMP_NEXT_HASH (0x8) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_QUICK (0x20) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 4137151458 (0xf697ebe2) | length: 76 (0x4c) | processing version=1.0 packet with exchange 
type=ISAKMP_XCHG_QUICK (32) | State DB: found IKEv1 state #6 in QUICK_R1 (find_state_ikev1) | start processing: state #6 connection "westnet-eastnet-subnets/1x1" from 192.1.2.45:500 (in process_v1_packet() at ikev1.c:1633) | #6 is idle | #6 idle | received encrypted packet from 192.1.2.45:500 | got payload 0x100 (ISAKMP_NEXT_HASH) needed: 0x100 opt: 0x0 | ***parse ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 36 (0x24) | removing 12 bytes of padding | quick_inI2 HASH(3): | 62 7d 9c 8b 36 52 98 4d 13 01 08 1e 59 5a a0 52 | 1d a0 66 1c 37 ab f6 dc f8 93 1f 2a 72 8b 8b 79 | received 'quick_inI2' message HASH(3) data ok | install_ipsec_sa() for #6: outbound only | could_route called for westnet-eastnet-subnets/1x1 (kind=CK_PERMANENT) | FOR_EACH_CONNECTION_... in route_owner | conn westnet-eastnet-subnets/1x1 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/2x2 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/1x1 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/2x1 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/1x1 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/1x2 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/1x1 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/1x1 mark 0/00000000, 0/00000000 | route owner of "westnet-eastnet-subnets/1x1" erouted: self; eroute owner: self | sr for #6: erouted | route_and_eroute() for proto 0, and source port 0 dest port 0 | FOR_EACH_CONNECTION_... 
in route_owner | conn westnet-eastnet-subnets/1x1 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/2x2 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/1x1 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/2x1 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/1x1 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/1x2 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/1x1 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/1x1 mark 0/00000000, 0/00000000 | route owner of "westnet-eastnet-subnets/1x1" erouted: self; eroute owner: self | route_and_eroute with c: westnet-eastnet-subnets/1x1 (next: none) ero:westnet-eastnet-subnets/1x1 esr:{(nil)} ro:westnet-eastnet-subnets/1x1 rosr:{(nil)} and state: #6 | priority calculation of connection "westnet-eastnet-subnets/1x1" is 0xfe3e3 | eroute_connection replace eroute 192.0.2.16/28:0 --0-> 192.0.1.0/28:0 => tun.0@192.1.2.45>tun.0@192.1.2.45 (raw_eroute) | IPsec Sa SPD priority set to 1041379 | raw_eroute result=success | route_and_eroute: firewall_notified: true | route_and_eroute: instance "westnet-eastnet-subnets/1x1", setting eroute_owner {spd=0x55d2422ff758,sr=0x55d2422ff758} to #6 (was #4) (newest_ipsec_sa=#4) | #1 spent 0.0931 milliseconds in install_ipsec_sa() | inI2: instance westnet-eastnet-subnets/1x1[0], setting IKEv1 newest_ipsec_sa to #6 (was #4) (spd.eroute=#6) cloned from #1 | DPD: dpd_init() called on IPsec SA | DPD: Peer does not support Dead Peer Detection | complete v1 state transition with STF_OK | [RE]START processing: state #6 connection "westnet-eastnet-subnets/1x1" from 192.1.2.45:500 (in complete_v1_state_transition() at ikev1.c:2673) | #6 is idle | doing_xauth:no, t_xauth_client_done:no | IKEv1: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2 | child state #6: QUICK_R1(established CHILD SA) => QUICK_R2(established CHILD SA) | event_already_set, deleting event | state #6 requesting EVENT_RETRANSMIT to be deleted | 
#6 STATE_QUICK_R2: retransmits: cleared | libevent_free: release ptr-libevent@0x7fca8c002538 | free_event_entry: release EVENT_RETRANSMIT-pe@0x7fca90004218 | !event_already_set at reschedule | event_schedule: new EVENT_SA_REPLACE-pe@0x7fca90004218 | inserting event EVENT_SA_REPLACE, timeout in 28530 seconds for #6 | libevent_malloc: new ptr-libevent@0x55d24231e0c8 size 128 | pstats #6 ikev1.ipsec established | NAT-T: encaps is 'auto' "westnet-eastnet-subnets/1x1" #6: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0xfbe27bd0 <0xacb297c8 xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=none NATD=none DPD=passive} | modecfg pull: noquirk policy:push not-client | phase 1 is done, looking for phase 2 to unpend | #6 spent 0.152 milliseconds in process_packet_tail() | stop processing: from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:380) | stop processing: state #6 connection "westnet-eastnet-subnets/1x1" from 192.1.2.45:500 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.259 milliseconds in comm_handle_cb() reading and processing packet | spent 0.00198 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 76 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500) | 58 65 7e 03 6c d2 dc 8b 8c 79 d8 bb 28 3b 88 3a | 08 10 20 01 e6 5a b2 3a 00 00 00 4c 46 a9 fa e4 | 07 f5 f8 c9 0e b3 47 62 35 1d 82 ea 5e 50 31 f2 | 30 61 2e fd 21 d4 a3 40 51 03 f6 42 03 8c 45 90 | dc 0b f5 89 6a 8f 7d 6f 35 d4 c6 c4 | start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 58 65 7e 03 6c d2 dc 8b | responder cookie: | 8c 79 d8 bb 28 3b 88 3a | next payload type: ISAKMP_NEXT_HASH (0x8) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_QUICK (0x20) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 3864703546 (0xe65ab23a) | length: 76 (0x4c) | processing version=1.0 packet with exchange 
type=ISAKMP_XCHG_QUICK (32) | State DB: found IKEv1 state #7 in QUICK_R1 (find_state_ikev1) | start processing: state #7 connection "westnet-eastnet-subnets/1x2" from 192.1.2.45:500 (in process_v1_packet() at ikev1.c:1633) | #7 is idle | #7 idle | received encrypted packet from 192.1.2.45:500 | got payload 0x100 (ISAKMP_NEXT_HASH) needed: 0x100 opt: 0x0 | ***parse ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 36 (0x24) | removing 12 bytes of padding | quick_inI2 HASH(3): | e5 6e cf 53 da 83 1f 84 76 52 cb 7b 00 a8 dd ae | 7a 73 73 f7 8f 64 9a a5 1c 75 d2 26 31 63 2f 56 | received 'quick_inI2' message HASH(3) data ok | install_ipsec_sa() for #7: outbound only | could_route called for westnet-eastnet-subnets/1x2 (kind=CK_PERMANENT) | FOR_EACH_CONNECTION_... in route_owner | conn westnet-eastnet-subnets/1x2 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/2x2 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/1x2 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/2x1 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/1x2 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/1x2 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/1x2 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/1x1 mark 0/00000000, 0/00000000 | route owner of "westnet-eastnet-subnets/1x2" erouted: self; eroute owner: self | sr for #7: erouted | route_and_eroute() for proto 0, and source port 0 dest port 0 | FOR_EACH_CONNECTION_... 
in route_owner | conn westnet-eastnet-subnets/1x2 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/2x2 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/1x2 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/2x1 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/1x2 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/1x2 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/1x2 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/1x1 mark 0/00000000, 0/00000000 | route owner of "westnet-eastnet-subnets/1x2" erouted: self; eroute owner: self | route_and_eroute with c: westnet-eastnet-subnets/1x2 (next: none) ero:westnet-eastnet-subnets/1x2 esr:{(nil)} ro:westnet-eastnet-subnets/1x2 rosr:{(nil)} and state: #7 | priority calculation of connection "westnet-eastnet-subnets/1x2" is 0xfe5e3 | eroute_connection replace eroute 192.0.2.64/26:0 --0-> 192.0.1.0/28:0 => tun.0@192.1.2.45>tun.0@192.1.2.45 (raw_eroute) | IPsec Sa SPD priority set to 1041891 | raw_eroute result=success | route_and_eroute: firewall_notified: true | route_and_eroute: instance "westnet-eastnet-subnets/1x2", setting eroute_owner {spd=0x55d242300a48,sr=0x55d242300a48} to #7 (was #5) (newest_ipsec_sa=#5) | #1 spent 0.0897 milliseconds in install_ipsec_sa() | inI2: instance westnet-eastnet-subnets/1x2[0], setting IKEv1 newest_ipsec_sa to #7 (was #5) (spd.eroute=#7) cloned from #1 | DPD: dpd_init() called on IPsec SA | DPD: Peer does not support Dead Peer Detection | complete v1 state transition with STF_OK | [RE]START processing: state #7 connection "westnet-eastnet-subnets/1x2" from 192.1.2.45:500 (in complete_v1_state_transition() at ikev1.c:2673) | #7 is idle | doing_xauth:no, t_xauth_client_done:no | IKEv1: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2 | child state #7: QUICK_R1(established CHILD SA) => QUICK_R2(established CHILD SA) | event_already_set, deleting event | state #7 requesting EVENT_RETRANSMIT to be deleted | 
#7 STATE_QUICK_R2: retransmits: cleared | libevent_free: release ptr-libevent@0x7fca98000e98 | free_event_entry: release EVENT_RETRANSMIT-pe@0x7fca880058b8 | !event_already_set at reschedule | event_schedule: new EVENT_SA_REPLACE-pe@0x7fca880058b8 | inserting event EVENT_SA_REPLACE, timeout in 28530 seconds for #7 | libevent_malloc: new ptr-libevent@0x55d24230e288 size 128 | pstats #7 ikev1.ipsec established | NAT-T: encaps is 'auto' "westnet-eastnet-subnets/1x2" #7: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x5c64f478 <0x27e839d6 xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=none NATD=none DPD=passive} | modecfg pull: noquirk policy:push not-client | phase 1 is done, looking for phase 2 to unpend | #7 spent 0.151 milliseconds in process_packet_tail() | stop processing: from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:380) | stop processing: state #7 connection "westnet-eastnet-subnets/1x2" from 192.1.2.45:500 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.263 milliseconds in comm_handle_cb() reading and processing packet | spent 0.00198 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 76 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500) | 58 65 7e 03 6c d2 dc 8b 8c 79 d8 bb 28 3b 88 3a | 08 10 20 01 c0 29 f8 8b 00 00 00 4c 8a 76 1d dd | e9 06 0c d6 f4 b8 91 70 e6 ce a7 c6 6d e5 fa 41 | 2a 73 81 81 23 3e 0d 8c ba 92 c2 6b 78 bc 06 96 | 7c 6d a4 a2 73 5f 68 9c 2c ca d7 08 | start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 58 65 7e 03 6c d2 dc 8b | responder cookie: | 8c 79 d8 bb 28 3b 88 3a | next payload type: ISAKMP_NEXT_HASH (0x8) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_QUICK (0x20) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 3223976075 (0xc029f88b) | length: 76 (0x4c) | processing version=1.0 packet with exchange 
type=ISAKMP_XCHG_QUICK (32) | State DB: found IKEv1 state #9 in QUICK_R1 (find_state_ikev1) | start processing: state #9 connection "westnet-eastnet-subnets/2x2" from 192.1.2.45:500 (in process_v1_packet() at ikev1.c:1633) | #9 is idle | #9 idle | received encrypted packet from 192.1.2.45:500 | got payload 0x100 (ISAKMP_NEXT_HASH) needed: 0x100 opt: 0x0 | ***parse ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 36 (0x24) | removing 12 bytes of padding | quick_inI2 HASH(3): | 7b 51 0a 91 af e9 bb b8 86 36 8f f5 0f ef 52 12 | ba 7d 69 4e 29 87 02 c6 36 ed dc ce 57 13 fd 88 | received 'quick_inI2' message HASH(3) data ok | install_ipsec_sa() for #9: outbound only | could_route called for westnet-eastnet-subnets/2x2 (kind=CK_PERMANENT) | FOR_EACH_CONNECTION_... in route_owner | conn westnet-eastnet-subnets/2x2 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/2x2 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/2x2 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/2x1 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/2x2 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/1x2 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/2x2 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/1x1 mark 0/00000000, 0/00000000 | route owner of "westnet-eastnet-subnets/2x2" erouted: self; eroute owner: self | sr for #9: erouted | route_and_eroute() for proto 0, and source port 0 dest port 0 | FOR_EACH_CONNECTION_... 
