FIPS Product: YES FIPS Kernel: NO FIPS Mode: NO NSS DB directory: sql:/etc/ipsec.d Initializing NSS Opening NSS database "sql:/etc/ipsec.d" read-only NSS initialized NSS crypto library initialized FIPS HMAC integrity support [enabled] FIPS mode disabled for pluto daemon FIPS HMAC integrity verification self-test FAILED libcap-ng support [enabled] Linux audit support [enabled] Linux audit activated Starting Pluto (Libreswan Version v3.28-685-gbfd5aef521-master-s2 XFRM(netkey) esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) DNSSEC FIPS_CHECK LABELED_IPSEC SECCOMP LIBCAP_NG LINUX_AUDIT XAUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:9495 core dump dir: /tmp secrets file: /etc/ipsec.secrets leak-detective enabled NSS crypto [enabled] XAUTH PAM support [enabled] | libevent is using pluto's memory allocator Initializing libevent in pthreads mode: headers: 2.1.8-stable (2010800); library: 2.1.8-stable (2010800) | libevent_malloc: new ptr-libevent@0x55a57d8ef0f8 size 40 | libevent_malloc: new ptr-libevent@0x55a57d8ee738 size 40 | libevent_malloc: new ptr-libevent@0x55a57d8ee6b8 size 40 | creating event base | libevent_malloc: new ptr-libevent@0x55a57d8f1838 size 56 | libevent_malloc: new ptr-libevent@0x55a57d8775f8 size 664 | libevent_malloc: new ptr-libevent@0x55a57d91f628 size 24 | libevent_malloc: new ptr-libevent@0x55a57d91f678 size 384 | libevent_malloc: new ptr-libevent@0x55a57d91f5e8 size 16 | libevent_malloc: new ptr-libevent@0x55a57d8ee638 size 40 | libevent_malloc: new ptr-libevent@0x55a57d8ee5b8 size 48 | libevent_realloc: new ptr-libevent@0x55a57d877288 size 256 | libevent_malloc: new ptr-libevent@0x55a57d91f828 size 16 | libevent_free: release ptr-libevent@0x55a57d8f1838 | libevent initialized | libevent_realloc: new ptr-libevent@0x55a57d8f1838 size 64 | global periodic timer EVENT_RESET_LOG_RATE_LIMIT enabled with interval of 3600 seconds | init_nat_traversal() initialized with keep_alive=0s NAT-Traversal support [enabled] | global one-shot timer EVENT_NAT_T_KEEPALIVE initialized | global one-shot timer EVENT_FREE_ROOT_CERTS initialized | global periodic timer EVENT_REINIT_SECRET enabled with interval of 3600 seconds | global one-shot timer EVENT_REVIVE_CONNS initialized | global periodic timer EVENT_PENDING_DDNS enabled with interval of 60 seconds | global periodic timer EVENT_PENDING_PHASE2 enabled with interval of 120 seconds Encryption algorithms: AES_CCM_16 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm, aes_ccm_c AES_CCM_12 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_b AES_CCM_8 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_a 3DES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS [*192] 3des CAMELLIA_CTR IKEv1: ESP IKEv2: ESP {256,192,*128} CAMELLIA_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} camellia AES_GCM_16 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm, aes_gcm_c AES_GCM_12 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_b AES_GCM_8 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_a AES_CTR IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aesctr AES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aes SERPENT_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} serpent TWOFISH_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} twofish TWOFISH_SSH IKEv1: IKE IKEv2: IKE ESP {256,192,*128} twofish_cbc_ssh NULL_AUTH_AES_GMAC IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_gmac NULL IKEv1: ESP IKEv2: ESP [] CHACHA20_POLY1305 IKEv1: IKEv2: IKE ESP [*256] chacha20poly1305 Hash algorithms: MD5 IKEv1: IKE IKEv2: SHA1 IKEv1: IKE IKEv2: FIPS sha SHA2_256 IKEv1: IKE IKEv2: FIPS sha2, sha256 SHA2_384 IKEv1: IKE IKEv2: FIPS sha384 SHA2_512 IKEv1: IKE IKEv2: FIPS sha512 PRF algorithms: HMAC_MD5 IKEv1: IKE IKEv2: IKE md5 HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS sha, sha1 HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS sha2, sha256, sha2_256 HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS sha384, sha2_384 HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS sha512, sha2_512 AES_XCBC IKEv1: IKEv2: IKE aes128_xcbc Integrity algorithms: HMAC_MD5_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH md5, hmac_md5 HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha, sha1, sha1_96, hmac_sha1 HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha512, sha2_512, sha2_512_256, hmac_sha2_512 HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha384, sha2_384, sha2_384_192, hmac_sha2_384 HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256 HMAC_SHA2_256_TRUNCBUG IKEv1: ESP AH IKEv2: AH AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP AH aes_xcbc, aes128_xcbc, aes128_xcbc_96 AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS aes_cmac NONE IKEv1: ESP IKEv2: IKE ESP FIPS null DH algorithms: NONE IKEv1: IKEv2: IKE ESP AH FIPS null, dh0 MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH dh5 MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh14 MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh15 MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh16 MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh17 MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh18 DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_256, ecp256 DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_384, ecp384 DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_521, ecp521 DH31 IKEv1: IKE IKEv2: IKE ESP AH curve25519 testing CAMELLIA_CBC: Camellia: 16 bytes with 128-bit key Camellia: 16 bytes with 128-bit key Camellia: 16 bytes with 256-bit key Camellia: 16 bytes with 256-bit key testing AES_GCM_16: empty string one block two blocks two blocks with associated data testing AES_CTR: Encrypting 16 octets using AES-CTR with 128-bit key Encrypting 32 octets using AES-CTR with 128-bit key Encrypting 36 octets using AES-CTR with 128-bit key Encrypting 16 octets using AES-CTR with 192-bit key Encrypting 32 octets using AES-CTR with 192-bit key Encrypting 36 octets using AES-CTR with 192-bit key Encrypting 16 octets using AES-CTR with 256-bit key Encrypting 32 octets using AES-CTR with 256-bit key Encrypting 36 octets using AES-CTR with 256-bit key testing AES_CBC: Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key testing AES_XCBC: RFC 3566 Test Case #1: AES-XCBC-MAC-96 with 0-byte input RFC 3566 Test Case #2: AES-XCBC-MAC-96 with 3-byte input RFC 3566 Test Case #3: AES-XCBC-MAC-96 with 16-byte input RFC 3566 Test Case #4: AES-XCBC-MAC-96 with 20-byte input RFC 3566 Test Case #5: AES-XCBC-MAC-96 with 32-byte input RFC 3566 Test Case #6: AES-XCBC-MAC-96 with 34-byte input RFC 3566 Test Case #7: AES-XCBC-MAC-96 with 1000-byte input RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 16) RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10) RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18) testing HMAC_MD5: RFC 2104: MD5_HMAC test 1 RFC 2104: MD5_HMAC test 2 RFC 2104: MD5_HMAC test 3 8 CPU cores online starting up 7 crypto helpers started thread for crypto helper 0 | starting up helper thread 0 | status value returned by setting the priority of this thread (crypto helper 0) 22 | crypto helper 0 waiting (nothing to do) started thread for crypto helper 1 | starting up helper thread 1 | status value returned by setting the priority of this thread (crypto helper 1) 22 | crypto helper 1 waiting (nothing to do) started thread for crypto helper 2 started thread for crypto helper 3 started thread for crypto helper 4 | starting up helper thread 3 started thread for crypto helper 5 | starting up helper thread 4 | starting up helper thread 5 | status value returned by setting the priority of this thread (crypto helper 4) 22 | starting up helper thread 6 | status value returned by setting the priority of this thread (crypto helper 3) 22 | status value returned by setting the priority of this thread (crypto helper 5) 22 | crypto helper 4 waiting (nothing to do) | starting up helper thread 2 started thread for crypto helper 6 | status value returned by setting the priority of this thread (crypto helper 6) 22 | checking IKEv1 state table | crypto helper 3 waiting (nothing to do) | MAIN_R0: category: half-open IKE SA flags: 0: | -> MAIN_R1 EVENT_SO_DISCARD | MAIN_I1: category: half-open IKE SA flags: 0: | crypto helper 5 waiting (nothing to do) | -> MAIN_I2 EVENT_RETRANSMIT | MAIN_R1: category: open IKE SA flags: 200: | -> MAIN_R2 EVENT_RETRANSMIT | -> UNDEFINED EVENT_RETRANSMIT | -> UNDEFINED EVENT_RETRANSMIT | status value returned by setting the priority of this thread (crypto helper 2) 22 | crypto helper 2 waiting (nothing to do) | crypto helper 6 waiting (nothing to do) | MAIN_I2: category: open IKE SA flags: 0: | -> MAIN_I3 EVENT_RETRANSMIT | -> UNDEFINED EVENT_RETRANSMIT | -> UNDEFINED EVENT_RETRANSMIT | MAIN_R2: category: open IKE SA flags: 0: | -> MAIN_R3 EVENT_SA_REPLACE | -> MAIN_R3 EVENT_SA_REPLACE | -> UNDEFINED EVENT_SA_REPLACE | MAIN_I3: category: open IKE SA flags: 0: | -> MAIN_I4 EVENT_SA_REPLACE | -> MAIN_I4 EVENT_SA_REPLACE | -> UNDEFINED EVENT_SA_REPLACE | MAIN_R3: category: established IKE SA flags: 200: | -> UNDEFINED EVENT_NULL | MAIN_I4: category: established IKE SA flags: 0: | -> UNDEFINED EVENT_NULL | AGGR_R0: category: half-open IKE SA flags: 0: | -> AGGR_R1 EVENT_SO_DISCARD | AGGR_I1: category: half-open IKE SA flags: 0: | -> AGGR_I2 EVENT_SA_REPLACE | -> AGGR_I2 EVENT_SA_REPLACE | AGGR_R1: category: open IKE SA flags: 200: | -> AGGR_R2 EVENT_SA_REPLACE | -> AGGR_R2 EVENT_SA_REPLACE | AGGR_I2: category: established IKE SA flags: 200: | -> UNDEFINED EVENT_NULL | AGGR_R2: category: established IKE SA flags: 0: | -> UNDEFINED EVENT_NULL | QUICK_R0: category: established CHILD SA flags: 0: | -> QUICK_R1 EVENT_RETRANSMIT | QUICK_I1: category: established CHILD SA flags: 0: | -> QUICK_I2 EVENT_SA_REPLACE | QUICK_R1: category: established CHILD SA flags: 0: | -> QUICK_R2 EVENT_SA_REPLACE | QUICK_I2: category: established CHILD SA flags: 200: | -> UNDEFINED EVENT_NULL | QUICK_R2: category: established CHILD SA flags: 0: | -> UNDEFINED EVENT_NULL | INFO: category: informational flags: 0: | -> UNDEFINED EVENT_NULL | INFO_PROTECTED: category: informational flags: 0: | -> UNDEFINED EVENT_NULL | XAUTH_R0: category: established IKE SA flags: 0: | -> XAUTH_R1 EVENT_NULL | XAUTH_R1: category: established IKE SA flags: 0: | -> MAIN_R3 EVENT_SA_REPLACE | MODE_CFG_R0: category: informational flags: 0: | -> MODE_CFG_R1 EVENT_SA_REPLACE | MODE_CFG_R1: category: established IKE SA flags: 0: | -> MODE_CFG_R2 EVENT_SA_REPLACE | MODE_CFG_R2: category: established IKE SA flags: 0: | -> UNDEFINED EVENT_NULL | MODE_CFG_I1: category: established IKE SA flags: 0: | -> MAIN_I4 EVENT_SA_REPLACE | XAUTH_I0: category: established IKE SA flags: 0: | -> XAUTH_I1 EVENT_RETRANSMIT | XAUTH_I1: category: established IKE SA flags: 0: | -> MAIN_I4 EVENT_RETRANSMIT | checking IKEv2 state table | PARENT_I0: category: ignore flags: 0: | -> PARENT_I1 EVENT_RETRANSMIT send-request (initiate IKE_SA_INIT) | PARENT_I1: category: half-open IKE SA flags: 0: | -> PARENT_I1 EVENT_RETAIN send-request (Initiator: process SA_INIT reply notification) | -> PARENT_I2 EVENT_RETRANSMIT send-request (Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH) | PARENT_I2: category: open IKE SA flags: 0: | -> PARENT_I2 EVENT_NULL (Initiator: process INVALID_SYNTAX AUTH notification) | -> PARENT_I2 EVENT_NULL (Initiator: process AUTHENTICATION_FAILED AUTH notification) | -> PARENT_I2 EVENT_NULL (Initiator: process UNSUPPORTED_CRITICAL_PAYLOAD AUTH notification) | -> V2_IPSEC_I EVENT_SA_REPLACE (Initiator: process IKE_AUTH response) | -> PARENT_I2 EVENT_NULL (IKE SA: process IKE_AUTH response containing unknown notification) | PARENT_I3: category: established IKE SA flags: 0: | -> PARENT_I3 EVENT_RETAIN (I3: Informational Request) | -> PARENT_I3 EVENT_RETAIN (I3: Informational Response) | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Request) | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Response) | PARENT_R0: category: half-open IKE SA flags: 0: | -> PARENT_R1 EVENT_SO_DISCARD send-request (Respond to IKE_SA_INIT) | PARENT_R1: category: half-open IKE SA flags: 0: | -> PARENT_R1 EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request (no SKEYSEED)) | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request) | PARENT_R2: category: established IKE SA flags: 0: | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Request) | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Response) | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Request) | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Response) | V2_CREATE_I0: category: established IKE SA flags: 0: | -> V2_CREATE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec SA) | V2_CREATE_I: category: established IKE SA flags: 0: | -> V2_IPSEC_I EVENT_SA_REPLACE (Process CREATE_CHILD_SA IPsec SA Response) | V2_REKEY_IKE_I0: category: established IKE SA flags: 0: | -> V2_REKEY_IKE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IKE Rekey) | V2_REKEY_IKE_I: category: established IKE SA flags: 0: | -> PARENT_I3 EVENT_SA_REPLACE (Process CREATE_CHILD_SA IKE Rekey Response) | V2_REKEY_CHILD_I0: category: established IKE SA flags: 0: | -> V2_REKEY_CHILD_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec Rekey SA) | V2_REKEY_CHILD_I: category: established IKE SA flags: 0: | V2_CREATE_R: category: established IKE SA flags: 0: | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IPsec SA Request) | V2_REKEY_IKE_R: category: established IKE SA flags: 0: | -> PARENT_R2 EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IKE Rekey) | V2_REKEY_CHILD_R: category: established IKE SA flags: 0: | V2_IPSEC_I: category: established CHILD SA flags: 0: | V2_IPSEC_R: category: established CHILD SA flags: 0: | IKESA_DEL: category: established IKE SA flags: 0: | -> IKESA_DEL EVENT_RETAIN (IKE_SA_DEL: process INFORMATIONAL) | CHILDSA_DEL: category: informational flags: 0: Using Linux XFRM/NETKEY IPsec interface code on 5.1.18-200.fc29.x86_64 | Hard-wiring algorithms | adding AES_CCM_16 to kernel algorithm db | adding AES_CCM_12 to kernel algorithm db | adding AES_CCM_8 to kernel algorithm db | adding 3DES_CBC to kernel algorithm db | adding CAMELLIA_CBC to kernel algorithm db | adding AES_GCM_16 to kernel algorithm db | adding AES_GCM_12 to kernel algorithm db | adding AES_GCM_8 to kernel algorithm db | adding AES_CTR to kernel algorithm db | adding AES_CBC to kernel algorithm db | adding SERPENT_CBC to kernel algorithm db | adding TWOFISH_CBC to kernel algorithm db | adding NULL_AUTH_AES_GMAC to kernel algorithm db | adding NULL to kernel algorithm db | adding CHACHA20_POLY1305 to kernel algorithm db | adding HMAC_MD5_96 to kernel algorithm db | adding HMAC_SHA1_96 to kernel algorithm db | adding HMAC_SHA2_512_256 to kernel algorithm db | adding HMAC_SHA2_384_192 to kernel algorithm db | adding HMAC_SHA2_256_128 to kernel algorithm db | adding HMAC_SHA2_256_TRUNCBUG to kernel algorithm db | adding AES_XCBC_96 to kernel algorithm db | adding AES_CMAC_96 to kernel algorithm db | adding NONE to kernel algorithm db | net.ipv6.conf.all.disable_ipv6=1 ignore ipv6 holes | global periodic timer EVENT_SHUNT_SCAN enabled with interval of 20 seconds | setup kernel fd callback | add_fd_read_event_handler: new KERNEL_XRM_FD-pe@0x55a57d91f348 | libevent_malloc: new ptr-libevent@0x55a57d91d858 size 128 | libevent_malloc: new ptr-libevent@0x55a57d924a48 size 16 | add_fd_read_event_handler: new KERNEL_ROUTE_FD-pe@0x55a57d924db8 | libevent_malloc: new ptr-libevent@0x55a57d8f2308 size 128 | libevent_malloc: new ptr-libevent@0x55a57d925368 size 16 | global one-shot timer EVENT_CHECK_CRLS initialized selinux support is enabled. | unbound context created - setting debug level to 5 | /etc/hosts lookups activated | /etc/resolv.conf usage activated | outgoing-port-avoid set 0-65535 | outgoing-port-permit set 32768-60999 | Loading dnssec root key from:/var/lib/unbound/root.key | No additional dnssec trust anchors defined via dnssec-trusted= option | Setting up events, loop start | add_fd_read_event_handler: new PLUTO_CTL_FD-pe@0x55a57d925258 | libevent_malloc: new ptr-libevent@0x55a57d931138 size 128 | libevent_malloc: new ptr-libevent@0x55a57d93c408 size 16 | libevent_realloc: new ptr-libevent@0x55a57d93c448 size 256 | libevent_malloc: new ptr-libevent@0x55a57d93c578 size 8 | libevent_realloc: new ptr-libevent@0x55a57d8ee2e8 size 144 | libevent_malloc: new ptr-libevent@0x55a57d879e48 size 152 | libevent_malloc: new ptr-libevent@0x55a57d93c5b8 size 16 | signal event handler PLUTO_SIGCHLD installed | libevent_malloc: new ptr-libevent@0x55a57d93c5f8 size 8 | libevent_malloc: new ptr-libevent@0x55a57d870538 size 152 | signal event handler PLUTO_SIGTERM installed | libevent_malloc: new ptr-libevent@0x55a57d93c638 size 8 | libevent_malloc: new ptr-libevent@0x55a57d870608 size 152 | signal event handler PLUTO_SIGHUP installed | libevent_malloc: new ptr-libevent@0x55a57d93c678 size 8 | libevent_realloc: release ptr-libevent@0x55a57d8ee2e8 | libevent_realloc: new ptr-libevent@0x55a57d93c6b8 size 256 | libevent_malloc: new ptr-libevent@0x55a57d93c7e8 size 152 | signal event handler PLUTO_SIGSYS installed | created addconn helper (pid:9522) using fork+execve | forked child 9522 | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) listening for IKE messages | Inspecting interface lo | found lo with address 127.0.0.1 | Inspecting interface eth0 | found eth0 with address 192.1.3.209 Kernel supports NIC esp-hw-offload adding interface eth0/eth0 (esp-hw-offload not supported by kernel) 192.1.3.209:500 | NAT-Traversal: Trying sockopt style NAT-T | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 adding interface eth0/eth0 192.1.3.209:4500 adding interface lo/lo (esp-hw-offload not supported by kernel) 127.0.0.1:500 | NAT-Traversal: Trying sockopt style NAT-T | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 adding interface lo/lo 127.0.0.1:4500 | no interfaces to sort | FOR_EACH_UNORIENTED_CONNECTION_... in check_orientations | add_fd_read_event_handler: new ethX-pe@0x55a57d93cb58 | libevent_malloc: new ptr-libevent@0x55a57d931088 size 128 | libevent_malloc: new ptr-libevent@0x55a57d93cbc8 size 16 | setup callback for interface lo 127.0.0.1:4500 fd 20 | add_fd_read_event_handler: new ethX-pe@0x55a57d93cc08 | libevent_malloc: new ptr-libevent@0x55a57d8f23b8 size 128 | libevent_malloc: new ptr-libevent@0x55a57d93cc78 size 16 | setup