FIPS Product: YES FIPS Kernel: NO FIPS Mode: NO NSS DB directory: sql:/etc/ipsec.d Initializing NSS Opening NSS database "sql:/etc/ipsec.d" read-only NSS initialized NSS crypto library initialized FIPS HMAC integrity support [enabled] FIPS mode disabled for pluto daemon FIPS HMAC integrity verification self-test FAILED libcap-ng support [enabled] Linux audit support [enabled] Linux audit activated Starting Pluto (Libreswan Version v3.28-685-gbfd5aef521-master-s2 XFRM(netkey) esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) DNSSEC FIPS_CHECK LABELED_IPSEC SECCOMP LIBCAP_NG LINUX_AUDIT XAUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:3060 core dump dir: /tmp secrets file: /etc/ipsec.secrets leak-detective enabled NSS crypto [enabled] XAUTH PAM support [enabled] | libevent is using pluto's memory allocator Initializing libevent in pthreads mode: headers: 2.1.8-stable (2010800); library: 2.1.8-stable (2010800) | libevent_malloc: new ptr-libevent@0x5615b3da1838 size 40 | libevent_malloc: new ptr-libevent@0x5615b3d7fcd8 size 40 | libevent_malloc: new ptr-libevent@0x5615b3d7fdd8 size 40 | creating event base | libevent_malloc: new ptr-libevent@0x5615b3e029f8 size 56 | libevent_malloc: new ptr-libevent@0x5615b3daf198 size 664 | libevent_malloc: new ptr-libevent@0x5615b3e02a68 size 24 | libevent_malloc: new ptr-libevent@0x5615b3e02ab8 size 384 | libevent_malloc: new ptr-libevent@0x5615b3e029b8 size 16 | libevent_malloc: new ptr-libevent@0x5615b3d7f908 size 40 | libevent_malloc: new ptr-libevent@0x5615b3d7fd38 size 48 | libevent_realloc: new ptr-libevent@0x5615b3daee28 size 256 | libevent_malloc: new ptr-libevent@0x5615b3e02c68 size 16 | libevent_free: release ptr-libevent@0x5615b3e029f8 | libevent initialized | libevent_realloc: new ptr-libevent@0x5615b3e029f8 size 64 | global periodic timer EVENT_RESET_LOG_RATE_LIMIT enabled with interval of 3600 seconds | init_nat_traversal() initialized with keep_alive=0s NAT-Traversal support [enabled] | global one-shot timer EVENT_NAT_T_KEEPALIVE initialized | global one-shot timer EVENT_FREE_ROOT_CERTS initialized | global periodic timer EVENT_REINIT_SECRET enabled with interval of 3600 seconds | global one-shot timer EVENT_REVIVE_CONNS initialized | global periodic timer EVENT_PENDING_DDNS enabled with interval of 60 seconds | global periodic timer EVENT_PENDING_PHASE2 enabled with interval of 120 seconds Encryption algorithms: AES_CCM_16 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm, aes_ccm_c AES_CCM_12 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_b AES_CCM_8 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_a 3DES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS [*192] 3des CAMELLIA_CTR IKEv1: ESP IKEv2: ESP {256,192,*128} CAMELLIA_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} camellia AES_GCM_16 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm, aes_gcm_c AES_GCM_12 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_b AES_GCM_8 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_a AES_CTR IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aesctr AES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aes SERPENT_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} serpent TWOFISH_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} twofish TWOFISH_SSH IKEv1: IKE IKEv2: IKE ESP {256,192,*128} twofish_cbc_ssh NULL_AUTH_AES_GMAC IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_gmac NULL IKEv1: ESP IKEv2: ESP [] CHACHA20_POLY1305 IKEv1: IKEv2: IKE ESP [*256] chacha20poly1305 Hash algorithms: MD5 IKEv1: IKE IKEv2: SHA1 IKEv1: IKE IKEv2: FIPS sha SHA2_256 IKEv1: IKE IKEv2: FIPS sha2, sha256 SHA2_384 IKEv1: IKE IKEv2: FIPS sha384 SHA2_512 IKEv1: IKE IKEv2: FIPS sha512 PRF algorithms: HMAC_MD5 IKEv1: IKE IKEv2: IKE md5 HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS sha, sha1 HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS sha2, sha256, sha2_256 HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS sha384, sha2_384 HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS sha512, sha2_512 AES_XCBC IKEv1: IKEv2: IKE aes128_xcbc Integrity algorithms: HMAC_MD5_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH md5, hmac_md5 HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha, sha1, sha1_96, hmac_sha1 HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha512, sha2_512, sha2_512_256, hmac_sha2_512 HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha384, sha2_384, sha2_384_192, hmac_sha2_384 HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256 HMAC_SHA2_256_TRUNCBUG IKEv1: ESP AH IKEv2: AH AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP AH aes_xcbc, aes128_xcbc, aes128_xcbc_96 AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS aes_cmac NONE IKEv1: ESP IKEv2: IKE ESP FIPS null DH algorithms: NONE IKEv1: IKEv2: IKE ESP AH FIPS null, dh0 MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH dh5 MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh14 MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh15 MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh16 MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh17 MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh18 DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_256, ecp256 DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_384, ecp384 DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_521, ecp521 DH31 IKEv1: IKE IKEv2: IKE ESP AH curve25519 testing CAMELLIA_CBC: Camellia: 16 bytes with 128-bit key Camellia: 16 bytes with 128-bit key Camellia: 16 bytes with 256-bit key Camellia: 16 bytes with 256-bit key testing AES_GCM_16: empty string one block two blocks two blocks with associated data testing AES_CTR: Encrypting 16 octets using AES-CTR with 128-bit key Encrypting 32 octets using AES-CTR with 128-bit key Encrypting 36 octets using AES-CTR with 128-bit key Encrypting 16 octets using AES-CTR with 192-bit key Encrypting 32 octets using AES-CTR with 192-bit key Encrypting 36 octets using AES-CTR with 192-bit key Encrypting 16 octets using AES-CTR with 256-bit key Encrypting 32 octets using AES-CTR with 256-bit key Encrypting 36 octets using AES-CTR with 256-bit key testing AES_CBC: Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key testing AES_XCBC: RFC 3566 Test Case #1: AES-XCBC-MAC-96 with 0-byte input RFC 3566 Test Case #2: AES-XCBC-MAC-96 with 3-byte input RFC 3566 Test Case #3: AES-XCBC-MAC-96 with 16-byte input RFC 3566 Test Case #4: AES-XCBC-MAC-96 with 20-byte input RFC 3566 Test Case #5: AES-XCBC-MAC-96 with 32-byte input RFC 3566 Test Case #6: AES-XCBC-MAC-96 with 34-byte input RFC 3566 Test Case #7: AES-XCBC-MAC-96 with 1000-byte input RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 16) RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10) RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18) testing HMAC_MD5: RFC 2104: MD5_HMAC test 1 RFC 2104: MD5_HMAC test 2 RFC 2104: MD5_HMAC test 3 8 CPU cores online starting up 7 crypto helpers started thread for crypto helper 0 | starting up helper thread 0 | status value returned by setting the priority of this thread (crypto helper 0) 22 | crypto helper 0 waiting (nothing to do) started thread for crypto helper 1 started thread for crypto helper 2 | starting up helper thread 2 | status value returned by setting the priority of this thread (crypto helper 2) 22 | crypto helper 2 waiting (nothing to do) started thread for crypto helper 3 | starting up helper thread 1 | starting up helper thread 3 started thread for crypto helper 4 | status value returned by setting the priority of this thread (crypto helper 3) 22 | status value returned by setting the priority of this thread (crypto helper 1) 22 | starting up helper thread 4 | crypto helper 3 waiting (nothing to do) | status value returned by setting the priority of this thread (crypto helper 4) 22 | crypto helper 4 waiting (nothing to do) started thread for crypto helper 5 | crypto helper 1 waiting (nothing to do) | starting up helper thread 5 | status value returned by setting the priority of this thread (crypto helper 5) 22 | crypto helper 5 waiting (nothing to do) started thread for crypto helper 6 | checking IKEv1 state table | starting up helper thread 6 | status value returned by setting the priority of this thread (crypto helper 6) 22 | MAIN_R0: category: half-open IKE SA flags: 0: | -> MAIN_R1 EVENT_SO_DISCARD | MAIN_I1: category: half-open IKE SA flags: 0: | -> MAIN_I2 EVENT_RETRANSMIT | crypto helper 6 waiting (nothing to do) | MAIN_R1: category: open IKE SA flags: 200: | -> MAIN_R2 EVENT_RETRANSMIT | -> UNDEFINED EVENT_RETRANSMIT | -> UNDEFINED EVENT_RETRANSMIT | MAIN_I2: category: open IKE SA flags: 0: | -> MAIN_I3 EVENT_RETRANSMIT | -> UNDEFINED EVENT_RETRANSMIT | -> UNDEFINED EVENT_RETRANSMIT | MAIN_R2: category: open IKE SA flags: 0: | -> MAIN_R3 EVENT_SA_REPLACE | -> MAIN_R3 EVENT_SA_REPLACE | -> UNDEFINED EVENT_SA_REPLACE | MAIN_I3: category: open IKE SA flags: 0: | -> MAIN_I4 EVENT_SA_REPLACE | -> MAIN_I4 EVENT_SA_REPLACE | -> UNDEFINED EVENT_SA_REPLACE | MAIN_R3: category: established IKE SA flags: 200: | -> UNDEFINED EVENT_NULL | MAIN_I4: category: established IKE SA flags: 0: | -> UNDEFINED EVENT_NULL | AGGR_R0: category: half-open IKE SA flags: 0: | -> AGGR_R1 EVENT_SO_DISCARD | AGGR_I1: category: half-open IKE SA flags: 0: | -> AGGR_I2 EVENT_SA_REPLACE | -> AGGR_I2 EVENT_SA_REPLACE | AGGR_R1: category: open IKE SA flags: 200: | -> AGGR_R2 EVENT_SA_REPLACE | -> AGGR_R2 EVENT_SA_REPLACE | AGGR_I2: category: established IKE SA flags: 200: | -> UNDEFINED EVENT_NULL | AGGR_R2: category: established IKE SA flags: 0: | -> UNDEFINED EVENT_NULL | QUICK_R0: category: established CHILD SA flags: 0: | -> QUICK_R1 EVENT_RETRANSMIT | QUICK_I1: category: established CHILD SA flags: 0: | -> QUICK_I2 EVENT_SA_REPLACE | QUICK_R1: category: established CHILD SA flags: 0: | -> QUICK_R2 EVENT_SA_REPLACE | QUICK_I2: category: established CHILD SA flags: 200: | -> UNDEFINED EVENT_NULL | QUICK_R2: category: established CHILD SA flags: 0: | -> UNDEFINED EVENT_NULL | INFO: category: informational flags: 0: | -> UNDEFINED EVENT_NULL | INFO_PROTECTED: category: informational flags: 0: | -> UNDEFINED EVENT_NULL | XAUTH_R0: category: established IKE SA flags: 0: | -> XAUTH_R1 EVENT_NULL | XAUTH_R1: category: established IKE SA flags: 0: | -> MAIN_R3 EVENT_SA_REPLACE | MODE_CFG_R0: category: informational flags: 0: | -> MODE_CFG_R1 EVENT_SA_REPLACE | MODE_CFG_R1: category: established IKE SA flags: 0: | -> MODE_CFG_R2 EVENT_SA_REPLACE | MODE_CFG_R2: category: established IKE SA flags: 0: | -> UNDEFINED EVENT_NULL | MODE_CFG_I1: category: established IKE SA flags: 0: | -> MAIN_I4 EVENT_SA_REPLACE | XAUTH_I0: category: established IKE SA flags: 0: | -> XAUTH_I1 EVENT_RETRANSMIT | XAUTH_I1: category: established IKE SA flags: 0: | -> MAIN_I4 EVENT_RETRANSMIT | checking IKEv2 state table | PARENT_I0: category: ignore flags: 0: | -> PARENT_I1 EVENT_RETRANSMIT send-request (initiate IKE_SA_INIT) | PARENT_I1: category: half-open IKE SA flags: 0: | -> PARENT_I1 EVENT_RETAIN send-request (Initiator: process SA_INIT reply notification) | -> PARENT_I2 EVENT_RETRANSMIT send-request (Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH) | PARENT_I2: category: open IKE SA flags: 0: | -> PARENT_I2 EVENT_NULL (Initiator: process INVALID_SYNTAX AUTH notification) | -> PARENT_I2 EVENT_NULL (Initiator: process AUTHENTICATION_FAILED AUTH notification) | -> PARENT_I2 EVENT_NULL (Initiator: process UNSUPPORTED_CRITICAL_PAYLOAD AUTH notification) | -> V2_IPSEC_I EVENT_SA_REPLACE (Initiator: process IKE_AUTH response) | -> PARENT_I2 EVENT_NULL (IKE SA: process IKE_AUTH response containing unknown notification) | PARENT_I3: category: established IKE SA flags: 0: | -> PARENT_I3 EVENT_RETAIN (I3: Informational Request) | -> PARENT_I3 EVENT_RETAIN (I3: Informational Response) | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Request) | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Response) | PARENT_R0: category: half-open IKE SA flags: 0: | -> PARENT_R1 EVENT_SO_DISCARD send-request (Respond to IKE_SA_INIT) | PARENT_R1: category: half-open IKE SA flags: 0: | -> PARENT_R1 EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request (no SKEYSEED)) | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request) | PARENT_R2: category: established IKE SA flags: 0: | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Request) | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Response) | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Request) | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Response) | V2_CREATE_I0: category: established IKE SA flags: 0: | -> V2_CREATE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec SA) | V2_CREATE_I: category: established IKE SA flags: 0: | -> V2_IPSEC_I EVENT_SA_REPLACE (Process CREATE_CHILD_SA IPsec SA Response) | V2_REKEY_IKE_I0: category: established IKE SA flags: 0: | -> V2_REKEY_IKE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IKE Rekey) | V2_REKEY_IKE_I: category: established IKE SA flags: 0: | -> PARENT_I3 EVENT_SA_REPLACE (Process CREATE_CHILD_SA IKE Rekey Response) | V2_REKEY_CHILD_I0: category: established IKE SA flags: 