in route_owner | conn westnet-eastnet-subnets/2x2 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/2x2 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/2x2 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/2x1 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/2x2 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/1x2 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/2x2 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/1x1 mark 0/00000000, 0/00000000 | route owner of "westnet-eastnet-subnets/2x2" erouted: self; eroute owner: self | route_and_eroute with c: westnet-eastnet-subnets/2x2 (next: none) ero:westnet-eastnet-subnets/2x2 esr:{(nil)} ro:westnet-eastnet-subnets/2x2 rosr:{(nil)} and state: #9 | priority calculation of connection "westnet-eastnet-subnets/2x2" is 0xfe5e3 | eroute_connection replace eroute 192.0.2.64/26:0 --0-> 192.0.1.128/28:0 => tun.0@192.1.2.45>tun.0@192.1.2.45 (raw_eroute) | IPsec Sa SPD priority set to 1041891 | raw_eroute result=success | route_and_eroute: firewall_notified: true | route_and_eroute: instance "westnet-eastnet-subnets/2x2", setting eroute_owner {spd=0x55d242301888,sr=0x55d242301888} to #9 (was #2) (newest_ipsec_sa=#2) | #1 spent 0.0968 milliseconds in install_ipsec_sa() | inI2: instance westnet-eastnet-subnets/2x2[0], setting IKEv1 newest_ipsec_sa to #9 (was #2) (spd.eroute=#9) cloned from #1 | DPD: dpd_init() called on IPsec SA | DPD: Peer does not support Dead Peer Detection | complete v1 state transition with STF_OK | [RE]START processing: state #9 connection "westnet-eastnet-subnets/2x2" from 192.1.2.45:500 (in complete_v1_state_transition() at ikev1.c:2673) | #9 is idle | doing_xauth:no, t_xauth_client_done:no | IKEv1: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2 | child state #9: QUICK_R1(established CHILD SA) => QUICK_R2(established CHILD SA) | event_already_set, deleting event | state #9 requesting EVENT_RETRANSMIT to be deleted 
| #9 STATE_QUICK_R2: retransmits: cleared | libevent_free: release ptr-libevent@0x7fca9c005118 | free_event_entry: release EVENT_RETRANSMIT-pe@0x55d2423124c8 | !event_already_set at reschedule | event_schedule: new EVENT_SA_REPLACE-pe@0x55d2423124c8 | inserting event EVENT_SA_REPLACE, timeout in 28530 seconds for #9 | libevent_malloc: new ptr-libevent@0x55d24230e338 size 128 | pstats #9 ikev1.ipsec established | NAT-T: encaps is 'auto' "westnet-eastnet-subnets/2x2" #9: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0xe50ff333 <0x6f6c28c5 xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=none NATD=none DPD=passive} | modecfg pull: noquirk policy:push not-client | phase 1 is done, looking for phase 2 to unpend | #9 spent 0.154 milliseconds in process_packet_tail() | stop processing: from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:380) | stop processing: state #9 connection "westnet-eastnet-subnets/2x2" from 192.1.2.45:500 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.263 milliseconds in comm_handle_cb() reading and processing packet | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) | FOR_EACH_CONNECTION_... in show_connections_status | FOR_EACH_CONNECTION_... in show_connections_status | FOR_EACH_STATE_... in show_states_status (sort_states) | FOR_EACH_STATE_... 
in sort_states | get_sa_info esp.b2d9847b@192.1.2.23 | get_sa_info esp.4a46f032@192.1.2.45 | get_sa_info esp.acb297c8@192.1.2.23 | get_sa_info esp.fbe27bd0@192.1.2.45 | get_sa_info esp.b67af74a@192.1.2.23 | get_sa_info esp.1b5f9f63@192.1.2.45 | get_sa_info esp.27e839d6@192.1.2.23 | get_sa_info esp.5c64f478@192.1.2.45 | get_sa_info esp.f4455162@192.1.2.23 | get_sa_info esp.95087394@192.1.2.45 | get_sa_info esp.fdd85bd4@192.1.2.23 | get_sa_info esp.abe58c79@192.1.2.45 | get_sa_info esp.700402af@192.1.2.23 | get_sa_info esp.fae87546@192.1.2.45 | get_sa_info esp.6f6c28c5@192.1.2.23 | get_sa_info esp.e50ff333@192.1.2.45 | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.9 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) shutting down | processing: RESET whack log_fd (was fd@16) (in exit_pluto() at plutomain.c:1825) | certs and keys locked by 'free_preshared_secrets' forgetting secrets | certs and keys unlocked by 'free_preshared_secrets' | unreference key: 0x55d242300188 @east cnt 1-- | unreference key: 0x55d242258c48 @west cnt 2-- | start processing: connection "westnet-eastnet-subnets/2x2" (in delete_connection() at connections.c:189) | Deleting states for connection - including all other IPsec SA's of this IKE SA | pass 0 | FOR_EACH_STATE_... 