callback for interface lo 127.0.0.1:500 fd 19 | add_fd_read_event_handler: new ethX-pe@0x55a57d93ccb8 | libevent_malloc: new ptr-libevent@0x55a57d8f4a58 size 128 | libevent_malloc: new ptr-libevent@0x55a57d93cd28 size 16 | setup callback for interface eth0 192.1.3.209:4500 fd 18 | add_fd_read_event_handler: new ethX-pe@0x55a57d93cd68 | libevent_malloc: new ptr-libevent@0x55a57d8f1508 size 128 | libevent_malloc: new ptr-libevent@0x55a57d93cdd8 size 16 | setup callback for interface eth0 192.1.3.209:500 fd 17 | certs and keys locked by 'free_preshared_secrets' | certs and keys unlocked by 'free_preshared_secrets' loading secrets from "/etc/ipsec.secrets" | id type added to secret(0x55a57d84ac48) PKK_PSK: %any | id type added to secret(0x55a57d84ac48) PKK_PSK: %any | Processing PSK at line 10: passed | certs and keys locked by 'process_secret' | certs and keys unlocked by 'process_secret' | id type added to secret(0x55a57d93cf58) PKK_PSK: @west | id type added to secret(0x55a57d93cf58) PKK_PSK: @east | Processing PSK at line 12: passed | certs and keys locked by 'process_secret' | certs and keys unlocked by 'process_secret' | id type added to secret(0x55a57d93d1f8) PKK_PSK: @roadrandom | id type added to secret(0x55a57d93d1f8) PKK_PSK: @east | Processing PSK at line 13: passed | certs and keys locked by 'process_secret' | certs and keys unlocked by 'process_secret' | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.677 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) listening for IKE messages | Inspecting interface lo | found lo with address 127.0.0.1 | Inspecting interface eth0 | found eth0 with address 192.1.3.209 | no interfaces to sort | libevent_free: release ptr-libevent@0x55a57d931088 | free_event_entry: release EVENT_NULL-pe@0x55a57d93cb58 | add_fd_read_event_handler: new ethX-pe@0x55a57d93cb58 | libevent_malloc: new ptr-libevent@0x55a57d931088 size 128 | setup callback for interface lo 127.0.0.1:4500 fd 20 | libevent_free: release ptr-libevent@0x55a57d8f23b8 | free_event_entry: release EVENT_NULL-pe@0x55a57d93cc08 | add_fd_read_event_handler: new ethX-pe@0x55a57d93cc08 | libevent_malloc: new ptr-libevent@0x55a57d8f23b8 size 128 | setup callback for interface lo 127.0.0.1:500 fd 19 | libevent_free: release ptr-libevent@0x55a57d8f4a58 | free_event_entry: release EVENT_NULL-pe@0x55a57d93ccb8 | add_fd_read_event_handler: new ethX-pe@0x55a57d93ccb8 | libevent_malloc: new ptr-libevent@0x55a57d8f4a58 size 128 | setup callback for interface eth0 192.1.3.209:4500 fd 18 | libevent_free: release ptr-libevent@0x55a57d8f1508 | free_event_entry: release EVENT_NULL-pe@0x55a57d93cd68 | add_fd_read_event_handler: new ethX-pe@0x55a57d93cd68 | libevent_malloc: new ptr-libevent@0x55a57d8f1508 size 128 | setup callback for interface eth0 192.1.3.209:500 fd 17 | certs and keys locked by 'free_preshared_secrets' forgetting secrets | certs and keys unlocked by 'free_preshared_secrets' loading secrets from "/etc/ipsec.secrets" | id type added to secret(0x55a57d84ac48) PKK_PSK: %any | id type added to secret(0x55a57d84ac48) PKK_PSK: %any | Processing PSK at line 10: passed | certs and keys locked by 'process_secret' | certs and keys unlocked by 'process_secret' | id type added to secret(0x55a57d93cf58) PKK_PSK: @west | id type added to secret(0x55a57d93cf58) PKK_PSK: @east | Processing PSK at line 12: passed | certs and keys locked by 'process_secret' | certs and keys unlocked by 'process_secret' | id type added to secret(0x55a57d93d1f8) PKK_PSK: @roadrandom | id type added to secret(0x55a57d93d1f8) PKK_PSK: @east | Processing PSK at line 13: passed | certs and keys locked by 'process_secret' | certs and keys unlocked by 'process_secret' | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.187 milliseconds in whack | processing signal PLUTO_SIGCHLD | waitpid returned pid 9522 (exited with status 0) | reaped addconn helper child (status 0) | waitpid returned ECHILD (no child processes left) | spent 0.0169 milliseconds in signal handler PLUTO_SIGCHLD | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) | FOR_EACH_CONNECTION_... in conn_by_name | FOR_EACH_CONNECTION_... in foreach_connection_by_alias | FOR_EACH_CONNECTION_... in conn_by_name | FOR_EACH_CONNECTION_... in foreach_connection_by_alias | FOR_EACH_CONNECTION_... in conn_by_name | Added new connection xauth-road-eastnet-psk with policy PSK+ENCRYPT+TUNNEL+PFS+XAUTH+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO | ike (phase1) algorithm values: 3DES_CBC-HMAC_SHA1-MODP2048, 3DES_CBC-HMAC_SHA1-MODP1536 | counting wild cards for @roadrandom is 0 | counting wild cards for @east is 0 | connect_to_host_pair: 192.1.3.209:500 192.1.2.23:500 -> hp@(nil): none | new hp@0x55a57d93e378 added connection description "xauth-road-eastnet-psk" | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: PSK+ENCRYPT+TUNNEL+PFS+XAUTH+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO | 192.1.3.209[@roadrandom,+XC+S=C]---192.1.3.254...192.1.2.23<192.1.2.23>[@east,+XS+S=C]===192.0.2.0/24 | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.14 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) | dup_any(fd@16) -> fd@21 (in whack_process() at rcv_whack.c:590) | FOR_EACH_CONNECTION_... in conn_by_name | start processing: connection "xauth-road-eastnet-psk" (in initiate_a_connection() at initiate.c:186) | empty esp_info, returning defaults for ENCRYPT | connection 'xauth-road-eastnet-psk' +POLICY_UP | dup_any(fd@21) -> fd@22 (in initiate_a_connection() at initiate.c:342) | FOR_EACH_STATE_... in find_phase1_state "xauth-road-eastnet-psk": IKEv1 Aggressive Mode with PSK is vulnerable to dictionary attacks and is cracked on large scale by TLA's | creating state object #1 at 0x55a57d93e8e8 | State DB: adding IKEv1 state #1 in UNDEFINED | pstats #1 ikev1.isakmp started | parent state #1: UNDEFINED(ignore) => AGGR_I1(half-open IKE SA) | suspend processing: connection "xauth-road-eastnet-psk" (in aggr_outI1() at ikev1_aggr.c:1015) | start processing: state #1 connection "xauth-road-eastnet-psk" from 192.1.2.23 (in aggr_outI1() at ikev1_aggr.c:1015) | oakley_alg_makedb() processing ealg=3des_cbc=5 halg=sha=2 modp=MODP2048=14 eklen=0 | oakley_alg_makedb() processing ealg=3des_cbc=5 halg=sha=2 modp=MODP1536=5 eklen=0 "xauth-road-eastnet-psk" #1: multiple DH groups in aggressive mode can cause interop failure "xauth-road-eastnet-psk" #1: Deleting previous proposal in the hopes of selecting DH 2 or DH 5 | oakley_alg_makedb() returning 0x55a57d93e608 | initiating aggressive mode with IKE=E=5-H=2-M=5 | dup_any(fd@22) -> fd@23 (in aggr_outI1() at ikev1_aggr.c:1031) | Queuing pending IPsec SA negotiating with 192.1.2.23 "xauth-road-eastnet-psk" IKE SA #1 "xauth-road-eastnet-psk" "xauth-road-eastnet-psk" #1: initiating Aggressive Mode | adding aggr_outI1 KE + nonce work-order 1 for state #1 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55a57d93e6f8 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 | libevent_malloc: new ptr-libevent@0x55a57d8f1608 size 128 | #1 spent 0.13 milliseconds in aggr_outI1() | processing: RESET whack log_fd (was fd@16) (in aggr_outI1() at ikev1_aggr.c:1054) | crypto helper 0 resuming | crypto helper 0 starting work-order 1 for state #1 | crypto helper 0 doing build KE and nonce (aggr_outI1 KE + nonce); request ID 1 | crypto helper 0 finished build KE and nonce (aggr_outI1 KE + nonce); request ID 1 time elapsed 0.000612 seconds | (#1) spent 0.618 milliseconds in crypto helper computing work-order 1: aggr_outI1 KE + nonce (pcr) | crypto helper 0 sending results from work-order 1 for state #1 to event queue | scheduling resume sending helper answer for #1 | libevent_malloc: new ptr-libevent@0x7faebc001af8 size 128 | crypto helper 0 waiting (nothing to do) | RESET processing: state #1 connection "xauth-road-eastnet-psk" from 192.1.2.23 (in aggr_outI1() at ikev1_aggr.c:1054) | RESET processing: connection "xauth-road-eastnet-psk" (in aggr_outI1() at ikev1_aggr.c:1054) | processing: STOP connection NULL (in initiate_a_connection() at initiate.c:349) | close_any(fd@21) (in initiate_connection() at initiate.c:372) | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.199 milliseconds in whack | processing resume sending helper answer for #1 | start processing: state #1 connection "xauth-road-eastnet-psk" from 192.1.2.23 (in resume_handler() at server.c:797) | crypto helper 0 replies to request ID 1 | calling continuation function 0x55a57c753b50 | aggr_outI1_continue for #1: calculated ke+nonce, sending I1 | aggr_outI1_tail for #1 | **emit ISAKMP Message: | initiator cookie: | 7f bf 3c c4 b7 4e 59 de | responder cookie: | 00 00 00 00 00 00 00 00 | next payload type: ISAKMP_NEXT_SA (0x1) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_AGGR (0x4) | flags: none (0x0) | Message ID: 0 (0x0) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | next payload chain: ignoring supplied 'ISAKMP Message'.'next payload type' value 1:ISAKMP_NEXT_SA | oakley_alg_makedb() processing ealg=3des_cbc=5 halg=sha=2 modp=MODP2048=14 eklen=0 | oakley_alg_makedb() processing ealg=3des_cbc=5 halg=sha=2 modp=MODP1536=5 eklen=0 "xauth-road-eastnet-psk" #1: multiple DH groups in aggressive mode can cause interop failure "xauth-road-eastnet-psk" #1: Deleting previous proposal in the hopes of selecting DH 2 or DH 5 | oakley_alg_makedb() returning 0x55a57d93e768 | ***emit ISAKMP Security Association Payload: | next payload type: ISAKMP_NEXT_KE (0x4) | DOI: ISAKMP_DOI_IPSEC (0x1) | next payload chain: ignoring supplied 'ISAKMP Security Association Payload'.'next payload type' value 4:ISAKMP_NEXT_KE | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Security Association Payload (1:ISAKMP_NEXT_SA) | next payload chain: saving location 'ISAKMP Security Association Payload'.'next payload type' in 'reply packet' | ****emit IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ikev1_out_sa pcn: 0 has 1 valid proposals | ikev1_out_sa pcn: 0 pn: 0<1 valid_count: 1 trans_cnt: 1 | ****emit ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | proposal number: 0 (0x0) | protocol ID: PROTO_ISAKMP (0x1) | SPI size: 0 (0x0) | number of transforms: 1 (0x1) | last substructure: saving location 'ISAKMP Security Association Payload'.'ISAKMP Proposal Payload'.'next payload type' | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP transform number: 0 (0x0) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 5 (0x5) | [5 is OAKLEY_3DES_CBC] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 2 (0x2) | [2 is OAKLEY_SHA1] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 65001 (0xfde9) | [65001 is XAUTHInitPreShared] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 5 (0x5) | [5 is OAKLEY_GROUP_MODP1536] | emitting length of ISAKMP Transform Payload (ISAKMP): 32 | emitting length of ISAKMP Proposal Payload: 40 | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is 0 | emitting length of ISAKMP Security Association Payload: 52 | last substructure: checking 'ISAKMP Security Association Payload'.'ISAKMP Proposal Payload'.'next payload type' is 0 | ***emit ISAKMP Key Exchange Payload: | next payload type: ISAKMP_NEXT_NONCE (0xa) | next payload chain: ignoring supplied 'ISAKMP Key Exchange Payload'.'next payload type' value 10:ISAKMP_NEXT_NONCE | next payload chain: setting previous 'ISAKMP Security Association Payload'.'next payload type' to current ISAKMP Key Exchange Payload (4:ISAKMP_NEXT_KE) | next payload chain: saving location 'ISAKMP Key Exchange Payload'.'next payload type' in 'reply packet' | emitting 192 raw bytes of keyex value into ISAKMP Key Exchange Payload | keyex value d6 fd b5 0b 69 0c c7 0b a1 37 90 17 bc c1 9f 95 | keyex value 3c 5c 8c 76 94 00 6e 0b f0 e1 91 12 a8 5d 09 36 | keyex value 09 76 33 6a 48 9e 85 ce 04 91 71 b2 99 d5 b9 69 | keyex value b6 54 e9 1a 29 b0 28 fb 87 d7 09 00 f4 49 7c b2 | keyex value 48 28 6b 74 ff c8 aa 62 7e 53 9f 75 9f 6d 56 5f | keyex value 4c e9 c5 e7 e8 eb cb bd de 6e 11 99 0e 38 9f 7a | keyex value fd c4 e6 3d 2d 63 cd a9 25 8a d9 a2 b7 80 9b 98 | keyex value 6b 3d d3 18 35 c7 a7 80 78 5c d5 b6 76 c2 b0 e5 | keyex value 57 c1 85 37 ca d4 a9 6a 99 e4 35 f0 68 22 9a 4f | keyex value 6a ba 18 a6 32 79 29 57 4c 59 d8 a1 d2 1a 71 a1 | keyex value 91 90 7d 2b 37 c3 9a c4 c1 f6 75 25 50 f8 ac 9b | keyex value d4 99 ff 4c 27 d4 f1 07 02 ab 8f c4 40 dd 97 3d | emitting length of ISAKMP Key Exchange Payload: 196 | ***emit ISAKMP Nonce Payload: | next payload type: ISAKMP_NEXT_ID (0x5) | next payload chain: ignoring supplied 'ISAKMP Nonce Payload'.'next payload type' value 5:ISAKMP_NEXT_ID | next payload chain: setting previous 'ISAKMP Key Exchange Payload'.'next payload type' to current ISAKMP Nonce Payload (10:ISAKMP_NEXT_NONCE) | next payload chain: saving location 'ISAKMP Nonce Payload'.'next payload type' in 'reply packet' | emitting 32 raw bytes of Ni into ISAKMP Nonce Payload | Ni 11 57 94 71 f7 9f 4d 2d 37 25 e5 2e 8a 40 8e 23 | Ni 07 00 10 03 0e 94 0f 5e 4a 48 cc 13 b7 2f cb e5 | emitting length of ISAKMP Nonce Payload: 36 | ***emit ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_VID (0xd) | ID type: ID_FQDN (0x2) | Protocol ID: 0 (0x0) | port: 0 (0x0) | next payload chain: ignoring supplied 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' value 13:ISAKMP_NEXT_VID | next payload chain: setting previous 'ISAKMP Nonce Payload'.'next payload type' to current ISAKMP Identification Payload (IPsec DOI) (5:ISAKMP_NEXT_ID) | next payload chain: saving location 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' in 'reply packet' | emitting 10 raw bytes of my identity into ISAKMP Identification Payload (IPsec DOI) | my identity 72 6f 61 64 72 61 6e 64 6f 6d | emitting length of ISAKMP Identification Payload (IPsec DOI): 18 | out_vid(): sending [FRAGMENTATION] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | next payload chain: ignoring supplied 'ISAKMP Vendor ID Payload'.'next payload type' value 13:ISAKMP_NEXT_VID | next payload chain: setting previous 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID 40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3 | emitting length of ISAKMP Vendor ID Payload: 20 | out_vid(): sending [XAUTH] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | next payload chain: ignoring supplied 'ISAKMP Vendor ID Payload'.'next payload type' value 13:ISAKMP_NEXT_VID | next payload chain: setting previous 'ISAKMP Vendor ID Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 8 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID 09 00 26 89 df d6 b7 12 | emitting length of ISAKMP Vendor ID Payload: 12 | out_vid(): sending [Dead Peer Detection] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Vendor ID Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00 | emitting length of ISAKMP Vendor ID Payload: 20 | nat add vid | sending draft and RFC NATT VIDs | out_vid(): sending [RFC 3947] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | next payload chain: ignoring supplied 'ISAKMP Vendor ID Payload'.'next payload type' value 13:ISAKMP_NEXT_VID | next payload chain: setting previous 'ISAKMP Vendor ID Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID 4a 13 1c 81 07 03 58 45 5c 57 28 f2 0e 95 45 2f | emitting length of ISAKMP Vendor ID Payload: 20 | skipping VID_NATT_RFC | out_vid(): sending [draft-ietf-ipsec-nat-t-ike-03] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | next payload chain: ignoring supplied 'ISAKMP Vendor ID Payload'.'next payload type' value 13:ISAKMP_NEXT_VID | next payload chain: setting previous 'ISAKMP Vendor ID Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID 7d 94 19 a6 53 10 ca 6f 2c 17 9d 92 15 52 9d 56 | emitting length of ISAKMP Vendor ID Payload: 20 | out_vid(): sending [draft-ietf-ipsec-nat-t-ike-02_n] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | next payload chain: ignoring supplied 'ISAKMP Vendor ID Payload'.'next payload type' value 13:ISAKMP_NEXT_VID | next payload chain: setting previous 'ISAKMP Vendor ID Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID 90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f | emitting length of ISAKMP Vendor ID Payload: 20 | out_vid(): sending [draft-ietf-ipsec-nat-t-ike-02] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Vendor ID Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID cd 60 46 43 35 df 21 f8 7c fd b2 fc 68 b6 a4 48 | emitting length of ISAKMP Vendor ID Payload: 20 | padding IKEv1 message with 2 bytes | emitting 2 zero bytes of message padding into ISAKMP Message | emitting length of ISAKMP Message: 464 | sending 464 bytes for aggr_outI1 through eth0 from 192.1.3.209:500 to 192.1.2.23:500 (using #1) | 7f bf 3c c4 b7 4e 59 de 00 00 00 00 00 00 00 00 | 01 10 04 00 00 00 00 00 00 00 01 d0 04 00 00 34 | 00 00 00 01 00 00 00 01 00 00 00 28 00 01 00 01 | 00 00 00 20 00 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 05 80 02 00 02 80 03 fd e9 80 04 00 05 | 0a 00 00 c4 d6 fd b5 0b 69 0c c7 0b a1 37 90 17 | bc c1 9f 95 3c 5c 8c 76 94 00 6e 0b f0 e1 91 12 | a8 5d 09 36 09 76 33 6a 48 9e 85 ce 04 91 71 b2 | 99 d5 b9 69 b6 54 e9 1a 29 b0 28 fb 87 d7 09 00 | f4 49 7c b2 48 28 6b 74 ff c8 aa 62 7e 53 9f 75 | 9f 6d 56 5f 4c e9 c5 e7 e8 eb cb bd de 6e 11 99 | 0e 38 9f 7a fd c4 e6 3d 2d 63 cd a9 25 8a d9 a2 | b7 80 9b 98 6b 3d d3 18 35 c7 a7 80 78 5c d5 b6 | 76 c2 b0 e5 57 c1 85 37 ca d4 a9 6a 99 e4 35 f0 | 68 22 9a 4f 6a ba 18 a6 32 79 29 57 4c 59 d8 a1 | d2 1a 71 a1 91 90 7d 2b 37 c3 9a c4 c1 f6 75 25 | 50 f8 ac 9b d4 99 ff 4c 27 d4 f1 07 02 ab 8f c4 | 40 dd 97 3d 05 00 00 24 11 57 94 71 f7 9f 4d 2d | 37 25 e5 2e 8a 40 8e 23 07 00 10 03 0e 94 0f 5e | 4a 48 cc 13 b7 2f cb e5 0d 00 00 12 02 00 00 00 | 72 6f 61 64 72 61 6e 64 6f 6d 0d 00 00 14 40 48 | b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3 0d 00 | 00 0c 09 00 26 89 df d6 b7 12 0d 00 00 14 af ca | d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00 0d 00 | 00 14 4a 13 1c 81 07 03 58 45 5c 57 28 f2 0e 95 | 45 2f 0d 00 00 14 7d 94 19 a6 53 10 ca 6f 2c 17 | 9d 92 15 52 9d 56 0d 00 00 14 90 cb 80 91 3e bb | 69 6e 08 63 81 b5 ec 42 7b 1f 00 00 00 14 cd 60 | 46 43 35 df 21 f8 7c fd b2 fc 68 b6 a4 48 00 00 | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted | libevent_free: release ptr-libevent@0x55a57d8f1608 | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55a57d93e6f8 | event_schedule: new EVENT_RETRANSMIT-pe@0x55a57d93e6f8 | inserting event EVENT_RETRANSMIT, timeout in 0.5 seconds for #1 | libevent_malloc: new ptr-libevent@0x55a57d8f1608 size 128 | #1 STATE_AGGR_I1: retransmits: first event in 0.5 seconds; timeout in 60 seconds; limit of 12 retransmits; current time is 11255.639094 | stop processing: state #1 connection "xauth-road-eastnet-psk" from 192.1.2.23 (in aggr_outI1_tail() at ikev1_aggr.c:1199) | complete v1 state transition with STF_IGNORE | resume sending helper answer for #1 suppresed complete_v1_state_transition() | #1 spent 0.532 milliseconds in resume sending helper answer | processing: STOP state #0 (in resume_handler() at server.c:833) | libevent_free: release ptr-libevent@0x7faebc001af8 | spent 0.00289 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 468 bytes from 192.1.2.23:500 on eth0 (192.1.3.209:500) | 7f bf 3c c4 b7 4e 59 de 2a ec 8e 97 57 18 88 3a | 01 10 04 00 00 00 00 00 00 00 01 d4 04 00 00 34 | 00 00 00 01 00 00 00 01 00 00 00 28 00 01 00 01 | 00 00 00 20 00 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 05 80 02 00 02 80 03 fd e9 80 04 00 05 | 0a 00 00 c4 c4 b0 b2 2f cf bf 0c 3c 8f a0 81 f4 | 08 cb 04 d4 29 f3 70 51 5b e7 85 ee 5f f8 1c 70 | 1c bc 0d bd 94 72 d3 0f 9e 56 c3 e8 e1 ae eb 00 | d8 ae df dd 41 3f d9 c2 a3 98 15 ea fe 18 23 55 | a8 c7 02 0f cb 85 82 fe 88 78 37 18 31 b8 77 1e | 75 cb 58 33 40 9c f6 e1 f3 2d eb 87 d2 24 61 cf | 26 ec 16 48 8e d9 8e a9 c1 5b 1e 88 f9 69 ba 1b | e1 3c 40 6a 07 28 b9 46 a3 7f de 27 4a be 2c e6 | f8 2b 55 09 ed 85 18 8b 35 ae fd b9 e6 82 90 a4 | 57 f6 2b bb 9d ad 4f 14 a7 19 89 17 39 05 0d f7 | 1e 24 f9 f6 22 96 fc 2b b0 1a 44 bb be 49 8b 9f | 0a 38 ff 93 af f3 4c 3a 7e 5f f0 85 ae 8a 61 8e | 50 95 ea cf 05 00 00 24 70 f3 e3 da f8 60 e2 4f | 30 4b 25 33 a7 8f 0a 7e ac 97 54 1c f2 40 b9 4f | 28 44 02 eb 5f d4 a8 ca 08 00 00 0c 02 00 00 00 | 65 61 73 74 0d 00 00 18 30 a8 ef 26 6a 7e c1 1d | ed f9 b9 41 b3 50 b4 c3 27 46 c3 3f 0d 00 00 14 | 40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3 | 0d 00 00 0c 09 00 26 89 df d6 b7 12 0d 00 00 14 | af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00 | 14 00 00 14 4a 13 1c 81 07 03 58 45 5c 57 28 f2 | 0e 95 45 2f 14 00 00 18 c7 f8 89 b2 d5 9c 97 33 | 1e 5f 37 7e d7 61 f6 da ea 94 ef de 00 00 00 18 | 36 eb 24 47 62 43 84 eb c7 64 e8 12 ef 20 73 9d | 2b b4 38 87 | start processing: from 192.1.2.23:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 7f bf 3c c4 b7 4e 59 de | responder cookie: | 2a ec 8e 97 57 18 88 3a | next payload type: ISAKMP_NEXT_SA (0x1) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_AGGR (0x4) | flags: none (0x0) | Message ID: 0 (0x0) | length: 468 (0x1d4) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_AGGR (4) | State DB: IKEv1 state not found (find_state_ikev1) | State DB: found IKEv1 state #1 in AGGR_I1 (find_state_ikev1_init) | start processing: state #1 connection "xauth-road-eastnet-psk" from 192.1.2.23 (in process_v1_packet() at ikev1.c:1459) | #1 is idle | #1 idle | got payload 0x2 (ISAKMP_NEXT_SA) needed: 0x532 opt: 0x102000 | ***parse ISAKMP Security Association Payload: | next payload type: ISAKMP_NEXT_KE (0x4) | length: 52 (0x34) | DOI: ISAKMP_DOI_IPSEC (0x1) | got payload 0x10 (ISAKMP_NEXT_KE) needed: 0x530 opt: 0x102000 | ***parse ISAKMP Key Exchange Payload: | next payload type: ISAKMP_NEXT_NONCE (0xa) | length: 196 (0xc4) | got payload 0x400 (ISAKMP_NEXT_NONCE) needed: 0x520 opt: 0x102000 | ***parse ISAKMP Nonce Payload: | next payload type: ISAKMP_NEXT_ID (0x5) | length: 36 (0x24) | got payload 0x20 (ISAKMP_NEXT_ID) needed: 0x120 opt: 0x102000 | ***parse ISAKMP Identification Payload: | next payload type: ISAKMP_NEXT_HASH (0x8) | length: 12 (0xc) | ID type: ID_FQDN (0x2) | DOI specific A: 0 (0x0) | DOI specific B: 0 (0x0) | obj: 65 61 73 74 | got payload 0x100 (ISAKMP_NEXT_HASH) needed: 0x100 opt: 0x102000 | ***parse ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 24 (0x18) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x102000 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 20 (0x14) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x102000 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 12 (0xc) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x102000 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 20 (0x14) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x102000 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_NATD_RFC (0x14) | length: 20 (0x14) | got payload 0x100000 (ISAKMP_NEXT_NATD_RFC) needed: 0x0 opt: 0x102000 | ***parse ISAKMP NAT-D Payload: | next payload type: ISAKMP_NEXT_NATD_RFC (0x14) | length: 24 (0x18) | got payload 0x100000 (ISAKMP_NEXT_NATD_RFC) needed: 0x0 opt: 0x102000 | ***parse ISAKMP NAT-D Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 24 (0x18) | message 'aggr_inR1_outI2' HASH payload not checked early | received Vendor ID payload [FRAGMENTATION] | received Vendor ID payload [XAUTH] | received Vendor ID payload [Dead Peer Detection] | quirks.qnat_traversal_vid set to=117 [RFC 3947] | received Vendor ID payload [RFC 3947] "xauth-road-eastnet-psk" #1: Peer ID is ID_FQDN: '@east' | X509: no CERT payloads to process | ****parse IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ****parse ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 40 (0x28) | proposal number: 0 (0x0) | protocol ID: PROTO_ISAKMP (0x1) | SPI size: 0 (0x0) | number of transforms: 1 (0x1) | *****parse ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 32 (0x20) | ISAKMP transform number: 0 (0x0) | ISAKMP transform ID: KEY_IKE (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 5 (0x5) | [5 is OAKLEY_3DES_CBC] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 2 (0x2) | [2 is OAKLEY_SHA1] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 65001 (0xfde9) | [65001 is XAUTHInitPreShared] | started looking for secret for @roadrandom->@east of kind PKK_PSK | actually looking for secret for @roadrandom->@east of kind PKK_PSK | line 12: key type PKK_PSK(@roadrandom) to type PKK_PSK | 1: compared key @east to @roadrandom / @east -> 004 | 2: compared key @roadrandom to @roadrandom / @east -> 014 | line 12: match=014 | match 014 beats previous best_match 000 match=0x55a57d93d1f8 (line=12) | line 10: key type PKK_PSK(@roadrandom) to type PKK_PSK | 1: compared key @east to @roadrandom / @east -> 004 | 2: compared key @west to @roadrandom / @east -> 004 | line 10: match=004 | line 9: key type PKK_PSK(@roadrandom) to type PKK_PSK | 1: compared key %any to @roadrandom / @east -> 002 | 2: compared key %any to @roadrandom / @east -> 002 | line 9: match=002 | match 002 loses to best_match 014 | concluding with best_match=014 best=0x55a57d93d1f8 (lineno=12) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 5 (0x5) | [5 is OAKLEY_GROUP_MODP1536] | OAKLEY proposal verified; matching alg_info found | Oakley Transform 0 accepted | sender checking NAT-T: enabled; VID 117 | returning NAT-T method NAT_TRAVERSAL_METHOD_IETF_RFC | enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal) | State DB: re-hashing IKEv1 state #1 IKE SPIi and SPI[ir] | init checking NAT-T: enabled; RFC 3947 (NAT-Traversal) | natd_hash: hasher=0x55a57c828800(20) | natd_hash: icookie= 7f bf 3c c4 b7 4e 59 de | natd_hash: rcookie= 2a ec 8e 97 57 18 88 3a | natd_hash: ip= c0 01 03 d1 | natd_hash: port=500 | natd_hash: hash= c7 f8 89 b2 d5 9c 97 33 1e 5f 37 7e d7 61 f6 da | natd_hash: hash= ea 94 ef de | natd_hash: hasher=0x55a57c828800(20) | natd_hash: icookie= 7f bf 3c c4 b7 4e 59 de | natd_hash: rcookie= 2a ec 8e 97 57 18 88 3a | natd_hash: ip= c0 01 02 17 | natd_hash: port=500 | natd_hash: hash= 36 eb 24 47 62 43 84 eb c7 64 e8 12 ef 20 73 9d | natd_hash: hash= 2b b4 38 87 | expected NAT-D(me): c7 f8 89 b2 d5 9c 97 33 1e 5f 37 7e d7 61 f6 da | expected NAT-D(me): ea 94 ef de | expected NAT-D(him): | 36 eb 24 47 62 43 84 eb c7 64 e8 12 ef 20 73 9d | 2b b4 38 87 | received NAT-D: c7 f8 89 b2 d5 9c 97 33 1e 5f 37 7e d7 61 f6 da | received NAT-D: ea 94 ef de | received NAT-D: 36 eb 24 47 62 43 84 eb c7 64 e8 12 ef 20 73 9d | received NAT-D: 2b b4 38 87 | NAT_TRAVERSAL encaps using auto-detect | NAT_TRAVERSAL this end is NOT behind NAT | NAT_TRAVERSAL that end is NOT behind NAT | NAT_TRAVERSAL nat-keepalive enabled 192.1.2.23 | NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: no NAT detected | NAT_T_WITH_KA detected | global one-shot timer EVENT_NAT_T_KEEPALIVE scheduled in 20 seconds | started looking for secret for @roadrandom->@east of kind PKK_PSK | actually looking for secret for @roadrandom->@east of kind PKK_PSK | line 12: key type PKK_PSK(@roadrandom) to type PKK_PSK | 1: compared key @east to @roadrandom / @east -> 004 | 2: compared key @roadrandom to @roadrandom / @east -> 014 | line 12: match=014 | match 014 beats previous best_match 000 match=0x55a57d93d1f8 (line=12) | line 10: key type PKK_PSK(@roadrandom) to type PKK_PSK | 1: compared key @east to @roadrandom / @east -> 004 | 2: compared key @west to @roadrandom / @east -> 004 | line 10: match=004 | line 9: key type PKK_PSK(@roadrandom) to type PKK_PSK | 1: compared key %any to @roadrandom / @east -> 002 | 2: compared key %any to @roadrandom / @east -> 002 | line 9: match=002 | match 002 loses to best_match 014 | concluding with best_match=014 best=0x55a57d93d1f8 (lineno=12) | adding aggr outR1 DH work-order 2 for state #1 | state #1 requesting EVENT_RETRANSMIT to be deleted | #1 STATE_AGGR_I1: retransmits: cleared | libevent_free: release ptr-libevent@0x55a57d8f1608 | free_event_entry: release EVENT_RETRANSMIT-pe@0x55a57d93e6f8 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55a57d93e6f8 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 | libevent_malloc: new ptr-libevent@0x55a57d8f1608 size 128 | complete v1 state transition with STF_SUSPEND | [RE]START processing: state #1 connection "xauth-road-eastnet-psk" from 192.1.2.23 (in complete_v1_state_transition() at ikev1.c:2648) | crypto helper 1 resuming | suspending state #1 and saving MD | crypto helper 1 starting work-order 2 for state #1 | #1 is busy; has a suspended MD | crypto helper 1 doing compute dh+iv (V1 Phase 1) (aggr outR1 DH); request ID 2 | #1 spent 0.217 milliseconds in process_packet_tail() | stop processing: from 192.1.2.23:500 (BACKGROUND) (in process_md() at demux.c:380) | stop processing: state #1 connection "xauth-road-eastnet-psk" from 192.1.2.23 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.41 milliseconds in comm_handle_cb() reading and processing packet | crypto helper 1 finished compute dh+iv (V1 Phase 1) (aggr outR1 DH); request ID 2 time elapsed 0.000544 seconds | (#1) spent 0.54 milliseconds in crypto helper computing work-order 2: aggr outR1 DH (pcr) | crypto helper 1 sending results from work-order 2 for state #1 to event queue | scheduling resume sending helper answer for #1 | libevent_malloc: new ptr-libevent@0x7faeb4000ed8 size 128 | crypto helper 1 waiting (nothing to do) | processing resume sending helper answer for #1 | start processing: state #1 connection "xauth-road-eastnet-psk" from 192.1.2.23 (in resume_handler() at server.c:797) | crypto helper 1 replies to request ID 2 | calling continuation function 0x55a57c753b50 | aggr inR1_outI2: calculated DH, sending I2 "xauth-road-eastnet-psk" #1: Peer ID is ID_FQDN: '@east' | X509: no CERT payloads to process | received 'Aggr' message HASH_R data ok | thinking about whether to send my certificate: | I have RSA key: OAKLEY_PRESHARED_KEY cert.type: 0?? | sendcert: CERT_ALWAYSSEND and I did not get a certificate request | so do not send cert. | I did not send a certificate because digital signatures are not being used. (PSK) | **emit ISAKMP Message: | initiator cookie: | 7f bf 3c c4 b7 4e 59 de | responder cookie: | 2a ec 8e 97 57 18 88 3a | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_AGGR (0x4) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 0 (0x0) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | sending NAT-D payloads | natd_hash: hasher=0x55a57c828800(20) | natd_hash: icookie= 7f bf 3c c4 b7 4e 59 de | natd_hash: rcookie= 2a ec 8e 97 57 18 88 3a | natd_hash: ip= c0 01 02 17 | natd_hash: port=500 | natd_hash: hash= 36 eb 24 47 62 43 84 eb c7 64 e8 12 ef 20 73 9d | natd_hash: hash= 2b b4 38 87 | ***emit ISAKMP NAT-D Payload: | next payload type: ISAKMP_NEXT_NATD_RFC (0x14) | next payload chain: ignoring supplied 'ISAKMP NAT-D Payload'.'next payload type' value 20:ISAKMP_NEXT_NATD_RFC | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP NAT-D Payload (20:ISAKMP_NEXT_NATD_RFC) | next payload chain: saving location 'ISAKMP NAT-D Payload'.'next payload type' in 'reply packet' | emitting 20 raw bytes of NAT-D into ISAKMP NAT-D Payload | NAT-D 36 eb 24 47 62 43 84 eb c7 64 e8 12 ef 20 73 9d | NAT-D 2b b4 38 87 | emitting length of ISAKMP NAT-D Payload: 24 | natd_hash: hasher=0x55a57c828800(20) | natd_hash: icookie= 7f bf 3c c4 b7 4e 59 de | natd_hash: rcookie= 2a ec 8e 97 57 18 88 3a | natd_hash: ip= c0 01 03 d1 | natd_hash: port=500 | natd_hash: hash= c7 f8 89 b2 d5 9c 97 33 1e 5f 37 7e d7 61 f6 da | natd_hash: hash= ea 94 ef de | ***emit ISAKMP NAT-D Payload: | next payload type: ISAKMP_NEXT_HASH (0x8) | next payload chain: ignoring supplied 'ISAKMP NAT-D Payload'.'next payload type' value 8:ISAKMP_NEXT_HASH | next payload chain: setting previous 'ISAKMP NAT-D Payload'.'next payload type' to current ISAKMP NAT-D Payload (20:ISAKMP_NEXT_NATD_RFC) | next payload chain: saving location 'ISAKMP NAT-D Payload'.'next payload type' in 'reply packet' | emitting 20 raw bytes of NAT-D into ISAKMP NAT-D Payload | NAT-D c7 f8 89 b2 d5 9c 97 33 1e 5f 37 7e d7 61 f6 da | NAT-D ea 94 ef de | emitting length of ISAKMP NAT-D Payload: 24 | next payload chain: creating a fake payload for hashing identity | **emit ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_NONE (0x0) | ID type: ID_FQDN (0x2) | Protocol ID: 0 (0x0) | port: 0 (0x0) | next payload chain: no previous for current ISAKMP Identification Payload (IPsec DOI) (5:ISAKMP_NEXT_ID); assumed to be fake | emitting 10 raw bytes of my identity into ISAKMP Identification Payload (IPsec DOI) | my identity 72 6f 61 64 72 61 6e 64 6f 6d | emitting length of ISAKMP Identification Payload (IPsec DOI): 18 | ***emit ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP NAT-D Payload'.'next payload type' to current ISAKMP Hash Payload (8:ISAKMP_NEXT_HASH) | next payload chain: saving location 'ISAKMP Hash Payload'.'next payload type' in 'reply packet' | emitting 20 raw bytes of HASH_I into ISAKMP Hash Payload | HASH_I 44 7b 15 68 09 12 e3 b2 12 f3 9e 58 89 73 61 95 | HASH_I c8 1b ed 9f | emitting length of ISAKMP Hash Payload: 24 | no IKEv1 message padding required | emitting length of ISAKMP Message: 100 | phase 1 complete | FOR_EACH_CONNECTION_... in ISAKMP_SA_established | complete v1 state transition with STF_OK | [RE]START processing: state #1 connection "xauth-road-eastnet-psk" from 192.1.2.23 (in complete_v1_state_transition() at ikev1.c:2673) | #1 is idle | doing_xauth:yes, t_xauth_client_done:no | peer supports fragmentation | peer supports DPD | IKEv1: transition from state STATE_AGGR_I1 to state STATE_AGGR_I2 | parent state #1: AGGR_I1(half-open IKE SA) => AGGR_I2(established IKE SA) | event_already_set, deleting event | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted | libevent_free: release ptr-libevent@0x55a57d8f1608 | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55a57d93e6f8 | sending reply packet to 192.1.2.23:500 (from 192.1.3.209:500) | sending 100 bytes for STATE_AGGR_I1 through eth0 from 192.1.3.209:500 to 192.1.2.23:500 (using #1) | 7f bf 3c c4 b7 4e 59 de 2a ec 8e 97 57 18 88 3a | 14 10 04 01 00 00 00 00 00 00 00 64 1d 80 b0 5e | 84 ad a0 34 67 41 65 7b dd 4e 57 5c 28 8c 5a 02 | 21 18 f8 15 e3 9a d3 c0 e2 df 36 3d 9f 33 4e 2a | cf 63 f4 b1 8a 94 26 aa 85 84 c6 8c c1 b4 10 ff | a3 9e 93 b6 72 b9 98 db 7f 4b d4 7c b1 40 1e 58 | a3 e0 58 d0 | !event_already_set at reschedule | event_schedule: new EVENT_SA_REPLACE-pe@0x55a57d93e6f8 | inserting event EVENT_SA_REPLACE, timeout in 2607 seconds for #1 | libevent_malloc: new ptr-libevent@0x55a57d93f8c8 size 128 | pstats #1 ikev1.isakmp established "xauth-road-eastnet-psk" #1: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=PRESHARED_KEY cipher=3DES_CBC_192 integ=HMAC_SHA1 group=MODP1536} | DPD: dpd_init() called on ISAKMP SA | DPD: Peer supports Dead Peer Detection | DPD: not initializing DPD because DPD is disabled locally | XAUTH client is not yet authenticated | resume sending helper answer for #1 suppresed complete_v1_state_transition() | #1 spent 0.368 milliseconds in resume sending helper answer | stop processing: state #1 connection "xauth-road-eastnet-psk" from 192.1.2.23 (in resume_handler() at server.c:833) | libevent_free: release ptr-libevent@0x7faeb4000ed8 | spent 0.00271 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 68 bytes from 192.1.2.23:500 on eth0 (192.1.3.209:500) | 7f bf 3c c4 b7 4e 59 de 2a ec 8e 97 57 18 88 3a | 08 10 06 01 29 bc be 71 00 00 00 44 24 41 d6 e1 | 79 14 1f a8 26 a2 22 26 8b 42 2e 69 ac be b2 31 | e7 7e 14 d7 70 b9 47 48 46 b9 23 48 33 a5 87 b0 | db 8b ed 94 | start processing: from 192.1.2.23:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 7f bf 3c c4 b7 4e 59 de | responder cookie: | 2a ec 8e 97 57 18 88 3a | next payload type: ISAKMP_NEXT_HASH (0x8) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_MODE_CFG (0x6) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 700235377 (0x29bcbe71) | length: 68 (0x44) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_MODE_CFG (6) | peer and cookies match on #1; msgid=29bcbe71 st_msgid=00000000 st_msgid_phase15=00000000 | State DB: IKEv1 state not found (find_v1_info_state) | No appropriate Mode Config state yet. See if we have a Main Mode state | peer and cookies match on #1; msgid=00000000 st_msgid=00000000 st_msgid_phase15=00000000 | p15 state object #1 found, in STATE_AGGR_I2 | State DB: found IKEv1 state #1 in AGGR_I2 (find_v1_info_state) | start processing: state #1 connection "xauth-road-eastnet-psk" from 192.1.2.23 (in process_v1_packet() at ikev1.c:1678) | processing received isakmp_xchg_type ISAKMP_XCHG_MODE_CFG. | this is a xauthclient | call init_phase2_iv | set from_state to STATE_AGGR_I2 this is xauthclient and IS_PHASE1() is TRUE | #1 is idle | #1 idle | received encrypted packet from 192.1.2.23:500 | got payload 0x100 (ISAKMP_NEXT_HASH) needed: 0x4100 opt: 0x2000 | ***parse ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_MODECFG (0xe) | length: 24 (0x18) | got payload 0x4000 (ISAKMP_NEXT_MODECFG) needed: 0x4000 opt: 0x2000 | ***parse ISAKMP Mode Attribute: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 