FIPS Product: YES FIPS Kernel: NO FIPS Mode: NO NSS DB directory: sql:/etc/ipsec.d Initializing NSS Opening NSS database "sql:/etc/ipsec.d" read-only NSS initialized NSS crypto library initialized FIPS HMAC integrity support [enabled] FIPS mode disabled for pluto daemon FIPS HMAC integrity verification self-test FAILED libcap-ng support [enabled] Linux audit support [enabled] Linux audit activated Starting Pluto (Libreswan Version v3.28-685-gbfd5aef521-master-s2 XFRM(netkey) esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) DNSSEC FIPS_CHECK LABELED_IPSEC SECCOMP LIBCAP_NG LINUX_AUDIT XAUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:9266 core dump dir: /tmp secrets file: /etc/ipsec.secrets leak-detective enabled NSS crypto [enabled] XAUTH PAM support [enabled] | libevent is using pluto's memory allocator Initializing libevent in pthreads mode: headers: 2.1.8-stable (2010800); library: 2.1.8-stable (2010800) | libevent_malloc: new ptr-libevent@0x5626503a5498 size 40 | libevent_malloc: new ptr-libevent@0x562650374cd8 size 40 | libevent_malloc: new ptr-libevent@0x562650374dd8 size 40 | creating event base | libevent_malloc: new ptr-libevent@0x5626503f7838 size 56 | libevent_malloc: new ptr-libevent@0x5626503a3c88 size 664 | libevent_malloc: new ptr-libevent@0x5626503f78a8 size 24 | libevent_malloc: new ptr-libevent@0x5626503f78f8 size 384 | libevent_malloc: new ptr-libevent@0x5626503f77f8 size 16 | libevent_malloc: new ptr-libevent@0x562650374908 size 40 | libevent_malloc: new ptr-libevent@0x562650374d38 size 48 | libevent_realloc: new ptr-libevent@0x5626503a3918 size 256 | libevent_malloc: new ptr-libevent@0x5626503f7aa8 size 16 | libevent_free: release ptr-libevent@0x5626503f7838 | libevent initialized | libevent_realloc: new ptr-libevent@0x5626503f7838 size 64 | global periodic timer EVENT_RESET_LOG_RATE_LIMIT enabled with interval of 3600 seconds | init_nat_traversal() initialized with keep_alive=0s NAT-Traversal support [enabled] | global one-shot timer EVENT_NAT_T_KEEPALIVE initialized | global one-shot timer EVENT_FREE_ROOT_CERTS initialized | global periodic timer EVENT_REINIT_SECRET enabled with interval of 3600 seconds | global one-shot timer EVENT_REVIVE_CONNS initialized | global periodic timer EVENT_PENDING_DDNS enabled with interval of 60 seconds | global periodic timer EVENT_PENDING_PHASE2 enabled with interval of 120 seconds Encryption algorithms: AES_CCM_16 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm, aes_ccm_c AES_CCM_12 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_b AES_CCM_8 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_a 3DES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS [*192] 3des CAMELLIA_CTR IKEv1: ESP IKEv2: ESP {256,192,*128} CAMELLIA_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} camellia AES_GCM_16 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm, aes_gcm_c AES_GCM_12 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_b AES_GCM_8 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_a AES_CTR IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aesctr AES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aes SERPENT_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} serpent TWOFISH_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} twofish TWOFISH_SSH IKEv1: IKE IKEv2: IKE ESP {256,192,*128} twofish_cbc_ssh NULL_AUTH_AES_GMAC IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_gmac NULL IKEv1: ESP IKEv2: ESP [] CHACHA20_POLY1305 IKEv1: IKEv2: IKE ESP [*256] chacha20poly1305 Hash algorithms: MD5 IKEv1: IKE IKEv2: SHA1 IKEv1: IKE IKEv2: FIPS sha SHA2_256 IKEv1: IKE IKEv2: FIPS sha2, sha256 SHA2_384 IKEv1: IKE IKEv2: FIPS sha384 SHA2_512 IKEv1: IKE IKEv2: FIPS sha512 PRF algorithms: HMAC_MD5 IKEv1: IKE IKEv2: IKE md5 HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS sha, sha1 HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS sha2, sha256, sha2_256 HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS sha384, sha2_384 HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS sha512, sha2_512 AES_XCBC IKEv1: IKEv2: IKE aes128_xcbc Integrity algorithms: HMAC_MD5_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH md5, hmac_md5 HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha, sha1, sha1_96, hmac_sha1 HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha512, sha2_512, sha2_512_256, hmac_sha2_512 HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha384, sha2_384, sha2_384_192, hmac_sha2_384 HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256 HMAC_SHA2_256_TRUNCBUG IKEv1: ESP AH IKEv2: AH AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP AH aes_xcbc, aes128_xcbc, aes128_xcbc_96 AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS aes_cmac NONE IKEv1: ESP IKEv2: IKE ESP FIPS null DH algorithms: NONE IKEv1: IKEv2: IKE ESP AH FIPS null, dh0 MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH dh5 MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh14 MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh15 MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh16 MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh17 MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh18 DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_256, ecp256 DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_384, ecp384 DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_521, ecp521 DH31 IKEv1: IKE IKEv2: IKE ESP AH curve25519 testing CAMELLIA_CBC: Camellia: 16 bytes with 128-bit key Camellia: 16 bytes with 128-bit key Camellia: 16 bytes with 256-bit key Camellia: 16 bytes with 256-bit key testing AES_GCM_16: empty string one block two blocks two blocks with associated data testing AES_CTR: Encrypting 16 octets using AES-CTR with 128-bit key Encrypting 32 octets using AES-CTR with 128-bit key Encrypting 36 octets using AES-CTR with 128-bit key Encrypting 16 octets using AES-CTR with 192-bit key Encrypting 32 octets using AES-CTR with 192-bit key Encrypting 36 octets using AES-CTR with 192-bit key Encrypting 16 octets using AES-CTR with 256-bit key Encrypting 32 octets using AES-CTR with 256-bit key Encrypting 36 octets using AES-CTR with 256-bit key testing AES_CBC: Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key testing AES_XCBC: RFC 3566 Test Case #1: AES-XCBC-MAC-96 with 0-byte input RFC 3566 Test Case #2: AES-XCBC-MAC-96 with 3-byte input RFC 3566 Test Case #3: AES-XCBC-MAC-96 with 16-byte input RFC 3566 Test Case #4: AES-XCBC-MAC-96 with 20-byte input RFC 3566 Test Case #5: AES-XCBC-MAC-96 with 32-byte input RFC 3566 Test Case #6: AES-XCBC-MAC-96 with 34-byte input RFC 3566 Test Case #7: AES-XCBC-MAC-96 with 1000-byte input RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 16) RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10) RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18) testing HMAC_MD5: RFC 2104: MD5_HMAC test 1 RFC 2104: MD5_HMAC test 2 RFC 2104: MD5_HMAC test 3 8 CPU cores online starting up 7 crypto helpers started thread for crypto helper 0 | starting up helper thread 0 | status value returned by setting the priority of this thread (crypto helper 0) 22 | crypto helper 0 waiting (nothing to do) started thread for crypto helper 1 | starting up helper thread 1 | status value returned by setting the priority of this thread (crypto helper 1) 22 | crypto helper 1 waiting (nothing to do) started thread for crypto helper 2 | starting up helper thread 2 | status value returned by setting the priority of this thread (crypto helper 2) 22 | crypto helper 2 waiting (nothing to do) started thread for crypto helper 3 | starting up helper thread 3 | status value returned by setting the priority of this thread (crypto helper 3) 22 | crypto helper 3 waiting (nothing to do) started thread for crypto helper 4 | starting up helper thread 4 | status value returned by setting the priority of this thread (crypto helper 4) 22 | crypto helper 4 waiting (nothing to do) started thread for crypto helper 