in foreach_state_by_connection_func_delete | state #9 | suspend processing: connection "westnet-eastnet-subnets/2x2" (in foreach_state_by_connection_func_delete() at state.c:1310) | start processing: state #9 connection "westnet-eastnet-subnets/2x2" from 192.1.2.45:500 (in foreach_state_by_connection_func_delete() at state.c:1310) | pstats #9 ikev1.ipsec deleted completed | [RE]START processing: state #9 connection "westnet-eastnet-subnets/2x2" from 192.1.2.45:500 (in delete_state() at state.c:879) "westnet-eastnet-subnets/2x2" #9: deleting state (STATE_QUICK_R2) aged 1.378s and sending notification | child state #9: QUICK_R2(established CHILD SA) => delete | get_sa_info esp.e50ff333@192.1.2.45 | get_sa_info esp.6f6c28c5@192.1.2.23 "westnet-eastnet-subnets/2x2" #9: ESP traffic information: in=0B out=0B | #9 send IKEv1 delete notification for STATE_QUICK_R2 | FOR_EACH_STATE_... in find_phase1_state | **emit ISAKMP Message: | initiator cookie: | 58 65 7e 03 6c d2 dc 8b | responder cookie: | 8c 79 d8 bb 28 3b 88 3a | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_INFO (0x5) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 646638205 (0x268aea7d) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Hash Payload (8:ISAKMP_NEXT_HASH) | next payload chain: saving location 'ISAKMP Hash Payload'.'next payload type' in 'delete msg' | emitting 32 zero bytes of HASH DATA into ISAKMP Hash Payload | emitting length of ISAKMP Hash Payload: 36 | ***emit ISAKMP Delete Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | DOI: ISAKMP_DOI_IPSEC (0x1) | protocol ID: 3 (0x3) | SPI size: 4 (0x4) | number of SPIs: 1 (0x1) | next payload chain: setting previous 'ISAKMP Hash Payload'.'next payload type' to 
current ISAKMP Delete Payload (12:ISAKMP_NEXT_D) | next payload chain: saving location 'ISAKMP Delete Payload'.'next payload type' in 'delete msg' | emitting 4 raw bytes of delete payload into ISAKMP Delete Payload | delete payload 6f 6c 28 c5 | emitting length of ISAKMP Delete Payload: 16 | send delete HASH(1): | f1 ca a8 fc 01 e3 e4 f6 38 f0 2d 28 17 5c 1d 54 | 52 85 e5 b9 9a 20 73 8e d2 23 4d 7f 31 09 80 9f | emitting 12 zero bytes of encryption padding into ISAKMP Message | no IKEv1 message padding required | emitting length of ISAKMP Message: 92 | sending 92 bytes for delete notify through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #1) | 58 65 7e 03 6c d2 dc 8b 8c 79 d8 bb 28 3b 88 3a | 08 10 05 01 26 8a ea 7d 00 00 00 5c 3b 91 0a a4 | b3 36 e0 b4 fd cd c4 f2 78 4e 86 7a 3d 8e 7a 4a | 0b 20 84 f5 78 85 e9 ab 99 24 4c d9 3f 63 e2 7f | 4b 86 0e 10 c1 b2 de 9e 19 18 37 aa 96 92 20 74 | 2a 90 9d 21 3f 4f 6e 92 e7 cb 5a a0 | state #9 requesting EVENT_SA_REPLACE to be deleted | libevent_free: release ptr-libevent@0x55d24230e338 | free_event_entry: release EVENT_SA_REPLACE-pe@0x55d2423124c8 | running updown command "ipsec _updown" for verb down | command executing down-client | executing down-client: PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='westnet-eastnet-subnets/2x2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.64/26' PLUTO_MY_CLIENT_NET='192.0.2.64' PLUTO_MY_CLIENT_MASK='255.255.255.192' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16400' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='@west' PLUTO_PEER_CLIENT='192.0.1.128/28' PLUTO_PEER_CLIENT_NET='192.0.1.128' PLUTO_PEER_CLIENT_MASK='255.255.255.240' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1566826061' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' 
PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no | popen cmd is 1067 chars long | cmd( 0):PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='westnet-eastnet-s: | cmd( 80):ubnets/2x2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2: | cmd( 160):.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.64/26' PLUTO_MY_CLIENT_NET='19: | cmd( 240):2.0.2.64' PLUTO_MY_CLIENT_MASK='255.255.255.192' PLUTO_MY_PORT='0' PLUTO_MY_PROT: | cmd( 320):OCOL='0' PLUTO_SA_REQID='16400' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUT: | cmd( 400):O_PEER_ID='@west' PLUTO_PEER_CLIENT='192.0.1.128/28' PLUTO_PEER_CLIENT_NET='192.: | cmd( 480):0.1.128' PLUTO_PEER_CLIENT_MASK='255.255.255.240' PLUTO_PEER_PORT='0' PLUTO_PEER: | cmd( 560):_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1566826061' P: | cmd( 640):LUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALL: | cmd( 720):OW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAI: | cmd( 800):LED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' P: | cmd( 880):LUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURE: | cmd( 960):D='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0xe50ff333 SPI_OUT=0x: | cmd(1040):6f6c28c5 ipsec _updown 2>&1: | shunt_eroute() called for connection 'westnet-eastnet-subnets/2x2' to 'replace with shunt' for rt_kind 'prospective erouted' using protoports 0--0->-0 | netlink_shunt_eroute for proto 0, and source port 0 dest port 0 | priority calculation of connection "westnet-eastnet-subnets/2x2" is 0xfe5e3 | IPsec Sa SPD priority set to 1041891 | delete esp.e50ff333@192.1.2.45 | netlink response for Del SA esp.e50ff333@192.1.2.45 included non-error error | priority calculation of 
connection "westnet-eastnet-subnets/2x2" is 0xfe5e3 | delete inbound eroute 192.0.1.128/28:0 --0-> 192.0.2.64/26:0 => unk255.10000@192.1.2.23 (raw_eroute) | raw_eroute result=success | delete esp.6f6c28c5@192.1.2.23 | netlink response for Del SA esp.6f6c28c5@192.1.2.23 included non-error error | stop processing: connection "westnet-eastnet-subnets/2x2" (BACKGROUND) (in update_state_connection() at connections.c:4076) | start processing: connection NULL (in update_state_connection() at connections.c:4077) | in connection_discard for connection westnet-eastnet-subnets/2x2 | State DB: deleting IKEv1 state #9 in QUICK_R2 | child state #9: QUICK_R2(established CHILD SA) => UNDEFINED(ignore) | stop processing: state #9 from 192.1.2.45:500 (in delete_state() at state.c:1143) | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312) | state #8 | start processing: state #8 connection "westnet-eastnet-subnets/2x1" from 192.1.2.45:500 (in foreach_state_by_connection_func_delete() at state.c:1310) | pstats #8 ikev1.ipsec deleted completed | [RE]START processing: state #8 connection "westnet-eastnet-subnets/2x1" from 192.1.2.45:500 (in delete_state() at state.c:879) "westnet-eastnet-subnets/2x1" #8: deleting state (STATE_QUICK_R2) aged 1.392s and sending notification | child state #8: QUICK_R2(established CHILD SA) => delete | get_sa_info esp.abe58c79@192.1.2.45 | get_sa_info esp.fdd85bd4@192.1.2.23 "westnet-eastnet-subnets/2x1" #8: ESP traffic information: in=0B out=0B | #8 send IKEv1 delete notification for STATE_QUICK_R2 | FOR_EACH_STATE_... 
in find_phase1_state | **emit ISAKMP Message: | initiator cookie: | 58 65 7e 03 6c d2 dc 8b | responder cookie: | 8c 79 d8 bb 28 3b 88 3a | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_INFO (0x5) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 1335258319 (0x4f966ccf) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Hash Payload (8:ISAKMP_NEXT_HASH) | next payload chain: saving location 'ISAKMP Hash Payload'.'next payload type' in 'delete msg' | emitting 32 zero bytes of HASH DATA into ISAKMP Hash Payload | emitting length of ISAKMP Hash Payload: 36 | ***emit ISAKMP Delete Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | DOI: ISAKMP_DOI_IPSEC (0x1) | protocol ID: 3 (0x3) | SPI size: 4 (0x4) | number of SPIs: 1 (0x1) | next payload chain: setting previous 'ISAKMP Hash Payload'.'next payload type' to current ISAKMP Delete Payload (12:ISAKMP_NEXT_D) | next payload chain: saving location 'ISAKMP Delete Payload'.'next payload type' in 'delete msg' | emitting 4 raw bytes of delete payload into ISAKMP Delete Payload | delete payload fd d8 5b d4 | emitting length of ISAKMP Delete Payload: 16 | send delete HASH(1): | bc 0f e8 46 bb 41 d8 76 f1 3e 97 2e a6 e2 19 15 | 06 8f 3b 76 9c bc 87 1c 81 6f e3 bc 4e 9e 2b ca | emitting 12 zero bytes of encryption padding into ISAKMP Message | no IKEv1 message padding required | emitting length of ISAKMP Message: 92 | sending 92 bytes for delete notify through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #1) | 58 65 7e 03 6c d2 dc 8b 8c 79 d8 bb 28 3b 88 3a | 08 10 05 01 4f 96 6c cf 00 00 00 5c 20 86 a4 e8 | 26 6e 44 fa 18 4c 1f b2 b8 d9 ef 86 c6 3f a9 00 | 93 d1 12 9b 79 4d 14 33 9a fc 08 87 ee 15 c8 39 | ba 30 ae d1 6f 41 59 79 4d 75 2b 77 
03 52 a0 af | 9a 3e 84 ef c1 f6 ac 6d 9f 85 54 c2 | state #8 requesting EVENT_SA_REPLACE to be deleted | libevent_free: release ptr-libevent@0x7fca90009f78 | free_event_entry: release EVENT_SA_REPLACE-pe@0x55d242312178 | running updown command "ipsec _updown" for verb down | command executing down-client | executing down-client: PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='westnet-eastnet-subnets/2x1' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.16/28' PLUTO_MY_CLIENT_NET='192.0.2.16' PLUTO_MY_CLIENT_MASK='255.255.255.240' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16396' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='@west' PLUTO_PEER_CLIENT='192.0.1.128/28' PLUTO_PEER_CLIENT_NET='192.0.1.128' PLUTO_PEER_CLIENT_MASK='255.255.255.240' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1566826061' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no | popen cmd is 1067 chars long | cmd( 0):PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='westnet-eastnet-s: | cmd( 80):ubnets/2x1' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2: | cmd( 160):.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.16/28' PLUTO_MY_CLIENT_NET='19: | cmd( 240):2.0.2.16' PLUTO_MY_CLIENT_MASK='255.255.255.240' PLUTO_MY_PORT='0' PLUTO_MY_PROT: | cmd( 320):OCOL='0' PLUTO_SA_REQID='16396' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUT: | cmd( 400):O_PEER_ID='@west' PLUTO_PEER_CLIENT='192.0.1.128/28' PLUTO_PEER_CLIENT_NET='192.: | cmd( 480):0.1.128' PLUTO_PEER_CLIENT_MASK='255.255.255.240' PLUTO_PEER_PORT='0' 
