FIPS Product: YES FIPS Kernel: NO FIPS Mode: NO NSS DB directory: sql:/etc/ipsec.d Initializing NSS Opening NSS database "sql:/etc/ipsec.d" read-only NSS initialized NSS crypto library initialized FIPS HMAC integrity support [enabled] FIPS mode disabled for pluto daemon FIPS HMAC integrity verification self-test FAILED libcap-ng support [enabled] Linux audit support [enabled] Linux audit activated Starting Pluto (Libreswan Version v3.28-685-gbfd5aef521-master-s2 XFRM(netkey) esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) DNSSEC FIPS_CHECK LABELED_IPSEC SECCOMP LIBCAP_NG LINUX_AUDIT XAUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:15189 core dump dir: /run/pluto secrets file: /etc/ipsec.secrets leak-detective enabled NSS crypto [enabled] XAUTH PAM support [enabled] | libevent is using pluto's memory allocator Initializing libevent in pthreads mode: headers: 2.1.8-stable (2010800); library: 2.1.8-stable (2010800) | libevent_malloc: new ptr-libevent@0x563b2320f6d8 size 40 | libevent_malloc: new ptr-libevent@0x563b2320f658 size 40 | libevent_malloc: new ptr-libevent@0x563b2320f5d8 size 40 | creating event base | libevent_malloc: new ptr-libevent@0x563b23201208 size 56 | libevent_malloc: new ptr-libevent@0x563b2318ad98 size 664 | libevent_malloc: new ptr-libevent@0x563b23249cf8 size 24 | libevent_malloc: new ptr-libevent@0x563b23249d48 size 384 | libevent_malloc: new ptr-libevent@0x563b23249cb8 size 16 | libevent_malloc: new ptr-libevent@0x563b2320f558 size 40 | libevent_malloc: new ptr-libevent@0x563b2320f4d8 size 48 | libevent_realloc: new ptr-libevent@0x563b2318aa28 size 256 | libevent_malloc: new ptr-libevent@0x563b23249ef8 size 16 | libevent_free: release ptr-libevent@0x563b23201208 | libevent initialized | libevent_realloc: new ptr-libevent@0x563b23201208 size 64 | global periodic timer EVENT_RESET_LOG_RATE_LIMIT enabled with interval of 3600 seconds | init_nat_traversal() initialized with keep_alive=0s NAT-Traversal support [enabled] | global one-shot timer EVENT_NAT_T_KEEPALIVE initialized | global one-shot timer EVENT_FREE_ROOT_CERTS initialized | global periodic timer EVENT_REINIT_SECRET enabled with interval of 3600 seconds | global one-shot timer EVENT_REVIVE_CONNS initialized | global periodic timer EVENT_PENDING_DDNS enabled with interval of 60 seconds | global periodic timer EVENT_PENDING_PHASE2 enabled with interval of 120 seconds Encryption algorithms: AES_CCM_16 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm, aes_ccm_c AES_CCM_12 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_b AES_CCM_8 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_a 3DES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS [*192] 3des CAMELLIA_CTR IKEv1: ESP IKEv2: ESP {256,192,*128} CAMELLIA_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} camellia AES_GCM_16 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm, aes_gcm_c AES_GCM_12 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_b AES_GCM_8 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_a AES_CTR IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aesctr AES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aes SERPENT_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} serpent TWOFISH_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} twofish TWOFISH_SSH IKEv1: IKE IKEv2: IKE ESP {256,192,*128} twofish_cbc_ssh NULL_AUTH_AES_GMAC IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_gmac NULL IKEv1: ESP IKEv2: ESP [] CHACHA20_POLY1305 IKEv1: IKEv2: IKE ESP [*256] chacha20poly1305 Hash algorithms: MD5 IKEv1: IKE IKEv2: SHA1 IKEv1: IKE IKEv2: FIPS sha SHA2_256 IKEv1: IKE IKEv2: FIPS sha2, sha256 SHA2_384 IKEv1: IKE IKEv2: FIPS sha384 SHA2_512 IKEv1: IKE IKEv2: FIPS sha512 PRF algorithms: HMAC_MD5 IKEv1: IKE IKEv2: IKE md5 HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS sha, sha1 HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS sha2, sha256, sha2_256 HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS sha384, sha2_384 HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS sha512, sha2_512 AES_XCBC IKEv1: IKEv2: IKE aes128_xcbc Integrity algorithms: HMAC_MD5_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH md5, hmac_md5 HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha, sha1, sha1_96, hmac_sha1 HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha512, sha2_512, sha2_512_256, hmac_sha2_512 HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha384, sha2_384, sha2_384_192, hmac_sha2_384 HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256 HMAC_SHA2_256_TRUNCBUG IKEv1: ESP AH IKEv2: AH AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP AH aes_xcbc, aes128_xcbc, aes128_xcbc_96 AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS aes_cmac NONE IKEv1: ESP IKEv2: IKE ESP FIPS null DH algorithms: NONE IKEv1: IKEv2: IKE ESP AH FIPS null, dh0 MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH dh5 MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh14 MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh15 MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh16 MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh17 MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh18 DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_256, ecp256 DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_384, ecp384 DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_521, ecp521 DH31 IKEv1: IKE IKEv2: IKE ESP AH curve25519 testing CAMELLIA_CBC: Camellia: 16 bytes with 128-bit key Camellia: 16 bytes with 128-bit key Camellia: 16 bytes with 256-bit key Camellia: 16 bytes with 256-bit key testing AES_GCM_16: empty string one block two blocks two blocks with associated data testing AES_CTR: Encrypting 16 octets using AES-CTR with 128-bit key Encrypting 32 octets using AES-CTR with 128-bit key Encrypting 36 octets using AES-CTR with 128-bit key Encrypting 16 octets using AES-CTR with 192-bit key Encrypting 32 octets using AES-CTR with 192-bit key Encrypting 36 octets using AES-CTR with 192-bit key Encrypting 16 octets using AES-CTR with 256-bit key Encrypting 32 octets using AES-CTR with 256-bit key Encrypting 36 octets using AES-CTR with 256-bit key testing AES_CBC: Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key testing AES_XCBC: RFC 3566 Test Case #1: AES-XCBC-MAC-96 with 0-byte input RFC 3566 Test Case #2: AES-XCBC-MAC-96 with 3-byte input RFC 3566 Test Case #3: AES-XCBC-MAC-96 with 16-byte input RFC 3566 Test Case #4: AES-XCBC-MAC-96 with 20-byte input RFC 3566 Test Case #5: AES-XCBC-MAC-96 with 32-byte input RFC 3566 Test Case #6: AES-XCBC-MAC-96 with 34-byte input RFC 3566 Test Case #7: AES-XCBC-MAC-96 with 1000-byte input RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 16) RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10) RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18) testing HMAC_MD5: RFC 2104: MD5_HMAC test 1 RFC 2104: MD5_HMAC test 2 RFC 2104: MD5_HMAC test 3 8 CPU cores online starting up 7 crypto helpers started thread for crypto helper 0 started thread for crypto helper 1 | starting up helper thread 1 | status value returned by setting the priority of this thread (crypto helper 1) 22 | starting up helper thread 0 | crypto helper 1 waiting (nothing to do) | status value returned by setting the priority of this thread (crypto helper 0) 22 | starting up helper thread 2 | crypto helper 0 waiting (nothing to do) | status value returned by setting the priority of this thread (crypto helper 2) 22 | crypto helper 2 waiting (nothing to do) started thread for crypto helper 2 started thread for crypto helper 3 | starting up helper thread 3 | status value returned by setting the priority of this thread (crypto helper 3) 22 | crypto helper 3 waiting (nothing to do) started thread for crypto helper 4 | starting up helper thread 4 | status value returned by setting the priority of this thread (crypto helper 4) 22 | crypto helper 4 waiting (nothing to do) started thread for crypto helper 5 | starting up helper thread 5 | status value returned by setting the priority of this thread (crypto helper 5) 22 | crypto helper 5 waiting (nothing to do) started thread for crypto helper 6 | checking IKEv1 state table | starting up helper thread 6 | status value returned by setting the priority of this thread (crypto helper 6) 22 | crypto helper 6 waiting (nothing to do) | MAIN_R0: category: half-open IKE SA flags: 0: | -> MAIN_R1 EVENT_SO_DISCARD | MAIN_I1: category: half-open IKE SA flags: 0: | -> MAIN_I2 EVENT_RETRANSMIT | MAIN_R1: category: open IKE SA flags: 200: | -> MAIN_R2 EVENT_RETRANSMIT | -> UNDEFINED EVENT_RETRANSMIT | -> UNDEFINED EVENT_RETRANSMIT | MAIN_I2: category: open IKE SA flags: 0: | -> MAIN_I3 EVENT_RETRANSMIT | -> UNDEFINED EVENT_RETRANSMIT | -> UNDEFINED EVENT_RETRANSMIT | MAIN_R2: category: open IKE SA flags: 0: | -> MAIN_R3 EVENT_SA_REPLACE | -> MAIN_R3 EVENT_SA_REPLACE | -> UNDEFINED EVENT_SA_REPLACE | MAIN_I3: category: open IKE SA flags: 0: | -> MAIN_I4 EVENT_SA_REPLACE | -> MAIN_I4 EVENT_SA_REPLACE | -> UNDEFINED EVENT_SA_REPLACE | MAIN_R3: category: established IKE SA flags: 200: | -> UNDEFINED EVENT_NULL | MAIN_I4: category: established IKE SA flags: 0: | -> UNDEFINED EVENT_NULL | AGGR_R0: category: half-open IKE SA flags: 0: | -> AGGR_R1 EVENT_SO_DISCARD | AGGR_I1: category: half-open IKE SA flags: 0: | -> AGGR_I2 EVENT_SA_REPLACE | -> AGGR_I2 EVENT_SA_REPLACE | AGGR_R1: category: open IKE SA flags: 200: | -> AGGR_R2 EVENT_SA_REPLACE | -> AGGR_R2 EVENT_SA_REPLACE | AGGR_I2: category: established IKE SA flags: 200: | -> UNDEFINED EVENT_NULL | AGGR_R2: category: established IKE SA flags: 0: | -> UNDEFINED EVENT_NULL | QUICK_R0: category: established CHILD SA flags: 0: | -> QUICK_R1 EVENT_RETRANSMIT | QUICK_I1: category: established CHILD SA flags: 0: | -> QUICK_I2 EVENT_SA_REPLACE | QUICK_R1: category: established CHILD SA flags: 0: | -> QUICK_R2 EVENT_SA_REPLACE | QUICK_I2: category: established CHILD SA flags: 200: | -> UNDEFINED EVENT_NULL | QUICK_R2: category: established CHILD SA flags: 0: | -> UNDEFINED EVENT_NULL | INFO: category: informational flags: 0: | -> UNDEFINED EVENT_NULL | INFO_PROTECTED: category: informational flags: 0: | -> UNDEFINED EVENT_NULL | XAUTH_R0: category: established IKE SA flags: 0: | -> XAUTH_R1 EVENT_NULL | XAUTH_R1: category: established IKE SA flags: 0: | -> MAIN_R3 EVENT_SA_REPLACE | MODE_CFG_R0: category: informational flags: 0: | -> MODE_CFG_R1 EVENT_SA_REPLACE | MODE_CFG_R1: category: established IKE SA flags: 0: | -> MODE_CFG_R2 EVENT_SA_REPLACE | MODE_CFG_R2: category: established IKE SA flags: 0: | -> UNDEFINED EVENT_NULL | MODE_CFG_I1: category: established IKE SA flags: 0: | -> MAIN_I4 EVENT_SA_REPLACE | XAUTH_I0: category: established IKE SA flags: 0: | -> XAUTH_I1 EVENT_RETRANSMIT | XAUTH_I1: category: established IKE SA flags: 0: | -> MAIN_I4 EVENT_RETRANSMIT | checking IKEv2 state table | PARENT_I0: category: ignore flags: 0: | -> PARENT_I1 EVENT_RETRANSMIT send-request (initiate IKE_SA_INIT) | PARENT_I1: category: half-open IKE SA flags: 0: | -> PARENT_I1 EVENT_RETAIN send-request (Initiator: process SA_INIT reply notification) | -> PARENT_I2 EVENT_RETRANSMIT send-request (Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH) | PARENT_I2: category: open IKE SA flags: 0: | -> PARENT_I2 EVENT_NULL (Initiator: process INVALID_SYNTAX AUTH notification) | -> PARENT_I2 EVENT_NULL (Initiator: process AUTHENTICATION_FAILED AUTH notification) | -> PARENT_I2 EVENT_NULL (Initiator: process UNSUPPORTED_CRITICAL_PAYLOAD AUTH notification) | -> V2_IPSEC_I EVENT_SA_REPLACE (Initiator: process IKE_AUTH response) | -> PARENT_I2 EVENT_NULL (IKE SA: process IKE_AUTH response containing unknown notification) | PARENT_I3: category: established IKE SA flags: 0: | -> PARENT_I3 EVENT_RETAIN (I3: Informational Request) | -> PARENT_I3 EVENT_RETAIN (I3: Informational Response) | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Request) | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Response) | PARENT_R0: category: half-open IKE SA flags: 0: | -> PARENT_R1 EVENT_SO_DISCARD send-request (Respond to IKE_SA_INIT) | PARENT_R1: category: half-open IKE SA flags: 0: | -> PARENT_R1 EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request (no SKEYSEED)) | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request) | PARENT_R2: category: established IKE SA flags: 0: | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Request) | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Response) | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Request) | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Response) | V2_CREATE_I0: category: established IKE SA flags: 0: | -> V2_CREATE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec SA) | V2_CREATE_I: category: established IKE SA flags: 0: | -> V2_IPSEC_I EVENT_SA_REPLACE (Process CREATE_CHILD_SA IPsec SA Response) | V2_REKEY_IKE_I0: category: established IKE SA flags: 0: | -> V2_REKEY_IKE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IKE Rekey) | V2_REKEY_IKE_I: category: established IKE SA flags: 0: | -> PARENT_I3 EVENT_SA_REPLACE (Process CREATE_CHILD_SA IKE Rekey Response) | V2_REKEY_CHILD_I0: category: established IKE SA flags: 0: | -> V2_REKEY_CHILD_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec Rekey SA) | V2_REKEY_CHILD_I: category: established IKE SA flags: 0: | V2_CREATE_R: category: established IKE SA flags: 0: | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IPsec SA Request) | V2_REKEY_IKE_R: category: established IKE SA flags: 0: | -> PARENT_R2 EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IKE Rekey) | V2_REKEY_CHILD_R: category: established IKE SA flags: 0: | V2_IPSEC_I: category: established CHILD SA flags: 0: | V2_IPSEC_R: category: established CHILD SA flags: 0: | IKESA_DEL: category: established IKE SA flags: 0: | -> IKESA_DEL EVENT_RETAIN (IKE_SA_DEL: process INFORMATIONAL) | CHILDSA_DEL: category: informational flags: 0: Using Linux XFRM/NETKEY IPsec interface code on 5.1.18-200.fc29.x86_64 | Hard-wiring algorithms | adding AES_CCM_16 to kernel algorithm db | adding AES_CCM_12 to kernel algorithm db | adding AES_CCM_8 to kernel algorithm db | adding 3DES_CBC to kernel algorithm db | adding CAMELLIA_CBC to kernel algorithm db | adding AES_GCM_16 to kernel algorithm db | adding AES_GCM_12 to kernel algorithm db | adding AES_GCM_8 to kernel algorithm db | adding AES_CTR to kernel algorithm db | adding AES_CBC to kernel algorithm db | adding SERPENT_CBC to kernel algorithm db | adding TWOFISH_CBC to kernel algorithm db | adding NULL_AUTH_AES_GMAC to kernel algorithm db | adding NULL to kernel algorithm db | adding CHACHA20_POLY1305 to kernel algorithm db | adding HMAC_MD5_96 to kernel algorithm db | adding HMAC_SHA1_96 to kernel algorithm db | adding HMAC_SHA2_512_256 to kernel algorithm db | adding HMAC_SHA2_384_192 to kernel algorithm db | adding HMAC_SHA2_256_128 to kernel algorithm db | adding HMAC_SHA2_256_TRUNCBUG to kernel algorithm db | adding AES_XCBC_96 to kernel algorithm db | adding AES_CMAC_96 to kernel algorithm db | adding NONE to kernel algorithm db | net.ipv6.conf.all.disable_ipv6=1 ignore ipv6 holes | global periodic timer EVENT_SHUNT_SCAN enabled with interval of 20 seconds | setup