FIPS Product: YES FIPS Kernel: NO FIPS Mode: NO NSS DB directory: sql:/etc/ipsec.d Initializing NSS Opening NSS database "sql:/etc/ipsec.d" read-only NSS initialized NSS crypto library initialized FIPS HMAC integrity support [enabled] FIPS mode disabled for pluto daemon FIPS HMAC integrity verification self-test FAILED libcap-ng support [enabled] Linux audit support [enabled] Linux audit activated Starting Pluto (Libreswan Version v3.28-685-gbfd5aef521-master-s2 XFRM(netkey) esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) DNSSEC FIPS_CHECK LABELED_IPSEC SECCOMP LIBCAP_NG LINUX_AUDIT XAUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:15391 core dump dir: /var/tmp secrets file: /etc/ipsec.secrets leak-detective enabled NSS crypto [enabled] XAUTH PAM support [enabled] Initializing libevent in pthreads mode: headers: 2.1.8-stable (2010800); library: 2.1.8-stable (2010800) NAT-Traversal support [enabled] Encryption algorithms: AES_CCM_16 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm, aes_ccm_c AES_CCM_12 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_b AES_CCM_8 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_a 3DES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS [*192] 3des CAMELLIA_CTR IKEv1: ESP IKEv2: ESP {256,192,*128} CAMELLIA_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} camellia AES_GCM_16 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm, aes_gcm_c AES_GCM_12 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_b AES_GCM_8 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_a AES_CTR IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aesctr AES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aes SERPENT_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} serpent TWOFISH_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} twofish TWOFISH_SSH IKEv1: IKE IKEv2: IKE ESP {256,192,*128} twofish_cbc_ssh NULL_AUTH_AES_GMAC IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_gmac NULL IKEv1: ESP IKEv2: ESP [] CHACHA20_POLY1305 IKEv1: IKEv2: IKE ESP [*256] chacha20poly1305 Hash algorithms: MD5 IKEv1: IKE IKEv2: SHA1 IKEv1: IKE IKEv2: FIPS sha SHA2_256 IKEv1: IKE IKEv2: FIPS sha2, sha256 SHA2_384 IKEv1: IKE IKEv2: FIPS sha384 SHA2_512 IKEv1: IKE IKEv2: FIPS sha512 PRF algorithms: HMAC_MD5 IKEv1: IKE IKEv2: IKE md5 HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS sha, sha1 HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS sha2, sha256, sha2_256 HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS sha384, sha2_384 HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS sha512, sha2_512 AES_XCBC IKEv1: IKEv2: IKE aes128_xcbc Integrity algorithms: HMAC_MD5_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH md5, hmac_md5 HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha, sha1, sha1_96, hmac_sha1 HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha512, sha2_512, sha2_512_256, hmac_sha2_512 HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha384, sha2_384, sha2_384_192, hmac_sha2_384 HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256 HMAC_SHA2_256_TRUNCBUG IKEv1: ESP AH IKEv2: AH AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP AH aes_xcbc, aes128_xcbc, aes128_xcbc_96 AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS aes_cmac NONE IKEv1: ESP IKEv2: IKE ESP FIPS null DH algorithms: NONE IKEv1: IKEv2: IKE ESP AH FIPS null, dh0 MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH dh5 MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh14 MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh15 MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh16 MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh17 MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh18 DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_256, ecp256 DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_384, ecp384 DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_521, ecp521 DH31 IKEv1: IKE IKEv2: IKE ESP AH curve25519 testing CAMELLIA_CBC: Camellia: 16 bytes with 128-bit key Camellia: 16 bytes with 128-bit key Camellia: 16 bytes with 256-bit key Camellia: 16 bytes with 256-bit key testing AES_GCM_16: empty string one block two blocks two blocks with associated data testing AES_CTR: Encrypting 16 octets using AES-CTR with 128-bit key Encrypting 32 octets using AES-CTR with 128-bit key Encrypting 36 octets using AES-CTR with 128-bit key Encrypting 16 octets using AES-CTR with 192-bit key Encrypting 32 octets using AES-CTR with 192-bit key Encrypting 36 octets using AES-CTR with 192-bit key Encrypting 16 octets using AES-CTR with 256-bit key Encrypting 32 octets using AES-CTR with 256-bit key Encrypting 36 octets using AES-CTR with 256-bit key testing AES_CBC: Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key testing AES_XCBC: RFC 3566 Test Case #1: AES-XCBC-MAC-96 with 0-byte input RFC 3566 Test Case #2: AES-XCBC-MAC-96 with 3-byte input RFC 3566 Test Case #3: AES-XCBC-MAC-96 with 16-byte input RFC 3566 Test Case #4: AES-XCBC-MAC-96 with 20-byte input RFC 3566 Test Case #5: AES-XCBC-MAC-96 with 32-byte input RFC 3566 Test Case #6: AES-XCBC-MAC-96 with 34-byte input RFC 3566 Test Case #7: AES-XCBC-MAC-96 with 1000-byte input RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 16) RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10) RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18) testing HMAC_MD5: RFC 2104: MD5_HMAC test 1 RFC 2104: MD5_HMAC test 2 RFC 2104: MD5_HMAC test 3 8 CPU cores online starting up 7 crypto helpers started thread for crypto helper 0 started thread for crypto helper 1 started thread for crypto helper 2 started thread for crypto helper 3 started thread for crypto helper 4 started thread for crypto helper 5 started thread for crypto helper 6 Using Linux XFRM/NETKEY IPsec interface code on 5.1.18-200.fc29.x86_64 selinux support is enabled. listening for IKE messages Kernel supports NIC esp-hw-offload adding interface eth1/eth1 (esp-hw-offload not supported by kernel) 192.1.2.23:500 adding interface eth1/eth1 192.1.2.23:4500 adding interface eth0/eth0 (esp-hw-offload not supported by kernel) 192.0.2.254:500 adding interface eth0/eth0 192.0.2.254:4500 adding interface lo/lo (esp-hw-offload not supported by kernel) 127.0.0.1:500 adding interface lo/lo 127.0.0.1:4500 loading secrets from "/etc/ipsec.secrets" loaded private key for keyid: PKK_RSA:AQO9bJbr3 listening for IKE messages forgetting secrets loading secrets from "/etc/ipsec.secrets" loaded private key for keyid: PKK_RSA:AQO9bJbr3 added connection description "road-eastnet-nat" add keyid @road | add pubkey 01 03 c7 15 fa 72 27 70 a4 e1 f3 0a 70 21 f9 0c | add pubkey 3f e2 65 12 87 d9 fd 12 cb af d4 e0 c2 e3 dd 77 | add pubkey a0 ef aa c7 d6 a2 b2 30 f2 64 b0 c5 e6 c7 a7 27 | add pubkey 17 54 7a 8e 32 c9 ac fd bf 8f b3 33 b9 74 74 73 | add pubkey dd 23 83 11 53 d6 d4 91 0e 36 7e 67 fc 89 1e 48 | add pubkey ac e9 da 2e 66 9d 6e 4f e2 98 a7 dc 41 b3 a4 37 | add pubkey f5 07 a9 9c 23 69 83 54 87 7b ea 00 a7 5b ab 2d | add pubkey 41 34 d1 a3 17 1e a7 64 2d 7f ff 45 7a 5d 85 5c | add pubkey 73 dd 63 e7 40 ad eb 71 e6 5f 21 43 80 f5 23 4c | add pubkey 3d 4a 11 2c ca 9a d6 79 c5 c2 51 6e af c3 6e 99 | add pubkey f5 26 1c 67 ee 8a 3e 30 4b c1 93 a7 92 34 36 8c | add pubkey bf e6 d0 d3 fe 78 0b 0a 64 04 44 ca 8c 83 fd f1 | add pubkey 2e b5 00 76 61 a6 de f1 59 67 2b 6d c2 57 e0 f2 | add pubkey 7d 6b 9f d3 46 41 8c 31 c2 fd c4 60 72 08 3b bb | add pubkey 56 fb 01 fc 1d 57 4e cf 7c 0f c4 6f 72 6f 2a 0e | add pubkey f3 30 db a0 80 f9 70 cc bb 07 a9 f9 d7 76 99 63 | add pubkey 