PLUTO_PEER: | cmd( 560):_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1566826061' P: | cmd( 640):LUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALL: | cmd( 720):OW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAI: | cmd( 800):LED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' P: | cmd( 880):LUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURE: | cmd( 960):D='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0xabe58c79 SPI_OUT=0x: | cmd(1040):fdd85bd4 ipsec _updown 2>&1: | shunt_eroute() called for connection 'westnet-eastnet-subnets/2x1' to 'replace with shunt' for rt_kind 'prospective erouted' using protoports 0--0->-0 | netlink_shunt_eroute for proto 0, and source port 0 dest port 0 | priority calculation of connection "westnet-eastnet-subnets/2x1" is 0xfe3e3 | IPsec Sa SPD priority set to 1041379 | delete esp.abe58c79@192.1.2.45 | netlink response for Del SA esp.abe58c79@192.1.2.45 included non-error error | priority calculation of connection "westnet-eastnet-subnets/2x1" is 0xfe3e3 | delete inbound eroute 192.0.1.128/28:0 --0-> 192.0.2.16/28:0 => unk255.10000@192.1.2.23 (raw_eroute) | raw_eroute result=success | delete esp.fdd85bd4@192.1.2.23 | netlink response for Del SA esp.fdd85bd4@192.1.2.23 included non-error error | in connection_discard for connection westnet-eastnet-subnets/2x1 | State DB: deleting IKEv1 state #8 in QUICK_R2 | child state #8: QUICK_R2(established CHILD SA) => UNDEFINED(ignore) | stop processing: state #8 from 192.1.2.45:500 (in delete_state() at state.c:1143) | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312) | state #7 | start processing: state #7 connection "westnet-eastnet-subnets/1x2" from 192.1.2.45:500 (in foreach_state_by_connection_func_delete() at state.c:1310) | pstats #7 ikev1.ipsec deleted completed | [RE]START processing: state #7 connection 
"westnet-eastnet-subnets/1x2" from 192.1.2.45:500 (in delete_state() at state.c:879) "westnet-eastnet-subnets/1x2" #7: deleting state (STATE_QUICK_R2) aged 1.404s and sending notification | child state #7: QUICK_R2(established CHILD SA) => delete | get_sa_info esp.5c64f478@192.1.2.45 | get_sa_info esp.27e839d6@192.1.2.23 "westnet-eastnet-subnets/1x2" #7: ESP traffic information: in=0B out=0B | #7 send IKEv1 delete notification for STATE_QUICK_R2 | FOR_EACH_STATE_... in find_phase1_state | **emit ISAKMP Message: | initiator cookie: | 58 65 7e 03 6c d2 dc 8b | responder cookie: | 8c 79 d8 bb 28 3b 88 3a | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_INFO (0x5) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 849662948 (0x32a4d3e4) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Hash Payload (8:ISAKMP_NEXT_HASH) | next payload chain: saving location 'ISAKMP Hash Payload'.'next payload type' in 'delete msg' | emitting 32 zero bytes of HASH DATA into ISAKMP Hash Payload | emitting length of ISAKMP Hash Payload: 36 | ***emit ISAKMP Delete Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | DOI: ISAKMP_DOI_IPSEC (0x1) | protocol ID: 3 (0x3) | SPI size: 4 (0x4) | number of SPIs: 1 (0x1) | next payload chain: setting previous 'ISAKMP Hash Payload'.'next payload type' to current ISAKMP Delete Payload (12:ISAKMP_NEXT_D) | next payload chain: saving location 'ISAKMP Delete Payload'.'next payload type' in 'delete msg' | emitting 4 raw bytes of delete payload into ISAKMP Delete Payload | delete payload 27 e8 39 d6 | emitting length of ISAKMP Delete Payload: 16 | send delete HASH(1): | 80 cf 9f 4d 91 d0 f0 68 57 1d b6 b5 f0 c5 53 44 | 7c 29 5d 20 9e 28 48 34 83 e1 dd 8d 40 31 32 53 | emitting 
12 zero bytes of encryption padding into ISAKMP Message | no IKEv1 message padding required | emitting length of ISAKMP Message: 92 | sending 92 bytes for delete notify through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #1) | 58 65 7e 03 6c d2 dc 8b 8c 79 d8 bb 28 3b 88 3a | 08 10 05 01 32 a4 d3 e4 00 00 00 5c 0b d0 90 c8 | 67 53 36 81 f7 de 55 81 5b b7 f6 17 6a c9 77 ff | e6 da 0d ea 48 48 95 d7 32 0a 48 c5 3e c0 22 29 | 08 81 eb 8f 75 2a 7c f3 46 a4 43 09 64 dd 8f 58 | d2 d6 3c d5 42 3b c2 d2 08 eb f3 47 | state #7 requesting EVENT_SA_REPLACE to be deleted | libevent_free: release ptr-libevent@0x55d24230e288 | free_event_entry: release EVENT_SA_REPLACE-pe@0x7fca880058b8 | running updown command "ipsec _updown" for verb down | command executing down-client | executing down-client: PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='westnet-eastnet-subnets/1x2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.64/26' PLUTO_MY_CLIENT_NET='192.0.2.64' PLUTO_MY_CLIENT_MASK='255.255.255.192' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='@west' PLUTO_PEER_CLIENT='192.0.1.0/28' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.240' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1566826061' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VT | popen cmd is 1063 chars long | cmd( 0):PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='westnet-eastnet-s: | cmd( 80):ubnets/1x2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' 
PLUTO_ME='192.1.2: | cmd( 160):.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.64/26' PLUTO_MY_CLIENT_NET='19: | cmd( 240):2.0.2.64' PLUTO_MY_CLIENT_MASK='255.255.255.192' PLUTO_MY_PORT='0' PLUTO_MY_PROT: | cmd( 320):OCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUT: | cmd( 400):O_PEER_ID='@west' PLUTO_PEER_CLIENT='192.0.1.0/28' PLUTO_PEER_CLIENT_NET='192.0.: | cmd( 480):1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.240' PLUTO_PEER_PORT='0' PLUTO_PEER_PRO: | cmd( 560):TOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1566826061' PLUTO: | cmd( 640):_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+E: | cmd( 720):SN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=: | cmd( 800):0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO: | cmd( 880):_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0: | cmd( 960):' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x5c64f478 SPI_OUT=0x27e8: | cmd(1040):39d6 ipsec _updown 2>&1: | shunt_eroute() called for connection 'westnet-eastnet-subnets/1x2' to 'replace with shunt' for rt_kind 'prospective erouted' using protoports 0--0->-0 | netlink_shunt_eroute for proto 0, and source port 0 dest port 0 | priority calculation of connection "westnet-eastnet-subnets/1x2" is 0xfe5e3 | IPsec Sa SPD priority set to 1041891 | delete esp.5c64f478@192.1.2.45 | netlink response for Del SA esp.5c64f478@192.1.2.45 included non-error error | priority calculation of connection "westnet-eastnet-subnets/1x2" is 0xfe5e3 | delete inbound eroute 192.0.1.0/28:0 --0-> 192.0.2.64/26:0 => unk255.10000@192.1.2.23 (raw_eroute) | raw_eroute result=success | delete esp.27e839d6@192.1.2.23 | netlink response for Del SA esp.27e839d6@192.1.2.23 included non-error error | in connection_discard for connection westnet-eastnet-subnets/1x2 | State DB: deleting IKEv1 state #7 in QUICK_R2 | child state #7: 
QUICK_R2(established CHILD SA) => UNDEFINED(ignore) | stop processing: state #7 from 192.1.2.45:500 (in delete_state() at state.c:1143) | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312) | state #6 | start processing: state #6 connection "westnet-eastnet-subnets/1x1" from 192.1.2.45:500 (in foreach_state_by_connection_func_delete() at state.c:1310) | pstats #6 ikev1.ipsec deleted completed | [RE]START processing: state #6 connection "westnet-eastnet-subnets/1x1" from 192.1.2.45:500 (in delete_state() at state.c:879) "westnet-eastnet-subnets/1x1" #6: deleting state (STATE_QUICK_R2) aged 1.416s and sending notification | child state #6: QUICK_R2(established CHILD SA) => delete | get_sa_info esp.fbe27bd0@192.1.2.45 | get_sa_info esp.acb297c8@192.1.2.23 "westnet-eastnet-subnets/1x1" #6: ESP traffic information: in=0B out=0B | #6 send IKEv1 delete notification for STATE_QUICK_R2 | FOR_EACH_STATE_... in find_phase1_state | **emit ISAKMP Message: | initiator cookie: | 58 65 7e 03 6c d2 dc 8b | responder cookie: | 8c 79 d8 bb 28 3b 88 3a | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_INFO (0x5) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 781889132 (0x2e9aae6c) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Hash Payload (8:ISAKMP_NEXT_HASH) | next payload chain: saving location 'ISAKMP Hash Payload'.'next payload type' in 'delete msg' | emitting 32 zero bytes of HASH DATA into ISAKMP Hash Payload | emitting length of ISAKMP Hash Payload: 36 | ***emit ISAKMP Delete Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | DOI: ISAKMP_DOI_IPSEC (0x1) | protocol ID: 3 (0x3) | SPI size: 4 (0x4) | number of SPIs: 1 (0x1) | next payload chain: setting 
previous 'ISAKMP Hash Payload'.'next payload type' to current ISAKMP Delete Payload (12:ISAKMP_NEXT_D) | next payload chain: saving location 'ISAKMP Delete Payload'.'next payload type' in 'delete msg' | emitting 4 raw bytes of delete payload into ISAKMP Delete Payload | delete payload ac b2 97 c8 | emitting length of ISAKMP Delete Payload: 16 | send delete HASH(1): | a4 b1 dc 35 db 97 da 43 07 5e d5 a8 55 7e 64 22 | 04 b4 45 6b 6e e5 bb 97 d7 8e ef 65 30 59 81 24 | emitting 12 zero bytes of encryption padding into ISAKMP Message | no IKEv1 message padding required | emitting length of ISAKMP Message: 92 | sending 92 bytes for delete notify through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #1) | 58 65 7e 03 6c d2 dc 8b 8c 79 d8 bb 28 3b 88 3a | 08 10 05 01 2e 9a ae 6c 00 00 00 5c 75 1a 7f ba | 07 6d ca f4 0b 53 0f 7c e1 41 ed 9d 19 0c 05 4b | fa 91 b0 6c 4c 4f dd 8a d2 e9 68 d3 9a a8 25 97 | a7 3e e6 5f a9 d5 5b f5 93 aa 01 71 30 9b 60 09 | 65 a9 13 c1 3c 8b 06 ec 03 68 81 3c | state #6 requesting EVENT_SA_REPLACE to be deleted | libevent_free: release ptr-libevent@0x55d24231e0c8 | free_event_entry: release EVENT_SA_REPLACE-pe@0x7fca90004218 | running updown command "ipsec _updown" for verb down | command executing down-client | executing down-client: PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='westnet-eastnet-subnets/1x1' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.16/28' PLUTO_MY_CLIENT_NET='192.0.2.16' PLUTO_MY_CLIENT_MASK='255.255.255.240' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='@west' PLUTO_PEER_CLIENT='192.0.1.0/28' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.240' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1566826061' 
PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VT | popen cmd is 1063 chars long | cmd( 0):PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='westnet-eastnet-s: | cmd( 80):ubnets/1x1' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2: | cmd( 160):.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.16/28' PLUTO_MY_CLIENT_NET='19: | cmd( 240):2.0.2.16' PLUTO_MY_CLIENT_MASK='255.255.255.240' PLUTO_MY_PORT='0' PLUTO_MY_PROT: | cmd( 320):OCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUT: | cmd( 400):O_PEER_ID='@west' PLUTO_PEER_CLIENT='192.0.1.0/28' PLUTO_PEER_CLIENT_NET='192.0.: | cmd( 480):1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.240' PLUTO_PEER_PORT='0' PLUTO_PEER_PRO: | cmd( 560):TOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1566826061' PLUTO: | cmd( 640):_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+E: | cmd( 720):SN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=: | cmd( 800):0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO: | cmd( 880):_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0: | cmd( 960):' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0xfbe27bd0 SPI_OUT=0xacb2: | cmd(1040):97c8 ipsec _updown 2>&1: | shunt_eroute() called for connection 'westnet-eastnet-subnets/1x1' to 'replace with shunt' for rt_kind 'prospective erouted' using protoports 0--0->-0 | netlink_shunt_eroute for proto 0, and source port 0 dest port 0 | priority calculation of connection "westnet-eastnet-subnets/1x1" is 0xfe3e3 | IPsec Sa SPD priority set to 1041379 | delete 
esp.fbe27bd0@192.1.2.45 | netlink response for Del SA esp.fbe27bd0@192.1.2.45 included non-error error | priority calculation of connection "westnet-eastnet-subnets/1x1" is 0xfe3e3 | delete inbound eroute 192.0.1.0/28:0 --0-> 192.0.2.16/28:0 => unk255.10000@192.1.2.23 (raw_eroute) | raw_eroute result=success | delete esp.acb297c8@192.1.2.23 | netlink response for Del SA esp.acb297c8@192.1.2.23 included non-error error | in connection_discard for connection westnet-eastnet-subnets/1x1 | State DB: deleting IKEv1 state #6 in QUICK_R2 | child state #6: QUICK_R2(established CHILD SA) => UNDEFINED(ignore) | stop processing: state #6 from 192.1.2.45:500 (in delete_state() at state.c:1143) | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312) | state #5 | start processing: state #5 connection "westnet-eastnet-subnets/1x2" from 192.1.2.45:500 (in foreach_state_by_connection_func_delete() at state.c:1310) | pstats #5 ikev1.ipsec deleted completed | [RE]START processing: state #5 connection "westnet-eastnet-subnets/1x2" from 192.1.2.45:500 (in delete_state() at state.c:879) "westnet-eastnet-subnets/1x2" #5: deleting state (STATE_QUICK_R2) aged 6.784s and sending notification | child state #5: QUICK_R2(established CHILD SA) => delete | get_sa_info esp.1b5f9f63@192.1.2.45 | get_sa_info esp.b67af74a@192.1.2.23 "westnet-eastnet-subnets/1x2" #5: ESP traffic information: in=0B out=0B | #5 send IKEv1 delete notification for STATE_QUICK_R2 | FOR_EACH_STATE_... 
in find_phase1_state | **emit ISAKMP Message: | initiator cookie: | 58 65 7e 03 6c d2 dc 8b | responder cookie: | 8c 79 d8 bb 28 3b 88 3a | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_INFO (0x5) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 635564418 (0x25e1f182) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Hash Payload (8:ISAKMP_NEXT_HASH) | next payload chain: saving location 'ISAKMP Hash Payload'.'next payload type' in 'delete msg' | emitting 32 zero bytes of HASH DATA into ISAKMP Hash Payload | emitting length of ISAKMP Hash Payload: 36 | ***emit ISAKMP Delete Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | DOI: ISAKMP_DOI_IPSEC (0x1) | protocol ID: 3 (0x3) | SPI size: 4 (0x4) | number of SPIs: 1 (0x1) | next payload chain: setting previous 'ISAKMP Hash Payload'.'next payload type' to current ISAKMP Delete Payload (12:ISAKMP_NEXT_D) | next payload chain: saving location 'ISAKMP Delete Payload'.'next payload type' in 'delete msg' | emitting 4 raw bytes of delete payload into ISAKMP Delete Payload | delete payload b6 7a f7 4a | emitting length of ISAKMP Delete Payload: 16 | send delete HASH(1): | 9e f9 0f 0f 66 55 c3 b8 55 d0 cd 23 83 e3 d3 5e | 66 76 38 a3 2f d8 37 97 7c a4 4c 37 12 29 ff 93 | emitting 12 zero bytes of encryption padding into ISAKMP Message | no IKEv1 message padding required | emitting length of ISAKMP Message: 92 | sending 92 bytes for delete notify through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #1) | 58 65 7e 03 6c d2 dc 8b 8c 79 d8 bb 28 3b 88 3a | 08 10 05 01 25 e1 f1 82 00 00 00 5c 9c 79 91 16 | e1 12 2e e5 95 77 1b 80 9e 7e 42 80 b7 c5 a2 fa | c7 7c e5 96 bd 84 1f 7b ce fd cf 5c 42 86 cc e6 | 8d 40 e9 38 ed fa 37 9c 4b af f2 42 
1e 1d a1 f0 | 55 fb 8d 43 fd 91 46 d9 b8 9e f7 99 | state #5 requesting EVENT_SA_REPLACE to be deleted | libevent_free: release ptr-libevent@0x55d242306338 | free_event_entry: release EVENT_SA_REPLACE-pe@0x55d24230d6a8 | delete esp.1b5f9f63@192.1.2.45 | netlink response for Del SA esp.1b5f9f63@192.1.2.45 included non-error error | priority calculation of connection "westnet-eastnet-subnets/1x2" is 0xfe5e3 | delete inbound eroute 192.0.1.0/28:0 --0-> 192.0.2.64/26:0 => unk255.10000@192.1.2.23 (raw_eroute) | raw_eroute result=success | delete esp.b67af74a@192.1.2.23 | netlink response for Del SA esp.b67af74a@192.1.2.23 included non-error error | in connection_discard for connection westnet-eastnet-subnets/1x2 | State DB: deleting IKEv1 state #5 in QUICK_R2 | child state #5: QUICK_R2(established CHILD SA) => UNDEFINED(ignore) | stop processing: state #5 from 192.1.2.45:500 (in delete_state() at state.c:1143) | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312) | state #4 | start processing: state #4 connection "westnet-eastnet-subnets/1x1" from 192.1.2.45:500 (in foreach_state_by_connection_func_delete() at state.c:1310) | pstats #4 ikev1.ipsec deleted completed | [RE]START processing: state #4 connection "westnet-eastnet-subnets/1x1" from 192.1.2.45:500 (in delete_state() at state.c:879) "westnet-eastnet-subnets/1x1" #4: deleting state (STATE_QUICK_R2) aged 6.785s and sending notification | child state #4: QUICK_R2(established CHILD SA) => delete | get_sa_info esp.4a46f032@192.1.2.45 | get_sa_info esp.b2d9847b@192.1.2.23 "westnet-eastnet-subnets/1x1" #4: ESP traffic information: in=0B out=0B | #4 send IKEv1 delete notification for STATE_QUICK_R2 | FOR_EACH_STATE_... 
in find_phase1_state | **emit ISAKMP Message: | initiator cookie: | 58 65 7e 03 6c d2 dc 8b | responder cookie: | 8c 79 d8 bb 28 3b 88 3a | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_INFO (0x5) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 1352999466 (0x50a5222a) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Hash Payload (8:ISAKMP_NEXT_HASH) | next payload chain: saving location 'ISAKMP Hash Payload'.'next payload type' in 'delete msg' | emitting 32 zero bytes of HASH DATA into ISAKMP Hash Payload | emitting length of ISAKMP Hash Payload: 36 | ***emit ISAKMP Delete Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | DOI: ISAKMP_DOI_IPSEC (0x1) | protocol ID: 3 (0x3) | SPI size: 4 (0x4) | number of SPIs: 1 (0x1) | next payload chain: setting previous 'ISAKMP Hash Payload'.'next payload type' to current ISAKMP Delete Payload (12:ISAKMP_NEXT_D) | next payload chain: saving location 'ISAKMP Delete Payload'.'next payload type' in 'delete msg' | emitting 4 raw bytes of delete payload into ISAKMP Delete Payload | delete payload b2 d9 84 7b | emitting length of ISAKMP Delete Payload: 16 | send delete HASH(1): | fa 1c 8b 55 c1 14 97 1f 8b 8e 99 0d 8b 52 c6 98 | 55 05 d8 28 bd 85 46 45 fb d5 4f 80 d8 d2 3f ee | emitting 12 zero bytes of encryption padding into ISAKMP Message | no IKEv1 message padding required | emitting length of ISAKMP Message: 92 | sending 92 bytes for delete notify through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #1) | 58 65 7e 03 6c d2 dc 8b 8c 79 d8 bb 28 3b 88 3a | 08 10 05 01 50 a5 22 2a 00 00 00 5c 21 71 af 0b | b9 e4 09 65 6d da 75 f3 f1 90 1d 31 f2 bf 69 8b | 35 33 cb 77 41 c1 66 e7 c2 39 ae c1 47 92 14 34 | e0 c4 99 d2 33 d7 5e 85 ee 5f 3f 69 
91 0e 58 32 | 0f c1 6a 85 08 09 d9 96 56 ba 34 ca | state #4 requesting EVENT_SA_REPLACE to be deleted | libevent_free: release ptr-libevent@0x55d242308ce8 | free_event_entry: release EVENT_SA_REPLACE-pe@0x55d2422e1488 | delete esp.4a46f032@192.1.2.45 | netlink response for Del SA esp.4a46f032@192.1.2.45 included non-error error | priority calculation of connection "westnet-eastnet-subnets/1x1" is 0xfe3e3 | delete inbound eroute 192.0.1.0/28:0 --0-> 192.0.2.16/28:0 => unk255.10000@192.1.2.23 (raw_eroute) | raw_eroute result=success | delete esp.b2d9847b@192.1.2.23 | netlink response for Del SA esp.b2d9847b@192.1.2.23 included non-error error | in connection_discard for connection westnet-eastnet-subnets/1x1 | State DB: deleting IKEv1 state #4 in QUICK_R2 | child state #4: QUICK_R2(established CHILD SA) => UNDEFINED(ignore) | stop processing: state #4 from 192.1.2.45:500 (in delete_state() at state.c:1143) | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312) | state #3 | start processing: state #3 connection "westnet-eastnet-subnets/2x1" from 192.1.2.45:500 (in foreach_state_by_connection_func_delete() at state.c:1310) | pstats #3 ikev1.ipsec deleted completed | [RE]START processing: state #3 connection "westnet-eastnet-subnets/2x1" from 192.1.2.45:500 (in delete_state() at state.c:879) "westnet-eastnet-subnets/2x1" #3: deleting state (STATE_QUICK_R2) aged 6.789s and sending notification | child state #3: QUICK_R2(established CHILD SA) => delete | get_sa_info esp.95087394@192.1.2.45 | get_sa_info esp.f4455162@192.1.2.23 "westnet-eastnet-subnets/2x1" #3: ESP traffic information: in=0B out=0B | #3 send IKEv1 delete notification for STATE_QUICK_R2 | FOR_EACH_STATE_... 