16 (0x10) | Attr Msg Type: ISAKMP_CFG_REQUEST (0x1) | Identifier: 0 (0x0) | xauth_inI0 HASH(1): | 1f c0 fd b5 bc 49 e3 fd 9b 83 d6 d2 69 64 8f e6 | 86 8f c7 f9 | received 'xauth_inI0' message HASH(1) data ok | **emit ISAKMP Message: | initiator cookie: | 7f bf 3c c4 b7 4e 59 de | responder cookie: | 2a ec 8e 97 57 18 88 3a | next payload type: ISAKMP_NEXT_HASH (0x8) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_MODE_CFG (0x6) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 700235377 (0x29bcbe71) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | next payload chain: ignoring supplied 'ISAKMP Message'.'next payload type' value 8:ISAKMP_NEXT_HASH | arrived in xauth_inI0 | ****parse ISAKMP ModeCfg attribute: | ModeCfg attr type: XAUTH-USER-NAME (0x4089) | length/value: 0 (0x0) | Received Cisco XAUTH username | ****parse ISAKMP ModeCfg attribute: | ModeCfg attr type: XAUTH-USER-PASSWORD (0x408a) | length/value: 0 (0x0) | Received Cisco XAUTH password | XAUTH: Username or password request received | ***emit ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Hash Payload (8:ISAKMP_NEXT_HASH) | next payload chain: saving location 'ISAKMP Hash Payload'.'next payload type' in 'reply packet' | emitting 20 zero bytes of HASH DATA into ISAKMP Hash Payload | emitting length of ISAKMP Hash Payload: 24 | ***emit ISAKMP Mode Attribute: | next payload type: ISAKMP_NEXT_NONE (0x0) | Attr Msg Type: ISAKMP_CFG_REPLY (0x2) | Identifier: 0 (0x0) | next payload chain: setting previous 'ISAKMP Hash Payload'.'next payload type' to current ISAKMP Mode Attribute (14:ISAKMP_NEXT_MODECFG) | next payload chain: saving location 'ISAKMP Mode Attribute'.'next payload type' in 'reply packet' | ****emit ISAKMP ModeCfg attribute: | ModeCfg attr type: XAUTH-USER-NAME (0x4089) | prompting for Username: | emitting 4 raw bytes of XAUTH username into ISAKMP ModeCfg attribute | XAUTH username 75 73 65 32 | emitting length of ISAKMP ModeCfg attribute: 4 | ****emit ISAKMP ModeCfg attribute: | ModeCfg attr type: XAUTH-USER-PASSWORD (0x408a) | started looking for xauth secret for use2 | line 12: key type PKK_XAUTH(@use2) to type PKK_PSK | line 10: key type PKK_XAUTH(@use2) to type PKK_PSK | line 9: key type PKK_XAUTH(@use2) to type PKK_PSK | concluding with best_match=000 best=(nil) (lineno=-1) | looked up username=use2, got=(nil) | prompting for Password: | emitting 8 raw bytes of XAUTH password into ISAKMP ModeCfg attribute | XAUTH password 75 73 65 31 70 61 73 73 | emitting length of ISAKMP ModeCfg attribute: 8 | emitting length of ISAKMP Mode Attribute: 28 "xauth-road-eastnet-psk" #1: XAUTH: Answering XAUTH challenge with user='use2' | XAUTH: client response HASH(1): | 0f 07 fc ad a9 b1 38 01 9a af e5 a3 44 5c 74 61 | d4 1e 94 77 | no IKEv1 message padding required | emitting length of ISAKMP Message: 80 | emitting 4 zero bytes of encryption padding into ISAKMP Message | no IKEv1 message padding required | emitting length of ISAKMP Message: 84 | xauth_inI0(STF_OK) | complete v1 state transition with STF_OK | [RE]START processing: state #1 connection "xauth-road-eastnet-psk" from 192.1.2.23 (in complete_v1_state_transition() at ikev1.c:2673) | #1 is idle | doing_xauth:yes, t_xauth_client_done:no | IKEv1: transition from state STATE_XAUTH_I0 to state STATE_XAUTH_I1 | parent state #1: AGGR_I2(established IKE SA) => XAUTH_I1(established IKE SA) | event_already_set, deleting event | state #1 requesting EVENT_SA_REPLACE to be deleted | libevent_free: release ptr-libevent@0x55a57d93f8c8 | free_event_entry: release EVENT_SA_REPLACE-pe@0x55a57d93e6f8 | sending reply packet to 192.1.2.23:500 (from 192.1.3.209:500) | sending 84 bytes for STATE_XAUTH_I0 through eth0 from 192.1.3.209:500 to 192.1.2.23:500 (using #1) | 7f bf 3c c4 b7 4e 59 de 2a ec 8e 97 57 18 88 3a | 08 10 06 01 29 bc be 71 00 00 00 54 13 9b 2b 8b | e0 4d c1 ef eb b6 22 42 0d 98 3b 15 d7 dd 83 b4 | a5 9a 7e ce bb 9a d7 e6 e9 fb ad a2 42 bb a8 9e | 23 e5 02 5d 2b 73 73 7d 28 18 fc d4 19 2e d2 fc | 31 a8 f3 23 | !event_already_set at reschedule | event_schedule: new EVENT_RETRANSMIT-pe@0x55a57d93e6f8 | inserting event EVENT_RETRANSMIT, timeout in 0.5 seconds for #1 | libevent_malloc: new ptr-libevent@0x7faeb4000ed8 size 128 | #1 STATE_XAUTH_I1: retransmits: first event in 0.5 seconds; timeout in 60 seconds; limit of 12 retransmits; current time is 11255.725151 | pstats #1 ikev1.isakmp established "xauth-road-eastnet-psk" #1: STATE_XAUTH_I1: XAUTH client - possibly awaiting CFG_set {auth=PRESHARED_KEY cipher=3DES_CBC_192 integ=HMAC_SHA1 group=MODP1536} | DPD: dpd_init() called on ISAKMP SA | DPD: Peer supports Dead Peer Detection | DPD: not initializing DPD because DPD is disabled locally | XAUTH client is not yet authenticated | #1 spent 0.466 milliseconds in process_packet_tail() | stop processing: from 192.1.2.23:500 (BACKGROUND) (in process_md() at demux.c:380) | stop processing: state #1 connection "xauth-road-eastnet-psk" from 192.1.2.23 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.596 milliseconds in comm_handle_cb() reading and processing packet | spent 0.00209 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 68 bytes from 192.1.2.23:500 on eth0 (192.1.3.209:500) | 7f bf 3c c4 b7 4e 59 de 2a ec 8e 97 57 18 88 3a | 08 10 06 01 ea c4 ab 95 00 00 00 44 76 e6 48 5d | 99 ee dc 98 e3 e6 22 a8 3f fa 8d 92 cf 54 00 7c | 4b 3e 3e b6 e1 77 09 d6 7a 65 d0 1f df 2b 1f b0 | b5 6f 36 40 | start processing: from 192.1.2.23:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 7f bf 3c c4 b7 4e 59 de | responder cookie: | 2a ec 8e 97 57 18 88 3a | next payload type: ISAKMP_NEXT_HASH (0x8) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_MODE_CFG (0x6) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 3938757525 (0xeac4ab95) | length: 68 (0x44) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_MODE_CFG (6) | peer and cookies match on #1; msgid=eac4ab95 st_msgid=00000000 st_msgid_phase15=00000000 | State DB: IKEv1 state not found (find_v1_info_state) | No appropriate Mode Config state yet. See if we have a Main Mode state | peer and cookies match on #1; msgid=00000000 st_msgid=00000000 st_msgid_phase15=00000000 | p15 state object #1 found, in STATE_XAUTH_I1 | State DB: found IKEv1 state #1 in XAUTH_I1 (find_v1_info_state) | start processing: state #1 connection "xauth-road-eastnet-psk" from 192.1.2.23 (in process_v1_packet() at ikev1.c:1678) | processing received isakmp_xchg_type ISAKMP_XCHG_MODE_CFG. | this is a xauthclient | call init_phase2_iv | set from_state to STATE_XAUTH_I1 this is xauthclient and state == STATE_XAUTH_I1 | #1 is idle | #1 idle | received encrypted packet from 192.1.2.23:500 | got payload 0x100 (ISAKMP_NEXT_HASH) needed: 0x4100 opt: 0x2000 | ***parse ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_MODECFG (0xe) | length: 24 (0x18) | got payload 0x4000 (ISAKMP_NEXT_MODECFG) needed: 0x4000 opt: 0x2000 | ***parse ISAKMP Mode Attribute: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 12 (0xc) | Attr Msg Type: ISAKMP_CFG_SET (0x3) | Identifier: 0 (0x0) | removing 4 bytes of padding | xauth_inI0 HASH(1): | 46 79 8e 40 fc e1 27 2d fc 6d 5c ee c0 d9 3e aa | 14 c1 ea 31 | received 'xauth_inI0' message HASH(1) data ok | **emit ISAKMP Message: | initiator cookie: | 7f bf 3c c4 b7 4e 59 de | responder cookie: | 2a ec 8e 97 57 18 88 3a | next payload type: ISAKMP_NEXT_HASH (0x8) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_MODE_CFG (0x6) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 3938757525 (0xeac4ab95) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | next payload chain: ignoring supplied 'ISAKMP Message'.'next payload type' value 8:ISAKMP_NEXT_HASH | arrived in xauth_inI0 | ****parse ISAKMP ModeCfg attribute: | ModeCfg attr type: AF+XAUTH-STATUS (0xc08f) | length/value: 1 (0x1) | Received Cisco XAUTH status: OK | ***emit ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Hash Payload (8:ISAKMP_NEXT_HASH) | next payload chain: saving location 'ISAKMP Hash Payload'.'next payload type' in 'reply packet' | emitting 20 zero bytes of HASH DATA into ISAKMP Hash Payload | emitting length of ISAKMP Hash Payload: 24 | ***emit ISAKMP Mode Attribute: | next payload type: ISAKMP_NEXT_NONE (0x0) | Attr Msg Type: ISAKMP_CFG_ACK (0x4) | Identifier: 0 (0x0) | next payload chain: setting previous 'ISAKMP Hash Payload'.'next payload type' to current ISAKMP Mode Attribute (14:ISAKMP_NEXT_MODECFG) | next payload chain: saving location 'ISAKMP Mode Attribute'.'next payload type' in 'reply packet' | ****emit ISAKMP ModeCfg attribute: | ModeCfg attr type: AF+XAUTH-STATUS (0xc08f) | length/value: 1 (0x1) | no IKEv1 message padding required | emitting length of ISAKMP Mode Attribute: 12 | XAUTH: ack status HASH(1): | ca 85 30 7e c5 7e c7 64 eb 2a c9 12 55 e9 7d 17 | fd ed 74 f9 | no IKEv1 message padding required | emitting length of ISAKMP Message: 64 | emitting 4 zero bytes of encryption padding into ISAKMP Message | no IKEv1 message padding required | emitting length of ISAKMP Message: 68 "xauth-road-eastnet-psk" #1: XAUTH: Successfully Authenticated | complete v1 state transition with STF_OK | [RE]START processing: state #1 connection "xauth-road-eastnet-psk" from 192.1.2.23 (in complete_v1_state_transition() at ikev1.c:2673) | #1 is idle | doing_xauth:no, t_xauth_client_done:yes | IKEv1: transition from state STATE_XAUTH_I0 to state STATE_XAUTH_I1 "xauth-road-eastnet-psk" #1: XAUTH completed; ModeCFG skipped as per configuration | parent state #1: XAUTH_I1(established IKE SA) => AGGR_I2(established IKE SA) | event_already_set, deleting event | state #1 requesting EVENT_RETRANSMIT to be deleted | #1 STATE_AGGR_I2: retransmits: cleared | libevent_free: release ptr-libevent@0x7faeb4000ed8 | free_event_entry: release EVENT_RETRANSMIT-pe@0x55a57d93e6f8 | sending reply packet to 192.1.2.23:500 (from 192.1.3.209:500) | sending 68 bytes for STATE_XAUTH_I0 through eth0 from 192.1.3.209:500 to 192.1.2.23:500 (using #1) | 7f bf 3c c4 b7 4e 59 de 2a ec 8e 97 57 18 88 3a | 08 10 06 01 ea c4 ab 95 00 00 00 44 07 03 6d be | 48 5f be ec 84 a6 68 0e 33 2f e0 19 a1 8b 04 fb | 8d 8a 23 01 b0 3f 3a 28 72 e3 5d 94 2c a8 4f 69 | 1c 26 d2 ac | !event_already_set at reschedule | fixup XAUTH without ModeCFG event from EVENT_RETRANSMIT to EVENT_SA_REPLACE | event_schedule: new EVENT_SA_REPLACE-pe@0x55a57d93e6f8 | inserting event EVENT_SA_REPLACE, timeout in 3330 seconds for #1 | libevent_malloc: new ptr-libevent@0x55a57d93f8c8 size 128 | pstats #1 ikev1.isakmp established "xauth-road-eastnet-psk" #1: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=PRESHARED_KEY cipher=3DES_CBC_192 integ=HMAC_SHA1 group=MODP1536} | DPD: dpd_init() called on ISAKMP SA | DPD: Peer supports Dead Peer Detection | DPD: not initializing DPD because DPD is disabled locally | modecfg pull: noquirk policy:push not-client | phase 1 is done, looking for phase 2 to unpend | unpending state #1 | creating state object #2 at 0x55a57d942b38 | State DB: adding IKEv1 state #2 in UNDEFINED | pstats #2 ikev1.ipsec started | duplicating state object #1 "xauth-road-eastnet-psk" as #2 for IPSEC SA | #2 setting local endpoint to 192.1.3.209:500 from #1.st_localport (in duplicate_state() at state.c:1484) | suspend processing: state #1 connection "xauth-road-eastnet-psk" from 192.1.2.23 (in quick_outI1() at ikev1_quick.c:685) | start processing: state #2 connection "xauth-road-eastnet-psk" from 192.1.2.23 (in quick_outI1() at ikev1_quick.c:685) | child state #2: UNDEFINED(ignore) => QUICK_I1(established CHILD SA) "xauth-road-eastnet-psk" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+XAUTH+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO {using isakmp#1 msgid:9a0698bb proposal=defaults pfsgroup=MODP1536} | adding quick_outI1 KE work-order 3 for state #2 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55a57d93f4c8 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #2 | libevent_malloc: new ptr-libevent@0x55a57d93f818 size 128 | stop processing: state #2 connection "xauth-road-eastnet-psk" from 192.1.2.23 (in quick_outI1() at ikev1_quick.c:764) | resume processing: state #1 connection "xauth-road-eastnet-psk" from 192.1.2.23 (in quick_outI1() at ikev1_quick.c:764) | unqueuing pending Quick Mode with 192.1.2.23 "xauth-road-eastnet-psk" | removing pending policy for no connection {0x55a57d930408} | close_any(fd@22) (in release_whack() at state.c:654) | #1 spent 0.264 milliseconds in process_packet_tail() | stop processing: from 192.1.2.23:500 (BACKGROUND) (in process_md() at demux.c:380) | stop processing: state #1 connection "xauth-road-eastnet-psk" from 192.1.2.23 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.423 milliseconds in comm_handle_cb() reading and processing packet | crypto helper 4 resuming | crypto helper 4 starting work-order 3 for state #2 | crypto helper 4 doing build KE and nonce (quick_outI1 KE); request ID 3 | crypto helper 4 finished build KE and nonce (quick_outI1 KE); request ID 3 time elapsed 0.000352 seconds | (#2) spent 0.359 milliseconds in crypto helper computing work-order 3: quick_outI1 KE (pcr) | crypto helper 4 sending results from work-order 3 for state #2 to event queue | scheduling resume sending helper answer for #2 | libevent_malloc: new ptr-libevent@0x7faeb8001af8 size 128 | libevent_realloc: release ptr-libevent@0x55a57d8f1838 | libevent_realloc: new ptr-libevent@0x7faeb8001a48 size 128 | crypto helper 4 waiting (nothing to do) | processing resume sending helper answer for #2 | start processing: state #2 connection "xauth-road-eastnet-psk" from 192.1.2.23 (in resume_handler() at server.c:797) | crypto helper 4 replies to request ID 3 | calling continuation function 0x55a57c753b50 | quick_outI1_continue for #2: calculated ke+nonce, sending I1 | **emit ISAKMP Message: | initiator cookie: | 7f bf 3c c4 b7 4e 59 de | responder cookie: | 2a ec 8e 97 57 18 88 3a | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_QUICK (0x20) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 2584123579 (0x9a0698bb) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Hash Payload (8:ISAKMP_NEXT_HASH) | next payload chain: saving location 'ISAKMP Hash Payload'.'next payload type' in 'reply packet' | emitting 20 zero bytes of HASH DATA into ISAKMP Hash Payload | emitting length of ISAKMP Hash Payload: 24 | emitting quick defaults using policy none | empty esp_info, returning defaults for ENCRYPT | ***emit ISAKMP Security Association Payload: | next payload type: ISAKMP_NEXT_NONCE (0xa) | DOI: ISAKMP_DOI_IPSEC (0x1) | next payload chain: ignoring supplied 'ISAKMP Security Association Payload'.'next payload type' value 10:ISAKMP_NEXT_NONCE | next payload chain: setting previous 'ISAKMP Hash Payload'.'next payload type' to current ISAKMP Security Association Payload (1:ISAKMP_NEXT_SA) | next payload chain: saving location 'ISAKMP Security Association Payload'.'next payload type' in 'reply packet' | ****emit IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ikev1_out_sa pcn: 0 has 1 valid proposals | ikev1_out_sa pcn: 0 pn: 0<1 valid_count: 1 trans_cnt: 2 | ****emit ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | proposal number: 0 (0x0) | protocol ID: PROTO_IPSEC_ESP (0x3) | SPI size: 4 (0x4) | number of transforms: 2 (0x2) | last substructure: saving location 'ISAKMP Security Association Payload'.'ISAKMP Proposal Payload'.'next payload type' | netlink_get_spi: allocated 0x9040253e for esp.0@192.1.3.209 | emitting 4 raw bytes of SPI into ISAKMP Proposal Payload | SPI 90 40 25 3e | *****emit ISAKMP Transform Payload (ESP): | next payload type: ISAKMP_NEXT_T (0x3) | ESP transform number: 0 (0x0) | ESP transform ID: ESP_AES (0xc) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ESP)'.'next payload type' | ******emit ISAKMP IPsec DOI attribute: | af+type: AF+GROUP_DESCRIPTION (0x8003) | length/value: 5 (0x5) | [5 is OAKLEY_GROUP_MODP1536] | ******emit ISAKMP IPsec DOI attribute: | af+type: AF+ENCAPSULATION_MODE (0x8004) | length/value: 1 (0x1) | [1 is ENCAPSULATION_MODE_TUNNEL] | ******emit ISAKMP IPsec DOI attribute: | af+type: AF+SA_LIFE_TYPE (0x8001) | length/value: 1 (0x1) | [1 is SA_LIFE_TYPE_SECONDS] | ******emit ISAKMP IPsec DOI attribute: | af+type: AF+SA_LIFE_DURATION (variable length) (0x8002) | length/value: 28800 (0x7080) | ******emit ISAKMP IPsec DOI attribute: | af+type: AF+AUTH_ALGORITHM (0x8005) | length/value: 2 (0x2) | [2 is AUTH_ALGORITHM_HMAC_SHA1] | ******emit ISAKMP IPsec DOI attribute: | af+type: AF+KEY_LENGTH (0x8006) | length/value: 128 (0x80) | emitting length of ISAKMP Transform Payload (ESP): 32 | *****emit ISAKMP Transform Payload (ESP): | next payload type: ISAKMP_NEXT_NONE (0x0) | ESP transform number: 1 (0x1) | ESP transform ID: ESP_3DES (0x3) | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ESP)'.'next payload type' is ISAKMP_NEXT_T (0x3) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ESP)'.'next payload type' | ******emit ISAKMP IPsec DOI attribute: | af+type: AF+GROUP_DESCRIPTION (0x8003) | length/value: 5 (0x5) | [5 is OAKLEY_GROUP_MODP1536] | ******emit ISAKMP IPsec DOI attribute: | af+type: AF+ENCAPSULATION_MODE (0x8004) | length/value: 1 (0x1) | [1 is ENCAPSULATION_MODE_TUNNEL] | ******emit ISAKMP IPsec DOI attribute: | af+type: AF+SA_LIFE_TYPE (0x8001) | length/value: 1 (0x1) | [1 is SA_LIFE_TYPE_SECONDS] | ******emit ISAKMP IPsec DOI attribute: | af+type: AF+SA_LIFE_DURATION (variable length) (0x8002) | length/value: 28800 (0x7080) | ******emit ISAKMP IPsec DOI attribute: | af+type: AF+AUTH_ALGORITHM (0x8005) | length/value: 2 (0x2) | [2 is AUTH_ALGORITHM_HMAC_SHA1] | emitting length of ISAKMP Transform Payload (ESP): 28 | emitting length of ISAKMP Proposal Payload: 72 | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ESP)'.'next payload type' is 0 | emitting length of ISAKMP Security Association Payload: 84 | last substructure: checking 'ISAKMP Security Association Payload'.'ISAKMP Proposal Payload'.'next payload type' is 0 | ***emit ISAKMP Nonce Payload: | next payload type: ISAKMP_NEXT_KE (0x4) | next payload chain: ignoring supplied 'ISAKMP Nonce Payload'.'next payload type' value 4:ISAKMP_NEXT_KE | next payload chain: setting previous 'ISAKMP Security Association Payload'.'next payload type' to current ISAKMP Nonce Payload (10:ISAKMP_NEXT_NONCE) | next payload chain: saving location 'ISAKMP Nonce Payload'.'next payload type' in 'reply packet' | emitting 32 raw bytes of Ni into ISAKMP Nonce Payload | Ni be b8 76 a4 dc 69 48 21 fc 0a 1c ec 