kernel fd callback | add_fd_read_event_handler: new KERNEL_XRM_FD-pe@0x563b232093f8 | libevent_malloc: new ptr-libevent@0x563b23248468 size 128 | libevent_malloc: new ptr-libevent@0x563b2324f4f8 size 16 | add_fd_read_event_handler: new KERNEL_ROUTE_FD-pe@0x563b2324f488 | libevent_malloc: new ptr-libevent@0x563b23201eb8 size 128 | libevent_malloc: new ptr-libevent@0x563b2324f158 size 16 | global one-shot timer EVENT_CHECK_CRLS initialized selinux support is enabled. | unbound context created - setting debug level to 5 | /etc/hosts lookups activated | /etc/resolv.conf usage activated | outgoing-port-avoid set 0-65535 | outgoing-port-permit set 32768-60999 | Loading dnssec root key from:/var/lib/unbound/root.key | No additional dnssec trust anchors defined via dnssec-trusted= option | Setting up events, loop start | add_fd_read_event_handler: new PLUTO_CTL_FD-pe@0x563b2324f928 | libevent_malloc: new ptr-libevent@0x563b2325b808 size 128 | libevent_malloc: new ptr-libevent@0x563b23266af8 size 16 | libevent_realloc: new ptr-libevent@0x563b23266b38 size 256 | libevent_malloc: new ptr-libevent@0x563b23266c68 size 8 | libevent_realloc: new ptr-libevent@0x563b23266ca8 size 144 | libevent_malloc: new ptr-libevent@0x563b2320d9c8 size 152 | libevent_malloc: new ptr-libevent@0x563b23266d68 size 16 | signal event handler PLUTO_SIGCHLD installed | libevent_malloc: new ptr-libevent@0x563b23266da8 size 8 | libevent_malloc: new ptr-libevent@0x563b2318b708 size 152 | signal event handler PLUTO_SIGTERM installed | libevent_malloc: new ptr-libevent@0x563b23266de8 size 8 | libevent_malloc: new ptr-libevent@0x563b23266e28 size 152 | signal event handler PLUTO_SIGHUP installed | libevent_malloc: new ptr-libevent@0x563b23266ef8 size 8 | libevent_realloc: release ptr-libevent@0x563b23266ca8 | libevent_realloc: new ptr-libevent@0x563b23266f38 size 256 | libevent_malloc: new ptr-libevent@0x563b23267068 size 152 | signal event handler PLUTO_SIGSYS installed | created addconn helper (pid:15250) using fork+execve | forked child 15250 | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) listening for IKE messages | Inspecting interface lo | found lo with address 127.0.0.1 | Inspecting interface eth0 | found eth0 with address 192.0.2.254 | Inspecting interface eth1 | found eth1 with address 192.1.2.23 Kernel supports NIC esp-hw-offload adding interface eth1/eth1 (esp-hw-offload not supported by kernel) 192.1.2.23:500 | NAT-Traversal: Trying sockopt style NAT-T | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 adding interface eth1/eth1 192.1.2.23:4500 adding interface eth0/eth0 (esp-hw-offload not supported by kernel) 192.0.2.254:500 | NAT-Traversal: Trying sockopt style NAT-T | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 adding interface eth0/eth0 192.0.2.254:4500 adding interface lo/lo (esp-hw-offload not supported by kernel) 127.0.0.1:500 | NAT-Traversal: Trying sockopt style NAT-T | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 adding interface lo/lo 127.0.0.1:4500 | no interfaces to sort | FOR_EACH_UNORIENTED_CONNECTION_... in check_orientations | add_fd_read_event_handler: new ethX-pe@0x563b23267648 | libevent_malloc: new ptr-libevent@0x563b2325b758 size 128 | libevent_malloc: new ptr-libevent@0x563b232676b8 size 16 | setup callback for interface lo 127.0.0.1:4500 fd 22 | add_fd_read_event_handler: new ethX-pe@0x563b232676f8 | libevent_malloc: new ptr-libevent@0x563b23201f68 size 128 | libevent_malloc: new ptr-libevent@0x563b23267768 size 16 | setup callback for interface lo 127.0.0.1:500 fd 21 | add_fd_read_event_handler: new ethX-pe@0x563b232677a8 | libevent_malloc: new ptr-libevent@0x563b23201888 size 128 | libevent_malloc: new ptr-libevent@0x563b23267818 size 16 | setup callback for interface eth0 192.0.2.254:4500 fd 20 | add_fd_read_event_handler: new ethX-pe@0x563b23267858 | libevent_malloc: new ptr-libevent@0x563b23209148 size 128 | libevent_malloc: new ptr-libevent@0x563b232678c8 size 16 | setup callback for interface eth0 192.0.2.254:500 fd 19 | add_fd_read_event_handler: new ethX-pe@0x563b23267908 | libevent_malloc: new ptr-libevent@0x563b23209248 size 128 | libevent_malloc: new ptr-libevent@0x563b23267978 size 16 | setup callback for interface eth1 192.1.2.23:4500 fd 18 | add_fd_read_event_handler: new ethX-pe@0x563b232679b8 | libevent_malloc: new ptr-libevent@0x563b23209348 size 128 | libevent_malloc: new ptr-libevent@0x563b23267a28 size 16 | setup callback for interface eth1 192.1.2.23:500 fd 17 | certs and keys locked by 'free_preshared_secrets' | certs and keys unlocked by 'free_preshared_secrets' loading secrets from "/etc/ipsec.secrets" | saving Modulus | saving PublicExponent | ignoring PrivateExponent | ignoring Prime1 | ignoring Prime2 | ignoring Exponent1 | ignoring Exponent2 | ignoring Coefficient | ignoring CKAIDNSS | computed rsa CKAID 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1 | computed rsa CKAID 8a 82 25 f1 loaded private key for keyid: PKK_RSA:AQO9bJbr3 | certs and keys locked by 'process_secret' | certs and keys unlocked by 'process_secret' | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 1.53 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) listening for IKE messages | Inspecting interface lo | found lo with address 127.0.0.1 | Inspecting interface eth0 | found eth0 with address 192.0.2.254 | Inspecting interface eth1 | found eth1 with address 192.1.2.23 | no interfaces to sort | libevent_free: release ptr-libevent@0x563b2325b758 | free_event_entry: release EVENT_NULL-pe@0x563b23267648 | add_fd_read_event_handler: new ethX-pe@0x563b23267648 | libevent_malloc: new ptr-libevent@0x563b2325b758 size 128 | setup callback for interface lo 127.0.0.1:4500 fd 22 | libevent_free: release ptr-libevent@0x563b23201f68 | free_event_entry: release EVENT_NULL-pe@0x563b232676f8 | add_fd_read_event_handler: new ethX-pe@0x563b232676f8 | libevent_malloc: new ptr-libevent@0x563b23201f68 size 128 | setup callback for interface lo 127.0.0.1:500 fd 21 | libevent_free: release ptr-libevent@0x563b23201888 | free_event_entry: release EVENT_NULL-pe@0x563b232677a8 | add_fd_read_event_handler: new ethX-pe@0x563b232677a8 | libevent_malloc: new ptr-libevent@0x563b23201888 size 128 | setup callback for interface eth0 192.0.2.254:4500 fd 20 | libevent_free: release ptr-libevent@0x563b23209148 | free_event_entry: release EVENT_NULL-pe@0x563b23267858 | add_fd_read_event_handler: new ethX-pe@0x563b23267858 | libevent_malloc: new ptr-libevent@0x563b23209148 size 128 | setup callback for interface eth0 192.0.2.254:500 fd 19 | libevent_free: release ptr-libevent@0x563b23209248 | free_event_entry: release EVENT_NULL-pe@0x563b23267908 | add_fd_read_event_handler: new ethX-pe@0x563b23267908 | libevent_malloc: new ptr-libevent@0x563b23209248 size 128 | setup callback for interface eth1 192.1.2.23:4500 fd 18 | libevent_free: release ptr-libevent@0x563b23209348 | free_event_entry: release EVENT_NULL-pe@0x563b232679b8 | add_fd_read_event_handler: new ethX-pe@0x563b232679b8 | libevent_malloc: new ptr-libevent@0x563b23209348 size 128 | setup callback for interface eth1 192.1.2.23:500 fd 17 | certs and keys locked by 'free_preshared_secrets' forgetting secrets | certs and keys unlocked by 'free_preshared_secrets' loading secrets from "/etc/ipsec.secrets" | saving Modulus | saving PublicExponent | ignoring PrivateExponent | ignoring Prime1 | ignoring Prime2 | ignoring Exponent1 | ignoring Exponent2 | ignoring Coefficient | ignoring CKAIDNSS | computed rsa CKAID 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1 | computed rsa CKAID 8a 82 25 f1 loaded private key for keyid: PKK_RSA:AQO9bJbr3 | certs and keys locked by 'process_secret' | certs and keys unlocked by 'process_secret' | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.624 milliseconds in whack | processing signal PLUTO_SIGCHLD | waitpid returned pid 15250 (exited with status 0) | reaped addconn helper child (status 0) | waitpid returned ECHILD (no child processes left) | spent 0.0145 milliseconds in signal handler PLUTO_SIGCHLD | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) | FOR_EACH_CONNECTION_... in conn_by_name | FOR_EACH_CONNECTION_... in foreach_connection_by_alias | FOR_EACH_CONNECTION_... in conn_by_name | FOR_EACH_CONNECTION_... in foreach_connection_by_alias | FOR_EACH_CONNECTION_... in conn_by_name | Added new connection nss-cert with policy ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO | No AUTH policy was set - defaulting to RSASIG | setting ID to ID_DER_ASN1_DN: 'E=user-west@testing.libreswan.org,CN=west.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA' | loading left certificate 'west' pubkey | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x563b2326d228 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x563b2326d328 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x563b2326dd38 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x563b2326dc38 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x563b23269758 | unreference key: 0x563b2326ca18 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org cnt 1-- | warning: no secret key loaded for left certificate with nickname west: NSS: cert private key not found | counting wild cards for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org is 0 | setting ID to ID_DER_ASN1_DN: 'E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA' | loading right certificate 'east' pubkey | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x563b23269758 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x563b2326db88 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x563b2326ed48 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x563b2326e8c8 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x563b23269658 | unreference key: 0x563b23272828 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org cnt 1-- | certs and keys locked by 'lsw_add_rsa_secret' | certs and keys unlocked by 'lsw_add_rsa_secret' | counting wild cards for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org is 0 | connect_to_host_pair: 192.1.2.23:500 192.1.2.45:500 -> hp@(nil): none | new hp@0x563b232751a8 added connection description "nss-cert" | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO | 192.0.2.254/32===192.1.2.23<192.1.2.23>[C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org,+S-C]...192.1.2.45<192.1.2.45>[C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org,+S-C]===192.0.1.254/32 | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 2.41 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) | FOR_EACH_CONNECTION_... in show_connections_status | FOR_EACH_CONNECTION_... in show_connections_status | FOR_EACH_STATE_... in show_states_status (sort_states) | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.448 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) | old debugging base+cpu-usage + none | base debugging = base+cpu-usage | old impairing none + suppress-retransmits | base impairing = suppress-retransmits | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.28 milliseconds in whack | spent 0.00267 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 792 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500) | 2d 14 fe 25 fd 9f c6 72 00 00 00 00 00 00 00 00 | 01 10 02 00 00 00 00 00 00 00 03 18 0d 00 02 84 | 00 00 00 01 00 00 00 01 00 00 02 78 00 01 00 12 | 03 00 00 24 00 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 07 80 02 00 04 80 03 00 03 80 04 00 0e | 80 0e 01 00 03 00 00 24 01 01 00 00 80 0b 00 01 | 80 0c 0e 10 80 01 00 07 80 02 00 04 80 03 00 03 | 80 04 00 0e 80 0e 00 80 03 00 00 24 02 01 00 00 | 80 0b 00 01 80 0c 0e 10 80 01 00 07 80 02 00 06 | 80 03 00 03 80 04 00 0e 80 0e 01 00 03 00 00 24 | 03 01 00 00 80 0b 00 01 80 0c 0e 10 80 01 00 07 | 80 02 00 06 80 03 00 03 80 04 00 0e 80 0e 00 80 | 03 00 00 24 04 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 07 80 02 00 02 80 03 00 03 80 04 00 0e | 80 0e 01 00 03 00 00 24 05 01 00 00 80 0b 00 01 | 80 0c 0e 10 80 01 00 07 80 02 00 02 80 03 00 03 | 80 04 00 0e 80 0e 00 80 03 00 00 24 06 01 00 00 | 80 0b 00 01 80 0c 0e 10 80 01 00 07 80 02 00 04 | 80 03 00 03 80 04 00 05 80 0e 01 00 03 00 00 24 | 07 01 00 00 80 0b 00 01 80 0c 0e 10 80 01 00 07 | 80 02 00 04 80 03 00 03 80 04 00 05 80 0e 00 80 | 03 00 00 24 08 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 07 80 02 00 06 80 03 00 03 80 04 00 05 | 80 0e 01 00 03 00 00 24 09 01 00 00 80 0b 00 01 | 80 0c 0e 10 80 01 00 07 80 02 00 06 80 03 00 03 | 80 04 00 05 80 0e 00 80 03 00 00 24 0a 01 00 00 | 80 0b 00 01 80 0c 0e 10 80 01 00 07 80 02 00 02 | 80 03 00 03 80 04 00 05 80 0e 01 00 03 00 00 24 | 0b 01 00 00 80 0b 00 01 80 0c 0e 10 80 01 00 07 | 80 02 00 02 80 03 00 03 80 04 00 05 80 0e 00 80 | 03 00 00 20 0c 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 05 80 02 00 04 80 03 00 03 80 04 00 0e | 03 00 00 20 0d 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 05 80 02 00 06 80 03 00 03 80 04 00 0e | 03 00 00 20 0e 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 05 80 02 00 02 80 03 00 03 80 04 00 0e | 03 00 00 20 0f 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 05 80 02 00 04 80 03 00 03 80 04 00 05 | 03 00 00 20 10 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 05 80 02 00 06 80 03 00 03 80 04 00 05 | 00 00 00 20 11 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 05 80 02 00 02 80 03 00 03 80 04 00 05 | 0d 00 00 14 40 48 b7 d5 6e bc e8 85 25 e7 de 7f | 00 d6 c2 d3 0d 00 00 14 af ca d7 13 68 a1 f1 c9 | 6b 86 96 fc 77 57 01 00 0d 00 00 14 4a 13 1c 81 | 07 03 58 45 5c 57 28 f2 0e 95 45 2f 0d 00 00 14 | 7d 94 19 a6 53 10 ca 6f 2c 17 9d 92 15 52 9d 56 | 0d 00 00 14 90 cb 80 91 3e bb 69 6e 08 63 81 b5 | ec 42 7b 1f 00 00 00 14 cd 60 46 43 35 df 21 f8 | 7c fd b2 fc 68 b6 a4 48 | start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 2d 14 fe 25 fd 9f c6 72 | responder cookie: | 00 00 00 00 00 00 00 00 | next payload type: ISAKMP_NEXT_SA (0x1) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_IDPROT (0x2) | flags: none (0x0) | Message ID: 0 (0x0) | length: 792 (0x318) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_IDPROT (2) | State DB: IKEv1 state not found (find_state_ikev1_init) | #null state always idle | got payload 0x2 (ISAKMP_NEXT_SA) needed: 0x2 opt: 0x2080 | ***parse ISAKMP Security Association Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 644 (0x284) | DOI: ISAKMP_DOI_IPSEC (0x1) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 20 (0x14) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 20 (0x14) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 20 (0x14) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 20 (0x14) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 20 (0x14) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 20 (0x14) | message 'main_inI1_outR1' HASH payload not checked early | received Vendor ID payload [FRAGMENTATION] | received Vendor ID payload [Dead Peer Detection] | quirks.qnat_traversal_vid set to=117 [RFC 3947] | received Vendor ID payload [RFC 3947] | Ignoring older NAT-T Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] | ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] | Ignoring older NAT-T Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] | ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] | Ignoring