0: | -> V2_REKEY_CHILD_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec Rekey SA) | V2_REKEY_CHILD_I: category: established IKE SA flags: 0: | V2_CREATE_R: category: established IKE SA flags: 0: | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IPsec SA Request) | V2_REKEY_IKE_R: category: established IKE SA flags: 0: | -> PARENT_R2 EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IKE Rekey) | V2_REKEY_CHILD_R: category: established IKE SA flags: 0: | V2_IPSEC_I: category: established CHILD SA flags: 0: | V2_IPSEC_R: category: established CHILD SA flags: 0: | IKESA_DEL: category: established IKE SA flags: 0: | -> IKESA_DEL EVENT_RETAIN (IKE_SA_DEL: process INFORMATIONAL) | CHILDSA_DEL: category: informational flags: 0: Using Linux XFRM/NETKEY IPsec interface code on 5.1.18-200.fc29.x86_64 | Hard-wiring algorithms | adding AES_CCM_16 to kernel algorithm db | adding AES_CCM_12 to kernel algorithm db | adding AES_CCM_8 to kernel algorithm db | adding 3DES_CBC to kernel algorithm db | adding CAMELLIA_CBC to kernel algorithm db | adding AES_GCM_16 to kernel algorithm db | adding AES_GCM_12 to kernel algorithm db | adding AES_GCM_8 to kernel algorithm db | adding AES_CTR to kernel algorithm db | adding AES_CBC to kernel algorithm db | adding SERPENT_CBC to kernel algorithm db | adding TWOFISH_CBC to kernel algorithm db | adding NULL_AUTH_AES_GMAC to kernel algorithm db | adding NULL to kernel algorithm db | adding CHACHA20_POLY1305 to kernel algorithm db | adding HMAC_MD5_96 to kernel algorithm db | adding HMAC_SHA1_96 to kernel algorithm db | adding HMAC_SHA2_512_256 to kernel algorithm db | adding HMAC_SHA2_384_192 to kernel algorithm db | adding HMAC_SHA2_256_128 to kernel algorithm db | adding HMAC_SHA2_256_TRUNCBUG to kernel algorithm db | adding AES_XCBC_96 to kernel algorithm db | adding AES_CMAC_96 to kernel algorithm db | adding NONE to kernel algorithm db | net.ipv6.conf.all.disable_ipv6=1 ignore ipv6 holes | global periodic timer EVENT_SHUNT_SCAN enabled with interval of 20 seconds | setup kernel fd callback | add_fd_read_event_handler: new KERNEL_XRM_FD-pe@0x5615b3e081e8 | libevent_malloc: new ptr-libevent@0x5615b3debc58 size 128 | libevent_malloc: new ptr-libevent@0x5615b3e07748 size 16 | add_fd_read_event_handler: new KERNEL_ROUTE_FD-pe@0x5615b3e07638 | libevent_malloc: new ptr-libevent@0x5615b3db2348 size 128 | libevent_malloc: new ptr-libevent@0x5615b3e08138 size 16 | global one-shot timer EVENT_CHECK_CRLS initialized selinux support is enabled. | unbound context created - setting debug level to 5 | /etc/hosts lookups activated | /etc/resolv.conf usage activated | outgoing-port-avoid set 0-65535 | outgoing-port-permit set 32768-60999 | Loading dnssec root key from:/var/lib/unbound/root.key | No additional dnssec trust anchors defined via dnssec-trusted= option | Setting up events, loop start | add_fd_read_event_handler: new PLUTO_CTL_FD-pe@0x5615b3e08178 | libevent_malloc: new ptr-libevent@0x5615b3e14438 size 128 | libevent_malloc: new ptr-libevent@0x5615b3e1f748 size 16 | libevent_realloc: new ptr-libevent@0x5615b3e1f788 size 256 | libevent_malloc: new ptr-libevent@0x5615b3e1f8b8 size 8 | libevent_realloc: new ptr-libevent@0x5615b3daf6d8 size 144 | libevent_malloc: new ptr-libevent@0x5615b3db3808 size 152 | libevent_malloc: new ptr-libevent@0x5615b3e1f8f8 size 16 | signal event handler PLUTO_SIGCHLD installed | libevent_malloc: new ptr-libevent@0x5615b3e1f938 size 8 | libevent_malloc: new ptr-libevent@0x5615b3e1f978 size 152 | signal event handler PLUTO_SIGTERM installed | libevent_malloc: new ptr-libevent@0x5615b3e1fa48 size 8 | libevent_malloc: new ptr-libevent@0x5615b3e1fa88 size 152 | signal event handler PLUTO_SIGHUP installed | libevent_malloc: new ptr-libevent@0x5615b3e1fb58 size 8 | libevent_realloc: release ptr-libevent@0x5615b3daf6d8 | libevent_realloc: new ptr-libevent@0x5615b3e1fb98 size 256 | libevent_malloc: new ptr-libevent@0x5615b3e1fcc8 size 152 | signal event handler PLUTO_SIGSYS installed | created addconn helper (pid:3141) using fork+execve | forked child 3141 | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) listening for IKE messages | Inspecting interface lo | found lo with address 127.0.0.1 | Inspecting interface eth0 | found eth0 with address 192.0.2.254 | Inspecting interface eth1 | found eth1 with address 192.1.2.23 Kernel supports NIC esp-hw-offload adding interface eth1/eth1 (esp-hw-offload not supported by kernel) 192.1.2.23:500 | NAT-Traversal: Trying sockopt style NAT-T | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 adding interface eth1/eth1 192.1.2.23:4500 adding interface eth0/eth0 (esp-hw-offload not supported by kernel) 192.0.2.254:500 | NAT-Traversal: Trying sockopt style NAT-T | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 adding interface eth0/eth0 192.0.2.254:4500 adding interface lo/lo (esp-hw-offload not supported by kernel) 127.0.0.1:500 | NAT-Traversal: Trying sockopt style NAT-T | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 adding interface lo/lo 127.0.0.1:4500 | no interfaces to sort | FOR_EACH_UNORIENTED_CONNECTION_... in check_orientations | add_fd_read_event_handler: new ethX-pe@0x5615b3e20218 | libevent_malloc: new ptr-libevent@0x5615b3e14388 size 128 | libevent_malloc: new ptr-libevent@0x5615b3e20288 size 16 | setup callback for interface lo 127.0.0.1:4500 fd 22 | add_fd_read_event_handler: new ethX-pe@0x5615b3e202c8 | libevent_malloc: new ptr-libevent@0x5615b3db05e8 size 128 | libevent_malloc: new ptr-libevent@0x5615b3e20338 size 16 | setup callback for interface lo 127.0.0.1:500 fd 21 | add_fd_read_event_handler: new ethX-pe@0x5615b3e20378 | libevent_malloc: new ptr-libevent@0x5615b3db2448 size 128 | libevent_malloc: new ptr-libevent@0x5615b3e203e8 size 16 | setup callback for interface eth0 192.0.2.254:4500 fd 20 | add_fd_read_event_handler: new ethX-pe@0x5615b3e20428 | libevent_malloc: new ptr-libevent@0x5615b3daf5d8 size 128 | libevent_malloc: new ptr-libevent@0x5615b3e20498 size 16 | setup callback for interface eth0 192.0.2.254:500 fd 19 | add_fd_read_event_handler: new ethX-pe@0x5615b3e204d8 | libevent_malloc: new ptr-libevent@0x5615b3d804e8 size 128 | libevent_malloc: new ptr-libevent@0x5615b3e20548 size 16 | setup callback for interface eth1 192.1.2.23:4500 fd 18 | add_fd_read_event_handler: new ethX-pe@0x5615b3e20588 | libevent_malloc: new ptr-libevent@0x5615b3d801d8 size 128 | libevent_malloc: new ptr-libevent@0x5615b3e205f8 size 16 | setup callback for interface eth1 192.1.2.23:500 fd 17 | certs and keys locked by 'free_preshared_secrets' | certs and keys unlocked by 'free_preshared_secrets' loading secrets from "/etc/ipsec.secrets" | saving Modulus | saving PublicExponent | ignoring PrivateExponent | ignoring Prime1 | ignoring Prime2 | ignoring Exponent1 | ignoring Exponent2 | ignoring Coefficient | ignoring CKAIDNSS | computed rsa CKAID 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1 | computed rsa CKAID 8a 82 25 f1 loaded private key for keyid: PKK_RSA:AQO9bJbr3 | certs and keys locked by 'process_secret' | certs and keys unlocked by 'process_secret' | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.971 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) | FOR_EACH_CONNECTION_... in conn_by_name | FOR_EACH_CONNECTION_... in foreach_connection_by_alias | FOR_EACH_CONNECTION_... in conn_by_name | FOR_EACH_CONNECTION_... in foreach_connection_by_alias | FOR_EACH_CONNECTION_... in conn_by_name | Added new connection clear with policy AUTH_NEVER+GROUP+PASS+NEVER_NEGOTIATE | counting wild cards for (none) is 15 | counting wild cards for (none) is 15 | connect_to_host_pair: 192.1.2.23:500 0.0.0.0:500 -> hp@(nil): none | new hp@0x5615b3e21258 added connection description "clear" | ike_life: 0s; ipsec_life: 0s; rekey_margin: 0s; rekey_fuzz: 0%; keyingtries: 0; replay_window: 0; policy: AUTH_NEVER+GROUP+PASS+NEVER_NEGOTIATE | 192.1.2.23---192.1.2.254...%group | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.097 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) | FOR_EACH_CONNECTION_... in conn_by_name | FOR_EACH_CONNECTION_... in foreach_connection_by_alias | FOR_EACH_CONNECTION_... in conn_by_name | FOR_EACH_CONNECTION_... in foreach_connection_by_alias | FOR_EACH_CONNECTION_... in conn_by_name | Added new connection clear-or-private with policy AUTHNULL+ENCRYPT+TUNNEL+PFS+NEGO_PASS+OPPORTUNISTIC+GROUP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failurePASS | ike (phase1) algorithm values: AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 | from whack: got --esp= | ESP/AH string values: AES_GCM_16_256-NONE, AES_GCM_16_128-NONE, AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128, AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128 | counting wild cards for ID_NULL is 0 | counting wild cards for ID_NULL is 0 | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports | connect_to_host_pair: 192.1.2.23:500 0.0.0.0:500 -> hp@0x5615b3e21258: clear added connection description "clear-or-private" | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: AUTHNULL+ENCRYPT+TUNNEL+PFS+NEGO_PASS+OPPORTUNISTIC+GROUP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failurePASS | 192.1.2.23[ID_NULL]---192.1.2.254...%opportunisticgroup[ID_NULL] | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.211 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) | FOR_EACH_CONNECTION_... in conn_by_name | FOR_EACH_CONNECTION_... in foreach_connection_by_alias | FOR_EACH_CONNECTION_... in conn_by_name | FOR_EACH_CONNECTION_... in foreach_connection_by_alias | FOR_EACH_CONNECTION_... in conn_by_name | Added new connection private-or-clear with policy AUTHNULL+ENCRYPT+TUNNEL+PFS+NEGO_PASS+OPPORTUNISTIC+GROUP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failurePASS | ike (phase1) algorithm values: AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 | from whack: got --esp= | ESP/AH string values: AES_GCM_16_256-NONE, AES_GCM_16_128-NONE, AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128, AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128 | counting wild cards for ID_NULL is 0 | counting wild cards for ID_NULL is 0 | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports | connect_to_host_pair: 192.1.2.23:500 0.0.0.0:500 -> hp@0x5615b3e21258: clear-or-private added connection description "private-or-clear" | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: AUTHNULL+ENCRYPT+TUNNEL+PFS+NEGO_PASS+OPPORTUNISTIC+GROUP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failurePASS | 192.1.2.23[ID_NULL]---192.1.2.254...%opportunisticgroup[ID_NULL] | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.177 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) | FOR_EACH_CONNECTION_... in conn_by_name | FOR_EACH_CONNECTION_... in foreach_connection_by_alias | FOR_EACH_CONNECTION_... in conn_by_name | FOR_EACH_CONNECTION_... in foreach_connection_by_alias | FOR_EACH_CONNECTION_... in conn_by_name | Added new connection private with policy AUTHNULL+ENCRYPT+TUNNEL+PFS+OPPORTUNISTIC+GROUP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failureDROP | ike (phase1) algorithm values: AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 | from whack: got --esp= | ESP/AH string values: AES_GCM_16_256-NONE, AES_GCM_16_128-NONE, AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128, AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128 | counting wild cards for ID_NULL is 0 | counting wild cards for ID_NULL is 0 | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports | connect_to_host_pair: 192.1.2.23:500 0.0.0.0:500 -> hp@0x5615b3e21258: private-or-clear added connection description "private" | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: AUTHNULL+ENCRYPT+TUNNEL+PFS+OPPORTUNISTIC+GROUP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failureDROP | 192.1.2.23[ID_NULL]---192.1.2.254...%opportunisticgroup[ID_NULL] | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.116 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) | FOR_EACH_CONNECTION_... in conn_by_name | FOR_EACH_CONNECTION_... in foreach_connection_by_alias | FOR_EACH_CONNECTION_... in conn_by_name | FOR_EACH_CONNECTION_... in foreach_connection_by_alias | FOR_EACH_CONNECTION_... in conn_by_name | Added new connection block with policy AUTH_NEVER+GROUP+REJECT+NEVER_NEGOTIATE | counting wild cards for (none) is 15 | counting wild cards for (none) is 15 | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports | connect_to_host_pair: 192.1.2.23:500 0.0.0.0:500 -> hp@0x5615b3e21258: private added connection description "block" | ike_life: 0s; ipsec_life: 0s; rekey_margin: 0s; rekey_fuzz: 0%; keyingtries: 0; replay_window: 0; policy: AUTH_NEVER+GROUP+REJECT+NEVER_NEGOTIATE | 192.1.2.23---192.1.2.254...