36 07 90 6d | Ni 93 e4 23 05 e3 15 5d b9 9e a2 00 30 79 f6 63 01 | emitting length of ISAKMP Nonce Payload: 36 | ***emit ISAKMP Key Exchange Payload: | next payload type: ISAKMP_NEXT_ID (0x5) | next payload chain: ignoring supplied 'ISAKMP Key Exchange Payload'.'next payload type' value 5:ISAKMP_NEXT_ID | next payload chain: setting previous 'ISAKMP Nonce Payload'.'next payload type' to current ISAKMP Key Exchange Payload (4:ISAKMP_NEXT_KE) | next payload chain: saving location 'ISAKMP Key Exchange Payload'.'next payload type' in 'reply packet' | emitting 192 raw bytes of keyex value into ISAKMP Key Exchange Payload | keyex value 0b cb 62 36 9e 39 2b 18 dd 43 93 4d d2 df 64 be | keyex value 0b 7c 65 17 13 14 32 62 15 5a f0 b4 65 b1 a2 e4 | keyex value bc b5 86 18 d6 c4 fe 8b dc 91 35 37 d5 40 d1 b9 | keyex value 94 62 aa 9b 0b fd e2 db af 8d b5 47 05 71 1f 8c | keyex value ba ff b4 b4 35 ba 24 de 1c de 05 ad 38 d9 93 1b | keyex value 6c 1e 08 17 6c 75 14 84 c3 45 0f a9 a1 ea 3c a4 | keyex value f2 bd 6a 46 76 ca c7 c9 19 d7 87 be 74 d1 19 70 | keyex value 1d c4 a4 52 e9 ca b7 c4 2c d2 a5 46 d7 b1 f6 c0 | keyex value f6 2b e9 3d 16 b4 36 8a 09 74 d9 d5 01 c7 ad c1 | keyex value e3 61 3e 7c 3f 56 77 3c 79 c7 e0 98 41 5c e6 54 | keyex value 09 50 ea 3c d6 5a 29 90 d6 7b fa a4 81 ad 8b 2f | keyex value 35 0c fb 89 8e a6 59 b1 f9 a0 8e 44 43 89 4f e4 | emitting length of ISAKMP Key Exchange Payload: 196 | ***emit ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_ID (0x5) | ID type: ID_IPV4_ADDR (0x1) | Protocol ID: 0 (0x0) | port: 0 (0x0) | next payload chain: ignoring supplied 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' value 5:ISAKMP_NEXT_ID | next payload chain: setting previous 'ISAKMP Key Exchange Payload'.'next payload type' to current ISAKMP Identification Payload (IPsec DOI) (5:ISAKMP_NEXT_ID) | next payload chain: saving location 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' in 'reply packet' | emitting 4 raw bytes of client network into ISAKMP Identification Payload (IPsec DOI) | client network c0 01 03 d1 | emitting length of ISAKMP Identification Payload (IPsec DOI): 12 | ***emit ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_NONE (0x0) | ID type: ID_IPV4_ADDR_SUBNET (0x4) | Protocol ID: 0 (0x0) | port: 0 (0x0) | next payload chain: setting previous 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' to current ISAKMP Identification Payload (IPsec DOI) (5:ISAKMP_NEXT_ID) | next payload chain: saving location 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' in 'reply packet' | emitting 4 raw bytes of client network into ISAKMP Identification Payload (IPsec DOI) | client network c0 00 02 00 | emitting 4 raw bytes of client mask into ISAKMP Identification Payload (IPsec DOI) | client mask ff ff ff 00 | emitting length of ISAKMP Identification Payload (IPsec DOI): 16 | outI1 HASH(1): | 33 8c 71 69 d8 df af 62 43 56 d6 97 a2 0f c8 39 | 92 e0 99 07 | no IKEv1 message padding required | emitting length of ISAKMP Message: 396 | sending 396 bytes for reply packet from quick_outI1 through eth0 from 192.1.3.209:500 to 192.1.2.23:500 (using #2) | 7f bf 3c c4 b7 4e 59 de 2a ec 8e 97 57 18 88 3a | 08 10 20 01 9a 06 98 bb 00 00 01 8c ea 3a 24 d5 | aa f8 cf bd de ab 05 7d 26 03 5a 49 3b 1c f3 dd | c6 f1 a8 c4 26 2a b1 55 43 d2 90 9a 62 b2 63 1b | fe c8 e8 ae 7e 90 8f 61 74 85 65 5a 75 51 ed c0 | 3f 6d a7 26 2d 34 52 9a fd cd 60 45 ee 03 53 54 | 64 f0 17 df eb 9e 46 e5 e7 dc 18 69 c5 7e e4 13 | 37 3b e3 d1 23 9a 83 07 9b 17 d6 d8 31 f0 32 34 | f3 62 9d e1 48 4c 70 33 00 db 7d 50 de e5 c4 32 | b3 b3 31 ac 9c 9b 68 ab 15 a7 7f 5c 48 b3 b0 06 | 21 f8 07 aa 79 e3 6c 11 3f 3c 3e 1c e3 aa 30 aa | 8a dc 78 11 41 32 b2 34 35 96 3a 0e a6 da 61 a6 | ee a7 ae f1 65 03 f3 b7 e8 53 b2 ee 0f 91 de c4 | e0 17 49 c9 86 bb 25 90 05 29 5f 0c 13 f9 69 22 | 1e 97 d4 29 89 9f 7d 7a 49 73 86 42 4a 6c f0 d2 | 84 73 dd 41 3d 78 77 bc 0a fd 86 93 c6 bc 37 40 | 54 11 cc 48 d5 08 a6 2d e6 eb a3 03 a8 83 c2 a5 | 78 60 c3 82 04 69 d1 df 7c 85 9d b8 42 a6 a7 8a | 18 32 8c 7e 12 0f d9 5f 93 4c 4d 62 ba c0 1a 25 | c1 a0 1f 88 99 f7 0f a4 94 c0 50 f1 27 b5 6e cd | 80 2d 6f 41 e1 fe a8 57 6a 7b 26 a9 ca 46 7b 09 | 87 60 77 f3 b3 d6 88 d8 0f 15 fb f5 6b 1a f3 d5 | 21 91 c4 3d 59 c2 31 bd cd 58 f8 e6 7e d5 b4 c1 | a6 9d bc b5 6a f7 10 c1 25 67 f4 23 91 13 4a 36 | 57 db f2 aa 4b 03 df e0 25 20 3b d2 | state #2 requesting EVENT_CRYPTO_TIMEOUT to be deleted | libevent_free: release ptr-libevent@0x55a57d93f818 | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55a57d93f4c8 | event_schedule: new EVENT_RETRANSMIT-pe@0x55a57d93f4c8 | inserting event EVENT_RETRANSMIT, timeout in 0.5 seconds for #2 | libevent_malloc: new ptr-libevent@0x55a57d93fcc8 size 128 | #2 STATE_QUICK_I1: retransmits: first event in 0.5 seconds; timeout in 60 seconds; limit of 12 retransmits; current time is 11255.726993 | resume sending helper answer for #2 suppresed complete_v1_state_transition() | #2 spent 0.495 milliseconds in resume sending helper answer | stop processing: state #2 connection "xauth-road-eastnet-psk" from 192.1.2.23 (in resume_handler() at server.c:833) | libevent_free: release ptr-libevent@0x7faeb8001af8 | spent 0.00327 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 372 bytes from 192.1.2.23:500 on eth0 (192.1.3.209:500) | 7f bf 3c c4 b7 4e 59 de 2a ec 8e 97 57 18 88 3a | 08 10 20 01 9a 06 98 bb 00 00 01 74 e0 65 06 e5 | 7b 74 52 b9 05 e8 da 91 f0 0b 16 f1 ad 28 2f 93 | bd 49 b0 d0 74 56 8a 40 a6 f8 22 49 8a b0 f6 7e | 10 b5 60 26 45 86 80 5b 81 f4 fd 73 55 df 36 7e | 13 e8 b3 6c 1f ec a7 d1 65 cb 71 24 41 0e 1f 66 | 2c c2 44 29 4f 15 f5 20 3c f4 cc f3 a1 b3 8c 84 | 27 eb 3e 57 bc 6b 13 25 d8 4a 4b f1 0c 40 62 8d | 87 c8 4f 0f a3 8b c5 fe 4c 09 77 7a f9 9c 10 a6 | 13 0c a7 98 46 23 cf 43 08 2d c9 7b 97 64 bd 16 | 9f 08 43 6b fb c0 a7 3b c8 40 63 5b fe 66 8f 76 | 92 92 c0 cc 77 d5 d5 f8 32 7e ae b2 15 5b c8 79 | 47 13 ba 10 eb 27 6c 12 c6 27 6c 75 23 e7 02 c1 | 1c a4 a5 3d 29 b7 1e c6 f1 a9 57 e1 07 56 ba c1 | d6 fb 1e 8d 9f 77 3f 21 93 dc 16 6b 6b 1a d5 36 | 92 ae 6a 9e 29 13 29 70 8a 16 52 be 69 48 f2 98 | 4b 3f 22 af 30 5e 69 ca 0e f4 60 ef 4d d5 9f a5 | 2f cf bf af 3d fc 35 6e e0 b3 56 c2 10 32 b8 4b | 90 0d 67 38 06 fd 3c 50 46 59 bf 56 73 33 aa c8 | 69 9b ad 63 6e 03 40 79 98 cc 9f 24 43 fd 87 4a | 39 21 88 8e 47 cc a7 f1 41 34 02 37 4f f0 ca d2 | 8b 24 d5 6f 21 5c 69 f0 a3 1c 6f 31 2c c7 1f 9e | 78 2a 41 7f f6 05 13 34 e8 df b0 91 60 da df 16 | 79 a2 47 58 | start processing: from 192.1.2.23:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 7f bf 3c c4 b7 4e 59 de | responder cookie: | 2a ec 8e 97 57 18 88 3a | next payload type: ISAKMP_NEXT_HASH (0x8) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_QUICK (0x20) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 2584123579 (0x9a0698bb) | length: 372 (0x174) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_QUICK (32) | State DB: found IKEv1 state #2 in QUICK_I1 (find_state_ikev1) | start processing: state #2 connection "xauth-road-eastnet-psk" from 192.1.2.23 (in process_v1_packet() at ikev1.c:1633) | #2 is idle | #2 idle | received encrypted packet from 192.1.2.23:500 | got payload 0x100 (ISAKMP_NEXT_HASH) needed: 0x502 opt: 0x200030 | ***parse ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_SA (0x1) | length: 24 (0x18) | got payload 0x2 (ISAKMP_NEXT_SA) needed: 0x402 opt: 0x200030 | ***parse ISAKMP Security Association Payload: | next payload type: ISAKMP_NEXT_NONCE (0xa) | length: 56 (0x38) | DOI: ISAKMP_DOI_IPSEC (0x1) | got payload 0x400 (ISAKMP_NEXT_NONCE) needed: 0x400 opt: 0x200030 | ***parse ISAKMP Nonce Payload: | next payload type: ISAKMP_NEXT_KE (0x4) | length: 36 (0x24) | got payload 0x10 (ISAKMP_NEXT_KE) needed: 0x0 opt: 0x200030 | ***parse ISAKMP Key Exchange Payload: | next payload type: ISAKMP_NEXT_ID (0x5) | length: 196 (0xc4) | got payload 0x20 (ISAKMP_NEXT_ID) needed: 0x0 opt: 0x200030 | ***parse ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_ID (0x5) | length: 12 (0xc) | ID type: ID_IPV4_ADDR (0x1) | Protocol ID: 0 (0x0) | port: 0 (0x0) | obj: c0 01 03 d1 | got payload 0x20 (ISAKMP_NEXT_ID) needed: 0x0 opt: 0x200030 | ***parse ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 16 (0x10) | ID type: ID_IPV4_ADDR_SUBNET (0x4) | Protocol ID: 0 (0x0) | port: 0 (0x0) | obj: c0 00 02 00 ff ff ff 00 | removing 4 bytes of padding | quick_inR1_outI2 HASH(2): | d8 10 26 21 bd b6 47 26 a1 b6 45 ea d5 c5 f2 c4 | 63 fe 05 00 | received 'quick_inR1_outI2' message HASH(2) data ok | ****parse IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ****parse ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 44 (0x2c) | proposal number: 0 (0x0) | protocol ID: PROTO_IPSEC_ESP (0x3) | SPI size: 4 (0x4) | number of transforms: 1 (0x1) | parsing 4 raw bytes of ISAKMP Proposal Payload into SPI | SPI d4 74 ce ff | *****parse ISAKMP Transform Payload (ESP): | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 32 (0x20) | ESP transform number: 0 (0x0) | ESP transform ID: ESP_AES (0xc) | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+GROUP_DESCRIPTION (0x8003) | length/value: 5 (0x5) | [5 is OAKLEY_GROUP_MODP1536] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+ENCAPSULATION_MODE (0x8004) | length/value: 1 (0x1) | [1 is ENCAPSULATION_MODE_TUNNEL] | NAT-T non-encap: Installing IPsec SA without ENCAP, st->hidden_variables.st_nat_traversal is none | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+SA_LIFE_TYPE (0x8001) | length/value: 1 (0x1) | [1 is SA_LIFE_TYPE_SECONDS] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+SA_LIFE_DURATION (variable length) (0x8002) | length/value: 28800 (0x7080) | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+AUTH_ALGORITHM (0x8005) | length/value: 2 (0x2) | [2 is AUTH_ALGORITHM_HMAC_SHA1] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+KEY_LENGTH (0x8006) | length/value: 128 (0x80) | ESP IPsec Transform verified unconditionally; no alg_info to check against | started looking for secret for @roadrandom->@east of kind PKK_PSK | actually looking for secret for @roadrandom->@east of kind PKK_PSK | line 12: key type PKK_PSK(@roadrandom) to type PKK_PSK | 1: compared key @east to @roadrandom / @east -> 004 | 2: compared key @roadrandom to @roadrandom / @east -> 014 | line 12: match=014 | match 014 beats previous best_match 000 match=0x55a57d93d1f8 (line=12) | line 10: key type PKK_PSK(@roadrandom) to type PKK_PSK | 1: compared key @east to @roadrandom / @east -> 004 | 2: compared key @west to @roadrandom / @east -> 004 | line 10: match=004 | line 9: key type PKK_PSK(@roadrandom) to type PKK_PSK | 1: compared key %any to @roadrandom / @east -> 002 | 2: compared key %any to @roadrandom / @east -> 002 | line 9: match=002 | match 002 loses to best_match 014 | concluding with best_match=014 best=0x55a57d93d1f8 (lineno=12) | adding quick outI2 DH work-order 4 for state #2 | state #2 requesting EVENT_RETRANSMIT to be deleted | #2 STATE_QUICK_I1: retransmits: cleared | libevent_free: release ptr-libevent@0x55a57d93fcc8 | free_event_entry: release EVENT_RETRANSMIT-pe@0x55a57d93f4c8 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55a57d93f4c8 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #2 | libevent_malloc: new ptr-libevent@0x7faeb8001af8 size 128 | complete v1 state transition with STF_SUSPEND | [RE]START processing: state #2 connection "xauth-road-eastnet-psk" from 192.1.2.23 (in complete_v1_state_transition() at ikev1.c:2648) | suspending state #2 and saving MD | #2 is busy; has a suspended MD | #2 spent 0.199 milliseconds in process_packet_tail() | stop processing: from 192.1.2.23:500 (BACKGROUND) (in process_md() at demux.c:380) | stop processing: state #2 connection "xauth-road-eastnet-psk" from 192.1.2.23 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.482 milliseconds in comm_handle_cb() reading and processing packet | crypto helper 3 resuming | crypto helper 3 starting work-order 4 for state #2 | crypto helper 3 doing compute dh (V1 Phase 2 PFS) (quick outI2 DH); request ID 4 | crypto helper 3 finished compute dh (V1 Phase 2 PFS) (quick outI2 DH); request ID 4 time elapsed 0.000401 seconds | (#2) spent 0.407 milliseconds in crypto helper computing work-order 4: quick outI2 DH (pcr) | crypto helper 3 sending results from work-order 4 for state #2 to event queue | scheduling resume sending helper answer for #2 | libevent_malloc: new ptr-libevent@0x7faeac001aa8 size 128 | crypto helper 3 waiting (nothing to do) | processing resume sending helper answer for #2 | start processing: state #2 connection "xauth-road-eastnet-psk" from 192.1.2.23 (in resume_handler() at server.c:797) | crypto helper 3 replies to request ID 4 | calling continuation function 0x55a57c753b50 | quick_inR1_outI2_continue for #2: calculated ke+nonce, calculating DH | **emit ISAKMP Message: | initiator cookie: | 7f bf 3c c4 b7 4e 59 de | responder cookie: | 2a ec 8e 97 57 18 88 3a | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_QUICK (0x20) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 2584123579 (0x9a0698bb) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | parsing 4 raw bytes of ISAKMP Identification Payload (IPsec DOI) into ID address | ID address c0 01 03 d1 | our client is 192.1.3.209/32 | our client protocol/port is 0/0 | parsing 4 raw bytes of ISAKMP Identification Payload (IPsec DOI) into ID address | ID address c0 00 02 00 | parsing 4 raw bytes of ISAKMP Identification Payload (IPsec DOI) into ID mask | ID mask ff ff ff 00 | peer client is subnet 192.0.2.0/24 | peer client protocol/port is 0/0 | ***emit ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Hash Payload (8:ISAKMP_NEXT_HASH) | next payload chain: saving location 'ISAKMP Hash Payload'.'next payload type' in 'reply packet' | emitting 20 zero bytes of HASH DATA into ISAKMP Hash Payload | emitting length of ISAKMP Hash Payload: 24 | quick_inR1_outI2 HASH(3): | 14 01 b5 d9 b8 4e d3 99 9b ae 88 29 e5 0e 55 30 | 08 a1 ce 9e | compute_proto_keymat: needed_len (after ESP enc)=16 | compute_proto_keymat: needed_len (after ESP auth)=36 | install_ipsec_sa() for #2: inbound and outbound | could_route called for xauth-road-eastnet-psk (kind=CK_PERMANENT) | FOR_EACH_CONNECTION_... in route_owner | conn xauth-road-eastnet-psk mark 0/00000000, 0/00000000 vs | conn xauth-road-eastnet-psk mark 0/00000000, 0/00000000 | route owner of "xauth-road-eastnet-psk" unrouted: NULL; eroute owner: NULL | looking for alg with encrypt: AES_CBC keylen: 128 integ: HMAC_SHA1_96 | encrypt AES_CBC keylen=128 transid=12, key_size=16, encryptalg=12 | st->st_esp.keymat_len=36 is encrypt_keymat_size=16 + integ_keymat_size=20 | setting IPsec SA replay-window to 32 | NIC esp-hw-offload not for connection 'xauth-road-eastnet-psk' not available on interface eth0 | netlink: enabling tunnel mode | netlink: setting IPsec SA replay-window to 32 using old-style req | netlink: esp-hw-offload not set for IPsec SA | netlink response for Add SA esp.d474ceff@192.1.2.23 included non-error error | set up outgoing SA, ref=0/0 | looking for alg with encrypt: AES_CBC keylen: 128 integ: HMAC_SHA1_96 | encrypt AES_CBC keylen=128 transid=12, key_size=16, encryptalg=12 | st->st_esp.keymat_len=36 is encrypt_keymat_size=16 + integ_keymat_size=20 | setting IPsec SA replay-window to 32 | NIC esp-hw-offload not for connection 'xauth-road-eastnet-psk' not available on interface eth0 | netlink: enabling tunnel mode | netlink: setting IPsec SA replay-window to 32 using old-style req | netlink: esp-hw-offload not set for IPsec SA | netlink response for Add SA esp.9040253e@192.1.3.209 included non-error error | priority calculation of connection "xauth-road-eastnet-psk" is 0xfdfe7 | add inbound eroute 192.0.2.0/24:0 --0-> 192.1.3.209/32:0 => tun.10000@192.1.3.209 (raw_eroute) | IPsec Sa SPD priority set to 1040359 | raw_eroute result=success | set up incoming SA, ref=0/0 | sr for #2: unrouted | route_and_eroute() for proto 0, and source port 0 dest port 0 | FOR_EACH_CONNECTION_... in route_owner | conn xauth-road-eastnet-psk mark 0/00000000, 0/00000000 vs | conn xauth-road-eastnet-psk mark 0/00000000, 0/00000000 | route owner of "xauth-road-eastnet-psk" unrouted: NULL; eroute owner: NULL | route_and_eroute with c: xauth-road-eastnet-psk (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: #2 | priority calculation of connection "xauth-road-eastnet-psk" is 0xfdfe7 | eroute_connection add eroute 192.1.3.209/32:0 --0-> 192.0.2.0/24:0 => tun.0@192.1.2.23 (raw_eroute) | IPsec Sa SPD priority set to 1040359 | raw_eroute result=success | running updown command "ipsec _updown" for verb up | command executing up-host | executing up-host: PLUTO_VERB='up-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='xauth-road-eastnet-psk' PLUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='192.1.3.254' PLUTO_ME='192.1.3.209' PLUTO_MY_ID='@roadrandom' PLUTO_MY_CLIENT='192.1.3.209/32' PLUTO_MY_CLIENT_NET='192.1.3.209' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID='@east' PLUTO_PEER_CLIENT='192.0.2.0/24' PLUTO_PEER_CLIENT_NET='192.0.2.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+UP+XAUTH+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_USERNAME='use2' PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFA | popen cmd is 1092 chars long | cmd( 0):PLUTO_VERB='up-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='xauth-road-eastnet-ps: | cmd( 80):k' PLUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='192.1.3.254' PLUTO_ME='192.1.3.209' PL: | cmd( 160):UTO_MY_ID='@roadrandom' PLUTO_MY_CLIENT='192.1.3.209/32' PLUTO_MY_CLIENT_NET='19: | cmd( 240):2.1.3.209' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PRO: | cmd( 320):TOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.23' PLU: | cmd( 400):TO_PEER_ID='@east' PLUTO_PEER_CLIENT='192.0.2.0/24' PLUTO_PEER_CLIENT_NET='192.0: | cmd( 480):.2.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROT: | cmd( 560):OCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLI: | cmd( 640):CY='PSK+ENCRYPT+TUNNEL+PFS+UP+XAUTH+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_: | cmd( 720):ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_: | cmd( 800):FAILED=0 PLUTO_USERNAME='use2' PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PL: | cmd( 880):UTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIE: | cmd( 960):NT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI: | cmd(1040):_IN=0xd474ceff SPI_OUT=0x9040253e ipsec _updown 2>&1: | route_and_eroute: firewall_notified: true | running updown command "ipsec _updown" for verb prepare | command executing prepare-host | executing prepare-host: PLUTO_VERB='prepare-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='xauth-road-eastnet-psk' PLUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='192.1.3.254' PLUTO_ME='192.1.3.209' PLUTO_MY_ID='@roadrandom' PLUTO_MY_CLIENT='192.1.3.209/32' PLUTO_MY_CLIENT_NET='192.1.3.209' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID='@east' PLUTO_PEER_CLIENT='192.0.2.0/24' PLUTO_PEER_CLIENT_NET='192.0.2.