in find_phase1_state | **emit ISAKMP Message: | initiator cookie: | 58 65 7e 03 6c d2 dc 8b | responder cookie: | 8c 79 d8 bb 28 3b 88 3a | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_INFO (0x5) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 968783444 (0x39be7654) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Hash Payload (8:ISAKMP_NEXT_HASH) | next payload chain: saving location 'ISAKMP Hash Payload'.'next payload type' in 'delete msg' | emitting 32 zero bytes of HASH DATA into ISAKMP Hash Payload | emitting length of ISAKMP Hash Payload: 36 | ***emit ISAKMP Delete Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | DOI: ISAKMP_DOI_IPSEC (0x1) | protocol ID: 3 (0x3) | SPI size: 4 (0x4) | number of SPIs: 1 (0x1) | next payload chain: setting previous 'ISAKMP Hash Payload'.'next payload type' to current ISAKMP Delete Payload (12:ISAKMP_NEXT_D) | next payload chain: saving location 'ISAKMP Delete Payload'.'next payload type' in 'delete msg' | emitting 4 raw bytes of delete payload into ISAKMP Delete Payload | delete payload f4 45 51 62 | emitting length of ISAKMP Delete Payload: 16 | send delete HASH(1): | db cf 07 ad 8f 98 58 7f d9 37 ba 21 b5 e5 3c 55 | 64 7b 00 1e 26 2d 9f 7c 46 5c 89 68 cd d9 4f 2e | emitting 12 zero bytes of encryption padding into ISAKMP Message | no IKEv1 message padding required | emitting length of ISAKMP Message: 92 | sending 92 bytes for delete notify through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #1) | 58 65 7e 03 6c d2 dc 8b 8c 79 d8 bb 28 3b 88 3a | 08 10 05 01 39 be 76 54 00 00 00 5c 5e 93 bc 1e | db ed 55 9e 51 5e f2 df b7 9b a8 78 2a 98 88 5b | 7a 75 85 9f 43 ec 0d 39 29 f1 df c0 0e 7c 59 6c | c7 c8 d1 4f b7 8f ce df bc 2f 7e a6 
c1 90 3e 29 | a0 3a eb 89 db 7c e0 43 4b c9 e5 e1 | state #3 requesting EVENT_SA_REPLACE to be deleted | libevent_free: release ptr-libevent@0x55d242311d78 | free_event_entry: release EVENT_SA_REPLACE-pe@0x55d2423036f8 | delete esp.95087394@192.1.2.45 | netlink response for Del SA esp.95087394@192.1.2.45 included non-error error | priority calculation of connection "westnet-eastnet-subnets/2x1" is 0xfe3e3 | delete inbound eroute 192.0.1.128/28:0 --0-> 192.0.2.16/28:0 => unk255.10000@192.1.2.23 (raw_eroute) | raw_eroute result=success | delete esp.f4455162@192.1.2.23 | netlink response for Del SA esp.f4455162@192.1.2.23 included non-error error | in connection_discard for connection westnet-eastnet-subnets/2x1 | State DB: deleting IKEv1 state #3 in QUICK_R2 | child state #3: QUICK_R2(established CHILD SA) => UNDEFINED(ignore) | stop processing: state #3 from 192.1.2.45:500 (in delete_state() at state.c:1143) | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312) | state #2 | start processing: state #2 connection "westnet-eastnet-subnets/2x2" from 192.1.2.45:500 (in foreach_state_by_connection_func_delete() at state.c:1310) | pstats #2 ikev1.ipsec deleted completed | [RE]START processing: state #2 connection "westnet-eastnet-subnets/2x2" from 192.1.2.45:500 (in delete_state() at state.c:879) "westnet-eastnet-subnets/2x2" #2: deleting state (STATE_QUICK_R2) aged 6.790s and sending notification | child state #2: QUICK_R2(established CHILD SA) => delete | get_sa_info esp.fae87546@192.1.2.45 | get_sa_info esp.700402af@192.1.2.23 "westnet-eastnet-subnets/2x2" #2: ESP traffic information: in=0B out=0B | #2 send IKEv1 delete notification for STATE_QUICK_R2 | FOR_EACH_STATE_... 
in find_phase1_state | **emit ISAKMP Message: | initiator cookie: | 58 65 7e 03 6c d2 dc 8b | responder cookie: | 8c 79 d8 bb 28 3b 88 3a | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_INFO (0x5) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 3151184443 (0xbbd3423b) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Hash Payload (8:ISAKMP_NEXT_HASH) | next payload chain: saving location 'ISAKMP Hash Payload'.'next payload type' in 'delete msg' | emitting 32 zero bytes of HASH DATA into ISAKMP Hash Payload | emitting length of ISAKMP Hash Payload: 36 | ***emit ISAKMP Delete Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | DOI: ISAKMP_DOI_IPSEC (0x1) | protocol ID: 3 (0x3) | SPI size: 4 (0x4) | number of SPIs: 1 (0x1) | next payload chain: setting previous 'ISAKMP Hash Payload'.'next payload type' to current ISAKMP Delete Payload (12:ISAKMP_NEXT_D) | next payload chain: saving location 'ISAKMP Delete Payload'.'next payload type' in 'delete msg' | emitting 4 raw bytes of delete payload into ISAKMP Delete Payload | delete payload 70 04 02 af | emitting length of ISAKMP Delete Payload: 16 | send delete HASH(1): | 34 28 fd ed 28 69 9a 81 3e a0 44 61 1d 94 1c e3 | f4 78 1a 74 22 d3 06 f3 f8 93 c1 90 7d 8e e3 a7 | emitting 12 zero bytes of encryption padding into ISAKMP Message | no IKEv1 message padding required | emitting length of ISAKMP Message: 92 | sending 92 bytes for delete notify through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #1) | 58 65 7e 03 6c d2 dc 8b 8c 79 d8 bb 28 3b 88 3a | 08 10 05 01 bb d3 42 3b 00 00 00 5c 93 ad bb 51 | f6 31 0a 20 43 ca 1f 16 8c 80 69 5d 7a 71 3c 4b | 2c a5 81 3a 0f ca 11 b6 c2 ed e9 c9 77 a2 18 d9 | d6 2d 96 d5 5a ea 38 47 97 e7 59 18 
42 68 c4 93 | 99 eb ea 1d 6c a0 8f f1 bf 16 f8 80 | state #2 requesting EVENT_SA_REPLACE to be deleted | libevent_free: release ptr-libevent@0x7fca9c003e78 | free_event_entry: release EVENT_SA_REPLACE-pe@0x7fcaa0002b78 | delete esp.fae87546@192.1.2.45 | netlink response for Del SA esp.fae87546@192.1.2.45 included non-error error | priority calculation of connection "westnet-eastnet-subnets/2x2" is 0xfe5e3 | delete inbound eroute 192.0.1.128/28:0 --0-> 192.0.2.64/26:0 => unk255.10000@192.1.2.23 (raw_eroute) | raw_eroute result=success | delete esp.700402af@192.1.2.23 | netlink response for Del SA esp.700402af@192.1.2.23 included non-error error | in connection_discard for connection westnet-eastnet-subnets/2x2 | State DB: deleting IKEv1 state #2 in QUICK_R2 | child state #2: QUICK_R2(established CHILD SA) => UNDEFINED(ignore) | stop processing: state #2 from 192.1.2.45:500 (in delete_state() at state.c:1143) | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312) | state #1 | pass 1 | FOR_EACH_STATE_... 