%group | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.0584 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) listening for IKE messages | Inspecting interface lo | found lo with address 127.0.0.1 | Inspecting interface eth0 | found eth0 with address 192.0.2.254 | Inspecting interface eth1 | found eth1 with address 192.1.2.23 | no interfaces to sort | libevent_free: release ptr-libevent@0x5615b3e14388 | free_event_entry: release EVENT_NULL-pe@0x5615b3e20218 | add_fd_read_event_handler: new ethX-pe@0x5615b3e20218 | libevent_malloc: new ptr-libevent@0x5615b3e14388 size 128 | setup callback for interface lo 127.0.0.1:4500 fd 22 | libevent_free: release ptr-libevent@0x5615b3db05e8 | free_event_entry: release EVENT_NULL-pe@0x5615b3e202c8 | add_fd_read_event_handler: new ethX-pe@0x5615b3e202c8 | libevent_malloc: new ptr-libevent@0x5615b3db05e8 size 128 | setup callback for interface lo 127.0.0.1:500 fd 21 | libevent_free: release ptr-libevent@0x5615b3db2448 | free_event_entry: release EVENT_NULL-pe@0x5615b3e20378 | add_fd_read_event_handler: new ethX-pe@0x5615b3e20378 | libevent_malloc: new ptr-libevent@0x5615b3db2448 size 128 | setup callback for interface eth0 192.0.2.254:4500 fd 20 | libevent_free: release ptr-libevent@0x5615b3daf5d8 | free_event_entry: release EVENT_NULL-pe@0x5615b3e20428 | add_fd_read_event_handler: new ethX-pe@0x5615b3e20428 | libevent_malloc: new ptr-libevent@0x5615b3daf5d8 size 128 | setup callback for interface eth0 192.0.2.254:500 fd 19 | libevent_free: release ptr-libevent@0x5615b3d804e8 | free_event_entry: release EVENT_NULL-pe@0x5615b3e204d8 | add_fd_read_event_handler: new ethX-pe@0x5615b3e204d8 | libevent_malloc: new ptr-libevent@0x5615b3d804e8 size 128 | setup callback for interface eth1 192.1.2.23:4500 fd 18 | libevent_free: release ptr-libevent@0x5615b3d801d8 | free_event_entry: release EVENT_NULL-pe@0x5615b3e20588 | add_fd_read_event_handler: new ethX-pe@0x5615b3e20588 | libevent_malloc: new ptr-libevent@0x5615b3d801d8 size 128 | setup callback for interface eth1 192.1.2.23:500 fd 17 | certs and keys locked by 'free_preshared_secrets' forgetting secrets | certs and keys unlocked by 'free_preshared_secrets' loading secrets from "/etc/ipsec.secrets" | saving Modulus | saving PublicExponent | ignoring PrivateExponent | ignoring Prime1 | ignoring Prime2 | ignoring Exponent1 | ignoring Exponent2 | ignoring Coefficient | ignoring CKAIDNSS | computed rsa CKAID 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1 | computed rsa CKAID 8a 82 25 f1 loaded private key for keyid: PKK_RSA:AQO9bJbr3 | certs and keys locked by 'process_secret' | certs and keys unlocked by 'process_secret' loading group "/etc/ipsec.d/policies/block" loading group "/etc/ipsec.d/policies/private" loading group "/etc/ipsec.d/policies/private-or-clear" loading group "/etc/ipsec.d/policies/clear-or-private" loading group "/etc/ipsec.d/policies/clear" | 192.1.2.23/32->192.1.3.254/32 0 sport 0 dport 0 clear | 192.1.2.23/32->192.1.3.253/32 0 sport 0 dport 0 clear | 192.1.2.23/32->192.1.2.253/32 0 sport 0 dport 0 clear | 192.1.2.23/32->192.1.3.0/24 0 sport 0 dport 0 clear-or-private | FOR_EACH_CONNECTION_... in conn_by_name | FOR_EACH_CONNECTION_... in conn_by_name | FOR_EACH_CONNECTION_... in conn_by_name | FOR_EACH_CONNECTION_... in conn_by_name | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.341 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) | FOR_EACH_CONNECTION_... in conn_by_name | start processing: connection "clear" (in whack_route_connection() at rcv_whack.c:106) | FOR_EACH_CONNECTION_... in conn_by_name | suspend processing: connection "clear" (in route_group() at foodgroups.c:435) | start processing: connection "clear#192.1.3.254/32" 0.0.0.0 (in route_group() at foodgroups.c:435) | could_route called for clear#192.1.3.254/32 (kind=CK_INSTANCE) | FOR_EACH_CONNECTION_... in route_owner | conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs | conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 | conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs | conn clear mark 0/00000000, 0/00000000 | conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs | conn clear-or-private#192.1.3.0/24 mark 0/00000000, 0/00000000 | conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs | conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 | conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs | conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 | conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs | conn block mark 0/00000000, 0/00000000 | conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs | conn private mark 0/00000000, 0/00000000 | conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs | conn private-or-clear mark 0/00000000, 0/00000000 | conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs | conn clear-or-private mark 0/00000000, 0/00000000 | route owner of "clear#192.1.3.254/32" 0.0.0.0 unrouted: NULL; eroute owner: NULL | route_and_eroute() for proto 0, and source port 0 dest port 0 | FOR_EACH_CONNECTION_... in route_owner | conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs | conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 | conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs | conn clear mark 0/00000000, 0/00000000 | conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs | conn clear-or-private#192.1.3.0/24 mark 0/00000000, 0/00000000 | conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs | conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 | conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs | conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 | conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs | conn block mark 0/00000000, 0/00000000 | conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs | conn private mark 0/00000000, 0/00000000 | conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs | conn private-or-clear mark 0/00000000, 0/00000000 | conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs | conn clear-or-private mark 0/00000000, 0/00000000 | route owner of "clear#192.1.3.254/32" 0.0.0.0 unrouted: NULL; eroute owner: NULL | route_and_eroute with c: clear#192.1.3.254/32 (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: #0 | shunt_eroute() called for connection 'clear#192.1.3.254/32' to 'add' for rt_kind 'prospective erouted' using protoports 0--0->-0 | netlink_shunt_eroute for proto 0, and source port 0 dest port 0 | priority calculation of connection "clear#192.1.3.254/32" is 0x17dfdf | netlink_raw_eroute: SPI_PASS | IPsec Sa SPD priority set to 1564639 | priority calculation of connection "clear#192.1.3.254/32" is 0x17dfdf | netlink_raw_eroute: SPI_PASS | IPsec Sa SPD priority set to 1564639 | route_and_eroute: firewall_notified: true | running updown command "ipsec _updown" for verb prepare | command executing prepare-host | executing prepare-host: PLUTO_VERB='prepare-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.3.254/32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='192.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16408' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.254/32' PLUTO_PEER_CLIENT_NET='192.1.3.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT | popen cmd is 1016 chars long | cmd( 0):PLUTO_VERB='prepare-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.3.25: | cmd( 80):4/32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' : | cmd( 160):PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='19: | cmd( 240):2.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROT: | cmd( 320):OCOL='0' PLUTO_SA_REQID='16408' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_: | cmd( 400):PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.254/32' PLUTO_PEER_CLIENT_NET='192.1: | cmd( 480):.3.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_: | cmd( 560):PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_: | cmd( 640):POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTA: | cmd( 720):NCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_P: | cmd( 800):EER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER=: | cmd( 880):'0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' V: | cmd( 960):TI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec _updown 2>&1: | running updown command "ipsec _updown" for verb route | command executing route-host | executing route-host: PLUTO_VERB='route-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.3.254/32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='192.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16408' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.254/32' PLUTO_PEER_CLIENT_NET='192.1.3.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 | popen cmd is 1014 chars long | cmd( 0):PLUTO_VERB='route-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.3.254/: | cmd( 80):32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PL: | cmd( 160):UTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='192.: | cmd( 240):1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOC: | cmd( 320):OL='0' PLUTO_SA_REQID='16408' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PE: | cmd( 400):ER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.254/32' PLUTO_PEER_CLIENT_NET='192.1.3: | cmd( 480):.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PR: | cmd( 560):OTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_PO: | cmd( 640):LICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANC: | cmd( 720):E' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEE: | cmd( 800):R_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0: | cmd( 880):' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI: | cmd( 960):_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec _updown 2>&1: | suspend processing: connection "clear#192.1.3.254/32" 0.0.0.0 (in route_group() at foodgroups.c:439) | start processing: connection "clear" (in route_group() at foodgroups.c:439) | FOR_EACH_CONNECTION_... in conn_by_name | suspend processing: connection "clear" (in route_group() at foodgroups.c:435) | start processing: connection "clear#192.1.3.253/32" 0.0.0.0 (in route_group() at foodgroups.c:435) | could_route called for clear#192.1.3.253/32 (kind=CK_INSTANCE) | FOR_EACH_CONNECTION_... in route_owner | conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs | conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 | conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs | conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 | conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs | conn clear mark 0/00000000, 0/00000000 | conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs | conn clear-or-private#192.1.3.0/24 mark 0/00000000, 0/00000000 | conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs | conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 | conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs | conn block mark 0/00000000, 0/00000000 | conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs | conn private mark 0/00000000, 0/00000000 | conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs | conn private-or-clear mark 0/00000000, 0/00000000 | conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs | conn clear-or-private mark 0/00000000, 0/00000000 | route owner of "clear#192.1.3.253/32" 0.0.0.0 unrouted: NULL; eroute owner: NULL | route_and_eroute() for proto 0, and source port 0 dest port 0 | FOR_EACH_CONNECTION_... in route_owner | conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs | conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 | conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs | conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 | conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs | conn clear mark 0/00000000, 0/00000000 | conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs | conn clear-or-private#192.1.3.0/24 mark 0/00000000, 0/00000000 | conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs | conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 | conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs | conn block mark 0/00000000, 0/00000000 | conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs | conn private mark 0/00000000, 0/00000000 | conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs | conn private-or-clear mark 0/00000000, 0/00000000 | conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs | conn clear-or-private mark 0/00000000, 0/00000000 | route owner of "clear#192.1.3.253/32" 0.0.0.0 unrouted: NULL; eroute owner: NULL | route_and_eroute with c: clear#192.1.3.253/32 (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: #0 | shunt_eroute() called for connection 'clear#192.1.3.253/32' to 'add' for rt_kind 'prospective erouted' using protoports 0--0->-0 | netlink_shunt_eroute for proto 0, and source port 0 dest port 0 | priority calculation of connection "clear#192.1.3.253/32" is 0x17dfdf | netlink_raw_eroute: SPI_PASS | IPsec Sa SPD priority set to 1564639 | priority calculation of connection "clear#192.1.3.253/32" is 0x17dfdf | netlink_raw_eroute: SPI_PASS | IPsec Sa SPD priority set to 1564639 | route_and_eroute: firewall_notified: true | running updown command "ipsec _updown" for verb prepare | command executing prepare-host | executing prepare-host: PLUTO_VERB='prepare-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.3.253/32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='192.