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+UP+XAUTH+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_USERNAME='use2' PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED=' | popen cmd is 1097 chars long | cmd( 0):PLUTO_VERB='prepare-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='xauth-road-eastn: | cmd( 80):et-psk' PLUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='192.1.3.254' PLUTO_ME='192.1.3.20: | cmd( 160):9' PLUTO_MY_ID='@roadrandom' PLUTO_MY_CLIENT='192.1.3.209/32' PLUTO_MY_CLIENT_NE: | cmd( 240):T='192.1.3.209' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_M: | cmd( 320):Y_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.23: | cmd( 400):' PLUTO_PEER_ID='@east' PLUTO_PEER_CLIENT='192.0.2.0/24' PLUTO_PEER_CLIENT_NET=': | cmd( 480):192.0.2.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER: | cmd( 560):_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN: | cmd( 640):_POLICY='PSK+ENCRYPT+TUNNEL+PFS+UP+XAUTH+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_: | cmd( 720):FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' X: | cmd( 800):AUTH_FAILED=0 PLUTO_USERNAME='use2' PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO=: | cmd( 880):'' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG: | cmd( 960):_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no: | cmd(1040):' SPI_IN=0xd474ceff SPI_OUT=0x9040253e ipsec _updown 2>&1: | running updown command "ipsec _updown" for verb route | command executing route-host | executing route-host: PLUTO_VERB='route-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='xauth-road-eastnet-psk' PLUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='192.1.3.254' PLUTO_ME='192.1.3.209' PLUTO_MY_ID='@roadrandom' PLUTO_MY_CLIENT='192.1.3.209/32' PLUTO_MY_CLIENT_NET='192.1.3.209' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID='@east' PLUTO_PEER_CLIENT='192.0.2.0/24' PLUTO_PEER_CLIENT_NET='192.0.2.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+UP+XAUTH+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_USERNAME='use2' PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' V | popen cmd is 1095 chars long | cmd( 0):PLUTO_VERB='route-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='xauth-road-eastnet: | cmd( 80):-psk' PLUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='192.1.3.254' PLUTO_ME='192.1.3.209': | cmd( 160): PLUTO_MY_ID='@roadrandom' PLUTO_MY_CLIENT='192.1.3.209/32' PLUTO_MY_CLIENT_NET=: | cmd( 240):'192.1.3.209' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_: | cmd( 320):PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.23' : | cmd( 400):PLUTO_PEER_ID='@east' PLUTO_PEER_CLIENT='192.0.2.0/24' PLUTO_PEER_CLIENT_NET='19: | cmd( 480):2.0.2.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_P: | cmd( 560):ROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_P: | cmd( 640):OLICY='PSK+ENCRYPT+TUNNEL+PFS+UP+XAUTH+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_FR: | cmd( 720):AG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAU: | cmd( 800):TH_FAILED=0 PLUTO_USERNAME='use2' PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='': | cmd( 880): PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_C: | cmd( 960):LIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' : | cmd(1040):SPI_IN=0xd474ceff SPI_OUT=0x9040253e ipsec _updown 2>&1: | route_and_eroute: instance "xauth-road-eastnet-psk", setting eroute_owner {spd=0x55a57d93d978,sr=0x55a57d93d978} to #2 (was #0) (newest_ipsec_sa=#0) | #1 spent 1.87 milliseconds in install_ipsec_sa() | no IKEv1 message padding required | emitting length of ISAKMP Message: 52 | inR1_outI2: instance xauth-road-eastnet-psk[0], setting IKEv1 newest_ipsec_sa to #2 (was #0) (spd.eroute=#2) cloned from #1 | DPD: dpd_init() called on IPsec SA | DPD: Peer does not support Dead Peer Detection | complete v1 state transition with STF_OK | [RE]START processing: state #2 connection "xauth-road-eastnet-psk" from 192.1.2.23 (in complete_v1_state_transition() at ikev1.c:2673) | #2 is idle | doing_xauth:no, t_xauth_client_done:yes | IKEv1: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2 | child state #2: QUICK_I1(established CHILD SA) => QUICK_I2(established CHILD SA) | event_already_set, deleting event | state #2 requesting EVENT_CRYPTO_TIMEOUT to be deleted | libevent_free: release ptr-libevent@0x7faeb8001af8 | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55a57d93f4c8 | sending reply packet to 192.1.2.23:500 (from 192.1.3.209:500) | sending 52 bytes for STATE_QUICK_I1 through eth0 from 192.1.3.209:500 to 192.1.2.23:500 (using #2) | 7f bf 3c c4 b7 4e 59 de 2a ec 8e 97 57 18 88 3a | 08 10 20 01 9a 06 98 bb 00 00 00 34 ba 19 fb a1 | 11 04 9f 19 ee 3a 8b d0 c2 d7 b2 96 22 44 8e 71 | 86 62 89 85 | !event_already_set at reschedule | event_schedule: new EVENT_SA_REPLACE-pe@0x55a57d93fba8 | inserting event EVENT_SA_REPLACE, timeout in 28048 seconds for #2 | libevent_malloc: new ptr-libevent@0x55a57d93fcc8 size 128 | pstats #2 ikev1.ipsec established | NAT-T: encaps is 'auto' "xauth-road-eastnet-psk" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xd474ceff <0x9040253e xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=none NATD=none DPD=passive username=use2} | modecfg pull: noquirk policy:push not-client | phase 1 is done, looking for phase 2 to unpend | close_any(fd@23) (in release_whack() at state.c:654) | resume sending helper answer for #2 suppresed complete_v1_state_transition() | #2 spent 2.27 milliseconds in resume sending helper answer | stop processing: state #2 connection "xauth-road-eastnet-psk" from 192.1.2.23 (in resume_handler() at server.c:833) | libevent_free: release ptr-libevent@0x7faeac001aa8 | processing signal PLUTO_SIGCHLD | waitpid returned ECHILD (no child processes left) | spent 0.005 milliseconds in signal handler PLUTO_SIGCHLD | processing signal PLUTO_SIGCHLD | waitpid returned ECHILD (no child processes left) | spent 0.00322 milliseconds in signal handler PLUTO_SIGCHLD | processing signal PLUTO_SIGCHLD | waitpid returned ECHILD (no child processes left) | spent 0.00308 milliseconds in signal handler PLUTO_SIGCHLD | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) | FOR_EACH_STATE_... in show_traffic_status (sort_states) | FOR_EACH_STATE_... in sort_states | get_sa_info esp.9040253e@192.1.3.209 | get_sa_info esp.d474ceff@192.1.2.23 | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.425 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) | FOR_EACH_CONNECTION_... in show_connections_status | FOR_EACH_CONNECTION_... in show_connections_status | FOR_EACH_STATE_... in show_states_status (sort_states) | FOR_EACH_STATE_... in sort_states | get_sa_info esp.9040253e@192.1.3.209 | get_sa_info esp.d474ceff@192.1.2.23 | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.565 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) | FOR_EACH_CONNECTION_... in show_connections_status | FOR_EACH_CONNECTION_... in show_connections_status | FOR_EACH_STATE_... in show_states_status (sort_states) | FOR_EACH_STATE_... in sort_states | get_sa_info esp.9040253e@192.1.3.209 | get_sa_info esp.d474ceff@192.1.2.23 | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.357 milliseconds in whack | spent 0.00267 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 68 bytes from 192.1.2.23:500 on eth0 (192.1.3.209:500) | 7f bf 3c c4 b7 4e 59 de 2a ec 8e 97 57 18 88 3a | 08 10 05 01 4f 91 b7 53 00 00 00 44 ca 41 e0 25 | 4d bd 17 d6 54 78 06 31 a3 e2 37 3e b6 b4 3f 33 | d0 50 94 29 4e a9 31 02 dd 7b b7 2a b5 48 1a 5e | f4 67 12 5a | start processing: from 192.1.2.23:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 7f bf 3c c4 b7 4e 59 de | responder cookie: | 2a ec 8e 97 57 18 88 3a | next payload type: ISAKMP_NEXT_HASH (0x8) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_INFO (0x5) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 1334949715 (0x4f91b753) | length: 68 (0x44) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_INFO (5) | peer and cookies match on #2; msgid=00000000 st_msgid=9a0698bb st_msgid_phase15=00000000 | peer and cookies match on #1; msgid=00000000 st_msgid=00000000 st_msgid_phase15=00000000 | p15 state object #1 found, in STATE_AGGR_I2 | State DB: found IKEv1 state #1 in AGGR_I2 (find_v1_info_state) | start processing: state #1 connection "xauth-road-eastnet-psk" from 192.1.2.23 (in process_v1_packet() at ikev1.c:1479) | #1 is idle | #1 idle | received encrypted packet from 192.1.2.23:500 | got payload 0x100 (ISAKMP_NEXT_HASH) needed: 0x100 opt: 0x0 | ***parse ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_D (0xc) | length: 24 (0x18) | got payload 0x1000 (ISAKMP_NEXT_D) needed: 0x0 opt: 0x0 | ***parse ISAKMP Delete Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 16 (0x10) | DOI: ISAKMP_DOI_IPSEC (0x1) | protocol ID: 3 (0x3) | SPI size: 4 (0x4) | number of SPIs: 1 (0x1) | informational HASH(1): | 7a fa 95 5a ff d0 fa ba 2b 49 60 43 31 0c 02 ba | f9 f1 25 2c | received 'informational' message HASH(1) data ok | parsing 4 raw bytes of ISAKMP Delete Payload into SPI | SPI d4 74 ce ff | FOR_EACH_STATE_... in find_phase2_state_to_delete | start processing: connection "xauth-road-eastnet-psk" (BACKGROUND) (in accept_delete() at ikev1_main.c:2515) "xauth-road-eastnet-psk" #1: received Delete SA payload: replace IPsec State #2 now | state #2 requesting EVENT_SA_REPLACE to be deleted | libevent_free: release ptr-libevent@0x55a57d93fcc8 | free_event_entry: release EVENT_SA_REPLACE-pe@0x55a57d93fba8 | event_schedule: new EVENT_SA_REPLACE-pe@0x55a57d93fba8 | inserting event EVENT_SA_REPLACE, timeout in 0 seconds for #2 | libevent_malloc: new ptr-libevent@0x7faeac001aa8 size 128 | stop processing: connection "xauth-road-eastnet-psk" (BACKGROUND) (in accept_delete() at ikev1_main.c:2559) | del: | complete v1 state transition with STF_IGNORE | #1 spent 0.00284 milliseconds in process_packet_tail() | stop processing: from 192.1.2.23:500 (BACKGROUND) (in process_md() at demux.c:380) | stop processing: state #1 connection "xauth-road-eastnet-psk" from 192.1.2.23 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.16 milliseconds in comm_handle_cb() reading and processing packet | timer_event_cb: processing event@0x55a57d93fba8 | handling event EVENT_SA_REPLACE for child state #2 | start processing: state #2 connection "xauth-road-eastnet-psk" from 192.1.2.23 (in timer_event_cb() at timer.c:250) | picked newest_ipsec_sa #2 for #2 | replacing stale IPsec SA | dup_any(fd@-1) -> fd@-1 (in ipsecdoi_replace() at ipsec_doi.c:351) | FOR_EACH_STATE_... in find_phase1_state | creating state object #3 at 0x55a57d945738 | State DB: adding IKEv1 state #3 in UNDEFINED | pstats #3 ikev1.ipsec started | duplicating state object #1 "xauth-road-eastnet-psk" as #3 for IPSEC SA | #3 setting local endpoint to 192.1.3.209:500 from #1.st_localport (in duplicate_state() at state.c:1484) | suspend processing: state #2 connection "xauth-road-eastnet-psk" from 192.1.2.23 (in quick_outI1() at ikev1_quick.c:685) | start processing: state #3 connection "xauth-road-eastnet-psk" from 192.1.2.23 (in quick_outI1() at ikev1_quick.c:685) | child state #3: UNDEFINED(ignore) => QUICK_I1(established CHILD SA) "xauth-road-eastnet-psk" #3: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+XAUTH+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO to replace #2 {using isakmp#1 msgid:356d968b proposal=defaults pfsgroup=MODP1536} | adding quick_outI1 KE work-order 5 for state #3 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x7faeac001408 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #3 | libevent_malloc: new ptr-libevent@0x55a57d93fc18 size 128 | stop processing: state #3 connection "xauth-road-eastnet-psk" from 192.1.2.23 (in quick_outI1() at ikev1_quick.c:764) | resume processing: state #2 connection "xauth-road-eastnet-psk" from 192.1.2.23 (in quick_outI1() at ikev1_quick.c:764) | crypto helper 5 resuming | event_schedule: new EVENT_SA_EXPIRE-pe@0x55a57d943ea8 | crypto helper 5 starting work-order 5 for state #3 | inserting event EVENT_SA_EXPIRE, timeout in 0 seconds for #2 | libevent_malloc: new ptr-libevent@0x55a57d93f768 size 128 | crypto helper 5 doing build KE and nonce (quick_outI1 KE); request ID 5 | libevent_free: release ptr-libevent@0x7faeac001aa8 | free_event_entry: release EVENT_SA_REPLACE-pe@0x55a57d93fba8 | #2 spent 0.0899 milliseconds in timer_event_cb() EVENT_SA_REPLACE | stop processing: state #2 connection "xauth-road-eastnet-psk" from 192.1.2.23 (in timer_event_cb() at timer.c:557) | timer_event_cb: processing event@0x55a57d943ea8 | handling event EVENT_SA_EXPIRE for child state #2 | start processing: state #2 connection "xauth-road-eastnet-psk" from 192.1.2.23 (in timer_event_cb() at timer.c:250) | picked newest_ipsec_sa #2 for #2 | un-established partial CHILD SA timeout (SA expired) | pstats #2 ikev1.ipsec re-failed exchange-timeout | pstats #2 ikev1.ipsec deleted completed | [RE]START processing: state #2 connection "xauth-road-eastnet-psk" from 192.1.2.23 (in delete_state() at state.c:879) "xauth-road-eastnet-psk" #2: deleting state (STATE_QUICK_I2) aged 9.986s and sending notification | child state #2: QUICK_I2(established CHILD SA) => delete | get_sa_info esp.d474ceff@192.1.2.23 | get_sa_info esp.9040253e@192.1.3.209 "xauth-road-eastnet-psk" #2: ESP traffic information: in=336B out=336B XAUTHuser=use2 | #2 send IKEv1 delete notification for STATE_QUICK_I2 | FOR_EACH_STATE_... in find_phase1_state | **emit ISAKMP Message: | initiator cookie: | 7f bf 3c c4 b7 4e 59 de | responder cookie: | 2a ec 8e 97 57 18 88 3a | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_INFO (0x5) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 1170521655 (0x45c4be37) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Hash Payload (8:ISAKMP_NEXT_HASH) | next payload chain: saving location 'ISAKMP Hash Payload'.'next payload type' in 'delete msg' | emitting 20 zero bytes of HASH DATA into ISAKMP Hash Payload | emitting length of ISAKMP Hash Payload: 24 | ***emit ISAKMP Delete Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | DOI: ISAKMP_DOI_IPSEC (0x1) | protocol ID: 3 (0x3) | SPI size: 4 (0x4) | number of SPIs: 1 (0x1) | next payload chain: setting previous 'ISAKMP Hash Payload'.'next payload type' to current ISAKMP Delete Payload (12:ISAKMP_NEXT_D) | next payload chain: saving location 'ISAKMP Delete Payload'.'next payload type' in 'delete msg' | emitting 4 raw bytes of delete payload into ISAKMP Delete Payload | delete payload 90 40 25 3e | emitting length of ISAKMP Delete Payload: 16 | send delete HASH(1): | 01 71 89 99 14 1f a3 f3 2e 56 9b 96 5c d6 83 fb | 20 fe b9 c5 | no IKEv1 message padding required | emitting length of ISAKMP Message: 68 | sending 68 bytes for delete notify through eth0 from 192.1.3.209:500 to 192.1.2.23:500 (using #1) | 7f bf 3c c4 b7 4e 59 de 2a ec 8e 97 57 18 88 3a | 08 10 05 01 45 c4 be 37 00 00 00 44 0f 82 45 52 | 55 e0 05 34 4c 4a 7f 50 7e f7 2f 7a 54 6c 04 cb | e9 09 79 79 74 6d 0c 76 f3 4f a7 68 1f 0a e8 04 | 75 c6 03 70 | running updown command "ipsec _updown" for verb down | command executing down-host | executing down-host: PLUTO_VERB='down-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='xauth-road-eastnet-psk' PLUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='192.1.3.254' PLUTO_ME='192.1.3.209' PLUTO_MY_ID='@roadrandom' PLUTO_MY_CLIENT='192.1.3.209/32' PLUTO_MY_CLIENT_NET='192.1.3.209' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID='@east' PLUTO_PEER_CLIENT='192.0.2.0/24' PLUTO_PEER_CLIENT_NET='192.0.2.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1566825969' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+UP+XAUTH+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_USERNAME='use2' PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURE | popen cmd is 1103 chars long | cmd( 0):PLUTO_VERB='down-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='xauth-road-eastnet-: | cmd( 80):psk' PLUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='192.1.3.254' PLUTO_ME='192.1.3.209' : | cmd( 160):PLUTO_MY_ID='@roadrandom' PLUTO_MY_CLIENT='192.1.3.209/32' PLUTO_MY_CLIENT_NET=': | cmd( 240):192.1.3.209' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_P: | cmd( 320):ROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.23' P: | cmd( 400):LUTO_PEER_ID='@east' PLUTO_PEER_CLIENT='192.0.2.0/24' PLUTO_PEER_CLIENT_NET='192: | cmd( 480):.0.2.