in foreach_state_by_connection_func_delete | state #1 | start processing: state #1 connection "westnet-eastnet-subnets/2x2" from 192.1.2.45:500 (in foreach_state_by_connection_func_delete() at state.c:1310) | pstats #1 ikev1.isakmp deleted completed | [RE]START processing: state #1 connection "westnet-eastnet-subnets/2x2" from 192.1.2.45:500 (in delete_state() at state.c:879) "westnet-eastnet-subnets/2x2" #1: deleting state (STATE_MAIN_R3) aged 6.809s and sending notification | parent state #1: MAIN_R3(established IKE SA) => delete | #1 send IKEv1 delete notification for STATE_MAIN_R3 | **emit ISAKMP Message: | initiator cookie: | 58 65 7e 03 6c d2 dc 8b | responder cookie: | 8c 79 d8 bb 28 3b 88 3a | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_INFO (0x5) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 1329499859 (0x4f3e8ed3) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Hash Payload (8:ISAKMP_NEXT_HASH) | next payload chain: saving location 'ISAKMP Hash Payload'.'next payload type' in 'delete msg' | emitting 32 zero bytes of HASH DATA into ISAKMP Hash Payload | emitting length of ISAKMP Hash Payload: 36 | ***emit ISAKMP Delete Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | DOI: ISAKMP_DOI_IPSEC (0x1) | protocol ID: 1 (0x1) | SPI size: 16 (0x10) | number of SPIs: 1 (0x1) | next payload chain: setting previous 'ISAKMP Hash Payload'.'next payload type' to current ISAKMP Delete Payload (12:ISAKMP_NEXT_D) | next payload chain: saving location 'ISAKMP Delete Payload'.'next payload type' in 'delete msg' | emitting 8 raw bytes of initiator SPI into ISAKMP Delete Payload | initiator SPI 58 65 7e 03 6c d2 dc 8b | emitting 8 raw bytes of responder SPI into ISAKMP Delete Payload 
| responder SPI 8c 79 d8 bb 28 3b 88 3a | emitting length of ISAKMP Delete Payload: 28 | send delete HASH(1): | c3 28 89 e6 a8 94 6d 95 d3 3e 08 c6 08 4f 38 15 | e8 70 be a4 e9 8b a3 a7 3f 23 f1 6b ed 25 01 d0 | no IKEv1 message padding required | emitting length of ISAKMP Message: 92 | sending 92 bytes for delete notify through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #1) | 58 65 7e 03 6c d2 dc 8b 8c 79 d8 bb 28 3b 88 3a | 08 10 05 01 4f 3e 8e d3 00 00 00 5c 61 ae 68 77 | ab 21 77 e1 0f d3 eb d5 aa 7f 5c 2b 20 69 0e 0e | c8 bf 60 d5 08 81 49 41 3a d9 73 f2 94 eb 13 06 | 15 af 45 34 f5 11 b7 40 83 df 44 25 b9 81 5b 1b | aa 77 2d d1 e4 81 da d9 a6 5f 43 d1 | state #1 requesting EVENT_SA_EXPIRE to be deleted | libevent_free: release ptr-libevent@0x7fcaa0002888 | free_event_entry: release EVENT_SA_EXPIRE-pe@0x55d2422ffef8 | State DB: IKEv1 state not found (flush_incomplete_children) | in connection_discard for connection westnet-eastnet-subnets/2x2 | State DB: deleting IKEv1 state #1 in MAIN_R3 | parent state #1: MAIN_R3(established IKE SA) => UNDEFINED(ignore) | unreference key: 0x55d242258c48 @west cnt 1-- | stop processing: state #1 from 192.1.2.45:500 (in delete_state() at state.c:1143) | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312) | shunt_eroute() called for connection 'westnet-eastnet-subnets/2x2' to 'delete' for rt_kind 'unrouted' using protoports 0--0->-0 | netlink_shunt_eroute for proto 0, and source port 0 dest port 0 | priority calculation of connection "westnet-eastnet-subnets/2x2" is 0xfe5e3 | priority calculation of connection "westnet-eastnet-subnets/2x2" is 0xfe5e3 | FOR_EACH_CONNECTION_... 
in route_owner | conn westnet-eastnet-subnets/2x2 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/2x2 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/2x2 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/2x1 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/2x2 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/1x2 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/2x2 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/1x1 mark 0/00000000, 0/00000000 | route owner of "westnet-eastnet-subnets/2x2" unrouted: "westnet-eastnet-subnets/2x1" prospective erouted | flush revival: connection 'westnet-eastnet-subnets/2x2' wasn't on the list | processing: STOP connection NULL (in discard_connection() at connections.c:249) | start processing: connection "westnet-eastnet-subnets/2x1" (in delete_connection() at connections.c:189) | Deleting states for connection - including all other IPsec SA's of this IKE SA | pass 0 | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete | pass 1 | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete | shunt_eroute() called for connection 'westnet-eastnet-subnets/2x1' to 'delete' for rt_kind 'unrouted' using protoports 0--0->-0 | netlink_shunt_eroute for proto 0, and source port 0 dest port 0 | priority calculation of connection "westnet-eastnet-subnets/2x1" is 0xfe3e3 | priority calculation of connection "westnet-eastnet-subnets/2x1" is 0xfe3e3 | FOR_EACH_CONNECTION_... 
in route_owner | conn westnet-eastnet-subnets/2x1 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/2x1 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/2x1 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/1x2 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/2x1 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/1x1 mark 0/00000000, 0/00000000 | route owner of "westnet-eastnet-subnets/2x1" unrouted: NULL | running updown command "ipsec _updown" for verb unroute | command executing unroute-client | executing unroute-client: PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='westnet-eastnet-subnets/2x1' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.16/28' PLUTO_MY_CLIENT_NET='192.0.2.16' PLUTO_MY_CLIENT_MASK='255.255.255.240' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16396' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='@west' PLUTO_PEER_CLIENT='192.0.1.128/28' PLUTO_PEER_CLIENT_NET='192.0.1.128' PLUTO_PEER_CLIENT_MASK='255.255.255.240' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' | popen cmd is 1048 chars long | cmd( 0):PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='westnet-eastne: | cmd( 80):t-subnets/2x1' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.: | cmd( 160):1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.16/28' PLUTO_MY_CLIENT_NET=: | cmd( 240):'192.0.2.16' PLUTO_MY_CLIENT_MASK='255.255.255.240' PLUTO_MY_PORT='0' PLUTO_MY_P: | cmd( 
320):ROTOCOL='0' PLUTO_SA_REQID='16396' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.2.45' : | cmd( 400):PLUTO_PEER_ID='@west' PLUTO_PEER_CLIENT='192.0.1.128/28' PLUTO_PEER_CLIENT_NET=': | cmd( 480):192.0.1.128' PLUTO_PEER_CLIENT_MASK='255.255.255.240' PLUTO_PEER_PORT='0' PLUTO_: | cmd( 560):PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_: | cmd( 640):CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ES: | cmd( 720):N_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0: | cmd( 800): PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_: | cmd( 880):PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0': | cmd( 960): VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec _upd: | cmd(1040):own 2>&1: "westnet-eastnet-subnets/2x1": unroute-client output: Error: Peer netns reference is invalid. "westnet-eastnet-subnets/2x1": unroute-client output: Error: Peer netns reference is invalid. "westnet-eastnet-subnets/2x1": unroute-client output: Error: Peer netns reference is invalid. "westnet-eastnet-subnets/2x1": unroute-client output: Error: Peer netns reference is invalid. "westnet-eastnet-subnets/2x1": unroute-client output: Error: Peer netns reference is invalid. "westnet-eastnet-subnets/2x1": unroute-client output: Error: Peer netns reference is invalid. "westnet-eastnet-subnets/2x1": unroute-client output: Error: Peer netns reference is invalid. "westnet-eastnet-subnets/2x1": unroute-client output: Error: Peer netns reference is invalid. "westnet-eastnet-subnets/2x1": unroute-client output: Error: Peer netns reference is invalid. "westnet-eastnet-subnets/2x1": unroute-client output: Error: Peer netns reference is invalid. "westnet-eastnet-subnets/2x1": unroute-client output: Error: Peer netns reference is invalid. "westnet-eastnet-subnets/2x1": unroute-client output: Error: Peer netns reference is invalid. 
"westnet-eastnet-subnets/2x1": unroute-client output: Error: Peer netns reference is invalid. "westnet-eastnet-subnets/2x1": unroute-client output: Error: Peer netns reference is invalid. "westnet-eastnet-subnets/2x1": unroute-client output: Error: Peer netns reference is invalid. "westnet-eastnet-subnets/2x1": unroute-client output: Error: Peer netns reference is invalid. "westnet-eastnet-subnets/2x1": unroute-client output: Error: Peer netns reference is invalid. "westnet-eastnet-subnets/2x1": unroute-client output: Error: Peer netns reference is invalid. "westnet-eastnet-subnets/2x1": unroute-client output: Error: Peer netns reference is invalid. "westnet-eastnet-subnets/2x1": unroute-client output: Error: Peer netns reference is invalid. "westnet-eastnet-subnets/2x1": unroute-client output: Error: Peer netns reference is invalid. "westnet-eastnet-subnets/2x1": unroute-client output: Error: Peer netns reference is invalid. "westnet-eastnet-subnets/2x1": unroute-client output: Error: Peer netns reference is invalid. "westnet-eastnet-subnets/2x1": unroute-client output: Error: Peer netns reference is invalid. "westnet-eastnet-subnets/2x1": unroute-client output: Error: Peer netns reference is invalid. "westnet-eastnet-subnets/2x1": unroute-client output: Error: Peer netns reference is invalid. | flush revival: connection 'westnet-eastnet-subnets/2x1' wasn't on the list | stop processing: connection "westnet-eastnet-subnets/2x1" (in discard_connection() at connections.c:249) | start processing: connection "westnet-eastnet-subnets/1x2" (in delete_connection() at connections.c:189) | Deleting states for connection - including all other IPsec SA's of this IKE SA | pass 0 | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete | pass 1 | FOR_EACH_STATE_... 
in foreach_state_by_connection_func_delete | shunt_eroute() called for connection 'westnet-eastnet-subnets/1x2' to 'delete' for rt_kind 'unrouted' using protoports 0--0->-0 | netlink_shunt_eroute for proto 0, and source port 0 dest port 0 | priority calculation of connection "westnet-eastnet-subnets/1x2" is 0xfe5e3 | priority calculation of connection "westnet-eastnet-subnets/1x2" is 0xfe5e3 | FOR_EACH_CONNECTION_... in route_owner | conn westnet-eastnet-subnets/1x2 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/1x2 mark 0/00000000, 0/00000000 | conn westnet-eastnet-subnets/1x2 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/1x1 mark 0/00000000, 0/00000000 | route owner of "westnet-eastnet-subnets/1x2" unrouted: "westnet-eastnet-subnets/1x1" prospective erouted | flush revival: connection 'westnet-eastnet-subnets/1x2' wasn't on the list | stop processing: connection "westnet-eastnet-subnets/1x2" (in discard_connection() at connections.c:249) | start processing: connection "westnet-eastnet-subnets/1x1" (in delete_connection() at connections.c:189) | Deleting states for connection - including all other IPsec SA's of this IKE SA | pass 0 | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete | pass 1 | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete | shunt_eroute() called for connection 'westnet-eastnet-subnets/1x1' to 'delete' for rt_kind 'unrouted' using protoports 0--0->-0 | netlink_shunt_eroute for proto 0, and source port 0 dest port 0 | priority calculation of connection "westnet-eastnet-subnets/1x1" is 0xfe3e3 | priority calculation of connection "westnet-eastnet-subnets/1x1" is 0xfe3e3 | FOR_EACH_CONNECTION_... 