5 | starting up helper thread 5 | status value returned by setting the priority of this thread (crypto helper 5) 22 | crypto helper 5 waiting (nothing to do) started thread for crypto helper 6 | starting up helper thread 6 | status value returned by setting the priority of this thread (crypto helper 6) 22 | crypto helper 6 waiting (nothing to do) | checking IKEv1 state table | MAIN_R0: category: half-open IKE SA flags: 0: | -> MAIN_R1 EVENT_SO_DISCARD | MAIN_I1: category: half-open IKE SA flags: 0: | -> MAIN_I2 EVENT_RETRANSMIT | MAIN_R1: category: open IKE SA flags: 200: | -> MAIN_R2 EVENT_RETRANSMIT | -> UNDEFINED EVENT_RETRANSMIT | -> UNDEFINED EVENT_RETRANSMIT | MAIN_I2: category: open IKE SA flags: 0: | -> MAIN_I3 EVENT_RETRANSMIT | -> UNDEFINED EVENT_RETRANSMIT | -> UNDEFINED EVENT_RETRANSMIT | MAIN_R2: category: open IKE SA flags: 0: | -> MAIN_R3 EVENT_SA_REPLACE | -> MAIN_R3 EVENT_SA_REPLACE | -> UNDEFINED EVENT_SA_REPLACE | MAIN_I3: category: open IKE SA flags: 0: | -> MAIN_I4 EVENT_SA_REPLACE | -> MAIN_I4 EVENT_SA_REPLACE | -> UNDEFINED EVENT_SA_REPLACE | MAIN_R3: category: established IKE SA flags: 200: | -> UNDEFINED EVENT_NULL | MAIN_I4: category: established IKE SA flags: 0: | -> UNDEFINED EVENT_NULL | AGGR_R0: category: half-open IKE SA flags: 0: | -> AGGR_R1 EVENT_SO_DISCARD | AGGR_I1: category: half-open IKE SA flags: 0: | -> AGGR_I2 EVENT_SA_REPLACE | -> AGGR_I2 EVENT_SA_REPLACE | AGGR_R1: category: open IKE SA flags: 200: | -> AGGR_R2 EVENT_SA_REPLACE | -> AGGR_R2 EVENT_SA_REPLACE | AGGR_I2: category: established IKE SA flags: 200: | -> UNDEFINED EVENT_NULL | AGGR_R2: category: established IKE SA flags: 0: | -> UNDEFINED EVENT_NULL | QUICK_R0: category: established CHILD SA flags: 0: | -> QUICK_R1 EVENT_RETRANSMIT | QUICK_I1: category: established CHILD SA flags: 0: | -> QUICK_I2 EVENT_SA_REPLACE | QUICK_R1: category: established CHILD SA flags: 0: | -> QUICK_R2 EVENT_SA_REPLACE | QUICK_I2: category: established CHILD SA flags: 200: | -> UNDEFINED EVENT_NULL | QUICK_R2: category: established CHILD SA flags: 0: | -> UNDEFINED EVENT_NULL | INFO: category: informational flags: 0: | -> UNDEFINED EVENT_NULL | INFO_PROTECTED: category: informational flags: 0: | -> UNDEFINED EVENT_NULL | XAUTH_R0: category: established IKE SA flags: 0: | -> XAUTH_R1 EVENT_NULL | XAUTH_R1: category: established IKE SA flags: 0: | -> MAIN_R3 EVENT_SA_REPLACE | MODE_CFG_R0: category: informational flags: 0: | -> MODE_CFG_R1 EVENT_SA_REPLACE | MODE_CFG_R1: category: established IKE SA flags: 0: | -> MODE_CFG_R2 EVENT_SA_REPLACE | MODE_CFG_R2: category: established IKE SA flags: 0: | -> UNDEFINED EVENT_NULL | MODE_CFG_I1: category: established IKE SA flags: 0: | -> MAIN_I4 EVENT_SA_REPLACE | XAUTH_I0: category: established IKE SA flags: 0: | -> XAUTH_I1 EVENT_RETRANSMIT | XAUTH_I1: category: established IKE SA flags: 0: | -> MAIN_I4 EVENT_RETRANSMIT | checking IKEv2 state table | PARENT_I0: category: ignore flags: 0: | -> PARENT_I1 EVENT_RETRANSMIT send-request (initiate IKE_SA_INIT) | PARENT_I1: category: half-open IKE SA flags: 0: | -> PARENT_I1 EVENT_RETAIN send-request (Initiator: process SA_INIT reply notification) | -> PARENT_I2 EVENT_RETRANSMIT send-request (Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH) | PARENT_I2: category: open IKE SA flags: 0: | -> PARENT_I2 EVENT_NULL (Initiator: process INVALID_SYNTAX AUTH notification) | -> PARENT_I2 EVENT_NULL (Initiator: process AUTHENTICATION_FAILED AUTH notification) | -> PARENT_I2 EVENT_NULL (Initiator: process UNSUPPORTED_CRITICAL_PAYLOAD AUTH notification) | -> V2_IPSEC_I EVENT_SA_REPLACE (Initiator: process IKE_AUTH response) | -> PARENT_I2 EVENT_NULL (IKE SA: process IKE_AUTH response containing unknown notification) | PARENT_I3: category: established IKE SA flags: 0: | -> PARENT_I3 EVENT_RETAIN (I3: Informational Request) | -> PARENT_I3 EVENT_RETAIN (I3: Informational Response) | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Request) | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Response) | PARENT_R0: category: half-open IKE SA flags: 0: | -> PARENT_R1 EVENT_SO_DISCARD send-request (Respond to IKE_SA_INIT) | PARENT_R1: category: half-open IKE SA flags: 0: | -> PARENT_R1 EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request (no SKEYSEED)) | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request) | PARENT_R2: category: established IKE SA flags: 0: | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Request) | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Response) | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Request) | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Response) | V2_CREATE_I0: category: established IKE SA flags: 0: | -> V2_CREATE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec SA) | V2_CREATE_I: category: established IKE SA flags: 0: | -> V2_IPSEC_I EVENT_SA_REPLACE (Process CREATE_CHILD_SA IPsec SA Response) | V2_REKEY_IKE_I0: category: established IKE SA flags: 0: | -> V2_REKEY_IKE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IKE Rekey) | V2_REKEY_IKE_I: category: established IKE SA flags: 0: | -> PARENT_I3 EVENT_SA_REPLACE (Process CREATE_CHILD_SA IKE Rekey Response) | V2_REKEY_CHILD_I0: category: established IKE SA flags: 0: | -> V2_REKEY_CHILD_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec Rekey SA) | V2_REKEY_CHILD_I: category: established IKE SA flags: 0: | V2_CREATE_R: category: established IKE SA flags: 0: | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IPsec SA Request) | V2_REKEY_IKE_R: category: established IKE SA flags: 0: | -> PARENT_R2 EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IKE Rekey) | V2_REKEY_CHILD_R: category: established IKE SA flags: 0: | V2_IPSEC_I: category: established CHILD SA flags: 0: | V2_IPSEC_R: category: established CHILD SA flags: 0: | IKESA_DEL: category: established IKE SA flags: 0: | -> IKESA_DEL EVENT_RETAIN (IKE_SA_DEL: process INFORMATIONAL) | CHILDSA_DEL: category: informational flags: 0: Using Linux XFRM/NETKEY IPsec interface code on 5.1.18-200.fc29.x86_64 | Hard-wiring algorithms | adding AES_CCM_16 to kernel algorithm db | adding AES_CCM_12 to kernel algorithm db | adding AES_CCM_8 to kernel algorithm db | adding 3DES_CBC to kernel algorithm db | adding CAMELLIA_CBC to kernel algorithm db | adding AES_GCM_16 to kernel algorithm db | adding AES_GCM_12 to kernel algorithm db | adding AES_GCM_8 to kernel algorithm db | adding AES_CTR to kernel algorithm db | adding AES_CBC to kernel algorithm db | adding SERPENT_CBC to kernel algorithm db | adding TWOFISH_CBC to kernel algorithm db | adding NULL_AUTH_AES_GMAC to kernel algorithm db | adding NULL to kernel algorithm db | adding CHACHA20_POLY1305 to kernel algorithm db | adding HMAC_MD5_96 to kernel algorithm db | adding HMAC_SHA1_96 to kernel algorithm db | adding HMAC_SHA2_512_256 to kernel algorithm db | adding HMAC_SHA2_384_192 to kernel algorithm db | adding HMAC_SHA2_256_128 to kernel algorithm db | adding HMAC_SHA2_256_TRUNCBUG to kernel algorithm db | adding AES_XCBC_96 to kernel algorithm db | adding AES_CMAC_96 to kernel algorithm db | adding NONE to kernel algorithm db | net.ipv6.conf.all.disable_ipv6=1 ignore ipv6 holes | global periodic timer EVENT_SHUNT_SCAN enabled with interval of 20 seconds | setup kernel fd callback | add_fd_read_event_handler: new KERNEL_XRM_FD-pe@0x5626503fd0b8 | libevent_malloc: new ptr-libevent@0x5626503e0a18 size 128 | libevent_malloc: new ptr-libevent@0x5626503fc618 size 16 | add_fd_read_event_handler: new KERNEL_ROUTE_FD-pe@0x5626503fc508 | libevent_malloc: new ptr-libevent@0x5626503a6e78 size 128 | libevent_malloc: new ptr-libevent@0x5626503fd008 size 16 | global one-shot timer EVENT_CHECK_CRLS initialized selinux support is enabled. | unbound context created - setting debug level to 5 | /etc/hosts lookups activated | /etc/resolv.conf usage activated | outgoing-port-avoid set 0-65535 | outgoing-port-permit set 32768-60999 | Loading dnssec root key from:/var/lib/unbound/root.key | No additional dnssec trust anchors defined via dnssec-trusted= option | Setting up events, loop start | add_fd_read_event_handler: new PLUTO_CTL_FD-pe@0x5626503fd048 | libevent_malloc: new ptr-libevent@0x562650409288 size 128 | libevent_malloc: new ptr-libevent@0x562650414518 size 16 | libevent_realloc: new ptr-libevent@0x562650414558 size 256 | libevent_malloc: new ptr-libevent@0x562650414688 size 8 | libevent_realloc: new ptr-libevent@0x5626503a41c8 size 144 | libevent_malloc: new ptr-libevent@0x5626503a82f8 size 152 | libevent_malloc: new ptr-libevent@0x5626504146c8 size 16 | signal event handler PLUTO_SIGCHLD installed | libevent_malloc: new ptr-libevent@0x562650414708 size 8 | libevent_malloc: new ptr-libevent@0x562650414748 size 152 | signal event handler PLUTO_SIGTERM installed | libevent_malloc: new ptr-libevent@0x562650414818 size 8 | libevent_malloc: new ptr-libevent@0x562650414858 size 152 | signal event handler PLUTO_SIGHUP installed | libevent_malloc: new ptr-libevent@0x562650414928 size 8 | libevent_realloc: release ptr-libevent@0x5626503a41c8 | libevent_realloc: new ptr-libevent@0x562650414968 size 256 | libevent_malloc: new ptr-libevent@0x562650414a98 size 152 | signal event handler PLUTO_SIGSYS installed | created addconn helper (pid:9479) using fork+execve | forked child 9479 | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) listening for IKE messages | Inspecting interface lo | found lo with address 127.0.0.1 | Inspecting interface eth0 | found eth0 with address 192.0.1.254 | Inspecting interface eth1 | found eth1 with address 192.1.2.45 Kernel supports NIC esp-hw-offload adding interface eth1/eth1 (esp-hw-offload not supported by kernel) 192.1.2.45:500 | NAT-Traversal: Trying sockopt style NAT-T | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 adding interface eth1/eth1 192.1.2.45:4500 adding interface eth0/eth0 (esp-hw-offload not supported by kernel) 192.0.1.254:500 | NAT-Traversal: Trying sockopt style NAT-T | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 adding interface eth0/eth0 192.0.1.254:4500 adding interface lo/lo (esp-hw-offload not supported by kernel) 127.0.0.1:500 | NAT-Traversal: Trying sockopt style NAT-T | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 adding interface lo/lo 127.0.0.1:4500 | no interfaces to sort | FOR_EACH_UNORIENTED_CONNECTION_... in check_orientations | add_fd_read_event_handler: new ethX-pe@0x562650415078 | libevent_malloc: new ptr-libevent@0x5626504091d8 size 128 | libevent_malloc: new ptr-libevent@0x5626504150e8 size 16 | setup callback for interface lo 127.0.0.1:4500 fd 22 | add_fd_read_event_handler: new ethX-pe@0x562650415128 | libevent_malloc: new ptr-libevent@0x5626503a50d8 size 128 | libevent_malloc: new ptr-libevent@0x562650415198 size 16 | setup callback for interface lo 127.0.0.1:500 fd 21 | add_fd_read_event_handler: new ethX-pe@0x5626504151d8 | libevent_malloc: new ptr-libevent@0x5626503a6f78 size 128 | libevent_malloc: new ptr-libevent@0x562650415248 size 16 | setup callback for interface eth0 192.0.1.254:4500 fd 20 | add_fd_read_event_handler: new ethX-pe@0x562650415288 | libevent_malloc: new ptr-libevent@0x5626503a40c8 size 128 | libevent_malloc: new ptr-libevent@0x5626504152f8 size 16 | setup callback for interface eth0 192.0.1.254:500 fd 19 | add_fd_read_event_handler: new ethX-pe@0x562650415338 | libevent_malloc: new ptr-libevent@0x5626503754e8 size 128 | libevent_malloc: new ptr-libevent@0x5626504153a8 size 16 | setup callback for interface eth1 192.1.2.45:4500 fd 18 | add_fd_read_event_handler: new ethX-pe@0x5626504153e8 | libevent_malloc: new ptr-libevent@0x5626503751d8 size 128 | libevent_malloc: new ptr-libevent@0x562650415458 size 16 | setup callback for interface eth1 192.1.2.45:500 fd 17 | certs and keys locked by 'free_preshared_secrets' | certs and keys unlocked by 'free_preshared_secrets' loading secrets from "/etc/ipsec.secrets" | id type added to secret(0x562650370c48) PKK_PSK: @east | id type added to