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16412' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.253/32' PLUTO_PEER_CLIENT_NET='192.1.3.253' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT | popen cmd is 1016 chars long | cmd( 0):PLUTO_VERB='prepare-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.3.25: | cmd( 80):3/32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' : | cmd( 160):PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='19: | cmd( 240):2.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROT: | cmd( 320):OCOL='0' PLUTO_SA_REQID='16412' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_: | cmd( 400):PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.253/32' PLUTO_PEER_CLIENT_NET='192.1: | cmd( 480):.3.253' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_: | cmd( 560):PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_: | cmd( 640):POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTA: | cmd( 720):NCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_P: | cmd( 800):EER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER=: | cmd( 880):'0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' V: | cmd( 960):TI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec _updown 2>&1: | running updown command "ipsec _updown" for verb route | command executing route-host | executing route-host: PLUTO_VERB='route-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.3.253/32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='192.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16412' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.253/32' PLUTO_PEER_CLIENT_NET='192.1.3.253' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 | popen cmd is 1014 chars long | cmd( 0):PLUTO_VERB='route-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.3.253/: | cmd( 80):32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PL: | cmd( 160):UTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='192.: | cmd( 240):1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOC: | cmd( 320):OL='0' PLUTO_SA_REQID='16412' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PE: | cmd( 400):ER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.253/32' PLUTO_PEER_CLIENT_NET='192.1.3: | cmd( 480):.253' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PR: | cmd( 560):OTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_PO: | cmd( 640):LICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANC: | cmd( 720):E' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEE: | cmd( 800):R_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0: | cmd( 880):' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI: | cmd( 960):_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec _updown 2>&1: | suspend processing: connection "clear#192.1.3.253/32" 0.0.0.0 (in route_group() at foodgroups.c:439) | start processing: connection "clear" (in route_group() at foodgroups.c:439) | FOR_EACH_CONNECTION_... in conn_by_name | suspend processing: connection "clear" (in route_group() at foodgroups.c:435) | start processing: connection "clear#192.1.2.253/32" 0.0.0.0 (in route_group() at foodgroups.c:435) | could_route called for clear#192.1.2.253/32 (kind=CK_INSTANCE) | FOR_EACH_CONNECTION_... in route_owner | conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs | conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 | conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs | conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 | conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs | conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 | conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs | conn clear mark 0/00000000, 0/00000000 | conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs | conn clear-or-private#192.1.3.0/24 mark 0/00000000, 0/00000000 | conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs | conn block mark 0/00000000, 0/00000000 | conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs | conn private mark 0/00000000, 0/00000000 | conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs | conn private-or-clear mark 0/00000000, 0/00000000 | conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs | conn clear-or-private mark 0/00000000, 0/00000000 | route owner of "clear#192.1.2.253/32" 0.0.0.0 unrouted: NULL; eroute owner: NULL | route_and_eroute() for proto 0, and source port 0 dest port 0 | FOR_EACH_CONNECTION_... in route_owner | conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs | conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 | conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs | conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 | conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs | conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 | conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs | conn clear mark 0/00000000, 0/00000000 | conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs | conn clear-or-private#192.1.3.0/24 mark 0/00000000, 0/00000000 | conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs | conn block mark 0/00000000, 0/00000000 | conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs | conn private mark 0/00000000, 0/00000000 | conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs | conn private-or-clear mark 0/00000000, 0/00000000 | conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs | conn clear-or-private mark 0/00000000, 0/00000000 | route owner of "clear#192.1.2.253/32" 0.0.0.0 unrouted: NULL; eroute owner: NULL | route_and_eroute with c: clear#192.1.2.253/32 (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: #0 | shunt_eroute() called for connection 'clear#192.1.2.253/32' to 'add' for rt_kind 'prospective erouted' using protoports 0--0->-0 | netlink_shunt_eroute for proto 0, and source port 0 dest port 0 | priority calculation of connection "clear#192.1.2.253/32" is 0x17dfdf | netlink_raw_eroute: SPI_PASS | IPsec Sa SPD priority set to 1564639 | priority calculation of connection "clear#192.1.2.253/32" is 0x17dfdf | netlink_raw_eroute: SPI_PASS | IPsec Sa SPD priority set to 1564639 | route_and_eroute: firewall_notified: true | running updown command "ipsec _updown" for verb prepare | command executing prepare-host | executing prepare-host: PLUTO_VERB='prepare-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.2.253/32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='192.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16416' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.2.253/32' PLUTO_PEER_CLIENT_NET='192.1.2.253' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT | popen cmd is 1016 chars long | cmd( 0):PLUTO_VERB='prepare-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.2.25: | cmd( 80):3/32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' : | cmd( 160):PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='19: | cmd( 240):2.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROT: | cmd( 320):OCOL='0' PLUTO_SA_REQID='16416' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_: | cmd( 400):PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.2.253/32' PLUTO_PEER_CLIENT_NET='192.1: | cmd( 480):.2.253' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_: | cmd( 560):PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_: | cmd( 640):POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTA: | cmd( 720):NCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_P: | cmd( 800):EER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER=: | cmd( 880):'0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' V: | cmd( 960):TI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec _updown 2>&1: | running updown command "ipsec _updown" for verb route | command executing route-host | executing route-host: PLUTO_VERB='route-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.2.253/32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='192.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16416' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.2.253/32' PLUTO_PEER_CLIENT_NET='192.1.2.253' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 | popen cmd is 1014 chars long | cmd( 0):PLUTO_VERB='route-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.2.253/: | cmd( 80):32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PL: | cmd( 160):UTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='192.: | cmd( 240):1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOC: | cmd( 320):OL='0' PLUTO_SA_REQID='16416' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PE: | cmd( 400):ER_ID='(none)' PLUTO_PEER_CLIENT='192.1.2.253/32' PLUTO_PEER_CLIENT_NET='192.1.2: | cmd( 480):.253' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PR: | cmd( 560):OTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_PO: | cmd( 640):LICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANC: | cmd( 720):E' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEE: | cmd( 800):R_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0: | cmd( 880):' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI: | cmd( 960):_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec _updown 2>&1: | suspend processing: connection "clear#192.1.2.253/32" 0.0.0.0 (in route_group() at foodgroups.c:439) | start processing: connection "clear" (in route_group() at foodgroups.c:439) | stop processing: connection "clear" (in whack_route_connection() at rcv_whack.c:116) | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 2.67 milliseconds in whack | processing signal PLUTO_SIGCHLD | waitpid returned nothing left to do (all child processes are busy) | spent 0.00372 milliseconds in signal handler PLUTO_SIGCHLD | processing signal PLUTO_SIGCHLD | waitpid returned nothing left to do (all child processes are busy) | spent 0.00202 milliseconds in signal handler PLUTO_SIGCHLD | processing signal PLUTO_SIGCHLD | waitpid returned nothing left to do (all child processes are busy) | spent 0.00199 milliseconds in signal handler PLUTO_SIGCHLD | processing signal PLUTO_SIGCHLD | waitpid returned nothing left to do (all child processes are busy) | spent 0.0026 milliseconds in signal handler PLUTO_SIGCHLD | processing signal PLUTO_SIGCHLD | waitpid returned nothing left to do (all child processes are busy) | spent 0.00332 milliseconds in signal handler PLUTO_SIGCHLD | processing signal PLUTO_SIGCHLD | waitpid returned nothing left to do (all child processes are busy) | spent 0.00199 milliseconds in signal handler PLUTO_SIGCHLD | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) | FOR_EACH_CONNECTION_... in conn_by_name | start processing: connection "private-or-clear" (in whack_route_connection() at rcv_whack.c:106) | stop processing: connection "private-or-clear" (in whack_route_connection() at rcv_whack.c:116) | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.0541 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) | FOR_EACH_CONNECTION_... in conn_by_name | start processing: connection "private" (in whack_route_connection() at rcv_whack.c:106) | stop processing: connection "private" (in whack_route_connection() at rcv_whack.c:116) | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.0432 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) | FOR_EACH_CONNECTION_... in conn_by_name | start processing: connection "block" (in whack_route_connection() at rcv_whack.c:106) | stop processing: connection "block" (in whack_route_connection() at rcv_whack.c:116) | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.021 milliseconds in whack | processing signal PLUTO_SIGCHLD | waitpid returned pid 3141 (exited with status 0) | reaped addconn helper child (status 0) | waitpid returned ECHILD (no child processes left) | spent 0.0252 milliseconds in signal handler PLUTO_SIGCHLD | spent 0.00288 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 851 bytes from 192.1.2.254:500 on eth1 (192.1.2.23:500) | bc e3 d2 eb c0 b6 f0 35 00 00 00 00 00 00 00 00 | 21 20 22 08 00 00 00 00 00 00 03 53 22 00 01 b4 | 02 00 00 64 01 01 00 0b 03 00 00 0c 01 00 00 14 | 80 0e 01 00 03 00 00 08 02 00 00 07 03 00 00 08 | 02 00 00 05 03 00 00 08 04 00 00 0e 03 00 00 08 | 04 00 00 0f 03 00 00 08 04 00 00 10 03 00 00 08 | 04 00 00 12 03 00 00 08 04 00 00 13 03 00 00 08 | 04 00 00 14 03 00 00 08 04 00 00 15 00 00 00 08 | 04 00 00 1f 02 00 00 64 02 01 00 0b 03 00 00 0c | 01 00 00 14 80 0e 00 80 03 00 00 08 02 00 00 07 | 03 00 00 08 02 00 00 05 03 00 00 08 04 00 00 0e | 03 00 00 08 04 00 00 0f 03 00 00 08 04 00 00 10 | 03 00 00 08 04 00 00 12 03 00 00 08 04 00 00 13 | 03 00 00 08 04 00 00 14 03 00 00 08 04 00 00 15 | 00 00 00 08 04 00 00 1f 02 00 00 74 03 01 00 0d | 03 00 00 0c 01 00 00 0c 80 0e 01 00 03 00 00 08 | 02 00 00 07 03 00 00 08 02 00 00 05 03 00 00 08 | 03 00 00 0e 03 00 00 08 03 00 00 0c 03 00 00 08 | 04 00 00 0e 03 00 00 08 04 00 00 0f 03 00 00 08 | 04 00 00 10 03 00 00 08 04 00 00 12 03 00 00 08 | 04 00 00 13 03 00 00 08 04 00 00 14 03 00 00 08 | 04 00 00 15 00 00 00 08 04 00 00 1f 00 00 00 74 | 04 01 00 0d 03 00 00 0c 01 00 00 0c 80 0e 00 80 | 03 00 00 08 02 00 00 07 03 00 00 08 02 00 00 05 | 03 00 00 08 03 00 00 0e 03 00 00 08 03 00 00 0c | 03 00 00 08 04 00 00 0e 03 00 00 08 04 00 00 0f | 03 00 00 08 04 00 00 10 03 00 00 08 04 00 00 12 | 03 00 00 08 04 00 00 13 03 00 00 08 04 00 00 14 | 03 00 00 08 04 00 00 15 00 00 00 08 04 00 00 1f | 28 00 01 08 00 0e 00 