older NAT-T Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] | ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] | in statetime_start() with no state | find_host_connection local=192.1.2.23:500 remote=192.1.2.45:500 policy=IKEV1_ALLOW but ignoring ports | find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500 but ignoring ports | find_next_host_connection policy=IKEV1_ALLOW | found policy = RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (nss-cert) | find_next_host_connection returns nss-cert | find_next_host_connection policy=IKEV1_ALLOW | find_next_host_connection returns empty | creating state object #1 at 0x563b23272ae8 | State DB: adding IKEv1 state #1 in UNDEFINED | pstats #1 ikev1.isakmp started | #1 updating local interface from to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2669) | start processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in main_inI1_outR1() at ikev1_main.c:667) | parent state #1: UNDEFINED(ignore) => MAIN_R0(half-open IKE SA) | sender checking NAT-T: enabled; VID 117 | returning NAT-T method NAT_TRAVERSAL_METHOD_IETF_RFC | enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal) "nss-cert" #1: responding to Main Mode | **emit ISAKMP Message: | initiator cookie: | 2d 14 fe 25 fd 9f c6 72 | responder cookie: | c6 c5 70 a7 a3 e3 3e 2b | next payload type: ISAKMP_NEXT_SA (0x1) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_IDPROT (0x2) | flags: none (0x0) | Message ID: 0 (0x0) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | next payload chain: ignoring supplied 'ISAKMP Message'.'next payload type' value 1:ISAKMP_NEXT_SA | ***emit ISAKMP Security Association Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | DOI: ISAKMP_DOI_IPSEC (0x1) | next payload chain: ignoring supplied 'ISAKMP Security Association Payload'.'next payload type' value 13:ISAKMP_NEXT_VID | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Security Association Payload (1:ISAKMP_NEXT_SA) | next payload chain: saving location 'ISAKMP Security Association Payload'.'next payload type' in 'reply packet' | ****parse IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ****parse ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 632 (0x278) | proposal number: 0 (0x0) | protocol ID: PROTO_ISAKMP (0x1) | SPI size: 0 (0x0) | number of transforms: 18 (0x12) | *****parse ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | length: 36 (0x24) | ISAKMP transform number: 0 (0x0) | ISAKMP transform ID: KEY_IKE (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 7 (0x7) | [7 is OAKLEY_AES_CBC] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 4 (0x4) | [4 is OAKLEY_SHA2_256] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 3 (0x3) | [3 is OAKLEY_RSA_SIG] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 14 (0xe) | [14 is OAKLEY_GROUP_MODP2048] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | OAKLEY proposal verified unconditionally; no alg_info to check against | Oakley Transform 0 accepted | ****emit IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ****emit ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | proposal number: 0 (0x0) | protocol ID: PROTO_ISAKMP (0x1) | SPI size: 0 (0x0) | number of transforms: 1 (0x1) | last substructure: saving location 'ISAKMP Security Association Payload'.'ISAKMP Proposal Payload'.'next payload type' | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP transform number: 0 (0x0) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | emitting 28 raw bytes of attributes into ISAKMP Transform Payload (ISAKMP) | attributes 80 0b 00 01 80 0c 0e 10 80 01 00 07 80 02 00 04 | attributes 80 03 00 03 80 04 00 0e 80 0e 01 00 | emitting length of ISAKMP Transform Payload (ISAKMP): 36 | emitting length of ISAKMP Proposal Payload: 44 | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is 0 | emitting length of ISAKMP Security Association Payload: 56 | last substructure: checking 'ISAKMP Security Association Payload'.'ISAKMP Proposal Payload'.'next payload type' is 0 | out_vid(): sending [FRAGMENTATION] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | next payload chain: ignoring supplied 'ISAKMP Vendor ID Payload'.'next payload type' value 13:ISAKMP_NEXT_VID | next payload chain: setting previous 'ISAKMP Security Association Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID 40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3 | emitting length of ISAKMP Vendor ID Payload: 20 | out_vid(): sending [Dead Peer Detection] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Vendor ID Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00 | emitting length of ISAKMP Vendor ID Payload: 20 | out_vid(): sending [RFC 3947] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Vendor ID Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID 4a 13 1c 81 07 03 58 45 5c 57 28 f2 0e 95 45 2f | emitting length of ISAKMP Vendor ID Payload: 20 | no IKEv1 message padding required | emitting length of ISAKMP Message: 144 | complete v1 state transition with STF_OK | [RE]START processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in complete_v1_state_transition() at ikev1.c:2673) | #1 is idle | doing_xauth:no, t_xauth_client_done:no | peer supports fragmentation | peer supports DPD | IKEv1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1 | parent state #1: MAIN_R0(half-open IKE SA) => MAIN_R1(open IKE SA) | event_already_set, deleting event | sending reply packet to 192.1.2.45:500 (from 192.1.2.23:500) | sending 144 bytes for STATE_MAIN_R0 through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #1) | 2d 14 fe 25 fd 9f c6 72 c6 c5 70 a7 a3 e3 3e 2b | 01 10 02 00 00 00 00 00 00 00 00 90 0d 00 00 38 | 00 00 00 01 00 00 00 01 00 00 00 2c 00 01 00 01 | 00 00 00 24 00 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 07 80 02 00 04 80 03 00 03 80 04 00 0e | 80 0e 01 00 0d 00 00 14 40 48 b7 d5 6e bc e8 85 | 25 e7 de 7f 00 d6 c2 d3 0d 00 00 14 af ca d7 13 | 68 a1 f1 c9 6b 86 96 fc 77 57 01 00 00 00 00 14 | 4a 13 1c 81 07 03 58 45 5c 57 28 f2 0e 95 45 2f | !event_already_set at reschedule | event_schedule: new EVENT_SO_DISCARD-pe@0x563b232755d8 | inserting event EVENT_SO_DISCARD, timeout in 60 seconds for #1 | libevent_malloc: new ptr-libevent@0x563b2326dc88 size 128 "nss-cert" #1: STATE_MAIN_R1: sent MR1, expecting MI2 | modecfg pull: noquirk policy:push not-client | phase 1 is done, looking for phase 2 to unpend | stop processing: from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:380) | stop processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.615 milliseconds in comm_handle_cb() reading and processing packet | spent 0.00253 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 396 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500) | 2d 14 fe 25 fd 9f c6 72 c6 c5 70 a7 a3 e3 3e 2b | 04 10 02 00 00 00 00 00 00 00 01 8c 0a 00 01 04 | 83 c6 62 80 2c 8b d3 4f 4d 19 a7 9f ba 6e 4e 35 | 9a c8 dd 24 98 9d 91 52 6e 2b f1 e9 01 8a 0e 69 | 12 7e e1 08 bf cc 2c c4 93 c1 ec 9e 03 99 00 f3 | 5a 0a c8 f1 99 91 7b 7b 24 ce 94 4a 78 bc b9 07 | ce 05 e5 36 b0 c2 3e c1 cc 22 e2 02 fd 51 7f 85 | d7 5b 90 d3 1a 7a 24 f3 9a ae 10 da 38 51 10 18 | 97 b8 68 00 47 d8 77 41 b7 f0 42 ad 05 15 85 ee | 6d 42 05 62 9f 1f b9 bb 12 45 3d 76 26 bf 47 25 | f5 59 c2 aa db fd 9e 4a 29 59 89 3c 37 d8 9d 42 | e8 cb 34 96 6d 3c 31 85 09 01 eb 08 b5 eb c3 a7 | b6 34 cf 5e 58 1b c9 e0 61 4d 5c 69 c4 e6 09 f9 | 12 9f 2b ba 90 a2 fb bf 3c f8 9f b7 82 70 2f 1d | 04 1c 2d 70 c4 e3 17 cf f1 02 9a cc e5 da a8 d0 | d6 62 f5 71 9f a0 74 5e cc 27 9c fd 36 a1 26 d5 | 1a f0 5b cd 07 cd 19 53 0f 32 68 86 51 40 48 2b | 4c db f2 2b 90 18 2a 7a 6f e4 70 23 3a ef 12 a9 | 14 00 00 24 8b 30 16 82 06 49 3f 62 d7 6e e7 61 | 6c cc fc de 64 60 ee de e4 cc 59 6e 9b 70 00 41 | 40 f9 6b 58 14 00 00 24 af 51 ae e9 c5 a8 ac 85 | 26 28 a5 99 40 1f 7b 58 14 86 47 42 3f 1e d6 40 | b1 8e 68 17 e8 4b 04 26 00 00 00 24 fd 59 62 d6 | 38 21 87 a1 4a 32 2a 22 57 5f 77 4f 2a 43 6d 88 | 62 9c a9 19 75 4c c9 94 40 ac 38 b3 | start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 2d 14 fe 25 fd 9f c6 72 | responder cookie: | c6 c5 70 a7 a3 e3 3e 2b | next payload type: ISAKMP_NEXT_KE (0x4) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_IDPROT (0x2) | flags: none (0x0) | Message ID: 0 (0x0) | length: 396 (0x18c) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_IDPROT (2) | State DB: found IKEv1 state #1 in MAIN_R1 (find_state_ikev1) | start processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in process_v1_packet() at ikev1.c:1459) | #1 is idle | #1 idle | got payload 0x10 (ISAKMP_NEXT_KE) needed: 0x410 opt: 0x102080 | ***parse ISAKMP Key Exchange Payload: | next payload type: ISAKMP_NEXT_NONCE (0xa) | length: 260 (0x104) | got payload 0x400 (ISAKMP_NEXT_NONCE) needed: 0x400 opt: 0x102080 | ***parse ISAKMP Nonce Payload: | next payload type: ISAKMP_NEXT_NATD_RFC (0x14) | length: 36 (0x24) | got payload 0x100000 (ISAKMP_NEXT_NATD_RFC) needed: 0x0 opt: 0x102080 | ***parse ISAKMP NAT-D Payload: | next payload type: ISAKMP_NEXT_NATD_RFC (0x14) | length: 36 (0x24) | got payload 0x100000 (ISAKMP_NEXT_NATD_RFC) needed: 0x0 opt: 0x102080 | ***parse ISAKMP NAT-D Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 36 (0x24) | message 'main_inI2_outR2' HASH payload not checked early | init checking NAT-T: enabled; RFC 3947 (NAT-Traversal) | natd_hash: hasher=0x563b219bdca0(32) | natd_hash: icookie= 2d 14 fe 25 fd 9f c6 72 | natd_hash: rcookie= c6 c5 70 a7 a3 e3 3e 2b | natd_hash: ip= c0 01 02 17 | natd_hash: port=500 | natd_hash: hash= af 51 ae e9 c5 a8 ac 85 26 28 a5 99 40 1f 7b 58 | natd_hash: hash= 14 86 47 42 3f 1e d6 40 b1 8e 68 17 e8 4b 04 26 | natd_hash: hasher=0x563b219bdca0(32) | natd_hash: icookie= 2d 14 fe 25 fd 9f c6 72 | natd_hash: rcookie= c6 c5 70 a7 a3 e3 3e 2b | natd_hash: ip= c0 01 02 2d | natd_hash: port=500 | natd_hash: hash= fd 59 62 d6 38 21 87 a1 4a 32 2a 22 57 5f 77 4f | natd_hash: hash= 2a 43 6d 88 62 9c a9 19 75 4c c9 94 40 ac 38 b3 | expected NAT-D(me): af 51 ae e9 c5 a8 ac 85 26 28 a5 99 40 1f 7b 58 | expected NAT-D(me): 14 86 47 42 3f 1e d6 40 b1 8e 68 17 e8 4b 04 26 | expected NAT-D(him): | fd 59 62 d6 38 21 87 a1 4a 32 2a 22 57 5f 77 4f | 2a 43 6d 88 62 9c a9 19 75 4c c9 94 40 ac 38 b3 | received NAT-D: af 51 ae e9 c5 a8 ac 85 26 28 a5 99 40 1f 7b 58 | received NAT-D: 14 86 47 42 3f 1e d6 40 b1 8e 68 17 e8 4b 04 26 | received NAT-D: fd 59 62 d6 38 21 87 a1 4a 32 2a 22 57 5f 77 4f | received NAT-D: 2a 43 6d 88 62 9c a9 19 75 4c c9 94 40 ac 38 b3 | NAT_TRAVERSAL encaps using auto-detect | NAT_TRAVERSAL this end is NOT behind NAT | NAT_TRAVERSAL that end is NOT behind NAT | NAT_TRAVERSAL nat-keepalive enabled 192.1.2.45 | NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: no NAT detected | NAT_T_WITH_KA detected | global one-shot timer EVENT_NAT_T_KEEPALIVE scheduled in 20 seconds | adding inI2_outR2 KE work-order 1 for state #1 | state #1 requesting EVENT_SO_DISCARD to be deleted | libevent_free: release ptr-libevent@0x563b2326dc88 | free_event_entry: release EVENT_SO_DISCARD-pe@0x563b232755d8 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x563b232755d8 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 | libevent_malloc: new ptr-libevent@0x563b232756b8 size 128 | complete v1 state transition with STF_SUSPEND | [RE]START processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in complete_v1_state_transition() at ikev1.c:2648) | crypto helper 1 resuming | crypto helper 1 starting work-order 1 for state #1 | crypto helper 1 doing build KE and nonce (inI2_outR2 KE); request ID 1 | suspending state #1 and saving MD | #1 is busy; has a suspended MD | #1 spent 0.128 milliseconds in process_packet_tail() | stop processing: from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:380) | stop processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.277 milliseconds in comm_handle_cb() reading and processing packet | crypto helper 1 finished build KE and nonce (inI2_outR2 KE); request ID 1 time elapsed 0.000947 seconds | (#1) spent 0.94 milliseconds in crypto helper computing work-order 1: inI2_outR2 KE (pcr) | crypto helper 1 sending results from work-order 1 for state #1 to event queue | scheduling resume sending helper answer for #1 | libevent_malloc: new ptr-libevent@0x7f3648002888 size 128 | crypto helper 1 waiting (nothing to do) | processing resume sending helper answer for #1 | start processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in resume_handler() at server.c:797) | crypto helper 1 replies to request ID 1 | calling continuation function 0x563b218e8b50 | main_inI2_outR2_continue for #1: calculated ke+nonce, sending R2 | **emit ISAKMP Message: | initiator cookie: | 2d 14 fe 25 fd 9f c6 72 | responder cookie: | c6 c5 70 a7 a3 e3 3e 2b | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_IDPROT (0x2) | flags: none (0x0) | Message ID: 0 (0x0) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit ISAKMP Key Exchange Payload: | next payload type: ISAKMP_NEXT_NONCE (0xa) | next payload chain: ignoring supplied 'ISAKMP Key Exchange Payload'.'next payload type' value 10:ISAKMP_NEXT_NONCE | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Key Exchange Payload (4:ISAKMP_NEXT_KE) | next payload chain: saving location 'ISAKMP Key Exchange Payload'.'next payload type' in 'reply packet' | emitting 256 raw bytes of keyex value into ISAKMP Key Exchange Payload | keyex value 21 9e 94 c5 40 6f 96 14 d8 4c 84 66 d9 cc d5 78 | keyex value 86 5a b1 08 7b d7 f6 89 d8 60 1f 20 28 48 17 f0 | keyex value 9c 2e a0 1c d7 dd ab 9e 53 44 6e c7 69 a7 af 12 | keyex value 31 1f 1e 31 13 13 dc 2b b6 0a d0 e8 49 71 3e 28 | keyex value e5 54 0d 06 6c 4d cc 42 96 7f 53 fd dd c1 67 31 | keyex value ff 89 86 87 a1 f6 87 0d 4a 7c 43 5f 62 93 c7 e0 | keyex value 4a 3c 01 3d a7 69 44 c6 f2 e8 d9 2f 2a af c1 07 | keyex value 54 47 4e 2b c8 79 cf 1d d7 2e fd 0d 82 65 6d 73 | keyex value 12 d2 7d 64 d1 6d f8 1e 50 e6 b5 9e b5 41 d7 ef | keyex value 17 17 1f 45 ca f2 3a e7 17 bb 6a e4 6b 82 11 e3 | keyex value 56 00 9a c3 c4 7f 47 c3 57 3b 5b ea 64 4b 25 0d | keyex value d4 62 95 a8 f9 91 64 42 dd b2 c0 cd 8b 9e e0 db | keyex value a2 fc c8 95 8a 1c 48 96 d4 51 d8 21 f2 22 79 3d | keyex value 71 3b 97 5e 17 28 f0 2b b7 6e 45 d5 c1 71 5b c6 | keyex value e2 b1 f6 2f 76 79 c2 6c 00 23 4c 4b 48 2f 1b 85 | keyex value 84 63 7e a2 fe 6a 84 60 5f 0d 04 9a 81 c7 30 2f | emitting length of ISAKMP Key Exchange Payload: 260 | ***emit ISAKMP Nonce Payload: | next payload type: ISAKMP_NEXT_CR (0x7) | next payload chain: ignoring supplied 'ISAKMP Nonce Payload'.'next payload type' value 7:ISAKMP_NEXT_CR | next payload chain: setting previous 'ISAKMP Key Exchange Payload'.'next payload type' to current ISAKMP Nonce Payload (10:ISAKMP_NEXT_NONCE) | next payload chain: saving location 'ISAKMP Nonce Payload'.'next payload type' in 'reply packet' | emitting 32 raw bytes of Nr into ISAKMP Nonce Payload | Nr 83 cb b6 9d a5 82 ad c7 6d db e6 8b 5d 5e e0 77 | Nr f8 e8 da 01 76 95 38 8b 33 de 1e 67 9e a8 68 a4 | emitting length of ISAKMP Nonce Payload: 36 | ***emit ISAKMP Certificate RequestPayload: | next payload type: ISAKMP_NEXT_NONE (0x0) | cert type: CERT_X509_SIGNATURE (0x4) | next payload chain: setting previous 'ISAKMP Nonce Payload'.'next payload type' to current ISAKMP