in route_owner | conn westnet-eastnet-subnets/1x1 mark 0/00000000, 0/00000000 vs | conn westnet-eastnet-subnets/1x1 mark 0/00000000, 0/00000000 | route owner of "westnet-eastnet-subnets/1x1" unrouted: NULL | running updown command "ipsec _updown" for verb unroute | command executing unroute-client | executing unroute-client: PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='westnet-eastnet-subnets/1x1' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.16/28' PLUTO_MY_CLIENT_NET='192.0.2.16' PLUTO_MY_CLIENT_MASK='255.255.255.240' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='@west' PLUTO_PEER_CLIENT='192.0.1.0/28' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.240' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_ | popen cmd is 1044 chars long | cmd( 0):PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='westnet-eastne: | cmd( 80):t-subnets/1x1' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.: | cmd( 160):1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.16/28' PLUTO_MY_CLIENT_NET=: | cmd( 240):'192.0.2.16' PLUTO_MY_CLIENT_MASK='255.255.255.240' PLUTO_MY_PORT='0' PLUTO_MY_P: | cmd( 320):ROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.2.45' : | cmd( 400):PLUTO_PEER_ID='@west' PLUTO_PEER_CLIENT='192.0.1.0/28' PLUTO_PEER_CLIENT_NET='19: | cmd( 480):2.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.240' PLUTO_PEER_PORT='0' 
PLUTO_PEER: | cmd( 560):_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN: | cmd( 640):_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO: | cmd( 720):' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLU: | cmd( 800):TO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER: | cmd( 880):_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI: | cmd( 960):_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec _updown : | cmd(1040):2>&1: "westnet-eastnet-subnets/1x1": unroute-client output: Error: Peer netns reference is invalid. "westnet-eastnet-subnets/1x1": unroute-client output: Error: Peer netns reference is invalid. "westnet-eastnet-subnets/1x1": unroute-client output: Error: Peer netns reference is invalid. "westnet-eastnet-subnets/1x1": unroute-client output: Error: Peer netns reference is invalid. "westnet-eastnet-subnets/1x1": unroute-client output: Error: Peer netns reference is invalid. "westnet-eastnet-subnets/1x1": unroute-client output: Error: Peer netns reference is invalid. "westnet-eastnet-subnets/1x1": unroute-client output: Error: Peer netns reference is invalid. "westnet-eastnet-subnets/1x1": unroute-client output: Error: Peer netns reference is invalid. "westnet-eastnet-subnets/1x1": unroute-client output: Error: Peer netns reference is invalid. "westnet-eastnet-subnets/1x1": unroute-client output: Error: Peer netns reference is invalid. "westnet-eastnet-subnets/1x1": unroute-client output: Error: Peer netns reference is invalid. "westnet-eastnet-subnets/1x1": unroute-client output: Error: Peer netns reference is invalid. "westnet-eastnet-subnets/1x1": unroute-client output: Error: Peer netns reference is invalid. "westnet-eastnet-subnets/1x1": unroute-client output: Error: Peer netns reference is invalid. 
"westnet-eastnet-subnets/1x1": unroute-client output: Error: Peer netns reference is invalid. "westnet-eastnet-subnets/1x1": unroute-client output: Error: Peer netns reference is invalid. "westnet-eastnet-subnets/1x1": unroute-client output: Error: Peer netns reference is invalid. "westnet-eastnet-subnets/1x1": unroute-client output: Error: Peer netns reference is invalid. "westnet-eastnet-subnets/1x1": unroute-client output: Error: Peer netns reference is invalid. "westnet-eastnet-subnets/1x1": unroute-client output: Error: Peer netns reference is invalid. "westnet-eastnet-subnets/1x1": unroute-client output: Error: Peer netns reference is invalid. "westnet-eastnet-subnets/1x1": unroute-client output: Error: Peer netns reference is invalid. "westnet-eastnet-subnets/1x1": unroute-client output: Error: Peer netns reference is invalid. "westnet-eastnet-subnets/1x1": unroute-client output: Error: Peer netns reference is invalid. "westnet-eastnet-subnets/1x1": unroute-client output: Error: Peer netns reference is invalid. "westnet-eastnet-subnets/1x1": unroute-client output: Error: Peer netns reference is invalid. "westnet-eastnet-subnets/1x1": unroute-client output: Error: Peer netns reference is invalid. | free hp@0x55d2422ffe18 | flush revival: connection 'westnet-eastnet-subnets/1x1' wasn't on the list | stop processing: connection "westnet-eastnet-subnets/1x1" (in discard_connection() at connections.c:249) | crl fetch request list locked by 'free_crl_fetch' | crl fetch request list unlocked by 'free_crl_fetch' shutting down interface lo/lo 127.0.0.1:4500 shutting down interface lo/lo 127.0.0.1:500 shutting down interface eth0/eth0 192.0.2.254:4500 shutting down interface eth0/eth0 192.0.2.254:500 shutting down interface eth1/eth1 192.1.2.23:4500 shutting down interface eth1/eth1 192.1.2.23:500 | FOR_EACH_STATE_... 
in delete_states_dead_interfaces | libevent_free: release ptr-libevent@0x55d2422f2e68 | free_event_entry: release EVENT_NULL-pe@0x55d2422fe968 | libevent_free: release ptr-libevent@0x55d2422870d8 | free_event_entry: release EVENT_NULL-pe@0x55d2422fea18 | libevent_free: release ptr-libevent@0x55d242288928 | free_event_entry: release EVENT_NULL-pe@0x55d2422feac8 | libevent_free: release ptr-libevent@0x55d242288878 | free_event_entry: release EVENT_NULL-pe@0x55d2422feb78 | libevent_free: release ptr-libevent@0x55d24225d4e8 | free_event_entry: release EVENT_NULL-pe@0x55d2422fec28 | libevent_free: release ptr-libevent@0x55d24225d1d8 | free_event_entry: release EVENT_NULL-pe@0x55d2422fecd8 | FOR_EACH_UNORIENTED_CONNECTION_... in check_orientations | libevent_free: release ptr-libevent@0x55d2422f2f18 | free_event_entry: release EVENT_NULL-pe@0x55d2422e6d08 | libevent_free: release ptr-libevent@0x55d242287188 | free_event_entry: release EVENT_NULL-pe@0x55d2422e6c98 | libevent_free: release ptr-libevent@0x55d2422ca528 | free_event_entry: release EVENT_NULL-pe@0x55d2422e6158 | global timer EVENT_REINIT_SECRET uninitialized | global timer EVENT_SHUNT_SCAN uninitialized | global timer EVENT_PENDING_DDNS uninitialized | global timer EVENT_PENDING_PHASE2 uninitialized | global timer EVENT_CHECK_CRLS uninitialized | global timer EVENT_REVIVE_CONNS uninitialized | global timer EVENT_FREE_ROOT_CERTS uninitialized | global timer EVENT_RESET_LOG_RATE_LIMIT uninitialized | global timer EVENT_NAT_T_KEEPALIVE uninitialized | libevent_free: release ptr-libevent@0x55d242291758 | signal event handler PLUTO_SIGCHLD uninstalled | libevent_free: release ptr-libevent@0x55d242289378 | signal event handler PLUTO_SIGTERM uninstalled | libevent_free: release ptr-libevent@0x55d2422fe328 | signal event handler PLUTO_SIGHUP uninstalled | libevent_free: release ptr-libevent@0x55d2422fe568 | signal event handler PLUTO_SIGSYS uninstalled | releasing event base | libevent_free: release 
ptr-libevent@0x55d2422fe438 | libevent_free: release ptr-libevent@0x55d2422e1548 | libevent_free: release ptr-libevent@0x55d2422e14f8 | libevent_free: release ptr-libevent@0x7fca94008ba8 | libevent_free: release ptr-libevent@0x55d2422e1448 | libevent_free: release ptr-libevent@0x55d2422fe1e8 | libevent_free: release ptr-libevent@0x55d2422fe268 | libevent_free: release ptr-libevent@0x55d2422e16f8 | libevent_free: release ptr-libevent@0x55d2422e6268 | libevent_free: release ptr-libevent@0x55d2422e6c58 | libevent_free: release ptr-libevent@0x55d2422fed48 | libevent_free: release ptr-libevent@0x55d2422fec98 | libevent_free: release ptr-libevent@0x55d2422febe8 | libevent_free: release ptr-libevent@0x55d2422feb38 | libevent_free: release ptr-libevent@0x55d2422fea88 | libevent_free: release ptr-libevent@0x55d2422fe9d8 | libevent_free: release ptr-libevent@0x55d242286788 | libevent_free: release ptr-libevent@0x55d2422fe2e8 | libevent_free: release ptr-libevent@0x55d2422fe2a8 | libevent_free: release ptr-libevent@0x55d2422fe228 | libevent_free: release ptr-libevent@0x55d2422fe3f8 | libevent_free: release ptr-libevent@0x55d242285918 | libevent_free: release ptr-libevent@0x55d24225c908 | libevent_free: release ptr-libevent@0x55d24225cd38 | libevent_free: release ptr-libevent@0x55d242285c88 | releasing global libevent data | libevent_free: release ptr-libevent@0x55d242258128 | libevent_free: release ptr-libevent@0x55d24225ccd8 | libevent_free: release ptr-libevent@0x55d24225cdd8 leak detective found no leaks