4b 6a 0f 1a 37 95 cb 9b ea 17 f7 55 62 6b 8a 83 | add pubkey 05 ff 43 78 57 dd bd 08 85 9c f1 62 35 6e 69 c7 | add pubkey 04 0b 4b c4 1b d2 38 89 8c de 56 d0 c8 2c 51 54 | add pubkey 32 1b 7d 27 dc cd 37 7a 4e cb 1a ec d2 ce 48 ed | add pubkey 43 48 9c 8a fc 30 9f b1 57 1c a9 98 e5 84 93 6c | add pubkey da 4d cc 95 e3 f5 f2 a5 b3 9d 70 ae 24 8d 08 3b | add pubkey 0f 8c e9 5a a5 f0 4d 9c 3c 2f 7f bc 10 95 34 1c | add pubkey 96 74 29 fc ab fb 8f 4b 71 aa 0b 26 b5 f0 32 98 | add pubkey 90 6a fd 31 f5 ab add keyid @east | add pubkey 01 03 bd 6c 96 eb df 78 89 b3 ed 77 0d a1 7f 7b | add pubkey e5 16 c2 c9 e4 7d 92 0a 90 9d 55 43 b4 62 13 03 | add pubkey 85 7a e0 26 7b 54 1f ca 09 93 cf ff 25 c9 02 4c | add pubkey 78 ca 94 e5 3e ac d1 f9 a8 e5 bb 7f cc 20 84 e0 | add pubkey 21 c9 f0 0d c5 44 ba f3 48 64 61 58 f6 0f 63 0d | add pubkey d2 67 1e 59 8b ec f3 50 39 71 fb 39 da 11 64 b6 | add pubkey 62 cd 5f d3 8d 2e c1 50 ed 9c 6e 22 0c 39 a7 ce | add pubkey 62 b5 af 8a 80 0f 2e 4c 05 5c 82 c7 8d 29 02 2e | add pubkey bb 23 5f db f2 9e b5 7d e2 20 70 1a 63 f3 8e 5d | add pubkey ac 47 f0 5c 26 4e b1 d0 42 60 52 4a b0 77 25 ce | add pubkey e0 98 2b 43 f4 c7 59 1a 64 01 83 ea 4e e3 1a 2a | add pubkey 92 b8 55 ab 63 dd 4b 70 47 29 dc e9 b4 60 bf 43 | add pubkey 4d 58 8f 64 73 95 70 ac 35 89 b2 c2 9c d4 62 c0 | add pubkey 5f 56 5f ad 1b e5 dd 49 93 6a f5 23 82 ed d4 e7 | add pubkey d5 f1 55 f2 2d a2 26 a6 36 53 2f 94 fb 99 22 5c | add pubkey 47 cc 6d 80 30 88 96 38 0c f5 f2 ed 37 d0 09 d5 | add pubkey 07 8f 69 ef a9 99 ce 4d 1a 77 9e 39 c4 38 f3 c5 | add pubkey 51 51 48 ef "road-eastnet-nat"[1] 192.1.2.254 #1: responding to Main Mode from unknown peer 192.1.2.254 on port 500 "road-eastnet-nat"[1] 192.1.2.254 #1: STATE_MAIN_R1: sent MR1, expecting MI2 "road-eastnet-nat"[1] 192.1.2.254 #1: STATE_MAIN_R2: sent MR2, expecting MI3 "road-eastnet-nat"[1] 192.1.2.254 #1: Peer ID is ID_FQDN: '@road' "road-eastnet-nat"[1] 192.1.2.254 #1: Authenticated using RSA "road-eastnet-nat"[1] 192.1.2.254 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=RSA_SIG cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048} "road-eastnet-nat"[1] 192.1.2.254 #1: the peer proposed: 192.0.2.0/24:0/0 -> 192.0.2.219/32:0/0 "road-eastnet-nat"[1] 192.1.2.254 #2: responding to Quick Mode proposal {msgid:0cc01241} "road-eastnet-nat"[1] 192.1.2.254 #2: us: 192.0.2.0/24===192.1.2.23<192.1.2.23>[@east] "road-eastnet-nat"[1] 192.1.2.254 #2: them: 192.1.2.254[@road]===192.0.2.219/32 "road-eastnet-nat"[1] 192.1.2.254 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 tunnel mode {ESP/NAT=>0x60c5d5c2 <0x7366d6cc xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=none NATD=192.1.2.254:4500 DPD=passive} "road-eastnet-nat"[1] 192.1.2.254 #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x60c5d5c2 <0x7366d6cc xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=none NATD=192.1.2.254:4500 DPD=passive} shutting down forgetting secrets "road-eastnet-nat"[1] 192.1.2.254: deleting connection "road-eastnet-nat"[1] 192.1.2.254 instance with peer 192.1.2.254 {isakmp=#1/ipsec=#2} "road-eastnet-nat"[1] 192.1.2.254 #2: deleting state (STATE_QUICK_R2) aged 5.009s and sending notification "road-eastnet-nat"[1] 192.1.2.254 #2: ESP traffic information: in=336B out=336B "road-eastnet-nat"[1] 192.1.2.254 #1: deleting state (STATE_MAIN_R3) aged 5.034s and sending notification unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. shutting down interface lo/lo 127.0.0.1:4500 shutting down interface lo/lo 127.0.0.1:500 shutting down interface eth0/eth0 192.0.2.254:4500 shutting down interface eth0/eth0 192.0.2.254:500 shutting down interface eth1/eth1 192.1.2.23:4500 shutting down interface eth1/eth1 192.1.2.23:500 leak: virtual description, item size: 4 leak detective found 1 leaks, total size 4