00 25 e8 af e0 d4 55 e1 7c | d9 a4 b5 47 03 b6 d8 ae ca 74 2b e9 ba 1a 57 bf | 37 fa c6 d3 61 a5 33 d6 e2 e0 38 54 ef 28 fb 9d | e5 3f 33 6d 53 60 70 91 49 c9 92 56 bf f8 12 c7 | 50 2c 1c 95 65 56 1f c9 11 aa 36 3f d4 9d 40 59 | b0 74 ab 8c 09 84 92 09 bf a7 b4 31 27 0a e7 c7 | 52 1a c4 d4 a9 45 ab 2d 98 4a c7 a6 80 5c 30 e0 | e2 53 f2 3f 5a 0c 07 c9 8a a2 0b b5 8d 6a 72 27 | 97 37 ea 4b 59 36 67 40 e8 80 83 37 00 67 c3 75 | 43 c2 62 95 71 6c 88 a5 37 ea 8c b6 20 b2 b4 67 | 4b db 95 ee 2c 1c c9 ee f1 4d a0 33 3d 64 8b ba | 2a b7 62 23 8b db cb 85 fc 2f 5f b7 a3 c3 02 92 | 9e 1d 4b 31 23 89 b2 54 5e da 56 ea ca 1d c5 64 | c7 a8 30 9b 34 7e 9d 73 58 bf 7f c8 c7 67 34 1b | 47 35 42 e9 05 56 af c9 39 76 6a 5d 5a 1d f2 17 | 83 eb 9b d9 dc b5 06 57 ec fe 5b 8f 86 3c 7a aa | e3 b6 16 c0 1e 24 7f e0 29 00 00 24 a5 bf fe 2b | 2d dd 3a 1e a7 78 5a 6b 53 30 aa bd 17 48 92 41 | ba d1 b8 8b 71 e7 ba 92 7c dd 45 27 29 00 00 08 | 00 00 40 2e 29 00 00 1c 00 00 40 04 89 35 e6 c6 | ff 3c 69 6f 34 d1 dc 15 ef 8c 67 5b a7 0f f1 af | 2b 00 00 1c 00 00 40 05 c5 14 b2 64 04 e7 7a 72 | 68 44 0f aa c6 d1 66 8e 62 f1 24 ce 00 00 00 17 | 4f 70 70 6f 72 74 75 6e 69 73 74 69 63 20 49 50 | 73 65 63 | start processing: from 192.1.2.254:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | bc e3 d2 eb c0 b6 f0 35 | responder cookie: | 00 00 00 00 00 00 00 00 | next payload type: ISAKMP_NEXT_v2SA (0x21) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) | Message ID: 0 (0x0) | length: 851 (0x353) | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_SA_INIT (34) | I am the IKE SA Original Responder receiving an IKEv2 IKE_SA_INIT request | State DB: IKEv2 state not found (find_v2_ike_sa_by_initiator_spi) | Now let's proceed with payload (ISAKMP_NEXT_v2SA) | ***parse IKEv2 Security Association Payload: | next payload type: ISAKMP_NEXT_v2KE (0x22) | flags: none (0x0) | length: 436 (0x1b4) | processing payload: ISAKMP_NEXT_v2SA (len=432) | Now let's proceed with payload (ISAKMP_NEXT_v2KE) | ***parse IKEv2 Key Exchange Payload: | next payload type: ISAKMP_NEXT_v2Ni (0x28) | flags: none (0x0) | length: 264 (0x108) | DH group: OAKLEY_GROUP_MODP2048 (0xe) | processing payload: ISAKMP_NEXT_v2KE (len=256) | Now let's proceed with payload (ISAKMP_NEXT_v2Ni) | ***parse IKEv2 Nonce Payload: | next payload type: ISAKMP_NEXT_v2N (0x29) | flags: none (0x0) | length: 36 (0x24) | processing payload: ISAKMP_NEXT_v2Ni (len=32) | Now let's proceed with payload (ISAKMP_NEXT_v2N) | ***parse IKEv2 Notify Payload: | next payload type: ISAKMP_NEXT_v2N (0x29) | flags: none (0x0) | length: 8 (0x8) | Protocol ID: PROTO_v2_RESERVED (0x0) | SPI size: 0 (0x0) | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) | processing payload: ISAKMP_NEXT_v2N (len=0) | Now let's proceed with payload (ISAKMP_NEXT_v2N) | ***parse IKEv2 Notify Payload: | next payload type: ISAKMP_NEXT_v2N (0x29) | flags: none (0x0) | length: 28 (0x1c) | Protocol ID: PROTO_v2_RESERVED (0x0) | SPI size: 0 (0x0) | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) | processing payload: ISAKMP_NEXT_v2N (len=20) | Now let's proceed with payload (ISAKMP_NEXT_v2N) | ***parse IKEv2 Notify Payload: | next payload type: ISAKMP_NEXT_v2V (0x2b) | flags: none (0x0) | length: 28 (0x1c) | Protocol ID: PROTO_v2_RESERVED (0x0) | SPI size: 0 (0x0) | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) | processing payload: ISAKMP_NEXT_v2N (len=20) | Now let's proceed with payload (ISAKMP_NEXT_v2V) | ***parse IKEv2 Vendor ID Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | length: 23 (0x17) | processing payload: ISAKMP_NEXT_v2V (len=19) | DDOS disabled and no cookie sent, continuing | VID_OPPORTUNISTIC received | Processing IKE request for Opportunistic IPsec | find_host_connection local=192.1.2.23:500 remote=192.1.2.254:500 policy=ECDSA+IKEV2_ALLOW but ignoring ports | find_next_host_connection policy=ECDSA+IKEV2_ALLOW | find_next_host_connection returns empty | find_host_connection local=192.1.2.23:500 remote= policy=ECDSA+IKEV2_ALLOW but ignoring ports | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports | find_next_host_connection policy=ECDSA+IKEV2_ALLOW | found policy = AUTH_NEVER+SHUNT0+SHUNT1+GROUP+GROUTED (block) | found policy = AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL1+OPPORTUNISTIC+GROUP+GROUTED+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (private) | found policy = AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL0+NEGO_PASS+OPPORTUNISTIC+GROUP+GROUTED+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (private-or-clear) | found policy = AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL0+NEGO_PASS+OPPORTUNISTIC+GROUP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (clear-or-private) | found policy = AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL0+NEGO_PASS+OPPORTUNISTIC+GROUPINSTANCE+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (clear-or-private#192.1.3.0/24) | found policy = AUTH_NEVER+SHUNT0+GROUP+GROUTED (clear) | found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.2.253/32) | find_next_host_connection returns clear#192.1.2.253/32 0.0.0.0 | find_next_host_connection policy=ECDSA+IKEV2_ALLOW | found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.3.253/32) | find_next_host_connection returns clear#192.1.3.253/32 0.0.0.0 | find_next_host_connection policy=ECDSA+IKEV2_ALLOW | found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.3.254/32) | find_next_host_connection returns clear#192.1.3.254/32 0.0.0.0 | find_next_host_connection policy=ECDSA+IKEV2_ALLOW | find_next_host_connection returns empty | find_next_host_connection policy=ECDSA+IKEV2_ALLOW | found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.3.253/32) | find_next_host_connection returns clear#192.1.3.253/32 0.0.0.0 | find_next_host_connection policy=ECDSA+IKEV2_ALLOW | found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.3.254/32) | find_next_host_connection returns clear#192.1.3.254/32 0.0.0.0 | find_next_host_connection policy=ECDSA+IKEV2_ALLOW | find_next_host_connection returns empty | initial parent SA message received on 192.1.2.23:500 but no connection has been authorized with policy ECDSA+IKEV2_ALLOW | find_host_connection local=192.1.2.23:500 remote=192.1.2.254:500 policy=RSASIG+IKEV2_ALLOW but ignoring ports | find_next_host_connection policy=RSASIG+IKEV2_ALLOW | find_next_host_connection returns empty | find_host_connection local=192.1.2.23:500 remote= policy=RSASIG+IKEV2_ALLOW but ignoring ports | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports | find_next_host_connection policy=RSASIG+IKEV2_ALLOW | found policy = AUTH_NEVER+SHUNT0+SHUNT1+GROUP+GROUTED (block) | found policy = AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL1+OPPORTUNISTIC+GROUP+GROUTED+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (private) | found policy = AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL0+NEGO_PASS+OPPORTUNISTIC+GROUP+GROUTED+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (private-or-clear) | found policy = AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL0+NEGO_PASS+OPPORTUNISTIC+GROUP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (clear-or-private) | found policy = AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL0+NEGO_PASS+OPPORTUNISTIC+GROUPINSTANCE+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (clear-or-private#192.1.3.0/24) | found policy = AUTH_NEVER+SHUNT0+GROUP+GROUTED (clear) | found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.2.253/32) | find_next_host_connection returns clear#192.1.2.253/32 0.0.0.0 | find_next_host_connection policy=RSASIG+IKEV2_ALLOW | found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.3.253/32) | find_next_host_connection returns clear#192.1.3.253/32 0.0.0.0 | find_next_host_connection policy=RSASIG+IKEV2_ALLOW | found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.3.254/32) | find_next_host_connection returns clear#192.1.3.254/32 0.0.0.0 | find_next_host_connection policy=RSASIG+IKEV2_ALLOW | find_next_host_connection returns empty | find_next_host_connection policy=RSASIG+IKEV2_ALLOW | found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.3.253/32) | find_next_host_connection returns clear#192.1.3.253/32 0.0.0.0 | find_next_host_connection policy=RSASIG+IKEV2_ALLOW | found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.3.254/32) | find_next_host_connection returns clear#192.1.3.254/32 0.0.0.0 | find_next_host_connection policy=RSASIG+IKEV2_ALLOW | find_next_host_connection returns empty | initial parent SA message received on 192.1.2.23:500 but no connection has been authorized with policy RSASIG+IKEV2_ALLOW | find_host_connection local=192.1.2.23:500 remote=192.1.2.254:500 policy=PSK+IKEV2_ALLOW but ignoring ports | find_next_host_connection policy=PSK+IKEV2_ALLOW | find_next_host_connection returns empty | find_host_connection local=192.1.2.23:500 remote= policy=PSK+IKEV2_ALLOW but ignoring ports | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports | find_next_host_connection policy=PSK+IKEV2_ALLOW | found policy = AUTH_NEVER+SHUNT0+SHUNT1+GROUP+GROUTED (block) | found policy = AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL1+OPPORTUNISTIC+GROUP+GROUTED+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (private) | found policy = AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL0+NEGO_PASS+OPPORTUNISTIC+GROUP+GROUTED+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (private-or-clear) | found policy = AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL0+NEGO_PASS+OPPORTUNISTIC+GROUP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (clear-or-private) | found policy = AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL0+NEGO_PASS+OPPORTUNISTIC+GROUPINSTANCE+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (clear-or-private#192.1.3.0/24) | found policy = AUTH_NEVER+SHUNT0+GROUP+GROUTED (clear) | found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.2.253/32) | find_next_host_connection returns clear#192.1.2.253/32 0.0.0.0 | find_next_host_connection policy=PSK+IKEV2_ALLOW | found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.3.253/32) | find_next_host_connection returns clear#192.1.3.253/32 0.0.0.0 | find_next_host_connection policy=PSK+IKEV2_ALLOW | found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.3.254/32) | find_next_host_connection returns clear#192.1.3.254/32 0.0.0.0 | find_next_host_connection policy=PSK+IKEV2_ALLOW | find_next_host_connection returns empty | find_next_host_connection policy=PSK+IKEV2_ALLOW | found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.3.253/32) | find_next_host_connection returns clear#192.1.3.253/32 0.0.0.0 | find_next_host_connection policy=PSK+IKEV2_ALLOW | found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.3.254/32) | find_next_host_connection returns clear#192.1.3.254/32 0.0.0.0 | find_next_host_connection policy=PSK+IKEV2_ALLOW | find_next_host_connection returns empty | initial parent SA message received on 192.1.2.23:500 but no connection has been authorized with policy PSK+IKEV2_ALLOW | find_host_connection local=192.1.2.23:500 remote=192.1.2.254:500 policy=AUTHNULL+IKEV2_ALLOW but ignoring ports | find_next_host_connection policy=AUTHNULL+IKEV2_ALLOW | find_next_host_connection returns empty | find_host_connection local=192.1.2.23:500 remote= policy=AUTHNULL+IKEV2_ALLOW but ignoring ports | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports | find_next_host_connection policy=AUTHNULL+IKEV2_ALLOW | found policy = AUTH_NEVER+SHUNT0+SHUNT1+GROUP+GROUTED (block) | found policy = AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL1+OPPORTUNISTIC+GROUP+GROUTED+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (private) | find_next_host_connection returns private | find_next_host_connection policy=AUTHNULL+IKEV2_ALLOW | found policy = AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL0+NEGO_PASS+OPPORTUNISTIC+GROUP+GROUTED+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (private-or-clear) | find_next_host_connection returns private-or-clear | find_next_host_connection policy=AUTHNULL+IKEV2_ALLOW | found policy = AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL0+NEGO_PASS+OPPORTUNISTIC+GROUP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (clear-or-private) | find_next_host_connection returns clear-or-private | find_next_host_connection policy=AUTHNULL+IKEV2_ALLOW | found policy = AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL0+NEGO_PASS+OPPORTUNISTIC+GROUPINSTANCE+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (clear-or-private#192.1.3.0/24) | find_next_host_connection returns clear-or-private#192.1.3.0/24 | find_next_host_connection policy=AUTHNULL+IKEV2_ALLOW | found policy = AUTH_NEVER+SHUNT0+GROUP+GROUTED (clear) | found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.2.253/32) | find_next_host_connection returns clear#192.1.2.253/32 0.0.0.0 | find_next_host_connection policy=AUTHNULL+IKEV2_ALLOW | found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.3.253/32) | find_next_host_connection returns clear#192.1.3.253/32 0.0.0.0 | find_next_host_connection policy=AUTHNULL+IKEV2_ALLOW | found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.3.254/32) | find_next_host_connection