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PR: | cmd( 560):OTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1566825969' PLUT: | cmd( 640):O_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+UP+XAUTH+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRAC: | cmd( 720):K+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='i: | cmd( 800):pv4' XAUTH_FAILED=0 PLUTO_USERNAME='use2' PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS: | cmd( 880):_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLU: | cmd( 960):TO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHAR: | cmd(1040):ED='no' SPI_IN=0xd474ceff SPI_OUT=0x9040253e ipsec _updown 2>&1: | crypto helper 5 finished build KE and nonce (quick_outI1 KE); request ID 5 time elapsed 0.000711 seconds | (#3) spent 0.575 milliseconds in crypto helper computing work-order 5: quick_outI1 KE (pcr) | crypto helper 5 sending results from work-order 5 for state #3 to event queue | scheduling resume sending helper answer for #3 | libevent_malloc: new ptr-libevent@0x7faeb0001af8 size 128 | crypto helper 5 waiting (nothing to do) | shunt_eroute() called for connection 'xauth-road-eastnet-psk' to 'replace with shunt' for rt_kind 'prospective erouted' using protoports 0--0->-0 | netlink_shunt_eroute for proto 0, and source port 0 dest port 0 | priority calculation of connection "xauth-road-eastnet-psk" is 0xfdfe7 | IPsec Sa SPD priority set to 1040359 | delete esp.d474ceff@192.1.2.23 | netlink response for Del SA esp.d474ceff@192.1.2.23 included non-error error | priority calculation of connection "xauth-road-eastnet-psk" is 0xfdfe7 | delete inbound eroute 192.0.2.0/24:0 --0-> 192.1.3.209/32:0 => unk255.10000@192.1.3.209 (raw_eroute) | raw_eroute result=success | delete esp.9040253e@192.1.3.209 | netlink response for Del SA esp.9040253e@192.1.3.209 included non-error error | in connection_discard for connection xauth-road-eastnet-psk | State DB: deleting IKEv1 state #2 in QUICK_I2 | child state #2: QUICK_I2(established CHILD SA) => UNDEFINED(ignore) | stop processing: state #2 from 192.1.2.23 (in delete_state() at state.c:1143) | libevent_free: release ptr-libevent@0x55a57d93f768 | free_event_entry: release EVENT_SA_EXPIRE-pe@0x55a57d943ea8 | in statetime_stop() and could not find #2 | processing: STOP state #0 (in timer_event_cb() at timer.c:557) | spent 0.00247 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 84 bytes from 192.1.2.23:500 on eth0 (192.1.3.209:500) | 7f bf 3c c4 b7 4e 59 de 2a ec 8e 97 57 18 88 3a | 08 10 05 01 54 ad 03 c1 00 00 00 54 37 57 a1 5b | e8 6c 27 0c d0 10 0e d7 0e 54 2e d5 fa e0 df 59 | 0e bb a5 0e 9e 89 63 50 ed 2d cd c4 ec 61 09 a4 | 6d ef 24 17 65 bf 87 67 22 9e 5d 10 1a 48 1f 06 | f7 29 69 27 | start processing: from 192.1.2.23:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 7f bf 3c c4 b7 4e 59 de | responder cookie: | 2a ec 8e 97 57 18 88 3a | next payload type: ISAKMP_NEXT_HASH (0x8) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_INFO (0x5) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 1420624833 (0x54ad03c1) | length: 84 (0x54) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_INFO (5) | peer and cookies match on #3; msgid=00000000 st_msgid=356d968b st_msgid_phase15=00000000 | peer and cookies match on #1; msgid=00000000 st_msgid=00000000 st_msgid_phase15=00000000 | p15 state object #1 found, in STATE_AGGR_I2 | State DB: found IKEv1 state #1 in AGGR_I2 (find_v1_info_state) | start processing: state #1 connection "xauth-road-eastnet-psk" from 192.1.2.23 (in process_v1_packet() at ikev1.c:1479) | #1 is idle | #1 idle | received encrypted packet from 192.1.2.23:500 | got payload 0x100 (ISAKMP_NEXT_HASH) needed: 0x100 opt: 0x0 | ***parse ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_D (0xc) | length: 24 (0x18) | got payload 0x1000 (ISAKMP_NEXT_D) needed: 0x0 opt: 0x0 | ***parse ISAKMP Delete Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 28 (0x1c) | DOI: ISAKMP_DOI_IPSEC (0x1) | protocol ID: 1 (0x1) | SPI size: 16 (0x10) | number of SPIs: 1 (0x1) | removing 4 bytes of padding | informational HASH(1): | 0f 22 7f 93 bd 22 40 8e 00 f1 31 8a 7d 7c b7 a4 | 23 52 86 6e | received 'informational' message HASH(1) data ok | parsing 8 raw bytes of ISAKMP Delete Payload into iCookie | iCookie 7f bf 3c c4 b7 4e 59 de | parsing 8 raw bytes of ISAKMP Delete Payload into rCookie | rCookie 2a ec 8e 97 57 18 88 3a | State DB: found IKEv1 state #1 in AGGR_I2 (find_state_ikev1) | del: "xauth-road-eastnet-psk" #1: received Delete SA payload: self-deleting ISAKMP State #1 | pstats #1 ikev1.isakmp deleted completed | [RE]START processing: state #1 connection "xauth-road-eastnet-psk" from 192.1.2.23 (in delete_state() at state.c:879) "xauth-road-eastnet-psk" #1: deleting state (STATE_AGGR_I2) aged 10.086s and sending notification | parent state #1: AGGR_I2(established IKE SA) => delete | #1 send IKEv1 delete notification for STATE_AGGR_I2 | **emit ISAKMP Message: | initiator cookie: | 7f bf 3c c4 b7 4e 59 de | responder cookie: | 2a ec 8e 97 57 18 88 3a | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_INFO (0x5) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 2294100320 (0x88bd3160) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Hash Payload (8:ISAKMP_NEXT_HASH) | next payload chain: saving location 'ISAKMP Hash Payload'.'next payload type' in 'delete msg' | emitting 20 zero bytes of HASH DATA into ISAKMP Hash Payload | emitting length of ISAKMP Hash Payload: 24 | ***emit ISAKMP Delete Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | DOI: ISAKMP_DOI_IPSEC (0x1) | protocol ID: 1 (0x1) | SPI size: 16 (0x10) | number of SPIs: 1 (0x1) | next payload chain: setting previous 'ISAKMP Hash Payload'.'next payload type' to current ISAKMP Delete Payload (12:ISAKMP_NEXT_D) | next payload chain: saving location 'ISAKMP Delete Payload'.'next payload type' in 'delete msg' | emitting 8 raw bytes of initiator SPI into ISAKMP Delete Payload | initiator SPI 7f bf 3c c4 b7 4e 59 de | emitting 8 raw bytes of responder SPI into ISAKMP Delete Payload | responder SPI 2a ec 8e 97 57 18 88 3a | emitting length of ISAKMP Delete Payload: 28 | send delete HASH(1): | 22 ce 72 99 71 0a 6c 7d 9e 22 2f 6e a8 4e 68 aa | 66 59 c2 8f | emitting 4 zero bytes of encryption padding into ISAKMP Message | no IKEv1 message padding required | emitting length of ISAKMP Message: 84 | sending 84 bytes for delete notify through eth0 from 192.1.3.209:500 to 192.1.2.23:500 (using #1) | 7f bf 3c c4 b7 4e 59 de 2a ec 8e 97 57 18 88 3a | 08 10 05 01 88 bd 31 60 00 00 00 54 aa 42 4a 20 | 1b 37 7e 5f 72 f4 ef 87 ec 05 b6 53 b3 07 25 1f | a9 49 15 3a a7 56 3d be 95 e5 0d a2 cb 49 d9 24 | 0e af 04 6e 1e 55 1e 9d 83 aa c7 5b fb d4 f6 ed | 10 39 d8 fa | state #1 requesting EVENT_SA_REPLACE to be deleted | libevent_free: release ptr-libevent@0x55a57d93f8c8 | free_event_entry: release EVENT_SA_REPLACE-pe@0x55a57d93e6f8 "xauth-road-eastnet-psk" #1: reschedule pending child #3 STATE_QUICK_I1 of connection "xauth-road-eastnet-psk" - the parent is going away | state #3 requesting EVENT_CRYPTO_TIMEOUT to be deleted | libevent_free: release ptr-libevent@0x55a57d93fc18 | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x7faeac001408 | event_schedule: new EVENT_SA_REPLACE-pe@0x7faeac001408 | inserting event EVENT_SA_REPLACE, timeout in 0 seconds for #3 | libevent_malloc: new ptr-libevent@0x55a57d93fcc8 size 128 | State DB: IKEv1 state not found (flush_incomplete_children) | picked newest_isakmp_sa #0 for #1 "xauth-road-eastnet-psk" #1: deleting IKE SA for connection 'xauth-road-eastnet-psk' but connection is supposed to remain up; schedule EVENT_REVIVE_CONNS | add revival: connection 'xauth-road-eastnet-psk' added to the list and scheduled for 0 seconds | global one-shot timer EVENT_REVIVE_CONNS scheduled in 0 seconds | in connection_discard for connection xauth-road-eastnet-psk | State DB: deleting IKEv1 state #1 in AGGR_I2 | parent state #1: AGGR_I2(established IKE SA) => UNDEFINED(ignore) | stop processing: state #1 from 192.1.2.23 (in delete_state() at state.c:1143) | in statetime_start() with no state | complete v1 state transition with STF_IGNORE | stop processing: from 192.1.2.23:500 (in process_md() at demux.c:380) | processing: STOP state #0 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.539 milliseconds in comm_handle_cb() reading and processing packet | processing resume sending helper answer for #3 | start processing: state #3 connection "xauth-road-eastnet-psk" from 192.1.2.23 (in resume_handler() at server.c:797) | crypto helper 5 replies to request ID 5 | calling continuation function 0x55a57c753b50 | work-order 5 state #3 crypto result suppressed | resume sending helper answer for #3 suppresed complete_v1_state_transition() | #3 spent 0.0161 milliseconds in resume sending helper answer | stop processing: state #3 connection "xauth-road-eastnet-psk" from 192.1.2.23 (in resume_handler() at server.c:833) | libevent_free: release ptr-libevent@0x7faeb0001af8 | processing signal PLUTO_SIGCHLD | waitpid returned ECHILD (no child processes left) | spent 0.00433 milliseconds in signal handler PLUTO_SIGCHLD | timer_event_cb: processing event@0x7faeac001408 | handling event EVENT_SA_REPLACE for child state #3 | start processing: state #3 connection "xauth-road-eastnet-psk" from 192.1.2.23 (in timer_event_cb() at timer.c:250) | picked newest_ipsec_sa #0 for #3 | replacing stale IPsec SA | dup_any(fd@-1) -> fd@-1 (in ipsecdoi_replace() at ipsec_doi.c:351) | FOR_EACH_STATE_... in find_phase1_state "xauth-road-eastnet-psk" #3: IKEv1 Aggressive Mode with PSK is vulnerable to dictionary attacks and is cracked on large scale by TLA's | creating state object #4 at 0x55a57d93e8e8 | State DB: adding IKEv1 state #4 in UNDEFINED | pstats #4 ikev1.isakmp started | parent state #4: UNDEFINED(ignore) => AGGR_I1(half-open IKE SA) | suspend processing: state #3 connection "xauth-road-eastnet-psk" from 192.1.2.23 (in aggr_outI1() at ikev1_aggr.c:1015) | start processing: state #4 connection "xauth-road-eastnet-psk" from 192.1.2.23 (in aggr_outI1() at ikev1_aggr.c:1015) | oakley_alg_makedb() processing ealg=3des_cbc=5 halg=sha=2 modp=MODP2048=14 eklen=0 | oakley_alg_makedb() processing ealg=3des_cbc=5 halg=sha=2 modp=MODP1536=5 eklen=0 "xauth-road-eastnet-psk" #4: multiple DH groups in aggressive mode can cause interop failure "xauth-road-eastnet-psk" #4: Deleting previous proposal in the hopes of selecting DH 2 or DH 5 | oakley_alg_makedb() returning 0x7faeb80030e8 | initiating aggressive mode with IKE=E=5-H=2-M=5 | dup_any(fd@-1) -> fd@-1 (in aggr_outI1() at ikev1_aggr.c:1031) | Queuing pending IPsec SA negotiating with 192.1.2.23 "xauth-road-eastnet-psk" IKE SA #4 "xauth-road-eastnet-psk" "xauth-road-eastnet-psk" #4: initiating Aggressive Mode | adding aggr_outI1 KE + nonce work-order 6 for state #4 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55a57d9400a8 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #4 | libevent_malloc: new ptr-libevent@0x7faebc002d28 size 128 | #4 spent 0.074 milliseconds in aggr_outI1() | RESET processing: state #4 connection "xauth-road-eastnet-psk" from 192.1.2.23 (in aggr_outI1() at ikev1_aggr.c:1054) | crypto helper 2 resuming | crypto helper 2 starting work-order 6 for state #4 | crypto helper 2 doing build KE and nonce (aggr_outI1 KE + nonce); request ID 6 | event_schedule: new EVENT_SA_EXPIRE-pe@0x55a57d93e6f8 | inserting event EVENT_SA_EXPIRE, timeout in 0 seconds for #3 | libevent_malloc: new ptr-libevent@0x55a57d94a948 size 128 | libevent_free: release ptr-libevent@0x55a57d93fcc8 | free_event_entry: release EVENT_SA_REPLACE-pe@0x7faeac001408 | #3 spent 0.122 milliseconds in timer_event_cb() EVENT_SA_REPLACE | processing: STOP state #0 (in timer_event_cb() at timer.c:557) | processing global timer EVENT_REVIVE_CONNS Initiating connection xauth-road-eastnet-psk which received a Delete/Notify but must remain up per local policy | FOR_EACH_CONNECTION_... in conn_by_name | start processing: connection "xauth-road-eastnet-psk" (in initiate_a_connection() at initiate.c:186) | empty esp_info, returning defaults for ENCRYPT | connection 'xauth-road-eastnet-psk' +POLICY_UP | dup_any(fd@-1) -> fd@-1 (in initiate_a_connection() at initiate.c:342) | FOR_EACH_STATE_... in find_phase1_state | Ignored already queued up pending IPsec SA negotiation with 192.1.2.23 "xauth-road-eastnet-psk" | stop processing: connection "xauth-road-eastnet-psk" (in initiate_a_connection() at initiate.c:349) | spent 0.0283 milliseconds in global timer EVENT_REVIVE_CONNS | timer_event_cb: processing event@0x55a57d93e6f8 | handling event EVENT_SA_EXPIRE for child state #3 | start processing: state #3 connection "xauth-road-eastnet-psk" from 192.1.2.23 (in timer_event_cb() at timer.c:250) | picked newest_ipsec_sa #0 for #3 | un-established partial CHILD SA timeout (SA expired) | pstats #3 ikev1.ipsec failed exchange-timeout | pstats #3 ikev1.ipsec deleted exchange-timeout | [RE]START processing: state #3 connection "xauth-road-eastnet-psk" from 192.1.2.23 (in delete_state() at state.c:879) "xauth-road-eastnet-psk" #3: deleting state (STATE_QUICK_I1) aged 0.012s and NOT sending notification | child state #3: QUICK_I1(established CHILD SA) => delete | child state #3: QUICK_I1(established CHILD SA) => CHILDSA_DEL(informational) | priority calculation of connection "xauth-road-eastnet-psk" is 0xfdfe7 | delete inbound eroute 192.0.2.0/24:0 --0-> 192.1.3.209/32:0 => unk255.10000@192.1.3.209 (raw_eroute) | raw_eroute result=success | in connection_discard for connection xauth-road-eastnet-psk | State DB: deleting IKEv1 state #3 in CHILDSA_DEL | child state #3: CHILDSA_DEL(informational) => UNDEFINED(ignore) | stop processing: state #3 from 192.1.2.23 (in delete_state() at state.c:1143) | libevent_free: release ptr-libevent@0x55a57d94a948 | free_event_entry: release EVENT_SA_EXPIRE-pe@0x55a57d93e6f8 | in statetime_stop() and could not find #3 | processing: STOP state #0 (in timer_event_cb() at timer.c:557) | crypto helper 2 finished build KE and nonce (aggr_outI1 KE + nonce); request ID 6 time elapsed 0.000511 seconds | (#4) spent 0.504 milliseconds in crypto helper computing work-order 6: aggr_outI1 KE + nonce (pcr) | crypto helper 2 sending results from work-order 6 for state #4 to event queue | scheduling resume sending helper answer for #4 | libevent_malloc: new ptr-libevent@0x7faea4001af8 size 128 | crypto helper 2 waiting (nothing to do) | processing resume sending helper answer for #4 | start processing: state #4 connection "xauth-road-eastnet-psk" from 192.1.2.23 (in resume_handler() at server.c:797) | crypto helper 2 replies to request ID 6 | calling continuation function 0x55a57c753b50 | aggr_outI1_continue for #4: calculated ke+nonce, sending I1 | aggr_outI1_tail for #4 | **emit ISAKMP Message: | initiator cookie: | 16 57 0f 64 20 bc 18 da | responder cookie: | 00 00 00 00 00 00 00 00 | next payload type: ISAKMP_NEXT_SA (0x1) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_AGGR (0x4) | flags: none (0x0) | Message ID: 0 (0x0) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | next payload chain: ignoring supplied 'ISAKMP Message'.'next payload type' value 1:ISAKMP_NEXT_SA | oakley_alg_makedb() processing ealg=3des_cbc=5 halg=sha=2 modp=MODP2048=14 eklen=0 | oakley_alg_makedb() processing ealg=3des_cbc=5 halg=sha=2 modp=MODP1536=5 eklen=0 "xauth-road-eastnet-psk" #4: multiple DH groups in aggressive mode can cause interop failure "xauth-road-eastnet-psk" #4: Deleting previous proposal in the hopes of selecting DH 2 or DH 5 | oakley_alg_makedb() returning 0x7faeb8002568 | ***emit ISAKMP Security Association Payload: | next payload type: ISAKMP_NEXT_KE (0x4) | DOI: ISAKMP_DOI_IPSEC (0x1) | next payload chain: ignoring supplied 'ISAKMP Security Association Payload'.'next payload type' value 4:ISAKMP_NEXT_KE | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Security Association Payload (1:ISAKMP_NEXT_SA) | next payload chain: saving location 'ISAKMP Security Association Payload'.'next payload type' in 'reply packet' | ****emit IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ikev1_out_sa pcn: 0 has 1 valid proposals | ikev1_out_sa pcn: 0 pn: 0<1 valid_count: 1 trans_cnt: 1 | ****emit ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | proposal number: 0 (0x0) | protocol ID: PROTO_ISAKMP (0x1) | SPI size: 0 (0x0) | number of transforms: 1 (0x1) | last substructure: saving location 'ISAKMP Security Association Payload'.'ISAKMP Proposal Payload'.'next payload type' | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP transform number: 0 (0x0) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 5 (0x5) | [5 is OAKLEY_3DES_CBC] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 2 (0x2) | [2 is OAKLEY_SHA1] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 65001 (0xfde9) | [65001 is XAUTHInitPreShared] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 5 (0x5) | [5 is OAKLEY_GROUP_MODP1536] | emitting length of ISAKMP Transform Payload (ISAKMP): 32 | emitting length of ISAKMP Proposal Payload: 40 | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is 0 | emitting length of ISAKMP Security Association Payload: 52 | last substructure: checking 'ISAKMP Security Association Payload'.'ISAKMP Proposal Payload'.'next payload type' is 0 | ***emit ISAKMP Key Exchange Payload: | next payload type: ISAKMP_NEXT_NONCE (0xa) | next payload chain: ignoring supplied 'ISAKMP Key Exchange Payload'.'next payload type' value 10:ISAKMP_NEXT_NONCE | next payload chain: setting previous 'ISAKMP Security Association Payload'.'next payload type' to current ISAKMP Key Exchange Payload (4:ISAKMP_NEXT_KE) | next payload chain: saving location 'ISAKMP Key Exchange Payload'.'next payload type' in 'reply packet' | emitting 192 raw bytes of keyex value into ISAKMP Key Exchange Payload | keyex value bc ad 34 dd b0 14 4d 5b 44 ce c9 64 e0 47 de 15 | keyex value e8 bc 0e 5c 3c 32 a4 e1 eb c8 ee 0b 03 62 cf 4f | keyex value 07 ad 5a 0a 9e 8f c2 cb 0b 37 cd 15 a5 12 92 bd | keyex value db a5 1f 2c e1 79 24 f7 22 10 c4 7c 65 36 28 0c | keyex value 00 ab 29 f8 1e 99 26 8b a1 ed 5a 1d 2e c7 54 c1 | keyex value ad ba 2d 6b f9 b0 6c ae de ab f5 6b 73 af 61 38 | keyex value 85 64 fc 42 2d ec a0 e1 73 f5 1b 4d 8d 79 a8 3e | keyex value ee 74 f3 54 a9 08 c9 1f 0f 94 ef 8d 8f 79 1c ac | keyex value 73 58 47 a6 96 90 26 dc 97 32 f6 a9 db e1 a2 a1 | keyex value 9d e2 eb f6 f0 6d 3e c2 53 22 01 64 af 15 10 ad | keyex value 22 55 a8 b3 e2 48 42 43 b6 40 1f e5 35 3d 39 46 | keyex value 5a 41 02 97 d9 6a 01 3d 0a 74 4e 31 ab e4 1a d9 | emitting length of ISAKMP Key Exchange Payload: 196 | ***emit ISAKMP Nonce Payload: | next payload type: ISAKMP_NEXT_ID (0x5) | next payload chain: ignoring supplied 'ISAKMP Nonce Payload'.'next payload type' value 5:ISAKMP_NEXT_ID | next payload chain: setting previous 'ISAKMP Key Exchange Payload'.'next payload type' to current ISAKMP Nonce Payload (10:ISAKMP_NEXT_NONCE) | next payload chain: saving location 'ISAKMP Nonce Payload'.'next payload type' in 'reply packet' | emitting 32 raw bytes of Ni into ISAKMP Nonce Payload | Ni 9c 7f 88 3b 4a fc 4f 14 a6 a9 c9 a0 15 ed cc 7f | Ni 98 ad b0 1d c2 45 dd 2b 0d 9f c7 b1 b3 37 11 ba | emitting length of ISAKMP Nonce Payload: 36 | ***emit ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_VID (0xd) | ID type: ID_FQDN (0x2) | Protocol ID: 0 (0x0) | port: 0 (0x0) | next payload chain: ignoring supplied 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' value 13:ISAKMP_NEXT_VID | next payload chain: setting previous 'ISAKMP Nonce Payload'.'next payload type' to current ISAKMP Identification Payload (IPsec DOI) (5:ISAKMP_NEXT_ID) | next payload chain: saving location 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' in 'reply packet' | emitting 10 raw bytes of my identity into ISAKMP Identification Payload (IPsec DOI) | my identity 72 6f 61 64 72 61 6e 64 6f 6d | emitting length of ISAKMP Identification Payload (IPsec DOI): 18 | out_vid(): sending [FRAGMENTATION] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | next payload chain: ignoring supplied 'ISAKMP Vendor ID Payload'.'next payload type' value 13:ISAKMP_NEXT_VID | next payload chain: setting previous 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID 40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3 | emitting length of ISAKMP Vendor ID Payload: 20 | out_vid(): sending [XAUTH] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | next payload chain: ignoring supplied 'ISAKMP Vendor ID Payload'.'next payload type' value 13:ISAKMP_NEXT_VID | next payload chain: setting previous 'ISAKMP Vendor ID Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 8 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID 09 00 26 89 df d6 b7 12 | emitting length of ISAKMP Vendor ID Payload: 12 | out_vid(): sending [Dead Peer Detection] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Vendor ID Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00 | emitting length of ISAKMP Vendor ID Payload: 20 | nat add vid | sending draft and RFC NATT VIDs | out_vid(): sending [RFC 3947] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | next payload chain: ignoring supplied 'ISAKMP Vendor ID Payload'.'next payload type' value 13:ISAKMP_NEXT_VID | next payload chain: setting previous 'ISAKMP Vendor ID Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID 4a 13 1c 81 07 03 58 45 5c 57 28 f2 0e 95 45 2f | emitting length of ISAKMP Vendor ID Payload: 20 | skipping VID_NATT_RFC | out_vid(): sending [draft-ietf-ipsec-nat-t-ike-03] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | next payload chain: ignoring supplied 'ISAKMP Vendor ID Payload'.'next payload type' value 13:ISAKMP_NEXT_VID | next payload chain: setting previous 'ISAKMP Vendor ID Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID 7d 94 19 a6 53 10 ca 6f 2c 17 9d 92 15 52 9d 56 | emitting length of ISAKMP Vendor ID Payload: 20 | out_vid(): sending [draft-ietf-ipsec-nat-t-ike-02_n] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | next payload chain: ignoring supplied 'ISAKMP Vendor ID Payload'.'next payload type' value 13:ISAKMP_NEXT_VID | next payload chain: setting previous 'ISAKMP Vendor ID Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID 90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f | emitting length of ISAKMP Vendor ID Payload: 20 | out_vid(): sending [draft-ietf-ipsec-nat-t-ike-02] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Vendor ID Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID cd 60 46 43 35 df 21 f8 7c fd b2 fc 68 b6 a4 48 | emitting length of ISAKMP Vendor ID Payload: 20 | padding IKEv1 message with 2 bytes | emitting 2 zero bytes of message padding into ISAKMP Message | emitting length of ISAKMP Message: 464 | sending 464 bytes for aggr_outI1 through eth0 from 192.1.3.209:500 to 192.1.2.23:500 (using #4) | 16 57 0f 64 20 bc 18 da 00 00 00 00 00 00 00 00 | 01 10 04 00 00 00 00 00 00 00 01 d0 04 00 00 34 | 00 00 00 01 00 00 00 01 00 00 00 28 00 01 00 01 | 00 00 00 20 00 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 05 80 02 00 02 80 03 fd e9 80 04 00 05 | 0a 00 00 c4 bc ad 34 dd b0 14 4d 5b 44 ce c9 64 | e0 47 de 15 e8 bc 0e 5c 3c 32 a4 e1 eb c8 ee 0b | 03 62 cf 4f 07 ad 5a 0a 9e 8f c2 cb 0b 37 cd 15 | a5 12 92 bd db a5 1f 2c e1 79 24 f7 22 10 c4 7c | 65 36 28 0c 00 ab 29 f8 1e 99 26 8b a1 ed 5a 1d | 2e c7 54 c1 ad ba 2d 6b f9 b0 6c ae de ab f5 6b | 73 af 61 38 85 64 fc 42 2d ec a0 e1 73 f5 1b 4d | 8d 79 a8 3e ee 74 f3 54 a9 08 c9 1f 0f 94 ef 8d | 8f 79 1c ac 73 58 47 a6 96 90 26 dc 97 32 f6 a9 | db e1 a2 a1 9d e2 eb f6 f0 6d 3e c2 53 22 01 64 | af 15 10 ad 22 55 a8 b3 e2 48 42 43 b6 40 1f e5 | 35 3d 39 46 5a 41 02 97 d9 6a 01 3d 0a 74 4e 31 | ab e4 1a d9 05 00 00 24 9c 7f 88 3b 4a fc 4f 14 | a6 a9 c9 a0 15 ed cc 7f 98 ad b0 1d c2 45 dd 2b | 0d 9f c7 b1 b3 37 11 ba 0d 00 00 12 02 00 00 00 | 72 6f 61 64 72 61 6e 64 6f 6d 0d 00 00 14 40 48 | b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3 0d 00 | 00 0c 09 00 26 89 df d6 b7 12 0d 00 00 14 af ca | d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00 0d 00 | 00 14 4a 13 1c 81 07 03 58 45 5c 57 28 f2 0e 95 | 45 2f 0d 00 00 14 7d 94 19 a6 53 10 ca 6f 2c 17 | 9d 92 15 52 9d 56 0d 00 00 14 90 cb 80 91 3e bb | 69 6e 08 63 81 b5 ec 42 7b 1f 00 00 00 14 cd 60 | 46 43 35 df 21 f8 7c fd b2 fc 68 b6 a4 48 00 00 | state #4 requesting EVENT_CRYPTO_TIMEOUT to be deleted | libevent_free: release ptr-libevent@0x7faebc002d28 | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55a57d9400a8 | event_schedule: new EVENT_RETRANSMIT-pe@0x55a57d9400a8 | inserting event EVENT_RETRANSMIT, timeout in 0.5 seconds for #4 | libevent_malloc: new ptr-libevent@0x55a57d94a948 size 128 | #4 STATE_AGGR_I1: retransmits: first event in 0.5 seconds; timeout in 60 seconds; limit of 12 retransmits; current time is 11265.725737 | stop processing: state #4 connection "xauth-road-eastnet-psk" from 192.1.2.23 (in aggr_outI1_tail() at ikev1_aggr.c:1199) | complete v1 state transition with STF_IGNORE | resume sending helper answer for #4 suppresed complete_v1_state_transition() | #4 spent 0.498 milliseconds in resume sending helper answer | processing: STOP state #0 (in resume_handler() at server.c:833) | libevent_free: release ptr-libevent@0x7faea4001af8 | timer_event_cb: processing event@0x55a57d9400a8 | handling event EVENT_RETRANSMIT for parent state #4 | start processing: state #4 connection "xauth-road-eastnet-psk" from 192.1.2.23 (in timer_event_cb() at timer.c:250) | IKEv1 retransmit event | [RE]START processing: state #4 connection "xauth-road-eastnet-psk" from 192.1.2.23 (in retransmit_v1_msg() at retry.c:61) | handling event EVENT_RETRANSMIT for 192.1.2.23 "xauth-road-eastnet-psk" #4 keying attempt 1 of 0; retransmit 1 | retransmits: current time 11266.226341; retransmit count 0 exceeds limit? NO; deltatime 0.5 exceeds limit? NO; monotime 0.500604 exceeds limit? NO | event_schedule: new EVENT_RETRANSMIT-pe@0x7faeac001408 | inserting event EVENT_RETRANSMIT, timeout in 0.5 seconds for #4 | libevent_malloc: new ptr-libevent@0x7faea4001af8 size 128 "xauth-road-eastnet-psk" #4: STATE_AGGR_I1: retransmission; will wait 0.5 seconds for response | sending 464 bytes for EVENT_RETRANSMIT through eth0 from 192.1.3.209:500 to 192.1.2.23:500 (using #4) | 16 57 0f 64 20 bc 18 da 00 00 00 00 00 00 00 00 | 01 10 04 00 00 00 00 00 00 00 01 d0 04 00 00 34 | 00 00 00 01 00 00 00 01 00 00 00 28 00 01 00 01 | 00 00 00 20 00 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 05 80 02 00 02 80 03 fd e9 80 04 00 05 | 0a 00 00 c4 bc ad 34 dd b0 14 4d 5b 44 ce c9 64 | e0 47 de 15 e8 bc 0e 5c 3c 32 a4 e1 eb c8 ee 0b | 03 62 cf 4f 07 ad 5a 0a 9e 8f c2 cb 0b 37 cd 15 | a5 12 92 bd db a5 1f 2c e1 79 24 f7 22 10 c4 7c | 65 36 28 0c 00 ab 29 f8 1e 99 26 8b a1 ed 5a 1d | 2e c7 54 c1 ad ba 2d 6b f9 b0 6c ae de ab f5 6b | 73 af 61 38 85 64 fc 42 2d ec a0 e1 73 f5 1b 4d | 8d 79 a8 3e ee 74 f3 54 a9 08 c9 1f 0f 94 ef 8d | 8f 79 1c ac 73 58 47 a6 96 90 26 dc 97 32 f6 a9 | db e1 a2 a1 9d e2 eb f6 f0 6d 3e c2 53 22 01 64 | af 15 10 ad 22 55 a8 b3 e2 48 42 43 b6 40 1f e5 | 35 3d 39 46 5a 41 02 97 d9 6a 01 3d 0a 74 4e 31 | ab e4 1a d9 05 00 00 24 9c 7f 88 3b 4a fc 4f 14 | a6 a9 c9 a0 15 ed cc 7f 98 ad b0 1d c2 45 dd 2b | 0d 9f c7 b1 b3 37 11 ba 0d 00 00 12 02 00 00 00 | 72 6f 61 64 72 61 6e 64 6f 6d 0d 00 00 14 40 48 | b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3 0d 00 | 00 0c 09 00 26 89 df d6 b7 12 0d 00 00 14 af ca | d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00 0d 00 | 00 14 4a 13 1c 81 07 03 58 45 5c 57 28 f2 0e 95 | 45 2f 0d 00 00 14 7d 94 19 a6 53 10 ca 6f 2c 17 | 9d 92 15 52 9d 56 0d 00 00 14 90 cb 80 91 3e bb | 69 6e 08 63 81 b5 ec 42 7b 1f 00 00 00 14 cd 60 | 46 43 35 df 21 f8 7c fd b2 fc 68 b6 a4 48 00 00 | libevent_free: release ptr-libevent@0x55a57d94a948 | free_event_entry: release EVENT_RETRANSMIT-pe@0x55a57d9400a8 | #4 spent 0.528 milliseconds in timer_event_cb() EVENT_RETRANSMIT | stop processing: state #4 connection "xauth-road-eastnet-psk" from 192.1.2.23 (in timer_event_cb() at timer.c:557) | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) shutting down | processing: RESET whack log_fd (was fd@16) (in exit_pluto() at plutomain.c:1825) | certs and keys locked by 'free_preshared_secrets' forgetting secrets | certs and keys unlocked by 'free_preshared_secrets' | start processing: connection "xauth-road-eastnet-psk" (in delete_connection() at connections.c:189) | removing pending policy for no connection {0x55a57d93f978} | Deleting states for connection - including all other IPsec SA's of this IKE SA | pass 0 | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete | state #4 | suspend processing: connection "xauth-road-eastnet-psk" (in foreach_state_by_connection_func_delete() at state.c:1310) | start processing: state #4 connection "xauth-road-eastnet-psk" from 192.1.2.23 (in foreach_state_by_connection_func_delete() at state.c:1310) | pstats #4 ikev1.isakmp deleted other | [RE]START processing: state #4 connection "xauth-road-eastnet-psk" from 192.1.2.23 (in delete_state() at state.c:879) "xauth-road-eastnet-psk" #4: deleting state (STATE_AGGR_I1) aged 0.671s and NOT sending notification | parent state #4: AGGR_I1(half-open IKE SA) => delete | state #4 requesting EVENT_RETRANSMIT to be deleted | #4 STATE_AGGR_I1: retransmits: cleared | libevent_free: release ptr-libevent@0x7faea4001af8 | free_event_entry: release EVENT_RETRANSMIT-pe@0x7faeac001408 | State DB: IKEv1 state not found (flush_incomplete_children) | picked newest_isakmp_sa #0 for #4 "xauth-road-eastnet-psk" #4: deleting IKE SA for connection 'xauth-road-eastnet-psk' but connection is supposed to remain up; schedule EVENT_REVIVE_CONNS | add revival: connection 'xauth-road-eastnet-psk' added to the list and scheduled for 5 seconds | global one-shot timer EVENT_REVIVE_CONNS scheduled in 5 seconds | stop processing: connection "xauth-road-eastnet-psk" (BACKGROUND) (in update_state_connection() at connections.c:4076) | start processing: connection NULL (in update_state_connection() at connections.c:4077) | in connection_discard for connection xauth-road-eastnet-psk | State DB: deleting IKEv1 state #4 in AGGR_I1 | parent state #4: AGGR_I1(half-open IKE SA) => UNDEFINED(ignore) | stop processing: state #4 from 192.1.2.23 (in delete_state() at state.c:1143) | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312) | pass 1 | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete | shunt_eroute() called for connection 'xauth-road-eastnet-psk' to 'delete' for rt_kind 'unrouted' using protoports 0--0->-0 | netlink_shunt_eroute for proto 0, and source port 0 dest port 0 | priority calculation of connection "xauth-road-eastnet-psk" is 0xfdfe7 | priority calculation of connection "xauth-road-eastnet-psk" is 0xfdfe7 | FOR_EACH_CONNECTION_... in route_owner | conn xauth-road-eastnet-psk mark 0/00000000, 0/00000000 vs | conn xauth-road-eastnet-psk mark 0/00000000, 0/00000000 | route owner of "xauth-road-eastnet-psk" unrouted: NULL | running updown command "ipsec _updown" for verb unroute | command executing unroute-host | executing unroute-host: PLUTO_VERB='unroute-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='xauth-road-eastnet-psk' PLUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='192.1.3.254' PLUTO_ME='192.1.3.209' PLUTO_MY_ID='@roadrandom' PLUTO_MY_CLIENT='192.1.3.209/32' PLUTO_MY_CLIENT_NET='192.1.3.209' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID='@east' PLUTO_PEER_CLIENT='192.0.2.0/24' PLUTO_PEER_CLIENT_NET='192.0.2.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+UP+XAUTH+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_R | popen cmd is 1062 chars long | cmd( 0):PLUTO_VERB='unroute-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='xauth-road-eastn: | cmd( 80):et-psk' PLUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='192.1.3.254' PLUTO_ME='192.1.3.20: | cmd( 160):9' PLUTO_MY_ID='@roadrandom' PLUTO_MY_CLIENT='192.1.3.209/32' PLUTO_MY_CLIENT_NE: | cmd( 240):T='192.1.3.209' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_M: | cmd( 320):Y_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.2.2: | cmd( 400):3' PLUTO_PEER_ID='@east' PLUTO_PEER_CLIENT='192.0.2.0/24' PLUTO_PEER_CLIENT_NET=: | cmd( 480):'192.0.2.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEE: | cmd( 560):R_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CON: | cmd( 640):N_POLICY='PSK+ENCRYPT+TUNNEL+PFS+UP+XAUTH+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE: | cmd( 720):_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' : | cmd( 800):XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_: | cmd( 880):INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_: | cmd( 960):CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=: | cmd(1040):0x0 ipsec _updown 2>&1: unroute-host output: Error: Peer netns reference is invalid. unroute-host output: Error: Peer netns reference is invalid. unroute-host output: Error: Peer netns reference is invalid. unroute-host output: Error: Peer netns reference is invalid. unroute-host output: Error: Peer netns reference is invalid. unroute-host output: Error: Peer netns reference is invalid. unroute-host output: Error: Peer netns reference is invalid. unroute-host output: Error: Peer netns reference is invalid. unroute-host output: Error: Peer netns reference is invalid. unroute-host output: Error: Peer netns reference is invalid. unroute-host output: Error: Peer netns reference is invalid. unroute-host output: Error: Peer netns reference is invalid. unroute-host output: Error: Peer netns reference is invalid. unroute-host output: Error: Peer netns reference is invalid. unroute-host output: Error: Peer netns reference is invalid. unroute-host output: Error: Peer netns reference is invalid. unroute-host output: Error: Peer netns reference is invalid. unroute-host output: Error: Peer netns reference is invalid. unroute-host output: Error: Peer netns reference is invalid. unroute-host output: Error: Peer netns reference is invalid. unroute-host output: Error: Peer netns reference is invalid. unroute-host output: Error: Peer netns reference is invalid. unroute-host output: Error: Peer netns reference is invalid. unroute-host output: Error: Peer netns reference is invalid. | free hp@0x55a57d93e378 | flush revival: connection 'xauth-road-eastnet-psk' revival flushed | processing: STOP connection NULL (in discard_connection() at connections.c:249) | crl fetch request list locked by 'free_crl_fetch' | crl fetch request list unlocked by 'free_crl_fetch' shutting down interface lo/lo 127.0.0.1:4500 shutting down interface lo/lo 127.0.0.1:500 shutting down interface eth0/eth0 192.1.3.209:4500 shutting down interface eth0/eth0 192.1.3.209:500 | FOR_EACH_STATE_... in delete_states_dead_interfaces | libevent_free: release ptr-libevent@0x55a57d931088 | free_event_entry: release EVENT_NULL-pe@0x55a57d93cb58 | libevent_free: release ptr-libevent@0x55a57d8f23b8 | free_event_entry: release EVENT_NULL-pe@0x55a57d93cc08 | libevent_free: release ptr-libevent@0x55a57d8f4a58 | free_event_entry: release EVENT_NULL-pe@0x55a57d93ccb8 | libevent_free: release ptr-libevent@0x55a57d8f1508 | free_event_entry: release EVENT_NULL-pe@0x55a57d93cd68 | FOR_EACH_UNORIENTED_CONNECTION_... in check_orientations | libevent_free: release ptr-libevent@0x55a57d931138 | free_event_entry: release EVENT_NULL-pe@0x55a57d925258 | libevent_free: release ptr-libevent@0x55a57d8f2308 | free_event_entry: release EVENT_NULL-pe@0x55a57d924db8 | libevent_free: release ptr-libevent@0x55a57d91d858 | free_event_entry: release EVENT_NULL-pe@0x55a57d91f348 | global timer EVENT_REINIT_SECRET uninitialized | global timer EVENT_SHUNT_SCAN uninitialized | global timer EVENT_PENDING_DDNS uninitialized | global timer EVENT_PENDING_PHASE2 uninitialized | global timer EVENT_CHECK_CRLS uninitialized | global timer EVENT_REVIVE_CONNS uninitialized | global timer EVENT_FREE_ROOT_CERTS uninitialized | global timer EVENT_RESET_LOG_RATE_LIMIT uninitialized | global timer EVENT_NAT_T_KEEPALIVE uninitialized | libevent_free: release ptr-libevent@0x55a57d879e48 | signal event handler PLUTO_SIGCHLD uninstalled | libevent_free: release ptr-libevent@0x55a57d870538 | signal event handler PLUTO_SIGTERM uninstalled | libevent_free: release ptr-libevent@0x55a57d870608 | signal event handler PLUTO_SIGHUP uninstalled | libevent_free: release ptr-libevent@0x55a57d93c7e8 | signal event handler PLUTO_SIGSYS uninstalled | releasing event base | libevent_free: release ptr-libevent@0x55a57d93c6b8 | libevent_free: release ptr-libevent@0x55a57d91f678 | libevent_free: release ptr-libevent@0x55a57d91f628 | libevent_free: release ptr-libevent@0x7faeb8001a48 | libevent_free: release ptr-libevent@0x55a57d91f5e8 | libevent_free: release ptr-libevent@0x55a57d93c408 | libevent_free: release ptr-libevent@0x55a57d93c5b8 | libevent_free: release ptr-libevent@0x55a57d91f828 | libevent_free: release ptr-libevent@0x55a57d924a48 | libevent_free: release ptr-libevent@0x55a57d925368 | libevent_free: release ptr-libevent@0x55a57d93cdd8 | libevent_free: release ptr-libevent@0x55a57d93cd28 | libevent_free: release ptr-libevent@0x55a57d93cc78 | libevent_free: release ptr-libevent@0x55a57d93cbc8 | libevent_free: release ptr-libevent@0x55a57d877288 | libevent_free: release ptr-libevent@0x55a57d93c638 | libevent_free: release ptr-libevent@0x55a57d93c5f8 | libevent_free: release ptr-libevent@0x55a57d93c578 | libevent_free: release ptr-libevent@0x55a57d93c678 | libevent_free: release ptr-libevent@0x55a57d93c448 | libevent_free: release ptr-libevent@0x55a57d8ee638 | libevent_free: release ptr-libevent@0x55a57d8ee5b8 | libevent_free: release ptr-libevent@0x55a57d8775f8 | releasing global libevent data | libevent_free: release ptr-libevent@0x55a57d8ef0f8 | libevent_free: release ptr-libevent@0x55a57d8ee738 | libevent_free: release ptr-libevent@0x55a57d8ee6b8 leak: sa copy attrs array, item size: 40 leak: sa copy trans array, item size: 24 leak: sa copy prop array, item size: 24 leak: sa copy prop conj array, item size: 16 leak: sa copy prop_conj, item size: 24 leak: msg_digest in read_packet, item size: 5080 leak: msg_digest by aggr_outI1, item size: 5080 leak: sa copy attrs array, item size: 40 leak: sa copy trans array, item size: 24 leak: sa copy prop array, item size: 24 leak: sa copy prop conj array, item size: 16 leak: sa copy prop_conj, item size: 24 leak detective found 12 leaks, total size 10416