Certificate RequestPayload (7:ISAKMP_NEXT_CR) | next payload chain: saving location 'ISAKMP Certificate RequestPayload'.'next payload type' in 'reply packet' | emitting 175 raw bytes of CA into ISAKMP Certificate RequestPayload | CA 30 81 ac 31 0b 30 09 06 03 55 04 06 13 02 43 41 | CA 31 10 30 0e 06 03 55 04 08 0c 07 4f 6e 74 61 72 | CA 69 6f 31 10 30 0e 06 03 55 04 07 0c 07 54 6f 72 | CA 6f 6e 74 6f 31 12 30 10 06 03 55 04 0a 0c 09 4c | CA 69 62 72 65 73 77 61 6e 31 18 30 16 06 03 55 04 | CA 0b 0c 0f 54 65 73 74 20 44 65 70 61 72 74 6d 65 | CA 6e 74 31 25 30 23 06 03 55 04 03 0c 1c 4c 69 62 | CA 72 65 73 77 61 6e 20 74 65 73 74 20 43 41 20 66 | CA 6f 72 20 6d 61 69 6e 63 61 31 24 30 22 06 09 2a | CA 86 48 86 f7 0d 01 09 01 16 15 74 65 73 74 69 6e | CA 67 40 6c 69 62 72 65 73 77 61 6e 2e 6f 72 67 | emitting length of ISAKMP Certificate RequestPayload: 180 | sending NAT-D payloads | natd_hash: hasher=0x563b219bdca0(32) | natd_hash: icookie= 2d 14 fe 25 fd 9f c6 72 | natd_hash: rcookie= c6 c5 70 a7 a3 e3 3e 2b | natd_hash: ip= c0 01 02 2d | natd_hash: port=500 | natd_hash: hash= fd 59 62 d6 38 21 87 a1 4a 32 2a 22 57 5f 77 4f | natd_hash: hash= 2a 43 6d 88 62 9c a9 19 75 4c c9 94 40 ac 38 b3 | ***emit ISAKMP NAT-D Payload: | next payload type: ISAKMP_NEXT_NATD_RFC (0x14) | next payload chain: ignoring supplied 'ISAKMP NAT-D Payload'.'next payload type' value 20:ISAKMP_NEXT_NATD_RFC | next payload chain: setting previous 'ISAKMP Certificate RequestPayload'.'next payload type' to current ISAKMP NAT-D Payload (20:ISAKMP_NEXT_NATD_RFC) | next payload chain: saving location 'ISAKMP NAT-D Payload'.'next payload type' in 'reply packet' | emitting 32 raw bytes of NAT-D into ISAKMP NAT-D Payload | NAT-D fd 59 62 d6 38 21 87 a1 4a 32 2a 22 57 5f 77 4f | NAT-D 2a 43 6d 88 62 9c a9 19 75 4c c9 94 40 ac 38 b3 | emitting length of ISAKMP NAT-D Payload: 36 | natd_hash: hasher=0x563b219bdca0(32) | natd_hash: icookie= 2d 14 fe 25 fd 9f c6 72 | natd_hash: rcookie= c6 c5 70 a7 a3 e3 3e 2b | natd_hash: ip= c0 01 02 17 | natd_hash: port=500 | natd_hash: hash= af 51 ae e9 c5 a8 ac 85 26 28 a5 99 40 1f 7b 58 | natd_hash: hash= 14 86 47 42 3f 1e d6 40 b1 8e 68 17 e8 4b 04 26 | ***emit ISAKMP NAT-D Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP NAT-D Payload'.'next payload type' to current ISAKMP NAT-D Payload (20:ISAKMP_NEXT_NATD_RFC) | next payload chain: saving location 'ISAKMP NAT-D Payload'.'next payload type' in 'reply packet' | emitting 32 raw bytes of NAT-D into ISAKMP NAT-D Payload | NAT-D af 51 ae e9 c5 a8 ac 85 26 28 a5 99 40 1f 7b 58 | NAT-D 14 86 47 42 3f 1e d6 40 b1 8e 68 17 e8 4b 04 26 | emitting length of ISAKMP NAT-D Payload: 36 | no IKEv1 message padding required | emitting length of ISAKMP Message: 576 | main inI2_outR2: starting async DH calculation (group=14) | started looking for secret for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org->C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org of kind PKK_PSK | actually looking for secret for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org->C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org of kind PKK_PSK | line 0: key type PKK_PSK(C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org) to type PKK_RSA | line 1: key type PKK_PSK(C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org) to type PKK_RSA | concluding with best_match=000 best=(nil) (lineno=-1) | no PreShared Key Found | adding main_inI2_outR2_tail work-order 2 for state #1 | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted | libevent_free: release ptr-libevent@0x563b232756b8 | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x563b232755d8 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x563b232755d8 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 | libevent_malloc: new ptr-libevent@0x563b2326dc88 size 128 | #1 main_inI2_outR2_continue1_tail:1165 st->st_calculating = FALSE; | complete v1 state transition with STF_OK | [RE]START processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in complete_v1_state_transition() at ikev1.c:2673) | #1 is idle; has background offloaded task | doing_xauth:no, t_xauth_client_done:no | IKEv1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2 | parent state #1: MAIN_R1(open IKE SA) => MAIN_R2(open IKE SA) | event_already_set, deleting event | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted | libevent_free: release ptr-libevent@0x563b2326dc88 | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x563b232755d8 | sending reply packet to 192.1.2.45:500 (from 192.1.2.23:500) | sending 576 bytes for STATE_MAIN_R1 through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #1) | 2d 14 fe 25 fd 9f c6 72 c6 c5 70 a7 a3 e3 3e 2b | 04 10 02 00 00 00 00 00 00 00 02 40 0a 00 01 04 | 21 9e 94 c5 40 6f 96 14 d8 4c 84 66 d9 cc d5 78 | 86 5a b1 08 7b d7 f6 89 d8 60 1f 20 28 48 17 f0 | 9c 2e a0 1c d7 dd ab 9e 53 44 6e c7 69 a7 af 12 | 31 1f 1e 31 13 13 dc 2b b6 0a d0 e8 49 71 3e 28 | e5 54 0d 06 6c 4d cc 42 96 7f 53 fd dd c1 67 31 | ff 89 86 87 a1 f6 87 0d 4a 7c 43 5f 62 93 c7 e0 | 4a 3c 01 3d a7 69 44 c6 f2 e8 d9 2f 2a af c1 07 | 54 47 4e 2b c8 79 cf 1d d7 2e fd 0d 82 65 6d 73 | 12 d2 7d 64 d1 6d f8 1e 50 e6 b5 9e b5 41 d7 ef | 17 17 1f 45 ca f2 3a e7 17 bb 6a e4 6b 82 11 e3 | 56 00 9a c3 c4 7f 47 c3 57 3b 5b ea 64 4b 25 0d | d4 62 95 a8 f9 91 64 42 dd b2 c0 cd 8b 9e e0 db | a2 fc c8 95 8a 1c 48 96 d4 51 d8 21 f2 22 79 3d | 71 3b 97 5e 17 28 f0 2b b7 6e 45 d5 c1 71 5b c6 | e2 b1 f6 2f 76 79 c2 6c 00 23 4c 4b 48 2f 1b 85 | 84 63 7e a2 fe 6a 84 60 5f 0d 04 9a 81 c7 30 2f | 07 00 00 24 83 cb b6 9d a5 82 ad c7 6d db e6 8b | 5d 5e e0 77 f8 e8 da 01 76 95 38 8b 33 de 1e 67 | 9e a8 68 a4 14 00 00 b4 04 30 81 ac 31 0b 30 09 | 06 03 55 04 06 13 02 43 41 31 10 30 0e 06 03 55 | 04 08 0c 07 4f 6e 74 61 72 69 6f 31 10 30 0e 06 | 03 55 04 07 0c 07 54 6f 72 6f 6e 74 6f 31 12 30 | 10 06 03 55 04 0a 0c 09 4c 69 62 72 65 73 77 61 | 6e 31 18 30 16 06 03 55 04 0b 0c 0f 54 65 73 74 | 20 44 65 70 61 72 74 6d 65 6e 74 31 25 30 23 06 | 03 55 04 03 0c 1c 4c 69 62 72 65 73 77 61 6e 20 | 74 65 73 74 20 43 41 20 66 6f 72 20 6d 61 69 6e | 63 61 31 24 30 22 06 09 2a 86 48 86 f7 0d 01 09 | 01 16 15 74 65 73 74 69 6e 67 40 6c 69 62 72 65 | 73 77 61 6e 2e 6f 72 67 14 00 00 24 fd 59 62 d6 | 38 21 87 a1 4a 32 2a 22 57 5f 77 4f 2a 43 6d 88 | 62 9c a9 19 75 4c c9 94 40 ac 38 b3 00 00 00 24 | af 51 ae e9 c5 a8 ac 85 26 28 a5 99 40 1f 7b 58 | 14 86 47 42 3f 1e d6 40 b1 8e 68 17 e8 4b 04 26 | !event_already_set at reschedule "nss-cert" #1: IMPAIR: suppressing retransmits; scheduling timeout in 60 seconds | event_schedule: new EVENT_RETRANSMIT-pe@0x563b232755d8 | inserting event EVENT_RETRANSMIT, timeout in 60 seconds for #1 | libevent_malloc: new ptr-libevent@0x563b2326dc88 size 128 | #1 STATE_MAIN_R2: retransmits: first event in 60 seconds; timeout in 60 seconds; limit of 12 retransmits; current time is 11405.216044 "nss-cert" #1: STATE_MAIN_R2: sent MR2, expecting MI3 | modecfg pull: noquirk policy:push not-client | phase 1 is done, looking for phase 2 to unpend | resume sending helper answer for #1 suppresed complete_v1_state_transition() | #1 spent 0.412 milliseconds in resume sending helper answer | stop processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in resume_handler() at server.c:833) | libevent_free: release ptr-libevent@0x7f3648002888 | crypto helper 0 resuming | crypto helper 0 starting work-order 2 for state #1 | crypto helper 0 doing compute dh+iv (V1 Phase 1) (main_inI2_outR2_tail); request ID 2 | crypto helper 0 finished compute dh+iv (V1 Phase 1) (main_inI2_outR2_tail); request ID 2 time elapsed 0.001177 seconds | (#1) spent 1.18 milliseconds in crypto helper computing work-order 2: main_inI2_outR2_tail (pcr) | crypto helper 0 sending results from work-order 2 for state #1 to event queue | scheduling resume sending helper answer for #1 | libevent_malloc: new ptr-libevent@0x7f3640000f48 size 128 | crypto helper 0 waiting (nothing to do) | processing resume sending helper answer for #1 | start processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in resume_handler() at server.c:797) | crypto helper 0 replies to request ID 2 | calling continuation function 0x563b218e8b50 | main_inI2_outR2_calcdone for #1: calculate DH finished | [RE]START processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in main_inI2_outR2_continue2() at ikev1_main.c:1015) | stop processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in main_inI2_outR2_continue2() at ikev1_main.c:1028) | resume sending helper answer for #1 suppresed complete_v1_state_transition() | #1 spent 0.0216 milliseconds in resume sending helper answer | processing: STOP state #0 (in resume_handler() at server.c:833) | libevent_free: release ptr-libevent@0x7f3640000f48 | spent 0.0029 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 620 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500) | 2d 14 fe 25 fd 9f c6 72 c6 c5 70 a7 a3 e3 3e 2b | 05 10 02 01 00 00 00 00 00 00 02 6c 80 62 e8 4d | 74 85 13 88 11 d4 7b 46 3d 58 7b 92 f4 63 ed 17 | 85 e7 b6 9a cf 4b 6a 5f 18 ea e3 98 7e 27 1d 8d | 88 cc 0c 03 89 23 81 b1 d3 99 0e 67 16 2e 67 17 | 0e 97 f6 2d 23 62 3a d0 1e 62 13 93 b4 ab 2a e1 | be 09 4a eb 89 40 4e 01 3a 53 2c 3b f0 eb c3 50 | 72 53 11 ef c4 2c 68 07 cb 81 9d 6a d5 39 b3 a1 | df 8b d3 fc 25 f6 34 59 4a ff 3e ea c1 3f c8 0c | be 1b 44 57 2d 93 9e 11 b3 8d 48 ac a4 77 9b 78 | e7 81 78 5c 68 f3 70 53 41 43 5c fe 5a db fb d9 | ab 35 cf 00 f8 ca 86 c5 15 cb a9 91 6b 38 63 0f | 17 f4 6f 93 72 b9 1e 6e bf a0 14 f2 01 ef 48 07 | 1a 6c e9 77 45 2e a9 0e ef 23 47 47 6c 26 6e 6a | 0d 63 da 1b c8 0e 2e ce e7 1c 80 34 2f ad 43 cc | d9 4a 04 c9 7a 41 34 6b 6e ee bc fb ce 61 47 74 | d0 b3 73 a0 e6 8f f9 ca 69 92 06 9e 95 88 eb 38 | 12 3e 58 38 a3 25 7b 99 f4 8f 12 2e 39 7d af ad | 0d 99 d3 d1 d3 d6 48 f3 e3 33 b1 bf 4c 3e 4a c7 | 5c b4 7b ab cc ad 71 db 81 04 4a 0d 79 4f be 5c | 87 17 72 8a 92 61 d0 6b ed 8f 7b 0d c0 d4 9a 22 | ac 59 e7 5d df 14 b1 32 c9 e1 69 3a e8 25 1a 8c | fc 13 f8 e7 02 16 f7 e2 46 37 a1 29 01 b9 2c 99 | 8f c5 d7 df 97 e5 23 da cf b5 50 10 b8 a8 0c 13 | ca e4 db 75 d6 9c ac c9 9b 3e 6a d8 97 cb 33 c8 | 09 e8 b3 23 e0 f4 e5 00 e1 a5 59 d9 66 a0 2b a6 | 52 12 cb 8d 55 24 10 22 4e c4 53 a5 ce d3 be 82 | e5 87 52 6c e1 33 42 40 23 b1 b5 bc 0c ed 6f 90 | 1b 80 a6 7b c7 f9 a9 bd a7 84 55 6b 25 de 38 19 | 08 5a f2 db 3f ef 8a 9e 70 04 2a d0 12 0e 34 a2 | 03 1c 7a 17 af 13 0f 39 43 18 1b 9a 8a ab b7 69 | a7 4f 21 99 cd 28 f2 7a c1 9e b3 74 78 52 48 93 | 7c 7c d2 54 59 ac 26 ce 66 88 0e 9b 60 ff 9e d7 | eb 1f 28 b1 da f0 36 02 46 51 3c cd e4 6a 4f d9 | b3 63 de 81 81 d5 1e 8c 51 6e a8 04 c1 30 10 95 | c2 06 e0 90 87 ed 59 93 20 a8 0f 17 6e 00 34 05 | fe 05 6c ba 47 84 4c 30 db 51 9b d9 cd 7d 23 03 | f7 ea 66 2e f2 ab a9 91 59 72 c1 68 8b 5f 95 bf | 8f 67 be 87 6b 2e f2 ce c3 a7 1e 59 | start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 2d 14 fe 25 fd 9f c6 72 | responder cookie: | c6 c5 70 a7 a3 e3 3e 2b | next payload type: ISAKMP_NEXT_ID (0x5) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_IDPROT (0x2) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 0 (0x0) | length: 620 (0x26c) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_IDPROT (2) | State DB: found IKEv1 state #1 in MAIN_R2 (find_state_ikev1) | start processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in process_v1_packet() at ikev1.c:1459) | #1 is idle | #1 idle | received encrypted packet from 192.1.2.45:500 | got payload 0x20 (ISAKMP_NEXT_ID) needed: 0x220 opt: 0x20c0 | ***parse ISAKMP Identification Payload: | next payload type: ISAKMP_NEXT_SIG (0x9) | length: 191 (0xbf) | ID type: ID_DER_ASN1_DN (0x9) | DOI specific A: 0 (0x0) | DOI specific B: 0 (0x0) | obj: 30 81 b4 31 0b 30 09 06 03 55 04 06 13 02 43 41 | obj: 31 10 30 0e 06 03 55 04 08 0c 07 4f 6e 74 61 72 | obj: 69 6f 31 10 30 0e 06 03 55 04 07 0c 07 54 6f 72 | obj: 6f 6e 74 6f 31 12 30 10 06 03 55 04 0a 0c 09 4c | obj: 69 62 72 65 73 77 61 6e 31 18 30 16 06 03 55 04 | obj: 0b 0c 0f 54 65 73 74 20 44 65 70 61 72 74 6d 65 | obj: 6e 74 31 23 30 21 06 03 55 04 03 0c 1a 77 65 73 | obj: 74 2e 74 65 73 74 69 6e 67 2e 6c 69 62 72 65 73 | obj: 77 61 6e 2e 6f 72 67 31 2e 30 2c 06 09 2a 86 48 | obj: 86 f7 0d 01 09 01 16 1f 75 73 65 72 2d 77 65 73 | obj: 74 40 74 65 73 74 69 6e 67 2e 6c 69 62 72 65 73 | obj: 77 61 6e 2e 6f 72 67 | got payload 0x200 (ISAKMP_NEXT_SIG) needed: 0x200 opt: 0x20c0 | ***parse ISAKMP Signature Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 388 (0x184) | removing 13 bytes of padding | message 'main_inI3_outR3' HASH payload not checked early | DER ASN1 DN: 30 81 b4 31 0b 30 09 06 03 55 04 06 13 02 43 41 | DER ASN1 DN: 31 10 30 0e 06 03 55 04 08 0c 07 4f 6e 74 61 72 | DER ASN1 DN: 69 6f 31 10 30 0e 06 03 55 04 07 0c 07 54 6f 72 | DER ASN1 DN: 6f 6e 74 6f 31 12 30 10 06 03 55 04 0a 0c 09 4c | DER ASN1 DN: 69 62 72 65 73 77 61 6e 31 18 30 16 06 03 55 04 | DER ASN1 DN: 0b 0c 0f 54 65 73 74 20 44 65 70 61 72 74 6d 65 | DER ASN1 DN: 6e 74 31 23 30 21 06 03 55 04 03 0c 1a 77 65 73 | DER ASN1 DN: 74 2e 74 65 73 74 69 6e 67 2e 6c 69 62 72 65 73 | DER ASN1 DN: 77 61 6e 2e 6f 72 67 31 2e 30 2c 06 09 2a 86 48 | DER ASN1 DN: 86 f7 0d 01 09 01 16 1f 75 73 65 72 2d 77 65 73 | DER ASN1 DN: 74 40 74 65 73 74 69 6e 67 2e 6c 69 62 72 65 73 | DER ASN1 DN: 77 61 6e 2e 6f 72 67 "nss-cert" #1: Peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' | X509: no CERT payloads to process | refine_host_connection for IKEv1: starting with "nss-cert" | trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | trusted_ca_nss: trustor B = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | refine_host_connection: happy with starting point: "nss-cert" | The remote did not specify an IDr and our current connection is good enough | offered CA: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | required RSA CA is 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | checking RSA keyid 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' for match with 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' | checking RSA keyid 'user-east@testing.libreswan.org' for match with 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' | checking RSA keyid '@east.testing.libreswan.org' for match with 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' | checking RSA keyid 'east@testing.libreswan.org' for match with 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' | checking RSA keyid '192.1.2.23' for match with 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' | checking RSA keyid 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' for match with 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' | trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | trusted_ca_nss: trustor B = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | key issuer CA is 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | an RSA Sig check passed with *AwEAAZd0v [preloaded key] | #1 spent 0.17 milliseconds in try_all_RSA_keys() trying a pubkey "nss-cert" #1: Authenticated using RSA | thinking about whether to send my certificate: | I have RSA key: OAKLEY_RSA_SIG cert.type: CERT_X509_SIGNATURE | sendcert: CERT_NEVERSEND and I did not get a certificate request | so do not send cert. | INVALID AUTH SETTING: 3 | **emit ISAKMP Message: | initiator cookie: | 2d 14 fe 25 fd 9f c6 72 | responder cookie: | c6 c5 70 a7 a3 e3 3e 2b | next payload type: ISAKMP_NEXT_ID (0x5) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_IDPROT (0x2) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 0 (0x0) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | next payload chain: ignoring supplied 'ISAKMP Message'.'next payload type' value 5:ISAKMP_NEXT_ID | ***emit ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_SIG (0x9) | ID type: ID_DER_ASN1_DN (0x9) | Protocol ID: 0 (0x0) | port: 0 (0x0) | next payload chain: ignoring supplied 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' value 9:ISAKMP_NEXT_SIG | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Identification Payload (IPsec DOI) (5:ISAKMP_NEXT_ID) | next payload chain: saving location 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' in 'reply packet' | emitting 183 raw bytes of my identity into ISAKMP Identification Payload (IPsec DOI) | my identity 30 81 b4 31 0b 30 09 06 03 55 04 06 13 02 43 41 | my identity 31 10 30 0e 06 03 55 04 08 0c 07 4f 6e 74 61 72 | my identity 69 6f 31 10 30 0e 06 03 55 04 07 0c 07 54 6f 72 | my identity 6f 6e 74 6f 31 12 30 10 06 03 55 04 0a 0c 09 4c | my identity 69 62 72 65 73 77 61 6e 31 18 30 16 06 03 55 04 | my identity 0b 0c 0f 54 65 73 74 20 44 65 70 61 72 74 6d 65 | my identity 6e 74 31 23 30 21 06 03 55 04 03 0c 1a 65 61 73 | my identity 74 2e 74 65 73 74 69 6e 67 2e 6c 69 62 72 65 73 | my identity 77 61 6e 2e 6f 72 67 31 2e 30 2c 06 09 2a 86 48 | my identity 86 f7 0d 01 09 01 16 1f 75 73 65 72 2d 65 61 73 | my identity 74 40 74 65 73 74 69 6e 67 2e 6c 69 62 72 65 73 | my identity 77 61 6e 2e 6f 72 67 | emitting length of ISAKMP Identification Payload (IPsec DOI): 191 | started looking for secret for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org->C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org of kind PKK_RSA | searching for certificate PKK_RSA:AwEAAbEef vs PKK_RSA:AwEAAbEef | ***emit ISAKMP Signature Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' to current ISAKMP Signature Payload (9:ISAKMP_NEXT_SIG) | next payload chain: saving location 'ISAKMP Signature Payload'.'next payload type' in 'reply packet' | emitting 384 raw bytes of SIG_R into ISAKMP Signature Payload | SIG_R 74 41 9c c6 d5 c0 4e ba 09 1c 32 c8 ad 16 41 05 | SIG_R dc 35 46 00 97 73 3a af 9d 0c cd 70 85 01 4d b5 | SIG_R 72 2c f7 5a a0 e2 1c e8 0f 9a 29 7c 24 b5 a1 ae | SIG_R 44 86 26 97 ba dc 75 1d 2e 3f 57 df b0 ab f5 14 | SIG_R cf 97 35 29 56 67 7a 94 82 a1 a9 31 06 fe 53 52 | SIG_R b1 5e 2a 58 30 b0 da 08 58 cb cd cc 2f 06 60 ca | SIG_R ff 25 c1 29 43 5c fb 67 6a ed 84 d9 69 6b fe 9b | SIG_R 38 9c da 19 bd c0 46 a4 5e 0f c3 67 17 fe 54 af | SIG_R 54 ee ff 7d 4b 92 10 89 22 b9 2d ba ea c7 23 b7 | SIG_R e0 74 6e 23 c8 7e 4c 11 ca ca 05 8b 8f a2 e8 bd | SIG_R ff 35 ee 5f fe 50 24 52 36 51 29 1f 5b 16 15 e2 | SIG_R 1f 51 9d 6e f3 9b f4 86 e4 ac 04 cf 05 c2 4e 5a | SIG_R f2 2b 4d c4 b3 aa c7 6e 41 1b 59 f0 78 09 44 17 | SIG_R a1 7c 29 0d a3 b6 02 49 8a 5e 62 72 50 67 31 86 | SIG_R fd 82 1c e8 aa c7 35 dc 4e 4d 38 17 4a c4 c2 e4 | SIG_R d3 fc 95 25 78 fb 49 6e 34 de 7f 45 cc f0 48 64 | SIG_R 59 80 46 e5 f8 e6 1b 60 cd 8b c3 0d 35 ef 71 cc | SIG_R 9f 93 13 5d f8 be 4c 09 01 fb 56 be ed 45 38 fb | SIG_R 57 46 57 ea 1d c5 07 c5 51 b7 22 f9 ab f4 2a 2a | SIG_R 40 48 42 6f 28 97 b2 17 7d ac 4c 0c e0 17 5d 42 | SIG_R bf 62 06 0c 67 1b 03 20 4f ec d8 8d 60 9d 33 04 | SIG_R 7c be 73 26 72 54 3b 85 e5 5f 87 53 ed 24 ab 1f | SIG_R b3 74 e7 19 18 f1 92 f7 78 c5 5a 62 8f 42 c5 3d | SIG_R 24 12 53 fc ea 18 59 e8 1d 58 41 c5 64 4b d7 7f | emitting length of ISAKMP Signature Payload: 388 | emitting 13 zero bytes of encryption padding into ISAKMP Message | no IKEv1 message padding required | emitting length of ISAKMP Message: 620 | FOR_EACH_CONNECTION_... in ISAKMP_SA_established | complete v1 state transition with STF_OK | [RE]START processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in complete_v1_state_transition() at ikev1.c:2673) | #1 is idle | doing_xauth:no, t_xauth_client_done:no | IKEv1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3 | parent state #1: MAIN_R2(open IKE SA) => MAIN_R3(established IKE SA) | event_already_set, deleting event | state #1 requesting EVENT_RETRANSMIT to be deleted | #1 STATE_MAIN_R3: retransmits: cleared | libevent_free: release ptr-libevent@0x563b2326dc88 | free_event_entry: release EVENT_RETRANSMIT-pe@0x563b232755d8 | sending reply packet to 192.1.2.45:500 (from 192.1.2.23:500) | sending 620 bytes for STATE_MAIN_R2 through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #1) | 2d 14 fe 25 fd 9f c6 72 c6 c5 70 a7 a3 e3 3e 2b | 05 10 02 01 00 00 00 00 00 00 02 6c 04 97 a0 04 | 54 ae 3f 80 d3 5b 02 ba 63 cd 05 da 42 35 b1 dd | 3e 84 6b 24 78 9e 18 8f ea 21 dc 7c e4 54 cd 0c | 7e 10 26 6f 7a ac 68 4f 43 7b 36 9f 84 1d e0 d6 | 7a e7 e6 48 54 72 25 6c 6c 57 89 6b 20 29 60 55 | 97 16 d5 f6 94 c1 ff 33 06 76 39 c4 bc a6 c7 9d | 57 eb c5 f4 8b 3f 4f 60 2c f6 8b 28 15 4e 46 3c | 45 d6 49 85 03 ba 7f 3d 8d 40 10 89 e6 c1 0e c8 | 54 e8 7c e1 d1 b7 13 f9 77 70 35 7b e8 5e 92 e5 | 7f e9 fd fd c7 a1 16 44 98 a2 03 55 1b 61 d3 4d | 9c 68 d7 80 8e 30 6d 59 53 0d 81 31 af 6d 82 fe | 41 d8 6e 90 36 80 de 6b b0 e5 9c 35 7d 7a 90 9d | 88 99 e6 9f b0 3d 00 64 36 8e 2b ce 26 3d 9a 76 | 6f 9d 3b f2 bd 36 c4 03 25 0c 08 b3 40 2c a3 55 | 24 8f ce 29 32 40 6d ea ad fc bd 48 92 3e 1d 30 | 33 4a 77 9b df 2b d4 3f 99 68 2f b7 6b 6c 39 e1 | fc 10 63 e2 67 aa 5f fc 39 b6 95 f4 12 38 ec 2b | a4 37 51 e7 77 2a a6 01 91 62 4b 81 f0 e1 1f b4 | 62 6e ad 94 0c d5 d1 fa 9e 8f 52 e3 94 7b 40 96 | 25 b5 ff 51 a7 34 cc 8a 5e e0 24 dc 8c bf 3b 6a | 61 d9 1d 96 c0 1f 07 f5 73 02 b8 ba b4 00 6e c3 | cb 85 79 7e 54 ae 04 2d 89 bf 2b 66 79 d1 9a 8a | 2a a7 82 4c 31 7b d3 57 9a b0 2d 90 0d 5a e7 46 | 24 74 54 c1 01 64 67 99 35 dc a4 8b 95 ad 01 13 | 9d bc 3e 34 d7 82 24 02 31 82 61 99 3c 73 29 79 | 34 dd a3 59 3c 96 98 99 e2 79 be 96 97 a8 b6 9d | 7b a8 53 7d 2f 4f 44 d5 eb 69 d0 81 16 a5 7c 48 | b1 41 81 0c 85 a2 6f 95 c3 1f 59 53 3a f4 28 5f | 7a aa 65 1b 54 8c d8 85 cb dc 24 18 0c 99 49 23 | 6a 3c 7f d5 25 05 3f 64 40 c6 b8 74 0f 63 32 6d | eb 59 88 86 9a a2 3b d1 4e 68 b5 4a da ab 47 68 | c3 e1 34 a7 ff ac 68 93 2f d6 13 56 b5 c4 74 d8 | 8d 6a 9b 2c 1f cd a2 0d 13 6a 24 35 b5 0e 85 ba | 6c 5a af ca 87 f8 48 2d b2 d5 de 03 56 7e 22 25 | ea d7 0f 3b 84 54 d5 ec 71 1c fc 19 c1 8e c2 0f | 8b b4 2e 27 75 28 2f 67 ec 49 3d 75 a8 41 39 98 | 42 f9 00 61 47 fb 25 29 30 98 88 7f d0 a5 ff d2 | e4 9c 6f fc dd 43 09 c0 6d 60 e7 58 | !event_already_set at reschedule | event_schedule: new EVENT_SA_REPLACE-pe@0x563b232755d8 | inserting event EVENT_SA_REPLACE, timeout in 3330 seconds for #1 | libevent_malloc: new ptr-libevent@0x7f3648002888 size 128 | pstats #1 ikev1.isakmp established "nss-cert" #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=RSA_SIG cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048} | DPD: dpd_init() called on ISAKMP SA | DPD: Peer supports Dead Peer Detection | DPD: not initializing DPD because DPD is disabled locally | modecfg pull: noquirk policy:push not-client | phase 1 is done, looking for phase 2 to unpend | unpending state #1 | #1 spent 8.27 milliseconds | #1 spent 8.64 milliseconds in process_packet_tail() | stop processing: from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:380) | stop processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 8.85 milliseconds in comm_handle_cb() reading and processing packet | spent 0.0027 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 476 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500) | 2d 14 fe 25 fd 9f c6 72 c6 c5 70 a7 a3 e3 3e 2b | 08 10 20 01 23 08 92 cf 00 00 01 dc ab f4 5c 51 | 0f 5a 49 6e 4d 8a 77 35 0f f0 38 1d b4 ac 86 2c | 29 c7 a0 76 06 de 62 38 36 6d 30 48 35 25 da c9 | 2a 8b 54 7e 16 b3 60 0f 05 d3 6c c7 26 ba 5b c2 | fd c6 f4 56 e6 3c 98 b9 8e 2b 2d 9e ce bc c2 9b | 7f 76 46 be e0 b5 ff 3e 33 0f 89 10 33 63 df 78 | 53 9f af 0b 56 bc fd 60 d7 27 fc a7 b6 95 57 f9 | 89 a3 d8 56 00 89 3f a3 3a e6 66 83 52 dc 67 ad | 9a 50 f2 45 02 a5 5a e9 73 3a 1c 96 b5 42 55 1b | 05 90 52 91 17 cd 3c de 0d d1 b6 53 7b be 00 79 | ce e3 e1 38 56 3a e6 25 5f 72 14 bd 7d 28 23 50 | 5b c0 b5 48 e3 7f 54 ae 62 d5 9d 1c 1f 23 da dd | 6e 28 e7 b4 fb 3f a0 54 bd b0 44 c0 39 c2 06 ea | 8d cd d0 72 70 45 c7 2f 38 dc f8 06 2a 7c 4d 6f | fa f1 fe b5 46 2e c2 62 cf 4b a4 b4 6d bc 43 a0 | a9 c7 13 ce 2d 66 bf 8f b1 1f be 32 a2 a9 f4 8c | 7c 3f e5 dd 35 29 d9 57 17 43 8c 52 a6 f5 25 b1 | e5 94 1d c8 ca 4c 70 8d b9 29 22 1c d4 5d 1d 38 | dc 7e f6 6d a2 ff ce f7 11 ec 69 52 32 c6 f7 45 | ea 50 2b d6 8f 7b 83 a8 a7 51 1e a8 f4 97 74 ff | 6c 45 98 ac 3c ad 19 4a 4b 8a cd d8 59 72 fd 36 | a1 f8 3a 5a 90 fe 38 26 4a d2 9c 82 d8 1d 46 3e | 3b da 3c 58 d3 91 ff e7 f4 77 e3 1b 89 4e 76 c6 | d2 52 1f 66 5b f8 7a 6f 6d ef 7d 1f ef da f1 8a | 61 b7 f9 2c ac 12 ad 2a f2 bf fe a0 a6 5e fd a6 | a9 a9 e5 bc 83 b2 64 23 2a b1 4b 53 4c b9 ae be | 10 dc 1b 29 ae a2 3a c1 fb 6d 4a a7 4a c2 7f 1d | 4e d6 7f 8c 90 ab e7 6e cf ee fc e4 b9 08 f9 3d | a9 00 1a 54 87 55 e3 1e 1a 3e d5 f1 | start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 2d 14 fe 25 fd 9f c6 72 | responder cookie: | c6 c5 70 a7 a3 e3 3e 2b | next payload type: ISAKMP_NEXT_HASH (0x8) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_QUICK (0x20) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 587764431 (0x230892cf) | length: 476 (0x1dc) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_QUICK (32) | State DB: IKEv1 state not found (find_state_ikev1) | State DB: found IKEv1 state #1 in MAIN_R3 (find_state_ikev1) | start processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in process_v1_packet() at ikev1.c:1607) | #1 is idle | #1 idle | received encrypted packet from 192.1.2.45:500 | got payload 0x100 (ISAKMP_NEXT_HASH) needed: 0x502 opt: 0x200030 | ***parse ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_SA (0x1) | length: 36 (0x24) | got payload 0x2 (ISAKMP_NEXT_SA) needed: 0x402 opt: 0x200030 | ***parse ISAKMP Security Association Payload: | next payload type: ISAKMP_NEXT_NONCE (0xa) | length: 84 (0x54) | DOI: ISAKMP_DOI_IPSEC (0x1) | got payload 0x400 (ISAKMP_NEXT_NONCE) needed: 0x400 opt: 0x200030 | ***parse ISAKMP Nonce Payload: | next payload type: ISAKMP_NEXT_KE (0x4) | length: 36 (0x24) | got payload 0x10 (ISAKMP_NEXT_KE) needed: 0x0 opt: 0x200030 | ***parse ISAKMP Key Exchange Payload: | next payload type: ISAKMP_NEXT_ID (0x5) | length: 260 (0x104) | got payload 0x20 (ISAKMP_NEXT_ID) needed: 0x0 opt: 0x200030 | ***parse ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_ID (0x5) | length: 12 (0xc) | ID type: ID_IPV4_ADDR (0x1) | Protocol ID: 0 (0x0) | port: 0 (0x0) | obj: c0 00 01 fe | got payload 0x20 (ISAKMP_NEXT_ID) needed: 0x0 opt: 0x200030 | ***parse ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 12 (0xc) | ID type: ID_IPV4_ADDR (0x1) | Protocol ID: 0 (0x0) | port: 0 (0x0) | obj: c0 00 02 fe | removing 8 bytes of padding | quick_inI1_outR1 HASH(1): | 98 45 25 93 54 58 c6 3a bb a0 ee d5 0f 83 36 22 | 4a f8 dc e5 5d 13 ff 23 b7 90 65 c2 1b a0 4d 03 | received 'quick_inI1_outR1' message HASH(1) data ok | parsing 4 raw bytes of ISAKMP Identification Payload (IPsec DOI) into ID address | ID address c0 00 01 fe | peer client is 192.0.1.254/32 | peer client protocol/port is 0/0 | parsing 4 raw bytes of ISAKMP Identification Payload (IPsec DOI) into ID address | ID address c0 00 02 fe | our client is 192.0.2.254/32 | our client protocol/port is 0/0 "nss-cert" #1: the peer proposed: 192.0.2.254/32:0/0 -> 192.0.1.254/32:0/0 | find_client_connection starting with nss-cert | looking for 192.0.2.254/32:0/0 -> 192.0.1.254/32:0/0 | concrete checking against sr#0 192.0.2.254/32 -> 192.0.1.254/32 | match_id a=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org | b=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org | results matched | trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | trusted_ca_nss: trustor B = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | fc_try trying nss-cert:192.0.2.254/32:0/0 -> 192.0.1.254/32:0/0 vs nss-cert:192.0.2.254/32:0/0 -> 192.0.1.254/32:0/0 | fc_try concluding with nss-cert [129] | fc_try nss-cert gives nss-cert | concluding with d = nss-cert | client wildcard: no port wildcard: no virtual: no | creating state object #2 at 0x563b2327e838 | State DB: adding IKEv1 state #2 in UNDEFINED | pstats #2 ikev1.ipsec started | duplicating state object #1 "nss-cert" as #2 for IPSEC SA | #2 setting local endpoint to 192.1.2.23:500 from #1.st_localport (in duplicate_state() at state.c:1484) | suspend processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in quick_inI1_outR1_tail() at ikev1_quick.c:1295) | start processing: state #2 connection "nss-cert" from 192.1.2.45:500 (in quick_inI1_outR1_tail() at ikev1_quick.c:1295) | child state #2: UNDEFINED(ignore) => QUICK_R0(established CHILD SA) | ****parse IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ****parse ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 72 (0x48) | proposal number: 0 (0x0) | protocol ID: PROTO_IPSEC_ESP (0x3) | SPI size: 4 (0x4) | number of transforms: 2 (0x2) | parsing 4 raw bytes of ISAKMP Proposal Payload into SPI | SPI d0 0a 35 fc | *****parse ISAKMP Transform Payload (ESP): | next payload type: ISAKMP_NEXT_T (0x3) | length: 32 (0x20) | ESP transform number: 0 (0x0) | ESP transform ID: ESP_AES (0xc) | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+GROUP_DESCRIPTION (0x8003) | length/value: 14 (0xe) | [14 is OAKLEY_GROUP_MODP2048] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+ENCAPSULATION_MODE (0x8004) | length/value: 1 (0x1) | [1 is ENCAPSULATION_MODE_TUNNEL] | NAT-T non-encap: Installing IPsec SA without ENCAP, st->hidden_variables.st_nat_traversal is none | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+SA_LIFE_TYPE (0x8001) | length/value: 1 (0x1) | [1 is SA_LIFE_TYPE_SECONDS] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+SA_LIFE_DURATION (variable length) (0x8002) | length/value: 28800 (0x7080) | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+AUTH_ALGORITHM (0x8005) | length/value: 2 (0x2) | [2 is AUTH_ALGORITHM_HMAC_SHA1] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+KEY_LENGTH (0x8006) | length/value: 128 (0x80) | ESP IPsec Transform verified unconditionally; no alg_info to check against | adding quick_outI1 KE work-order 3 for state #2 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x7f3648002b78 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #2 | libevent_malloc: new ptr-libevent@0x563b2327a5c8 size 128 | complete v1 state transition with STF_SUSPEND | [RE]START processing: state #2 connection "nss-cert" from 192.1.2.45:500 (in complete_v1_state_transition() at ikev1.c:2648) | suspending state #2 and saving MD | crypto helper 2 resuming | crypto helper 2 starting work-order 3 for state #2 | #2 is busy; has a suspended MD | crypto helper 2 doing build KE and nonce (quick_outI1 KE); request ID 3 | #1 spent 0.21 milliseconds in process_packet_tail() | stop processing: from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:380) | stop processing: state #2 connection "nss-cert" from 192.1.2.45:500 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.459 