returns clear#192.1.3.254/32 0.0.0.0 | find_next_host_connection policy=AUTHNULL+IKEV2_ALLOW | find_next_host_connection returns empty | find_next_host_connection policy=AUTHNULL+IKEV2_ALLOW | found policy = AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL0+NEGO_PASS+OPPORTUNISTIC+GROUP+GROUTED+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (private-or-clear) | find_next_host_connection returns private-or-clear | find_next_host_connection policy=AUTHNULL+IKEV2_ALLOW | found policy = AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL0+NEGO_PASS+OPPORTUNISTIC+GROUP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (clear-or-private) | find_next_host_connection returns clear-or-private | find_next_host_connection policy=AUTHNULL+IKEV2_ALLOW | found policy = AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL0+NEGO_PASS+OPPORTUNISTIC+GROUPINSTANCE+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (clear-or-private#192.1.3.0/24) | find_next_host_connection returns clear-or-private#192.1.3.0/24 | find_next_host_connection policy=AUTHNULL+IKEV2_ALLOW | found policy = AUTH_NEVER+SHUNT0+GROUP+GROUTED (clear) | found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.2.253/32) | find_next_host_connection returns clear#192.1.2.253/32 0.0.0.0 | find_next_host_connection policy=AUTHNULL+IKEV2_ALLOW | found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.3.253/32) | find_next_host_connection returns clear#192.1.3.253/32 0.0.0.0 | find_next_host_connection policy=AUTHNULL+IKEV2_ALLOW | found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.3.254/32) | find_next_host_connection returns clear#192.1.3.254/32 0.0.0.0 | find_next_host_connection policy=AUTHNULL+IKEV2_ALLOW | find_next_host_connection returns empty | initial parent SA message received on 192.1.2.23:500 but no connection has been authorized with policy AUTHNULL+IKEV2_ALLOW packet from 192.1.2.254:500: initial parent SA message received on 192.1.2.23:500 but no suitable connection found with IKEv2 policy packet from 192.1.2.254:500: responding to IKE_SA_INIT (34) message (Message ID 0) from 192.1.2.254:500 with unencrypted notification NO_PROPOSAL_CHOSEN | Opening output PBS unencrypted notification | **emit ISAKMP Message: | initiator cookie: | bc e3 d2 eb c0 b6 f0 35 | responder cookie: | 00 00 00 00 00 00 00 00 | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) | Message ID: 0 (0x0) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | Adding a v2N Payload | ***emit IKEv2 Notify Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | Protocol ID: PROTO_v2_RESERVED (0x0) | SPI size: 0 (0x0) | Notify Message Type: v2N_NO_PROPOSAL_CHOSEN (0xe) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'unencrypted notification' | emitting length of IKEv2 Notify Payload: 8 | emitting length of ISAKMP Message: 36 | sending 36 bytes for v2 notify through eth1 from 192.1.2.23:500 to 192.1.2.254:500 (using #0) | bc e3 d2 eb c0 b6 f0 35 00 00 00 00 00 00 00 00 | 29 20 22 20 00 00 00 00 00 00 00 24 00 00 00 08 | 00 00 00 0e | stop processing: from 192.1.2.254:500 (in process_md() at demux.c:380) | processing: STOP state #0 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.598 milliseconds in comm_handle_cb() reading and processing packet | spent 0.0101 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 851 bytes from 192.1.2.254:500 on eth1 (192.1.2.23:500) | bc e3 d2 eb c0 b6 f0 35 00 00 00 00 00 00 00 00 | 21 20 22 08 00 00 00 00 00 00 03 53 22 00 01 b4 | 02 00 00 64 01 01 00 0b 03 00 00 0c 01 00 00 14 | 80 0e 01 00 03 00 00 08 02 00 00 07 03 00 00 08 | 02 00 00 05 03 00 00 08 04 00 00 0e 03 00 00 08 | 04 00 00 0f 03 00 00 08 04 00 00 10 03 00 00 08 | 04 00 00 12 03 00 00 08 04 00 00 13 03 00 00 08 | 04 00 00 14 03 00 00 08 04 00 00 15 00 00 00 08 | 04 00 00 1f 02 00 00 64 02 01 00 0b 03 00 00 0c | 01 00 00 14 80 0e 00 80 03 00 00 08 02 00 00 07 | 03 00 00 08 02 00 00 05 03 00 00 08 04 00 00 0e | 03 00 00 08 04 00 00 0f 03 00 00 08 04 00 00 10 | 03 00 00 08 04 00 00 12 03 00 00 08 04 00 00 13 | 03 00 00 08 04 00 00 14 03 00 00 08 04 00 00 15 | 00 00 00 08 04 00 00 1f 02 00 00 74 03 01 00 0d | 03 00 00 0c 01 00 00 0c 80 0e 01 00 03 00 00 08 | 02 00 00 07 03 00 00 08 02 00 00 05 03 00 00 08 | 03 00 00 0e 03 00 00 08 03 00 00 0c 03 00 00 08 | 04 00 00 0e 03 00 00 08 04 00 00 0f 03 00 00 08 | 04 00 00 10 03 00 00 08 04 00 00 12 03 00 00 08 | 04 00 00 13 03 00 00 08 04 00 00 14 03 00 00 08 | 04 00 00 15 00 00 00 08 04 00 00 1f 00 00 00 74 | 04 01 00 0d 03 00 00 0c 01 00 00 0c 80 0e 00 80 | 03 00 00 08 02 00 00 07 03 00 00 08 02 00 00 05 | 03 00 00 08 03 00 00 0e 03 00 00 08 03 00 00 0c | 03 00 00 08 04 00 00 0e 03 00 00 08 04 00 00 0f | 03 00 00 08 04 00 00 10 03 00 00 08 04 00 00 12 | 03 00 00 08 04 00 00 13 03 00 00 08 04 00 00 14 | 03 00 00 08 04 00 00 15 00 00 00 08 04 00 00 1f | 28 00 01 08 00 0e 00 00 25 e8 af e0 d4 55 e1 7c | d9 a4 b5 47 03 b6 d8 ae ca 74 2b e9 ba 1a 57 bf | 37 fa c6 d3 61 a5 33 d6 e2 e0 38 54 ef 28 fb 9d | e5 3f 33 6d 53 60 70 91 49 c9 92 56 bf f8 12 c7 | 50 2c 1c 95 65 56 1f c9 11 aa 36 3f d4 9d 40 59 | b0 74 ab 8c 09 84 92 09 bf a7 b4 31 27 0a e7 c7 | 52 1a c4 d4 a9 45 ab 2d 98 4a c7 a6 80 5c 30 e0 | e2 53 f2 3f 5a 0c 07 c9 8a a2 0b b5 8d 6a 72 27 | 97 37 ea 4b 59 36 67 40 e8 80 83 37 00 67 c3 75 | 43 c2 62 95 71 6c 88 a5 37 ea 8c b6 20 b2 b4 67 | 4b db 95 ee 2c 1c c9 ee f1 4d a0 33 3d 64 8b ba | 2a b7 62 23 8b db cb 85 fc 2f 5f b7 a3 c3 02 92 | 9e 1d 4b 31 23 89 b2 54 5e da 56 ea ca 1d c5 64 | c7 a8 30 9b 34 7e 9d 73 58 bf 7f c8 c7 67 34 1b | 47 35 42 e9 05 56 af c9 39 76 6a 5d 5a 1d f2 17 | 83 eb 9b d9 dc b5 06 57 ec fe 5b 8f 86 3c 7a aa | e3 b6 16 c0 1e 24 7f e0 29 00 00 24 a5 bf fe 2b | 2d dd 3a 1e a7 78 5a 6b 53 30 aa bd 17 48 92 41 | ba d1 b8 8b 71 e7 ba 92 7c dd 45 27 29 00 00 08 | 00 00 40 2e 29 00 00 1c 00 00 40 04 89 35 e6 c6 | ff 3c 69 6f 34 d1 dc 15 ef 8c 67 5b a7 0f f1 af | 2b 00 00 1c 00 00 40 05 c5 14 b2 64 04 e7 7a 72 | 68 44 0f aa c6 d1 66 8e 62 f1 24 ce 00 00 00 17 | 4f 70 70 6f 72 74 75 6e 69 73 74 69 63 20 49 50 | 73 65 63 | start processing: from 192.1.2.254:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | bc e3 d2 eb c0 b6 f0 35 | responder cookie: | 00 00 00 00 00 00 00 00 | next payload type: ISAKMP_NEXT_v2SA (0x21) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) | Message ID: 0 (0x0) | length: 851 (0x353) | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_SA_INIT (34) | I am the IKE SA Original Responder receiving an IKEv2 IKE_SA_INIT request | State DB: IKEv2 state not found (find_v2_ike_sa_by_initiator_spi) | Now let's proceed with payload (ISAKMP_NEXT_v2SA) | ***parse IKEv2 Security Association Payload: | next payload type: ISAKMP_NEXT_v2KE (0x22) | flags: none (0x0) | length: 436 (0x1b4) | processing payload: ISAKMP_NEXT_v2SA (len=432) | Now let's proceed with payload (ISAKMP_NEXT_v2KE) | ***parse IKEv2 Key Exchange Payload: | next payload type: ISAKMP_NEXT_v2Ni (0x28) | flags: none (0x0) | length: 264 (0x108) | DH group: OAKLEY_GROUP_MODP2048 (0xe) | processing payload: ISAKMP_NEXT_v2KE (len=256) | Now let's proceed with payload (ISAKMP_NEXT_v2Ni) | ***parse IKEv2 Nonce Payload: | next payload type: ISAKMP_NEXT_v2N (0x29) | flags: none (0x0) | length: 36 (0x24) | processing payload: ISAKMP_NEXT_v2Ni (len=32) | Now let's proceed with payload (ISAKMP_NEXT_v2N) | ***parse IKEv2 Notify Payload: | next payload type: ISAKMP_NEXT_v2N (0x29) | flags: none (0x0) | length: 8 (0x8) | Protocol ID: PROTO_v2_RESERVED (0x0) | SPI size: 0 (0x0) | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) | processing payload: ISAKMP_NEXT_v2N (len=0) | Now let's proceed with payload (ISAKMP_NEXT_v2N) | ***parse IKEv2 Notify Payload: | next payload type: ISAKMP_NEXT_v2N (0x29) | flags: none (0x0) | length: 28 (0x1c) | Protocol ID: PROTO_v2_RESERVED (0x0) | SPI size: 0 (0x0) | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) | processing payload: ISAKMP_NEXT_v2N (len=20) | Now let's proceed with payload (ISAKMP_NEXT_v2N) | ***parse IKEv2 Notify Payload: | next payload type: ISAKMP_NEXT_v2V (0x2b) | flags: none (0x0) | length: 28 (0x1c) | Protocol ID: PROTO_v2_RESERVED (0x0) | SPI size: 0 (0x0) | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) | processing payload: ISAKMP_NEXT_v2N (len=20) | Now let's proceed with payload (ISAKMP_NEXT_v2V) | ***parse IKEv2 Vendor ID Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | length: 23 (0x17) | processing payload: ISAKMP_NEXT_v2V (len=19) | DDOS disabled and no cookie sent, continuing | VID_OPPORTUNISTIC received | Processing IKE request for Opportunistic IPsec | find_host_connection local=192.1.2.23:500 remote=192.1.2.254:500 policy=ECDSA+IKEV2_ALLOW but ignoring ports | find_next_host_connection policy=ECDSA+IKEV2_ALLOW | find_next_host_connection returns empty | find_host_connection local=192.1.2.23:500 remote= policy=ECDSA+IKEV2_ALLOW but ignoring ports | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports | find_next_host_connection policy=ECDSA+IKEV2_ALLOW | found policy = AUTH_NEVER+SHUNT0+SHUNT1+GROUP+GROUTED (block) | found policy = AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL1+OPPORTUNISTIC+GROUP+GROUTED+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (private) | found policy = AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL0+NEGO_PASS+OPPORTUNISTIC+GROUP+GROUTED+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (private-or-clear) | found policy = AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL0+NEGO_PASS+OPPORTUNISTIC+GROUP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (clear-or-private) | found policy = AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL0+NEGO_PASS+OPPORTUNISTIC+GROUPINSTANCE+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (clear-or-private#192.1.3.0/24) | found policy = AUTH_NEVER+SHUNT0+GROUP+GROUTED (clear) | found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.2.253/32) | find_next_host_connection returns clear#192.1.2.253/32 0.0.0.0 | find_next_host_connection policy=ECDSA+IKEV2_ALLOW | found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.3.253/32) | find_next_host_connection returns clear#192.1.3.253/32 0.0.0.0 | find_next_host_connection policy=ECDSA+IKEV2_ALLOW | found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.3.254/32) | find_next_host_connection returns clear#192.1.3.254/32 0.0.0.0 | find_next_host_connection policy=ECDSA+IKEV2_ALLOW | find_next_host_connection returns empty | find_next_host_connection policy=ECDSA+IKEV2_ALLOW | found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.3.253/32) | find_next_host_connection returns clear#192.1.3.253/32 0.0.0.0 | find_next_host_connection policy=ECDSA+IKEV2_ALLOW | found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.3.254/32) | find_next_host_connection returns clear#192.1.3.254/32 0.0.0.0 | find_next_host_connection policy=ECDSA+IKEV2_ALLOW | find_next_host_connection returns empty | initial parent SA message received on 192.1.2.23:500 but no connection has been authorized with policy ECDSA+IKEV2_ALLOW | find_host_connection local=192.1.2.23:500 remote=192.1.2.254:500 policy=RSASIG+IKEV2_ALLOW but ignoring ports | find_next_host_connection policy=RSASIG+IKEV2_ALLOW | find_next_host_connection returns empty | find_host_connection local=192.1.2.23:500 remote= policy=RSASIG+IKEV2_ALLOW but ignoring ports | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports | find_next_host_connection policy=RSASIG+IKEV2_ALLOW | found policy = AUTH_NEVER+SHUNT0+SHUNT1+GROUP+GROUTED (block) | found policy = AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL1+OPPORTUNISTIC+GROUP+GROUTED+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (private) | found policy = AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL0+NEGO_PASS+OPPORTUNISTIC+GROUP+GROUTED+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (private-or-clear) | found policy = AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL0+NEGO_PASS+OPPORTUNISTIC+GROUP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (clear-or-private) | found policy = AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL0+NEGO_PASS+OPPORTUNISTIC+GROUPINSTANCE+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (clear-or-private#192.1.3.0/24) | found policy = AUTH_NEVER+SHUNT0+GROUP+GROUTED (clear) | found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.2.253/32) | find_next_host_connection returns clear#192.1.2.253/32 0.0.0.0 | find_next_host_connection policy=RSASIG+IKEV2_ALLOW | found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.3.253/32) | find_next_host_connection returns clear#192.1.3.253/32 0.0.0.0 | find_next_host_connection policy=RSASIG+IKEV2_ALLOW | found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.3.254/32) | find_next_host_connection returns clear#192.1.3.254/32 0.0.0.0 | find_next_host_connection policy=RSASIG+IKEV2_ALLOW | find_next_host_connection returns empty | find_next_host_connection policy=RSASIG+IKEV2_ALLOW | found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.3.253/32) | find_next_host_connection returns clear#192.1.3.253/32 0.0.0.0 | find_next_host_connection policy=RSASIG+IKEV2_ALLOW | found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.3.254/32) | find_next_host_connection returns clear#192.1.3.254/32 0.0.0.0 | find_next_host_connection policy=RSASIG+IKEV2_ALLOW | find_next_host_connection returns empty | initial parent SA message received on 192.1.2.23:500 but no connection has been authorized with policy RSASIG+IKEV2_ALLOW | find_host_connection local=192.1.2.23:500 remote=192.1.2.254:500 policy=PSK+IKEV2_ALLOW but ignoring ports | find_next_host_connection policy=PSK+IKEV2_ALLOW | find_next_host_connection returns empty | find_host_connection local=192.1.2.23:500 remote= policy=PSK+IKEV2_ALLOW but ignoring ports | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports | find_next_host_connection policy=PSK+IKEV2_ALLOW | found policy = AUTH_NEVER+SHUNT0+SHUNT1+GROUP+GROUTED (block) | found policy = AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL1+OPPORTUNISTIC+GROUP+GROUTED+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (private) | found policy = AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL0+NEGO_PASS+OPPORTUNISTIC+GROUP+GROUTED+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (private-or-clear) | found policy = AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL0+NEGO_PASS+OPPORTUNISTIC+GROUP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (clear-or-private) | found policy = AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL0+NEGO_PASS+OPPORTUNISTIC+GROUPINSTANCE+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (clear-or-private#192.1.3.0/24) | found policy = AUTH_NEVER+SHUNT0+GROUP+GROUTED (clear) | found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.2.253/32) | find_next_host_connection returns clear#192.1.2.253/32 0.0.0.0 | find_next_host_connection policy=PSK+IKEV2_ALLOW | found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.3.253/32) | find_next_host_connection returns clear#192.1.3.253/32 0.0.0.0 | find_next_host_connection policy=PSK+IKEV2_ALLOW | found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.3.254/32) | find_next_host_connection returns clear#192.1.3.254/32 0.0.0.0 | find_next_host_connection policy=PSK+IKEV2_ALLOW | find_next_host_connection returns empty | find_next_host_connection policy=PSK+IKEV2_ALLOW | found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.3.253/32) | find_next_host_connection returns clear#192.1.3.253/32 0.0.0.0 | find_next_host_connection policy=PSK+IKEV2_ALLOW | found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.3.254/32) | find_next_host_connection returns clear#192.1.3.254/32 0.0.0.0 | find_next_host_connection policy=PSK+IKEV2_ALLOW | find_next_host_connection returns empty | initial parent SA message received on 192.1.2.23:500 but no connection has been authorized with policy PSK+IKEV2_ALLOW | find_host_connection local=192.1.2.23:500 remote=192.1.2.254:500 policy=AUTHNULL+IKEV2_ALLOW but ignoring ports | find_next_host_connection policy=AUTHNULL+IKEV2_ALLOW | find_next_host_connection returns empty | find_host_connection local=192.1.2.23:500 remote= policy=AUTHNULL+IKEV2_ALLOW but ignoring ports | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports | find_next_host_connection policy=AUTHNULL+IKEV2_ALLOW | found policy = AUTH_NEVER+SHUNT0+SHUNT1+GROUP+GROUTED (block) | found policy = AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL1+OPPORTUNISTIC+GROUP+GROUTED+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (private) | find_next_host_connection returns private | find_next_host_connection policy=AUTHNULL+IKEV2_ALLOW | found policy = AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL0+NEGO_PASS+OPPORTUNISTIC+GROUP+GROUTED+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (private-or-clear) | find_next_host_connection returns private-or-clear | find_next_host_connection policy=AUTHNULL+IKEV2_ALLOW | found policy = AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL0+NEGO_PASS+OPPORTUNISTIC+GROUP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (clear-or-private) | find_next_host_connection returns clear-or-private | find_next_host_connection policy=AUTHNULL+IKEV2_ALLOW | found policy = AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL0+NEGO_PASS+OPPORTUNISTIC+GROUPINSTANCE+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (clear-or-private#192.1.3.0/24) | find_next_host_connection returns clear-or-private#192.1.3.0/24 | find_next_host_connection policy=AUTHNULL+IKEV2_ALLOW | found policy = AUTH_NEVER+SHUNT0+GROUP+GROUTED (clear) | found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.2.253/32) | find_next_host_connection returns clear#192.1.2.253/32 0.0.0.0 | find_next_host_connection policy=AUTHNULL+IKEV2_ALLOW | found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.3.253/32) | find_next_host_connection returns clear#192.1.3.253/32 0.0.0.0 | find_next_host_connection policy=AUTHNULL+IKEV2_ALLOW | found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.3.254/32) | find_next_host_connection returns clear#192.1.3.254/32 0.0.0.0 | find_next_host_connection policy=AUTHNULL+IKEV2_ALLOW | find_next_host_connection returns empty | find_next_host_connection policy=AUTHNULL+IKEV2_ALLOW | found policy = AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL0+NEGO_PASS+OPPORTUNISTIC+GROUP+GROUTED+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (private-or-clear) | find_next_host_connection returns private-or-clear | find_next_host_connection policy=AUTHNULL+IKEV2_ALLOW | found policy = AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL0+NEGO_PASS+OPPORTUNISTIC+GROUP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (clear-or-private) | find_next_host_connection returns clear-or-private | find_next_host_connection policy=AUTHNULL+IKEV2_ALLOW | found policy = AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL0+NEGO_PASS+OPPORTUNISTIC+GROUPINSTANCE+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (clear-or-private#192.1.3.0/24) | find_next_host_connection returns clear-or-private#192.1.3.0/24 | find_next_host_connection policy=AUTHNULL+IKEV2_ALLOW | found policy = AUTH_NEVER+SHUNT0+GROUP+GROUTED (clear) | found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.2.253/32) | find_next_host_connection returns clear#192.1.2.253/32 0.0.0.0 | find_next_host_connection policy=AUTHNULL+IKEV2_ALLOW | found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.3.253/32) | find_next_host_connection returns clear#192.1.3.253/32 0.0.0.0 | find_next_host_connection policy=AUTHNULL+IKEV2_ALLOW | found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.3.254/32) | find_next_host_connection returns clear#192.1.3.254/32 0.0.0.0 | find_next_host_connection policy=AUTHNULL+IKEV2_ALLOW | find_next_host_connection returns empty | initial parent SA message received on 192.1.2.23:500 but no connection has been authorized with policy AUTHNULL+IKEV2_ALLOW packet from 192.1.2.254:500: initial parent SA message received on 192.1.2.23:500 but no suitable connection found with IKEv2 policy packet from 192.1.2.254:500: responding to IKE_SA_INIT (34) message (Message ID 0) from 192.1.2.254:500 with unencrypted notification NO_PROPOSAL_CHOSEN | Opening output PBS unencrypted notification | **emit ISAKMP Message: | initiator cookie: | bc e3 d2 eb c0 b6 f0 35 | responder cookie: | 00 00 00 00 00 00 00 00 | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) | Message ID: 0 (0x0) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | Adding a v2N Payload | ***emit IKEv2 Notify Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | Protocol ID: PROTO_v2_RESERVED (0x0) | SPI size: 0 (0x0) | Notify Message Type: v2N_NO_PROPOSAL_CHOSEN (0xe) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'unencrypted notification' | emitting length of IKEv2 Notify Payload: 8 | emitting length of ISAKMP Message: 36 | sending 36 bytes for v2 notify through eth1 from 192.1.2.23:500 to 192.1.2.254:500 (using #0) | bc e3 d2 eb c0 b6 f0 35 00 00 00 00 00 00 00 00 | 29 20 22 20 00 00 00 00 00 00 00 24 00 00 00 08 | 00 00 00 0e | stop processing: from 192.1.2.254:500 (in process_md() at demux.c:380) | processing: STOP state #0 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 3.31 milliseconds in comm_handle_cb() reading and processing packet | spent 0.0028 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 851 bytes from 192.1.2.254:500 on eth1 (192.1.2.23:500) | bc e3 d2 eb c0 b6 f0 35 00 00 00 00 00 00 00 00 | 21 20 22 08 00 00 00 00 00 00 03 53 22 00 01 b4 | 02 00 00 64 01 01 00 0b 03 00 00 0c 01 00 00 14 | 80 0e 01 00 03 00 00 08 02 00 00 07 03 00 00 08 | 02 00 00 05 03 00 00 08 04 00 00 0e 03 00 00 08 | 04 00 00 0f 03 00 00 08 04 00 00 10 03 00 00 08 | 04 00 00 12 03 00 00 08 04 00 00 13 03 00 00 08 | 04 00 00 14 03 00 00 08 04 00 00 15 00 00 00 08 | 04 00 00 1f 02 00 00 64 02 01 00 0b 03 00 00 0c | 01 00 00 14 80 0e 00 80 03 00 00 08 02 00 00 07 | 03 00 00 08 02 00 00 05 03 00 00 08 04 00 00 0e | 03 00 00 08 04 00 00 0f 03 00 00 08 04 00 00 10 | 03 00 00 08 04 00 00 12 03 00 00 08 04 00 00 13 | 03 00 00 08 04 00 00 14 03 00 00 08 04 00 00 15 | 00 00 00 08 04 00 00 1f 02 00 00 74 03 01 00 0d | 03 00 00 0c 01 00 00 0c 80 0e 01 00 03 00 00 08 | 02 00 00 07 03 00 00 08 02 00 00 05 03 00 00 08 | 03 00 00 0e 03 00 00 08 03 00 00 0c 03 00 00 08 | 04 00 00 0e 03 00 00 08 04 00 00 0f 03 00 00 08 | 04 00 00 10 03 00 00 08 04 00 00 12 03 00 00 08 | 04 00 00 13 03 00 00 08 04 00 00 14 03 00 00 08 | 04 00 00 15 00 00 00 08 04 00 00 1f 00 00 00 74 | 04 01 00 0d 03 00 00 0c 01 00 00 0c 80 0e 00 80 | 03 00 00 08 02 00 00 07 03 00 00 08 02 00 00 05 | 03 00 00 08 03 00 00 0e 03 00 00 08 03 00 00 0c | 03 00 00 08 04 00 00 0e 03 00 00 08 04 00 00 0f | 03 00 00 08 04 00 00 10 03 00 00 08 04 00 00 12 | 03 00 00 08 04 00 00 13 03 00 00 08 04 00 00 14 | 03 00 00 08 04 00 00 15 00 00 00 08 04 00 00 1f | 28 00 01 08 00 0e 00 00 25 e8 af e0 d4 55 e1 7c | d9 a4 b5 47 03 b6 d8 ae ca 74 2b e9 ba 1a 57 bf | 37 fa c6 d3 61 a5 33 d6 e2 e0 38 54 ef 28 fb 9d | e5 3f 33 6d 53 60 70 91 49 c9 92 56 bf f8 12 c7 | 50 2c 1c 95 65 56 1f c9 11 aa 36 3f d4 9d 40 59 | b0 74 ab 8c 09 84 92 09 bf a7 b4 31 27 0a e7 c7 | 52 1a c4 d4 a9 45 ab 2d 98 4a c7 a6 80 5c 30 e0 | e2 53 f2 3f 5a 0c 07 c9 8a a2 0b b5 8d 6a 72 27 | 97 37 ea 4b 59 36 67 40 e8 80 83 37 00 67 c3 75 | 43 c2 62 95 71 6c 88 a5 37 ea 8c b6 20 b2 b4 67 | 4b db 95 ee 2c 1c c9 ee f1 4d a0 33 3d 64 8b ba | 2a b7 62 23 8b db cb 85 fc 2f 5f b7 a3 c3 02 92 | 9e 1d 4b 31 23 89 b2 54 5e da 56 ea ca 1d c5 64 | c7 a8 30 9b 34 7e 9d 73 58 bf 7f c8 c7 67 34 1b | 47 35 42 e9 05 56 af c9 39 76 6a 5d 5a 1d f2 17 | 83 eb 9b d9 dc b5 06 57 ec fe 5b 8f 86 3c 7a aa | e3 b6 16 c0 1e 24 7f e0 29 00 00 24 a5 bf fe 2b | 2d dd 3a 1e a7 78 5a 6b 53 30 aa bd 17 48 92 41 | ba d1 b8 8b 71 e7 ba 92 7c dd 45 27 29 00 00 08 | 00 00 40 2e 29 00 00 1c 00 00 40 04 89 35 e6 c6 | ff 3c 69 6f 34 d1 dc 15 ef 8c 67 5b a7 0f f1 af | 2b 00 00 1c 00 00 40 05 c5 14 b2 64 04 e7 7a 72 | 68 44 0f aa c6 d1 66 8e 62 f1 24 ce 00 00 00 17 | 4f 70 70 6f 72 74 75 6e 69 73 74 69 63 20 49 50 | 73 65 63 | start processing: from 192.1.2.254:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | bc e3 d2 eb c0 b6 f0 35 | responder cookie: | 00 00 00 00 00 00 00 00 | next payload type: ISAKMP_NEXT_v2SA (0x21) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) | Message ID: 0 (0x0) | length: 851 (0x353) | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_SA_INIT (34) | I am the IKE SA Original Responder receiving an IKEv2 IKE_SA_INIT request | State DB: IKEv2 state not found (find_v2_ike_sa_by_initiator_spi) | Now let's proceed with payload (ISAKMP_NEXT_v2SA) | ***parse IKEv2 Security Association Payload: | next payload type: ISAKMP_NEXT_v2KE (0x22) | flags: none (0x0) | length: 436 (0x1b4) | processing payload: ISAKMP_NEXT_v2SA (len=432) | Now let's proceed with payload (ISAKMP_NEXT_v2KE) | ***parse IKEv2 Key Exchange Payload: | next payload type: ISAKMP_NEXT_v2Ni (0x28) | flags: none (0x0) | length: 264 (0x108) | DH group: OAKLEY_GROUP_MODP2048 (0xe) | processing payload: ISAKMP_NEXT_v2KE (len=256) | Now let's proceed with payload (ISAKMP_NEXT_v2Ni) | ***parse IKEv2 Nonce Payload: | next payload type: ISAKMP_NEXT_v2N (0x29) | flags: none (0x0) | length: 36 (0x24) | processing payload: ISAKMP_NEXT_v2Ni (len=32) | Now let's proceed with payload (ISAKMP_NEXT_v2N) | ***parse IKEv2 Notify Payload: | next payload type: ISAKMP_NEXT_v2N (0x29) | flags: none (0x0) | length: 8 (0x8) | Protocol ID: PROTO_v2_RESERVED (0x0) | SPI size: 0 (0x0) | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) | processing payload: ISAKMP_NEXT_v2N (len=0) | Now let's proceed with payload (ISAKMP_NEXT_v2N) | ***parse IKEv2 Notify Payload: | next payload type: ISAKMP_NEXT_v2N (0x29) | flags: none (0x0) | length: 28 (0x1c) | Protocol ID: PROTO_v2_RESERVED (0x0) | SPI size: 0 (0x0) | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) | processing payload: ISAKMP_NEXT_v2N (len=20) | Now let's proceed with payload (ISAKMP_NEXT_v2N) | ***parse IKEv2 Notify Payload: | next payload type: ISAKMP_NEXT_v2V (0x2b) | flags: none (0x0) | length: 28 (0x1c) | Protocol ID: PROTO_v2_RESERVED (0x0) | SPI size: 0 (0x0) | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) | processing payload: ISAKMP_NEXT_v2N (len=20) | Now let's proceed with