milliseconds in comm_handle_cb() reading and processing packet | crypto helper 2 finished build KE and nonce (quick_outI1 KE); request ID 3 time elapsed 0.000986 seconds | (#2) spent 0.969 milliseconds in crypto helper computing work-order 3: quick_outI1 KE (pcr) | crypto helper 2 sending results from work-order 3 for state #2 to event queue | scheduling resume sending helper answer for #2 | libevent_malloc: new ptr-libevent@0x7f3644003f28 size 128 | libevent_realloc: release ptr-libevent@0x563b23201208 | libevent_realloc: new ptr-libevent@0x7f3644003e78 size 128 | crypto helper 2 waiting (nothing to do) | processing resume sending helper answer for #2 | start processing: state #2 connection "nss-cert" from 192.1.2.45:500 (in resume_handler() at server.c:797) | crypto helper 2 replies to request ID 3 | calling continuation function 0x563b218e8b50 | quick_inI1_outR1_cryptocontinue1 for #2: calculated ke+nonce, calculating DH | started looking for secret for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org->C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org of kind PKK_PSK | actually looking for secret for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org->C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org of kind PKK_PSK | line 0: key type PKK_PSK(C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org) to type PKK_RSA | line 1: key type PKK_PSK(C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org) to type PKK_RSA | concluding with best_match=000 best=(nil) (lineno=-1) | no PreShared Key Found | adding quick outR1 DH work-order 4 for state #2 | state #2 requesting EVENT_CRYPTO_TIMEOUT to be deleted | libevent_free: release ptr-libevent@0x563b2327a5c8 | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x7f3648002b78 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x7f3648002b78 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #2 | libevent_malloc: new ptr-libevent@0x563b2327a5c8 size 128 | suspending state #2 and saving MD | #2 is busy; has a suspended MD | resume sending helper answer for #2 suppresed complete_v1_state_transition() and stole MD | crypto helper 3 resuming | crypto helper 3 starting work-order 4 for state #2 | #2 spent 0.0503 milliseconds in resume sending helper answer | crypto helper 3 doing compute dh (V1 Phase 2 PFS) (quick outR1 DH); request ID 4 | stop processing: state #2 connection "nss-cert" from 192.1.2.45:500 (in resume_handler() at server.c:833) | libevent_free: release ptr-libevent@0x7f3644003f28 | crypto helper 3 finished compute dh (V1 Phase 2 PFS) (quick outR1 DH); request ID 4 time elapsed 0.000982 seconds | (#2) spent 0.987 milliseconds in crypto helper computing work-order 4: quick outR1 DH (pcr) | crypto helper 3 sending results from work-order 4 for state #2 to event queue | scheduling resume sending helper answer for #2 | libevent_malloc: new ptr-libevent@0x7f3638003618 size 128 | crypto helper 3 waiting (nothing to do) | processing resume sending helper answer for #2 | start processing: state #2 connection "nss-cert" from 192.1.2.45:500 (in resume_handler() at server.c:797) | crypto helper 3 replies to request ID 4 | calling continuation function 0x563b218e8b50 | quick_inI1_outR1_cryptocontinue2 for #2: calculated DH, sending R1 | **emit ISAKMP Message: | initiator cookie: | 2d 14 fe 25 fd 9f c6 72 | responder cookie: | c6 c5 70 a7 a3 e3 3e 2b | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_QUICK (0x20) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 587764431 (0x230892cf) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Hash Payload (8:ISAKMP_NEXT_HASH) | next payload chain: saving location 'ISAKMP Hash Payload'.'next payload type' in 'reply packet' | emitting 32 zero bytes of HASH DATA into ISAKMP Hash Payload | emitting length of ISAKMP Hash Payload: 36 | ***emit ISAKMP Security Association Payload: | next payload type: ISAKMP_NEXT_NONCE (0xa) | DOI: ISAKMP_DOI_IPSEC (0x1) | next payload chain: ignoring supplied 'ISAKMP Security Association Payload'.'next payload type' value 10:ISAKMP_NEXT_NONCE | next payload chain: setting previous 'ISAKMP Hash Payload'.'next payload type' to current ISAKMP Security Association Payload (1:ISAKMP_NEXT_SA) | next payload chain: saving location 'ISAKMP Security Association Payload'.'next payload type' in 'reply packet' | ****parse IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ****parse ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 72 (0x48) | proposal number: 0 (0x0) | protocol ID: PROTO_IPSEC_ESP (0x3) | SPI size: 4 (0x4) | number of transforms: 2 (0x2) | parsing 4 raw bytes of ISAKMP Proposal Payload into SPI | SPI d0 0a 35 fc | *****parse ISAKMP Transform Payload (ESP): | next payload type: ISAKMP_NEXT_T (0x3) | length: 32 (0x20) | ESP transform number: 0 (0x0) | ESP transform ID: ESP_AES (0xc) | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+GROUP_DESCRIPTION (0x8003) | length/value: 14 (0xe) | [14 is OAKLEY_GROUP_MODP2048] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+ENCAPSULATION_MODE (0x8004) | length/value: 1 (0x1) | [1 is ENCAPSULATION_MODE_TUNNEL] | NAT-T non-encap: Installing IPsec SA without ENCAP, st->hidden_variables.st_nat_traversal is none | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+SA_LIFE_TYPE (0x8001) | length/value: 1 (0x1) | [1 is SA_LIFE_TYPE_SECONDS] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+SA_LIFE_DURATION (variable length) (0x8002) | length/value: 28800 (0x7080) | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+AUTH_ALGORITHM (0x8005) | length/value: 2 (0x2) | [2 is AUTH_ALGORITHM_HMAC_SHA1] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+KEY_LENGTH (0x8006) | length/value: 128 (0x80) | ESP IPsec Transform verified unconditionally; no alg_info to check against | ****emit IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ****emit ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | proposal number: 0 (0x0) | protocol ID: PROTO_IPSEC_ESP (0x3) | SPI size: 4 (0x4) | number of transforms: 1 (0x1) | last substructure: saving location 'ISAKMP Security Association Payload'.'ISAKMP Proposal Payload'.'next payload type' | netlink_get_spi: allocated 0xd40b9cd for esp.0@192.1.2.23 | emitting 4 raw bytes of SPI into ISAKMP Proposal Payload | SPI 0d 40 b9 cd | *****emit ISAKMP Transform Payload (ESP): | next payload type: ISAKMP_NEXT_NONE (0x0) | ESP transform number: 0 (0x0) | ESP transform ID: ESP_AES (0xc) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ESP)'.'next payload type' | emitting 24 raw bytes of attributes into ISAKMP Transform Payload (ESP) | attributes 80 03 00 0e 80 04 00 01 80 01 00 01 80 02 70 80 | attributes 80 05 00 02 80 06 00 80 | emitting length of ISAKMP Transform Payload (ESP): 32 | emitting length of ISAKMP Proposal Payload: 44 | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ESP)'.'next payload type' is 0 | emitting length of ISAKMP Security Association Payload: 56 | last substructure: checking 'ISAKMP Security Association Payload'.'ISAKMP Proposal Payload'.'next payload type' is 0 "nss-cert" #2: responding to Quick Mode proposal {msgid:230892cf} "nss-cert" #2: us: 192.0.2.254/32===192.1.2.23<192.1.2.23>[C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org,+S-C] "nss-cert" #2: them: 192.1.2.45<192.1.2.45>[C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org,+S-C]===192.0.1.254/32 | ***emit ISAKMP Nonce Payload: | next payload type: ISAKMP_NEXT_KE (0x4) | next payload chain: ignoring supplied 'ISAKMP Nonce Payload'.'next payload type' value 4:ISAKMP_NEXT_KE | next payload chain: setting previous 'ISAKMP Security Association Payload'.'next payload type' to current ISAKMP Nonce Payload (10:ISAKMP_NEXT_NONCE) | next payload chain: saving location 'ISAKMP Nonce Payload'.'next payload type' in 'reply packet' | emitting 32 raw bytes of Nr into ISAKMP Nonce Payload | Nr 17 2f 15 a0 94 f5 c9 67 08 8b 7a 63 57 23 66 1e | Nr 9d 1c 60 13 72 9a 6e 4f 1d c2 b9 d2 ca d3 8a b8 | emitting length of ISAKMP Nonce Payload: 36 | ***emit ISAKMP Key Exchange Payload: | next payload type: ISAKMP_NEXT_ID (0x5) | next payload chain: ignoring supplied 'ISAKMP Key Exchange Payload'.'next payload type' value 5:ISAKMP_NEXT_ID | next payload chain: setting previous 'ISAKMP Nonce Payload'.'next payload type' to current ISAKMP Key Exchange Payload (4:ISAKMP_NEXT_KE) | next payload chain: saving location 'ISAKMP Key Exchange Payload'.'next payload type' in 'reply packet' | emitting 256 raw bytes of keyex value into ISAKMP Key Exchange Payload | keyex value a9 6a e7 26 56 4d 7c 8d a0 91 b7 ba 2a aa f4 27 | keyex value 53 5d 16 de de 0a 84 f0 e8 8d fe 46 ef 0b 75 22 | keyex value 3f c8 57 a2 0b cd e6 e9 20 06 81 f5 9c c0 98 09 | keyex value d6 6b a5 2f 66 56 bd ab 19 5e 40 c1 5a 04 34 1c | keyex value 26 40 e6 08 5c 8a 77 97 67 68 38 ce 94 54 6b 0b | keyex value c0 fd 05 10 75 5b 91 7b 59 88 a0 a5 fa f0 3a a1 | keyex value e9 1b 01 08 01 d4 8f 4d fd 59 5e 0e 51 8b b4 f7 | keyex value bc 50 a7 49 56 d2 16 91 9e 91 97 91 06 7b a5 bd | keyex value 69 26 e9 83 3f 0d 1a 9b 0e d3 25 e3 fc 0a 1c 82 | keyex value 57 21 01 b3 a4 b3 e6 04 52 0a 6f be 07 83 1c 7a | keyex value b1 fd e0 f8 b9 02 c2 dc 2f 92 fa 98 df 58 15 1b | keyex value c9 bd f7 83 73 02 db dd 37 7d b8 0c f6 2e 43 56 | keyex value f2 50 b8 ff 56 55 59 fc 0e 5f d4 44 a9 be 79 d5 | keyex value 76 c6 76 b8 54 a6 a2 49 fb 93 f1 2c 51 29 48 e5 | keyex value 0e 8e 6b 1f 3f 95 c2 39 ed 8c 6e 11 a7 29 d5 10 | keyex value b4 ff 02 c3 46 56 fb dd c7 fa c3 fc d6 a5 34 76 | emitting length of ISAKMP Key Exchange Payload: 260 | ***emit ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_ID (0x5) | ID type: ID_IPV4_ADDR (0x1) | Protocol ID: 0 (0x0) | port: 0 (0x0) | next payload chain: ignoring supplied 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' value 5:ISAKMP_NEXT_ID | next payload chain: setting previous 'ISAKMP Key Exchange Payload'.'next payload type' to current ISAKMP Identification Payload (IPsec DOI) (5:ISAKMP_NEXT_ID) | next payload chain: saving location 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' in 'reply packet' | emitting 4 raw bytes of ID body into ISAKMP Identification Payload (IPsec DOI) | ID body c0 00 01 fe | emitting length of ISAKMP Identification Payload (IPsec DOI): 12 | ***emit ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_NONE (0x0) | ID type: ID_IPV4_ADDR (0x1) | Protocol ID: 0 (0x0) | port: 0 (0x0) | next payload chain: setting previous 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' to current ISAKMP Identification Payload (IPsec DOI) (5:ISAKMP_NEXT_ID) | next payload chain: saving location 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' in 'reply packet' | emitting 4 raw bytes of ID body into ISAKMP Identification Payload (IPsec DOI) | ID body c0 00 02 fe | emitting length of ISAKMP Identification Payload (IPsec DOI): 12 | quick inR1 outI2 HASH(2): | 17 02 85 f9 cd 91 93 84 1a c6 60 b9 46 1f e0 d8 | 0e 22 3c 93 34 8d 0a 10 c6 ce a1 b2 c6 2d 73 07 | compute_proto_keymat: needed_len (after ESP enc)=16 | compute_proto_keymat: needed_len (after ESP auth)=36 | FOR_EACH_CONNECTION_... in route_owner | conn nss-cert mark 0/00000000, 0/00000000 vs | conn nss-cert mark 0/00000000, 0/00000000 | route owner of "nss-cert" unrouted: NULL | install_inbound_ipsec_sa() checking if we can route | could_route called for nss-cert (kind=CK_PERMANENT) | FOR_EACH_CONNECTION_... in route_owner | conn nss-cert mark 0/00000000, 0/00000000 vs | conn nss-cert mark 0/00000000, 0/00000000 | route owner of "nss-cert" unrouted: NULL; eroute owner: NULL | routing is easy, or has resolvable near-conflict | checking if this is a replacement state | st=0x563b2327e838 ost=(nil) st->serialno=#2 ost->serialno=#0 | installing outgoing SA now as refhim=0 | looking for alg with encrypt: AES_CBC keylen: 128 integ: HMAC_SHA1_96 | encrypt AES_CBC keylen=128 transid=12, key_size=16, encryptalg=12 | st->st_esp.keymat_len=36 is encrypt_keymat_size=16 + integ_keymat_size=20 | setting IPsec SA replay-window to 32 | NIC esp-hw-offload not for connection 'nss-cert' not available on interface eth1 | netlink: enabling tunnel mode | netlink: setting IPsec SA replay-window to 32 using old-style req | netlink: esp-hw-offload not set for IPsec SA | netlink response for Add SA esp.d00a35fc@192.1.2.45 included non-error error | outgoing SA has refhim=0 | looking for alg with encrypt: AES_CBC keylen: 128 integ: HMAC_SHA1_96 | encrypt AES_CBC keylen=128 transid=12, key_size=16, encryptalg=12 | st->st_esp.keymat_len=36 is encrypt_keymat_size=16 + integ_keymat_size=20 | setting IPsec SA replay-window to 32 | NIC esp-hw-offload not for connection 'nss-cert' not available on interface eth1 | netlink: enabling tunnel mode | netlink: setting IPsec SA replay-window to 32 using old-style req | netlink: esp-hw-offload not set for IPsec SA | netlink response for Add SA esp.d40b9cd@192.1.2.23 included non-error error | priority calculation of connection "nss-cert" is 0xfdfdf | add inbound eroute 192.0.1.254/32:0 --0-> 192.0.2.254/32:0 => tun.10000@192.1.2.23 (raw_eroute) | IPsec Sa SPD priority set to 1040351 | raw_eroute result=success | emitting 4 zero bytes of encryption padding into ISAKMP Message | no IKEv1 message padding required | emitting length of ISAKMP Message: 444 | finished processing quick inI1 | complete v1 state transition with STF_OK | [RE]START processing: state #2 connection "nss-cert" from 192.1.2.45:500 (in complete_v1_state_transition() at ikev1.c:2673) | #2 is idle | doing_xauth:no, t_xauth_client_done:no | IKEv1: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1 | child state #2: QUICK_R0(established CHILD SA) => QUICK_R1(established CHILD SA) | event_already_set, deleting event | state #2 requesting EVENT_CRYPTO_TIMEOUT to be deleted | libevent_free: release ptr-libevent@0x563b2327a5c8 | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x7f3648002b78 | sending reply packet to 192.1.2.45:500 (from 192.1.2.23:500) | sending 444 bytes for STATE_QUICK_R0 through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #2) | 2d 14 fe 25 fd 9f c6 72 c6 c5 70 a7 a3 e3 3e 2b | 08 10 20 01 23 08 92 cf 00 00 01 bc 06 7a 21 41 | cd ec e8 a2 2f 2c 7e 83 fd a2 5b 31 c5 cc 83 55 | 33 1e 24 c4 b0 df d8 37 b5 11 1e 84 78 1b 76 85 | 5f d1 48 9d 44 30 97 6f d8 15 57 9a dd 1a 0c 40 | ab 5a 75 b8 70 18 a2 54 fe ed e5 e4 24 04 69 ba | 02 e9 0d 60 37 09 11 70 e3 9f 96 46 82 da 19 9b | f9 78 d6 f1 14 23 a8 ee 57 83 ad 5e 3e 1a 40 67 | b1 15 75 10 6b 08 e2 13 80 32 e7 8f c4 4a 68 55 | d1 c7 88 3d 7f 89 be b4 cf 17 29 98 76 6f 78 a6 | e7 96 08 40 2c 86 e4 d1 88 39 2a 11 df f5 a4 a6 | f3 c4 08 e5 11 9a ae c4 87 20 0e 9b 1a 76 a4 a0 | c4 4b f6 c3 8e f1 ea 26 9f ce 77 5e da c8 4e 11 | d4 3a f1 53 b0 70 75 ad 56 75 0e b6 4f cf 2d 61 | 1b 5c ac d8 91 b1 61 6c bc df cf 6f b7 85 9d b8 | 0d 1d c8 be 31 92 92 a7 3f 36 43 65 82 f3 5b ba | e0 99 49 2a d8 e7 ed e8 90 30 8a d4 f6 48 97 d9 | 4f 3f 30 90 7b 57 70 9d cc 46 7d 86 ea 65 da 5a | 3d 3f 4c aa 3e 9d 70 ee 96 c0 ad 76 59 a3 20 4f | a3 83 a5 0b 17 a9 34 af 5a 09 b7 11 45 f1 69 86 | 05 11 d9 e8 1c f1 70 04 5f ec 03 89 4a 67 b6 e8 | 66 1e 28 2e c3 78 12 af 09 29 51 38 87 66 20 74 | 50 62 13 c1 b9 68 f8 cb 80 bc 86 48 39 ac 35 35 | 6e 39 dc 06 a4 30 f0 ee a0 67 0e 20 bb 14 5f e1 | f9 c7 66 