payload (ISAKMP_NEXT_v2V) | ***parse IKEv2 Vendor ID Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | length: 23 (0x17) | processing payload: ISAKMP_NEXT_v2V (len=19) | DDOS disabled and no cookie sent, continuing | VID_OPPORTUNISTIC received | Processing IKE request for Opportunistic IPsec | find_host_connection local=192.1.2.23:500 remote=192.1.2.254:500 policy=ECDSA+IKEV2_ALLOW but ignoring ports | find_next_host_connection policy=ECDSA+IKEV2_ALLOW | find_next_host_connection returns empty | find_host_connection local=192.1.2.23:500 remote= policy=ECDSA+IKEV2_ALLOW but ignoring ports | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports | find_next_host_connection policy=ECDSA+IKEV2_ALLOW | found policy = AUTH_NEVER+SHUNT0+SHUNT1+GROUP+GROUTED (block) | found policy = AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL1+OPPORTUNISTIC+GROUP+GROUTED+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (private) | found policy = AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL0+NEGO_PASS+OPPORTUNISTIC+GROUP+GROUTED+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (private-or-clear) | found policy = AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL0+NEGO_PASS+OPPORTUNISTIC+GROUP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (clear-or-private) | found policy = AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL0+NEGO_PASS+OPPORTUNISTIC+GROUPINSTANCE+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (clear-or-private#192.1.3.0/24) | found policy = AUTH_NEVER+SHUNT0+GROUP+GROUTED (clear) | found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.2.253/32) | find_next_host_connection returns clear#192.1.2.253/32 0.0.0.0 | find_next_host_connection policy=ECDSA+IKEV2_ALLOW | found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.3.253/32) | find_next_host_connection returns clear#192.1.3.253/32 0.0.0.0 | find_next_host_connection policy=ECDSA+IKEV2_ALLOW | found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.3.254/32) | find_next_host_connection returns clear#192.1.3.254/32 0.0.0.0 | find_next_host_connection policy=ECDSA+IKEV2_ALLOW | find_next_host_connection returns empty | find_next_host_connection policy=ECDSA+IKEV2_ALLOW | found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.3.253/32) | find_next_host_connection returns clear#192.1.3.253/32 0.0.0.0 | find_next_host_connection policy=ECDSA+IKEV2_ALLOW | found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.3.254/32) | find_next_host_connection returns clear#192.1.3.254/32 0.0.0.0 | find_next_host_connection policy=ECDSA+IKEV2_ALLOW | find_next_host_connection returns empty | initial parent SA message received on 192.1.2.23:500 but no connection has been authorized with policy ECDSA+IKEV2_ALLOW | find_host_connection local=192.1.2.23:500 remote=192.1.2.254:500 policy=RSASIG+IKEV2_ALLOW but ignoring ports | find_next_host_connection policy=RSASIG+IKEV2_ALLOW | find_next_host_connection returns empty | find_host_connection local=192.1.2.23:500 remote= policy=RSASIG+IKEV2_ALLOW but ignoring ports | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports | find_next_host_connection policy=RSASIG+IKEV2_ALLOW | found policy = AUTH_NEVER+SHUNT0+SHUNT1+GROUP+GROUTED (block) | found policy = AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL1+OPPORTUNISTIC+GROUP+GROUTED+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (private) | found policy = AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL0+NEGO_PASS+OPPORTUNISTIC+GROUP+GROUTED+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (private-or-clear) | found policy = AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL0+NEGO_PASS+OPPORTUNISTIC+GROUP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (clear-or-private) | found policy = AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL0+NEGO_PASS+OPPORTUNISTIC+GROUPINSTANCE+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (clear-or-private#192.1.3.0/24) | found policy = AUTH_NEVER+SHUNT0+GROUP+GROUTED (clear) | found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.2.253/32) | find_next_host_connection returns clear#192.1.2.253/32 0.0.0.0 | find_next_host_connection policy=RSASIG+IKEV2_ALLOW | found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.3.253/32) | find_next_host_connection returns clear#192.1.3.253/32 0.0.0.0 | find_next_host_connection policy=RSASIG+IKEV2_ALLOW | found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.3.254/32) | find_next_host_connection returns clear#192.1.3.254/32 0.0.0.0 | find_next_host_connection policy=RSASIG+IKEV2_ALLOW | find_next_host_connection returns empty | find_next_host_connection policy=RSASIG+IKEV2_ALLOW | found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.3.253/32) | find_next_host_connection returns clear#192.1.3.253/32 0.0.0.0 | find_next_host_connection policy=RSASIG+IKEV2_ALLOW | found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.3.254/32) | find_next_host_connection returns clear#192.1.3.254/32 0.0.0.0 | find_next_host_connection policy=RSASIG+IKEV2_ALLOW | find_next_host_connection returns empty | initial parent SA message received on 192.1.2.23:500 but no connection has been authorized with policy RSASIG+IKEV2_ALLOW | find_host_connection local=192.1.2.23:500 remote=192.1.2.254:500 policy=PSK+IKEV2_ALLOW but ignoring ports | find_next_host_connection policy=PSK+IKEV2_ALLOW | find_next_host_connection returns empty | find_host_connection local=192.1.2.23:500 remote= policy=PSK+IKEV2_ALLOW but ignoring ports | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports | find_next_host_connection policy=PSK+IKEV2_ALLOW | found policy = AUTH_NEVER+SHUNT0+SHUNT1+GROUP+GROUTED (block) | found policy = AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL1+OPPORTUNISTIC+GROUP+GROUTED+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (private) | found policy = AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL0+NEGO_PASS+OPPORTUNISTIC+GROUP+GROUTED+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (private-or-clear) | found policy = AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL0+NEGO_PASS+OPPORTUNISTIC+GROUP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (clear-or-private) | found policy = AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL0+NEGO_PASS+OPPORTUNISTIC+GROUPINSTANCE+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (clear-or-private#192.1.3.0/24) | found policy = AUTH_NEVER+SHUNT0+GROUP+GROUTED (clear) | found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.2.253/32) | find_next_host_connection returns clear#192.1.2.253/32 0.0.0.0 | find_next_host_connection policy=PSK+IKEV2_ALLOW | found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.3.253/32) | find_next_host_connection returns clear#192.1.3.253/32 0.0.0.0 | find_next_host_connection policy=PSK+IKEV2_ALLOW | found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.3.254/32) | find_next_host_connection returns clear#192.1.3.254/32 0.0.0.0 | find_next_host_connection policy=PSK+IKEV2_ALLOW | find_next_host_connection returns empty | find_next_host_connection policy=PSK+IKEV2_ALLOW | found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.3.253/32) | find_next_host_connection returns clear#192.1.3.253/32 0.0.0.0 | find_next_host_connection policy=PSK+IKEV2_ALLOW | found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.3.254/32) | find_next_host_connection returns clear#192.1.3.254/32 0.0.0.0 | find_next_host_connection policy=PSK+IKEV2_ALLOW | find_next_host_connection returns empty | initial parent SA message received on 192.1.2.23:500 but no connection has been authorized with policy PSK+IKEV2_ALLOW | find_host_connection local=192.1.2.23:500 remote=192.1.2.254:500 policy=AUTHNULL+IKEV2_ALLOW but ignoring ports | find_next_host_connection policy=AUTHNULL+IKEV2_ALLOW | find_next_host_connection returns empty | find_host_connection local=192.1.2.23:500 remote= policy=AUTHNULL+IKEV2_ALLOW but ignoring ports | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports | find_next_host_connection policy=AUTHNULL+IKEV2_ALLOW | found policy = AUTH_NEVER+SHUNT0+SHUNT1+GROUP+GROUTED (block) | found policy = AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL1+OPPORTUNISTIC+GROUP+GROUTED+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (private) | find_next_host_connection returns private | find_next_host_connection policy=AUTHNULL+IKEV2_ALLOW | found policy = AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL0+NEGO_PASS+OPPORTUNISTIC+GROUP+GROUTED+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (private-or-clear) | find_next_host_connection returns private-or-clear | find_next_host_connection policy=AUTHNULL+IKEV2_ALLOW | found policy = AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL0+NEGO_PASS+OPPORTUNISTIC+GROUP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (clear-or-private) | find_next_host_connection returns clear-or-private | find_next_host_connection policy=AUTHNULL+IKEV2_ALLOW | found policy = AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL0+NEGO_PASS+OPPORTUNISTIC+GROUPINSTANCE+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (clear-or-private#192.1.3.0/24) | find_next_host_connection returns clear-or-private#192.1.3.0/24 | find_next_host_connection policy=AUTHNULL+IKEV2_ALLOW | found policy = AUTH_NEVER+SHUNT0+GROUP+GROUTED (clear) | found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.2.253/32) | find_next_host_connection returns clear#192.1.2.253/32 0.0.0.0 | find_next_host_connection policy=AUTHNULL+IKEV2_ALLOW | found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.3.253/32) | find_next_host_connection returns clear#192.1.3.253/32 0.0.0.0 | find_next_host_connection policy=AUTHNULL+IKEV2_ALLOW | found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.3.254/32) | find_next_host_connection returns clear#192.1.3.254/32 0.0.0.0 | find_next_host_connection policy=AUTHNULL+IKEV2_ALLOW | find_next_host_connection returns empty | find_next_host_connection policy=AUTHNULL+IKEV2_ALLOW | found policy = AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL0+NEGO_PASS+OPPORTUNISTIC+GROUP+GROUTED+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (private-or-clear) | find_next_host_connection returns private-or-clear | find_next_host_connection policy=AUTHNULL+IKEV2_ALLOW | found policy = AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL0+NEGO_PASS+OPPORTUNISTIC+GROUP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (clear-or-private) | find_next_host_connection returns clear-or-private | find_next_host_connection policy=AUTHNULL+IKEV2_ALLOW | found policy = AUTHNULL+ENCRYPT+TUNNEL+PFS+FAIL0+NEGO_PASS+OPPORTUNISTIC+GROUPINSTANCE+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (clear-or-private#192.1.3.0/24) | find_next_host_connection returns clear-or-private#192.1.3.0/24 | find_next_host_connection policy=AUTHNULL+IKEV2_ALLOW | found policy = AUTH_NEVER+SHUNT0+GROUP+GROUTED (clear) | found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.2.253/32) | find_next_host_connection returns clear#192.1.2.253/32 0.0.0.0 | find_next_host_connection policy=AUTHNULL+IKEV2_ALLOW | found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.3.253/32) | find_next_host_connection returns clear#192.1.3.253/32 0.0.0.0 | find_next_host_connection policy=AUTHNULL+IKEV2_ALLOW | found policy = AUTH_NEVER+SHUNT0+GROUPINSTANCE (clear#192.1.3.254/32) | find_next_host_connection returns clear#192.1.3.254/32 0.0.0.0 | find_next_host_connection policy=AUTHNULL+IKEV2_ALLOW | find_next_host_connection returns empty | initial parent SA message received on 192.1.2.23:500 but no connection has been authorized with policy AUTHNULL+IKEV2_ALLOW packet from 192.1.2.254:500: initial parent SA message received on 192.1.2.23:500 but no suitable connection found with IKEv2 policy packet from 192.1.2.254:500: responding to IKE_SA_INIT (34) message (Message ID 0) from 192.1.2.254:500 with unencrypted notification NO_PROPOSAL_CHOSEN | Opening output PBS unencrypted notification | **emit ISAKMP Message: | initiator cookie: | bc e3 d2 eb c0 b6 f0 35 | responder cookie: | 00 00 00 00 00 00 00 00 | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) | Message ID: 0 (0x0) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | Adding a v2N Payload | ***emit IKEv2 Notify Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | Protocol ID: PROTO_v2_RESERVED (0x0) | SPI size: 0 (0x0) | Notify Message Type: v2N_NO_PROPOSAL_CHOSEN (0xe) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'unencrypted notification' | emitting length of IKEv2 Notify Payload: 8 | emitting length of ISAKMP Message: 36 | sending 36 bytes for v2 notify through eth1 from 192.1.2.23:500 to 192.1.2.254:500 (using #0) | bc e3 d2 eb c0 b6 f0 35 00 00 00 00 00 00 00 00 | 29 20 22 20 00 00 00 00 00 00 00 24 00 00 00 08 | 00 00 00 0e | stop processing: from 192.1.2.254:500 (in process_md() at demux.c:380) | processing: STOP state #0 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.683 milliseconds in comm_handle_cb() reading and processing packet | processing global timer EVENT_SHUNT_SCAN | expiring aged bare shunts from shunt table | spent 0.00336 milliseconds in global timer EVENT_SHUNT_SCAN