4e b7 4d 9d 84 f6 5e 6c 3e 8a 76 47 67 | 5d ad 5c 31 4a e8 63 2e 79 8a ff 4f c8 b7 97 ef | 94 0c 77 ce f1 37 42 7b 34 ee c1 70 ba 9c 2a 40 | 52 fd 07 5f 23 9f 96 96 f6 91 99 77 | !event_already_set at reschedule "nss-cert" #2: IMPAIR: suppressing retransmits; scheduling timeout in 60 seconds | event_schedule: new EVENT_RETRANSMIT-pe@0x7f3648002b78 | inserting event EVENT_RETRANSMIT, timeout in 60 seconds for #2 | libevent_malloc: new ptr-libevent@0x7f3644003f28 size 128 | #2 STATE_QUICK_R1: retransmits: first event in 60 seconds; timeout in 60 seconds; limit of 12 retransmits; current time is 11405.242173 | pstats #2 ikev1.ipsec established | NAT-T: encaps is 'auto' "nss-cert" #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 tunnel mode {ESP=>0xd00a35fc <0x0d40b9cd xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=none NATD=none DPD=passive} | modecfg pull: noquirk policy:push not-client | phase 1 is done, looking for phase 2 to unpend | resume sending helper answer for #2 suppresed complete_v1_state_transition() | #2 spent 0.835 milliseconds in resume sending helper answer | stop processing: state #2 connection "nss-cert" from 192.1.2.45:500 (in resume_handler() at server.c:833) | libevent_free: release ptr-libevent@0x7f3638003618 | spent 0.00281 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 76 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500) | 2d 14 fe 25 fd 9f c6 72 c6 c5 70 a7 a3 e3 3e 2b | 08 10 20 01 23 08 92 cf 00 00 00 4c 2e aa d6 9b | bf 7e 21 21 bb 42 7b ef b1 82 1f 2b a2 f0 fb b6 | 0e de 08 77 5d df 50 6b 60 c4 6c 47 95 1d e5 b3 | 49 1d b7 28 4c 1c e8 a8 bb 67 a2 e9 | start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 2d 14 fe 25 fd 9f c6 72 | responder cookie: | c6 c5 70 a7 a3 e3 3e 2b | next payload type: ISAKMP_NEXT_HASH (0x8) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_QUICK (0x20) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 587764431 (0x230892cf) | length: 76 (0x4c) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_QUICK (32) | State DB: found IKEv1 state #2 in QUICK_R1 (find_state_ikev1) | start processing: state #2 connection "nss-cert" from 192.1.2.45:500 (in process_v1_packet() at ikev1.c:1633) | #2 is idle | #2 idle | received encrypted packet from 192.1.2.45:500 | got payload 0x100 (ISAKMP_NEXT_HASH) needed: 0x100 opt: 0x0 | ***parse ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 36 (0x24) | removing 12 bytes of padding | quick_inI2 HASH(3): | ba 62 6c b4 58 a7 00 cb 55 bf 8b 98 56 a1 39 31 | 4c 40 7a 3b 24 36 f9 b3 60 cb 0e 85 da 76 6e 7e | received 'quick_inI2' message HASH(3) data ok | install_ipsec_sa() for #2: outbound only | could_route called for nss-cert (kind=CK_PERMANENT) | FOR_EACH_CONNECTION_... in route_owner | conn nss-cert mark 0/00000000, 0/00000000 vs | conn nss-cert mark 0/00000000, 0/00000000 | route owner of "nss-cert" unrouted: NULL; eroute owner: NULL | sr for #2: unrouted | route_and_eroute() for proto 0, and source port 0 dest port 0 | FOR_EACH_CONNECTION_... in route_owner | conn nss-cert mark 0/00000000, 0/00000000 vs | conn nss-cert mark 0/00000000, 0/00000000 | route owner of "nss-cert" unrouted: NULL; eroute owner: NULL | route_and_eroute with c: nss-cert (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: #2 | priority calculation of connection "nss-cert" is 0xfdfdf | eroute_connection add eroute 192.0.2.254/32:0 --0-> 192.0.1.254/32:0 => tun.0@192.1.2.45 (raw_eroute) | IPsec Sa SPD priority set to 1040351 | raw_eroute result=success | running updown command "ipsec _updown" for verb up | command executing up-client | trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | trusted_ca_nss: trustor B = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | executing up-client: PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='nss-cert' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' PLUTO_MY_CLIENT='192.0.2.254/32' PLUTO_MY_CLIENT_NET='192.0.2.254' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' PLUTO_PEER_CLIENT='192.0.1.254/32' PLUTO_PEER_CLIENT_NET='192.0.1.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG | popen cmd is 1430 chars long | cmd( 0):PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='nss-cert' PLUTO_INT: | cmd( 80):ERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='C=C: | cmd( 160):A, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libre: | cmd( 240):swan.org, E=user-east@testing.libreswan.org' PLUTO_MY_CLIENT='192.0.2.254/32' PL: | cmd( 320):UTO_MY_CLIENT_NET='192.0.2.254' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_: | cmd( 400):PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_: | cmd( 480):PEER='192.1.2.45' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Te: | cmd( 560):st Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org': | cmd( 640): PLUTO_PEER_CLIENT='192.0.1.254/32' PLUTO_PEER_CLIENT_NET='192.0.1.254' PLUTO_PE: | cmd( 720):ER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLU: | cmd( 800):TO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Lib: | cmd( 880):reswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_A: | cmd( 960):DDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+: | cmd(1040):IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv: | cmd(1120):4' XAUTH_FAILED=0 PLUTO_MY_SOURCEIP='192.0.2.254' PLUTO_IS_PEER_CISCO='0' PLUTO_: | cmd(1200):PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER: | cmd(1280):='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' : | cmd(1360):VTI_SHARED='no' SPI_IN=0xd00a35fc SPI_OUT=0xd40b9cd ipsec _updown 2>&1: | route_and_eroute: firewall_notified: true | running updown command "ipsec _updown" for verb prepare | command executing prepare-client | trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | trusted_ca_nss: trustor B = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | executing prepare-client: PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='nss-cert' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' PLUTO_MY_CLIENT='192.0.2.254/32' PLUTO_MY_CLIENT_NET='192.0.2.254' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' PLUTO_PEER_CLIENT='192.0.1.254/32' PLUTO_PEER_CLIENT_NET='192.0.1.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLI | popen cmd is 1435 chars long | cmd( 0):PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='nss-cert' PLUT: | cmd( 80):O_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID: | cmd( 160):='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.: | cmd( 240):libreswan.org, E=user-east@testing.libreswan.org' PLUTO_MY_CLIENT='192.0.2.254/3: | cmd( 320):2' PLUTO_MY_CLIENT_NET='192.0.2.254' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUT: | cmd( 400):O_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' P: | cmd( 480):LUTO_PEER='192.1.2.45' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, : | cmd( 560):OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan: | cmd( 640):.org' PLUTO_PEER_CLIENT='192.0.1.254/32' PLUTO_PEER_CLIENT_NET='192.0.1.254' PLU: | cmd( 720):TO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0: | cmd( 800):' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, C: | cmd( 880):N=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PL: | cmd( 960):UTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_T: | cmd(1040):RACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY: | cmd(1120):='ipv4' XAUTH_FAILED=0 PLUTO_MY_SOURCEIP='192.0.2.254' PLUTO_IS_PEER_CISCO='0' P: | cmd(1200):LUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_S: | cmd(1280):ERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING=: | cmd(1360):'no' VTI_SHARED='no' SPI_IN=0xd00a35fc SPI_OUT=0xd40b9cd ipsec _updown 2>&1: | running updown command "ipsec _updown" for verb route | command executing route-client | trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | trusted_ca_nss: trustor B = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | executing route-client: PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='nss-cert' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' PLUTO_MY_CLIENT='192.0.2.254/32' PLUTO_MY_CLIENT_NET='192.0.2.254' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' PLUTO_PEER_CLIENT='192.0.1.254/32' PLUTO_PEER_CLIENT_NET='192.0.1.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY=' | popen cmd is 1433 chars long | cmd( 0):PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='nss-cert' PLUTO_: | cmd( 80):INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID=': | cmd( 160):C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.li: | cmd( 240):breswan.org, E=user-east@testing.libreswan.org' PLUTO_MY_CLIENT='192.0.2.254/32': | cmd( 320): PLUTO_MY_CLIENT_NET='192.0.2.254' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_: | cmd( 400):MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLU: | cmd( 480):TO_PEER='192.1.2.45' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU: | cmd( 560):=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.o: | cmd( 640):rg' PLUTO_PEER_CLIENT='192.0.1.254/32' PLUTO_PEER_CLIENT_NET='192.0.1.254' PLUTO: | cmd( 720):_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' : | cmd( 800):PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=: | cmd( 880):Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUT: | cmd( 960):O_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRA: | cmd(1040):CK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY=': | cmd(1120):ipv4' XAUTH_FAILED=0 PLUTO_MY_SOURCEIP='192.0.2.254' PLUTO_IS_PEER_CISCO='0' PLU: | cmd(1200):TO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SER: | cmd(1280):VER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='n: | cmd(1360):o' VTI_SHARED='no' SPI_IN=0xd00a35fc SPI_OUT=0xd40b9cd ipsec _updown 2>&1: "nss-cert" #2: route-client output: Error: Peer netns reference is invalid. "nss-cert" #2: route-client output: Error: Peer netns reference is invalid. "nss-cert" #2: route-client output: Error: Peer netns reference is invalid. "nss-cert" #2: route-client output: Error: Peer netns reference is invalid. "nss-cert" #2: route-client output: Error: Peer netns reference is invalid. "nss-cert" #2: route-client output: Error: Peer netns reference is invalid. "nss-cert" #2: route-client output: Error: Peer netns reference is invalid. "nss-cert" #2: route-client output: Error: Peer netns reference is invalid. "nss-cert" #2: route-client output: Error: Peer netns reference is invalid. "nss-cert" #2: route-client output: Error: Peer netns reference is invalid. "nss-cert" #2: route-client output: Error: Peer netns reference is invalid. "nss-cert" #2: route-client output: Error: Peer netns reference is invalid. "nss-cert" #2: route-client output: Error: Peer netns reference is invalid. "nss-cert" #2: route-client output: Error: Peer netns reference is invalid. "nss-cert" #2: route-client output: Error: Peer netns reference is invalid. "nss-cert" #2: route-client output: Error: Peer netns reference is invalid. "nss-cert" #2: route-client output: Error: Peer netns reference is invalid. "nss-cert" #2: route-client output: Error: Peer netns reference is invalid. "nss-cert" #2: route-client output: Error: Peer netns reference is invalid. "nss-cert" #2: route-client output: Error: Peer netns reference is invalid. | route_and_eroute: instance "nss-cert", setting eroute_owner {spd=0x563b23268048,sr=0x563b23268048} to #2 (was #0) (newest_ipsec_sa=#0) | #1 spent 2 milliseconds in install_ipsec_sa() | inI2: instance nss-cert[0], setting IKEv1 newest_ipsec_sa to #2 (was #0) (spd.eroute=#2) cloned from #1 | DPD: dpd_init() called on IPsec SA | DPD: Peer does not support Dead Peer Detection | complete v1 state transition with STF_OK | [RE]START processing: state #2 connection "nss-cert" from 192.1.2.45:500 (in complete_v1_state_transition() at ikev1.c:2673) | #2 is idle | doing_xauth:no, t_xauth_client_done:no | IKEv1: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2 | child state #2: QUICK_R1(established CHILD SA) => QUICK_R2(established CHILD SA) | event_already_set, deleting event | state #2 requesting EVENT_RETRANSMIT to be deleted | #2 STATE_QUICK_R2: retransmits: cleared | libevent_free: release ptr-libevent@0x7f3644003f28 | free_event_entry: release EVENT_RETRANSMIT-pe@0x7f3648002b78 | !event_already_set at reschedule | event_schedule: new EVENT_SA_REPLACE-pe@0x7f3648002b78 | inserting event EVENT_SA_REPLACE, timeout in 28530 seconds for #2 | libevent_malloc: new ptr-libevent@0x7f3638003618 size 128 | pstats #2 ikev1.ipsec established | NAT-T: encaps is 'auto' "nss-cert" #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0xd00a35fc <0x0d40b9cd xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=none NATD=none DPD=passive} | modecfg pull: noquirk policy:push not-client | phase 1 is done, looking for phase 2 to unpend | #2 spent 2.09 milliseconds in process_packet_tail() | stop processing: from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:380) | stop processing: state #2 connection "nss-cert" from 192.1.2.45:500 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 2.2 milliseconds in comm_handle_cb() reading and processing packet | kernel_process_msg_cb process netlink message | netlink_get: XFRM_MSG_EXPIRE message | spent 0.00739 milliseconds in kernel message | processing signal PLUTO_SIGCHLD | waitpid returned ECHILD (no child processes left) | spent 0.00358 milliseconds in signal handler PLUTO_SIGCHLD | processing signal PLUTO_SIGCHLD | waitpid returned ECHILD (no child processes left) | spent 0.00193 milliseconds in signal handler PLUTO_SIGCHLD | processing signal PLUTO_SIGCHLD | waitpid returned ECHILD (no child processes left) | spent 0.0019 milliseconds in signal handler PLUTO_SIGCHLD | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) | FOR_EACH_CONNECTION_... in show_connections_status | FOR_EACH_CONNECTION_... in show_connections_status | FOR_EACH_STATE_... in show_states_status (sort_states) | FOR_EACH_STATE_... in sort_states | get_sa_info esp.d40b9cd@192.1.2.23 | get_sa_info esp.d00a35fc@192.1.2.45 | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.736 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) shutting down | processing: RESET whack log_fd (was fd@16) (in exit_pluto() at plutomain.c:1825) | certs and keys locked by 'free_preshared_secrets' forgetting secrets | certs and keys unlocked by 'free_preshared_secrets' | unreference key: 0x563b23274d48 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org cnt 1-- | unreference key: 0x563b23274b38 user-east@testing.libreswan.org cnt 1-- | unreference key: 0x563b23274418 @east.testing.libreswan.org cnt 1-- | unreference key: 0x563b232741b8 east@testing.libreswan.org cnt 1-- | unreference key: 0x563b23273ca8 192.1.2.23 cnt 1-- | unreference key: 0x563b2326f378 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org cnt 2-- | unreference key: 0x563b2326f1a8 user-west@testing.libreswan.org cnt 1-- | unreference key: 0x563b2326eb38 @west.testing.libreswan.org cnt 1-- | unreference key: 0x563b2326d0a8 west@testing.libreswan.org cnt 1-- | unreference key: 0x563b2326ce88 192.1.2.45 cnt 1-- | start processing: connection "nss-cert" (in delete_connection() at connections.c:189) | Deleting states for connection - including all other IPsec SA's of this IKE SA | pass 0 | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete | state #2 | suspend processing: connection "nss-cert" (in foreach_state_by_connection_func_delete() at state.c:1310) | start processing: state #2 connection "nss-cert" from 192.1.2.45:500 (in foreach_state_by_connection_func_delete() at state.c:1310) | pstats #2 ikev1.ipsec deleted completed | [RE]START processing: state #2 connection "nss-cert" from 192.1.2.45:500 (in delete_state() at state.c:879) "nss-cert" #2: deleting state (STATE_QUICK_R2) aged 1.455s and sending notification | child state #2: QUICK_R2(established CHILD SA) => delete | get_sa_info esp.d00a35fc@192.1.2.45 | get_sa_info esp.d40b9cd@192.1.2.23 "nss-cert" #2: ESP traffic information: in=0B out=0B | #2 send IKEv1 delete notification for STATE_QUICK_R2 | FOR_EACH_STATE_... in find_phase1_state | **emit ISAKMP Message: | initiator cookie: | 2d 14 fe 25 fd 9f c6 72 | responder cookie: | c6 c5 70 a7 a3 e3 3e 2b | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_INFO (0x5) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 3899927656 (0xe8742c68) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Hash Payload (8:ISAKMP_NEXT_HASH) | next payload chain: saving location 'ISAKMP Hash Payload'.'next payload type' in 'delete msg' | emitting 32 zero bytes of HASH DATA into ISAKMP Hash Payload | emitting length of ISAKMP Hash Payload: 36 | ***emit ISAKMP Delete Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | DOI: ISAKMP_DOI_IPSEC (0x1) | protocol ID: 3 (0x3) | SPI size: 4 (0x4) | number of SPIs: 1 (0x1) | next payload chain: setting previous 'ISAKMP Hash Payload'.'next payload type' to current ISAKMP Delete Payload (12:ISAKMP_NEXT_D) | next payload chain: saving location 'ISAKMP Delete Payload'.'next payload type' in 'delete msg' | emitting 4 raw bytes of delete payload into ISAKMP Delete Payload | delete payload 0d 40 b9 cd | emitting length of ISAKMP Delete Payload: 16 | send delete HASH(1): | a3 21 6a aa c6 87 d0 ad 86 4a c1 e1 1f d8 2b 2d | 7f 77 3f 1f fb 14 7b 64 6f 16 2c a3 3a b9 26 81 | emitting 12 zero bytes of encryption padding into ISAKMP Message | no IKEv1 message padding required | emitting length of ISAKMP Message: 92 | sending 92 bytes for delete notify through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #1) | 2d 14 fe 25 fd 9f c6 72 c6 c5 70 a7 a3 e3 3e 2b | 08 10 05 01 e8 74 2c 68 00 00 00 5c cf 52 7a ba | 71 fe 97 61 d3 c7 9f 84 f8 4b f7 ad 9e 88 75 d7 | ed 5b f8 53 d6 68 6e 55 b2 5c fc ef ad 64 f1 dd | 9b 6f 44 d6 88 0f 62 7b bb ba 35 64 55 14 3f 5b | 1d a5 69 43 c7 81 e4 91 0e 4f b1 95 | state #2 requesting EVENT_SA_REPLACE to be deleted | libevent_free: release ptr-libevent@0x7f3638003618 | free_event_entry: release EVENT_SA_REPLACE-pe@0x7f3648002b78 | running updown command "ipsec _updown" for verb down | command executing down-client | executing down-client: PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='nss-cert' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' PLUTO_MY_CLIENT='192.0.2.254/32' PLUTO_MY_CLIENT_NET='192.0.2.254' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' PLUTO_PEER_CLIENT='192.0.1.254/32' PLUTO_PEER_CLIENT_NET='192.0.1.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1566826119' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_C | popen cmd is 1323 chars long | cmd( 0):PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='nss-cert' PLUTO_I: | cmd( 80):NTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='C: | cmd( 160):=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.lib: | cmd( 240):reswan.org, E=user-east@testing.libreswan.org' PLUTO_MY_CLIENT='192.0.2.254/32' : | cmd( 320):PLUTO_MY_CLIENT_NET='192.0.2.254' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_M: | cmd( 400):Y_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUT: | cmd( 480):O_PEER='192.1.2.45' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=: | cmd( 560):Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.or: | cmd( 640):g' PLUTO_PEER_CLIENT='192.0.1.254/32' PLUTO_PEER_CLIENT_NET='192.0.1.254' PLUTO_: | cmd( 720):PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' P: | cmd( 800):LUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1566826119' PLUTO_CONN_POLIC: | cmd( 880):Y='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUT: | cmd( 960):O_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_MY_: | cmd(1040):SOURCEIP='192.0.2.254' PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER: | cmd(1120):_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' P: | cmd(1200):LUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0xd0: | cmd(1280):0a35fc SPI_OUT=0xd40b9cd ipsec _updown 2>&1: | shunt_eroute() called for connection 'nss-cert' to 'replace with shunt' for rt_kind 'prospective erouted' using protoports 0--0->-0 | netlink_shunt_eroute for proto 0, and source port 0 dest port 0 | priority calculation of connection "nss-cert" is 0xfdfdf | IPsec Sa SPD priority set to 1040351 | delete esp.d00a35fc@192.1.2.45 | netlink response for Del SA esp.d00a35fc@192.1.2.45 included non-error error | priority calculation of connection "nss-cert" is 0xfdfdf | delete inbound eroute 192.0.1.254/32:0 --0-> 192.0.2.254/32:0 => unk255.10000@192.1.2.23 (raw_eroute) | raw_eroute result=success | delete esp.d40b9cd@192.1.2.23 | netlink response for Del SA esp.d40b9cd@192.1.2.23 included non-error error | stop processing: connection "nss-cert" (BACKGROUND) (in update_state_connection() at connections.c:4076) | start processing: connection NULL (in update_state_connection() at connections.c:4077) | in connection_discard for connection nss-cert | State DB: deleting IKEv1 state #2 in QUICK_R2 | child state #2: QUICK_R2(established CHILD SA) => UNDEFINED(ignore) | stop processing: state #2 from 192.1.2.45:500 (in delete_state() at state.c:1143) | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312) | state #1 | pass 1 | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete | state #1 | start processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in foreach_state_by_connection_func_delete() at state.c:1310) | pstats #1 ikev1.isakmp deleted completed | [RE]START processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in delete_state() at state.c:879) "nss-cert" #1: deleting state (STATE_MAIN_R3) aged 1.494s and sending notification | parent state #1: MAIN_R3(established IKE SA) => delete | #1 send IKEv1 delete notification for STATE_MAIN_R3 | **emit ISAKMP Message: | initiator cookie: | 2d 14 fe 25 fd 9f c6 72 | responder cookie: | c6 c5 70 a7 a3 e3 3e 2b | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_INFO (0x5) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 2531336699 (0x96e121fb) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Hash Payload (8:ISAKMP_NEXT_HASH) | next payload chain: saving location 'ISAKMP Hash Payload'.'next payload type' in 'delete msg' | emitting 32 zero bytes of HASH DATA into ISAKMP Hash Payload | emitting length of ISAKMP Hash Payload: 36 | ***emit ISAKMP Delete Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | DOI: ISAKMP_DOI_IPSEC (0x1) | protocol ID: 1 (0x1) | SPI size: 16 (0x10) | number of SPIs: 1 (0x1) | next payload chain: setting previous 'ISAKMP Hash Payload'.'next payload type' to current ISAKMP Delete Payload (12:ISAKMP_NEXT_D) | next payload chain: saving location 'ISAKMP Delete Payload'.'next payload type' in 'delete msg' | emitting 8 raw bytes of initiator SPI into ISAKMP Delete Payload | initiator SPI 2d 14 fe 25 fd 9f c6 72 | emitting 8 raw bytes of responder SPI into ISAKMP Delete Payload | responder SPI c6 c5 70 a7 a3 e3 3e 2b | emitting length of ISAKMP Delete Payload: 28 | send delete HASH(1): | 0b 93 84 26 23 1b 77 2e ff cb 7c 56 68 38 96 66 | b8 b0 5a 76 0d 81 69 8b 1a 9f cd 1d 7e 9d 4c ea | no IKEv1 message padding required | emitting length of ISAKMP Message: 92 | sending 92 bytes for delete notify through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #1) | 2d 14 fe 25 fd 9f c6 72 c6 c5 70 a7 a3 e3 3e 2b | 08 10 05 01 96 e1 21 fb 00 00 00 5c 5b aa c7 15 | 75 73 f9 b2 95 04 20 cb 73 9f 43 92 fd a8 2e fd | 26 f3 44 5f a2 f7 b9 cd c4 64 ff cf 53 bc 99 44 | 55 1e fe 77 e0 3b 76 fa 33 16 75 ad b2 1f 79 33 | be 72 1b 3e 40 4e 5b ea 84 e6 d7 9f | state #1 requesting EVENT_SA_REPLACE to be deleted | libevent_free: release ptr-libevent@0x7f3648002888 | free_event_entry: release EVENT_SA_REPLACE-pe@0x563b232755d8 | State DB: IKEv1 state not found (flush_incomplete_children) | in connection_discard for connection nss-cert | State DB: deleting IKEv1 state #1 in MAIN_R3 | parent state #1: MAIN_R3(established IKE SA) => UNDEFINED(ignore) | unreference key: 0x563b2326f378 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org cnt 1-- | stop processing: state #1 from 192.1.2.45:500 (in delete_state() at state.c:1143) | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312) | shunt_eroute() called for connection 'nss-cert' to 'delete' for rt_kind 'unrouted' using protoports 0--0->-0 | netlink_shunt_eroute for proto 0, and source port 0 dest port 0 | priority calculation of connection "nss-cert" is 0xfdfdf | priority calculation of connection "nss-cert" is 0xfdfdf | FOR_EACH_CONNECTION_... in route_owner | conn nss-cert mark 0/00000000, 0/00000000 vs | conn nss-cert mark 0/00000000, 0/00000000 | route owner of "nss-cert" unrouted: NULL | running updown command "ipsec _updown" for verb unroute | command executing unroute-client | executing unroute-client: PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='nss-cert' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' PLUTO_MY_CLIENT='192.0.2.254/32' PLUTO_MY_CLIENT_NET='192.0.2.254' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' PLUTO_PEER_CLIENT='192.0.1.254/32' PLUTO_PEER_CLIENT_NET='192.0.1.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CON | popen cmd is 1305 chars long | cmd( 0):PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='nss-cert' PLUT: | cmd( 80):O_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID: | cmd( 160):='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.: | cmd( 240):libreswan.org, E=user-east@testing.libreswan.org' PLUTO_MY_CLIENT='192.0.2.254/3: | cmd( 320):2' PLUTO_MY_CLIENT_NET='192.0.2.254' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUT: | cmd( 400):O_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='none' : | cmd( 480):PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan,: | cmd( 560): OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswa: | cmd( 640):n.org' PLUTO_PEER_CLIENT='192.0.1.254/32' PLUTO_PEER_CLIENT_NET='192.0.1.254' PL: | cmd( 720):UTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL=': | cmd( 800):0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RS: | cmd( 880):ASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CON: | cmd( 960):N_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_MY_SOURC: | cmd(1040):EIP='192.0.2.254' PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMA: | cmd(1120):IN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_: | cmd(1200):NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_O: | cmd(1280):UT=0x0 ipsec _updown 2>&1: unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. | free hp@0x563b232751a8 | flush revival: connection 'nss-cert' wasn't on the list | processing: STOP connection NULL (in discard_connection() at connections.c:249) | crl fetch request list locked by 'free_crl_fetch' | crl fetch request list unlocked by 'free_crl_fetch' shutting down interface lo/lo 127.0.0.1:4500 shutting down interface lo/lo 127.0.0.1:500 shutting down interface eth0/eth0 192.0.2.254:4500 shutting down interface eth0/eth0 192.0.2.254:500 shutting down interface eth1/eth1 192.1.2.23:4500 shutting down interface eth1/eth1 192.1.2.23:500 | FOR_EACH_STATE_... in delete_states_dead_interfaces | libevent_free: release ptr-libevent@0x563b2325b758 | free_event_entry: release EVENT_NULL-pe@0x563b23267648 | libevent_free: release ptr-libevent@0x563b23201f68 | free_event_entry: release EVENT_NULL-pe@0x563b232676f8 | libevent_free: release ptr-libevent@0x563b23201888 | free_event_entry: release EVENT_NULL-pe@0x563b232677a8 | libevent_free: release ptr-libevent@0x563b23209148 | free_event_entry: release EVENT_NULL-pe@0x563b23267858 | libevent_free: release ptr-libevent@0x563b23209248 | free_event_entry: release EVENT_NULL-pe@0x563b23267908 | libevent_free: release ptr-libevent@0x563b23209348 | free_event_entry: release EVENT_NULL-pe@0x563b232679b8 | FOR_EACH_UNORIENTED_CONNECTION_... in check_orientations | libevent_free: release ptr-libevent@0x563b2325b808 | free_event_entry: release EVENT_NULL-pe@0x563b2324f928 | libevent_free: release ptr-libevent@0x563b23201eb8 | free_event_entry: release EVENT_NULL-pe@0x563b2324f488 | libevent_free: release ptr-libevent@0x563b23248468 | free_event_entry: release EVENT_NULL-pe@0x563b232093f8 | global timer EVENT_REINIT_SECRET uninitialized | global timer EVENT_SHUNT_SCAN uninitialized | global timer EVENT_PENDING_DDNS uninitialized | global timer EVENT_PENDING_PHASE2 uninitialized | global timer EVENT_CHECK_CRLS uninitialized | global timer EVENT_REVIVE_CONNS uninitialized | global timer EVENT_FREE_ROOT_CERTS uninitialized | global timer EVENT_RESET_LOG_RATE_LIMIT uninitialized | global timer EVENT_NAT_T_KEEPALIVE uninitialized | libevent_free: release ptr-libevent@0x563b2320d9c8 | signal event handler PLUTO_SIGCHLD uninstalled | libevent_free: release ptr-libevent@0x563b2318b708 | signal event handler PLUTO_SIGTERM uninstalled | libevent_free: release ptr-libevent@0x563b23266e28 | signal event handler PLUTO_SIGHUP uninstalled | libevent_free: release ptr-libevent@0x563b23267068 | signal event handler PLUTO_SIGSYS uninstalled | releasing event base | libevent_free: release ptr-libevent@0x563b23266f38 | libevent_free: release ptr-libevent@0x563b23249d48 | libevent_free: release ptr-libevent@0x563b23249cf8 | libevent_free: release ptr-libevent@0x7f3644003e78 | libevent_free: release ptr-libevent@0x563b23249cb8 | libevent_free: release ptr-libevent@0x563b23266af8 | libevent_free: release ptr-libevent@0x563b23266d68 | libevent_free: release ptr-libevent@0x563b23249ef8 | libevent_free: release ptr-libevent@0x563b2324f4f8 | libevent_free: release ptr-libevent@0x563b2324f158 | libevent_free: release ptr-libevent@0x563b23267a28 | libevent_free: release ptr-libevent@0x563b23267978 | libevent_free: release ptr-libevent@0x563b232678c8 | libevent_free: release ptr-libevent@0x563b23267818 | libevent_free: release ptr-libevent@0x563b23267768 | libevent_free: release ptr-libevent@0x563b232676b8 | libevent_free: release ptr-libevent@0x563b2318aa28 | libevent_free: release ptr-libevent@0x563b23266de8 | libevent_free: release ptr-libevent@0x563b23266da8 | libevent_free: release ptr-libevent@0x563b23266c68 | libevent_free: release ptr-libevent@0x563b23266ef8 | libevent_free: release ptr-libevent@0x563b23266b38 | libevent_free: release ptr-libevent@0x563b2320f558 | libevent_free: release ptr-libevent@0x563b2320f4d8 | libevent_free: release ptr-libevent@0x563b2318ad98 | releasing global libevent data | libevent_free: release ptr-libevent@0x563b2320f6d8 | libevent_free: release ptr-libevent@0x563b2320f658 | libevent_free: release ptr-libevent@0x563b2320f5d8 leak detective found no leaks