secret(0x562650370c48) PKK_PSK: @west | Processing PSK at line 1: passed | certs and keys locked by 'process_secret' | certs and keys unlocked by 'process_secret' | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.528 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) | old debugging base+cpu-usage + none | base debugging = base+cpu-usage | old impairing none + suppress-retransmits | base impairing = suppress-retransmits | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.0697 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) | FOR_EACH_CONNECTION_... in conn_by_name | Added new connection authenticate-ikev1-sha1 with policy PSK+AUTHENTICATE+TUNNEL+PFS+IKEV1_ALLOW+ESN_NO | from whack: got --esp=sha1 | ESP/AH string values: HMAC_SHA1_96 | counting wild cards for @west is 0 | counting wild cards for @east is 0 | connect_to_host_pair: 192.1.2.45:500 192.1.2.23:500 -> hp@(nil): none | new hp@0x562650416098 added connection description "authenticate-ikev1-sha1" | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: PSK+AUTHENTICATE+TUNNEL+PFS+IKEV1_ALLOW+ESN_NO | 192.0.1.0/24===192.1.2.45[@west,+S?C]...192.1.2.23[@east,+S?C]===192.0.2.0/24 | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.104 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) | dup_any(fd@16) -> fd@23 (in whack_process() at rcv_whack.c:590) | FOR_EACH_CONNECTION_... in conn_by_name | start processing: connection "authenticate-ikev1-sha1" (in initiate_a_connection() at initiate.c:186) | kernel_alg_db_new() initial trans_cnt=9 | adding proposal: HMAC_SHA1_96 | kernel_alg_db_new() will return p_new->protoid=2, p_new->trans_cnt=1 | kernel_alg_db_new() trans[0]: transid=3, attr_cnt=1, attrs[0].type=5, attrs[0].val=2 | returning new proposal from esp_info | connection 'authenticate-ikev1-sha1' +POLICY_UP | dup_any(fd@23) -> fd@24 (in initiate_a_connection() at initiate.c:342) | FOR_EACH_STATE_... in find_phase1_state | creating state object #1 at 0x562650416ac8 | State DB: adding IKEv1 state #1 in UNDEFINED | pstats #1 ikev1.isakmp started | suspend processing: connection "authenticate-ikev1-sha1" (in main_outI1() at ikev1_main.c:118) | start processing: state #1 connection "authenticate-ikev1-sha1" from 192.1.2.23 (in main_outI1() at ikev1_main.c:118) | parent state #1: UNDEFINED(ignore) => MAIN_I1(half-open IKE SA) | dup_any(fd@24) -> fd@25 (in main_outI1() at ikev1_main.c:123) | Queuing pending IPsec SA negotiating with 192.1.2.23 "authenticate-ikev1-sha1" IKE SA #1 "authenticate-ikev1-sha1" "authenticate-ikev1-sha1" #1: initiating Main Mode | **emit ISAKMP Message: | initiator cookie: | b3 37 55 c6 a6 a2 91 c8 | responder cookie: | 00 00 00 00 00 00 00 00 | next payload type: ISAKMP_NEXT_SA (0x1) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_IDPROT (0x2) | flags: none (0x0) | Message ID: 0 (0x0) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | next payload chain: ignoring supplied 'ISAKMP Message'.'next payload type' value 1:ISAKMP_NEXT_SA | no specific IKE algorithms specified - using defaults | oakley_alg_makedb() processing ealg=aes=7 halg=sha2_256=4 modp=MODP2048=14 eklen=0 | oakley_alg_makedb() processing ealg=aes=7 halg=sha2_512=6 modp=MODP2048=14 eklen=0 | oakley_alg_makedb() processing ealg=aes=7 halg=sha=2 modp=MODP2048=14 eklen=0 | oakley_alg_makedb() processing ealg=aes=7 halg=sha2_256=4 modp=MODP1536=5 eklen=0 | oakley_alg_makedb() processing ealg=aes=7 halg=sha2_512=6 modp=MODP1536=5 eklen=0 | oakley_alg_makedb() processing ealg=aes=7 halg=sha=2 modp=MODP1536=5 eklen=0 | oakley_alg_makedb() processing ealg=3des_cbc=5 halg=sha2_256=4 modp=MODP2048=14 eklen=0 | oakley_alg_makedb() processing ealg=3des_cbc=5 halg=sha2_512=6 modp=MODP2048=14 eklen=0 | oakley_alg_makedb() processing ealg=3des_cbc=5 halg=sha=2 modp=MODP2048=14 eklen=0 | oakley_alg_makedb() processing ealg=3des_cbc=5 halg=sha2_256=4 modp=MODP1536=5 eklen=0 | oakley_alg_makedb() processing ealg=3des_cbc=5 halg=sha2_512=6 modp=MODP1536=5 eklen=0 | oakley_alg_makedb() processing ealg=3des_cbc=5 halg=sha=2 modp=MODP1536=5 eklen=0 | oakley_alg_makedb() returning 0x562650419598 | ***emit ISAKMP Security Association Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | DOI: ISAKMP_DOI_IPSEC (0x1) | next payload chain: ignoring supplied 'ISAKMP Security Association Payload'.'next payload type' value 13:ISAKMP_NEXT_VID | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Security Association Payload (1:ISAKMP_NEXT_SA) | next payload chain: saving location 'ISAKMP Security Association Payload'.'next payload type' in 'reply packet' | ****emit IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ikev1_out_sa pcn: 0 has 1 valid proposals | ikev1_out_sa pcn: 0 pn: 0<1 valid_count: 1 trans_cnt: 18 | ****emit ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | proposal number: 0 (0x0) | protocol ID: PROTO_ISAKMP (0x1) | SPI size: 0 (0x0) | number of transforms: 18 (0x12) | last substructure: saving location 'ISAKMP Security Association Payload'.'ISAKMP Proposal Payload'.'next payload type' | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | ISAKMP transform number: 0 (0x0) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 7 (0x7) | [7 is OAKLEY_AES_CBC] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 4 (0x4) | [4 is OAKLEY_SHA2_256] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 1 (0x1) | [1 is OAKLEY_PRESHARED_KEY] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 14 (0xe) | [14 is OAKLEY_GROUP_MODP2048] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | emitting length of ISAKMP Transform Payload (ISAKMP): 36 | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | ISAKMP transform number: 1 (0x1) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is ISAKMP_NEXT_T (0x3) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 7 (0x7) | [7 is OAKLEY_AES_CBC] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 4 (0x4) | [4 is OAKLEY_SHA2_256] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 1 (0x1) | [1 is OAKLEY_PRESHARED_KEY] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 14 (0xe) | [14 is OAKLEY_GROUP_MODP2048] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_KEY_LENGTH (0x800e) | length/value: 128 (0x80) | emitting length of ISAKMP Transform Payload (ISAKMP): 36 | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | ISAKMP transform number: 2 (0x2) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is ISAKMP_NEXT_T (0x3) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 7 (0x7) | [7 is OAKLEY_AES_CBC] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 6 (0x6) | [6 is OAKLEY_SHA2_512] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 1 (0x1) | [1 is OAKLEY_PRESHARED_KEY] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 14 (0xe) | [14 is OAKLEY_GROUP_MODP2048] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | emitting length of ISAKMP Transform Payload (ISAKMP): 36 | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | ISAKMP transform number: 3 (0x3) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is ISAKMP_NEXT_T (0x3) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 7 (0x7) | [7 is OAKLEY_AES_CBC] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 6 (0x6) | [6 is OAKLEY_SHA2_512] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 1 (0x1) | [1 is OAKLEY_PRESHARED_KEY] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 14 (0xe) | [14 is OAKLEY_GROUP_MODP2048] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_KEY_LENGTH (0x800e) | length/value: 128 (0x80) | emitting length of ISAKMP Transform Payload (ISAKMP): 36 | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | ISAKMP transform number: 4 (0x4) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is ISAKMP_NEXT_T (0x3) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 7 (0x7) | [7 is OAKLEY_AES_CBC] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 2 (0x2) | [2 is OAKLEY_SHA1] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 1 (0x1) | [1 is OAKLEY_PRESHARED_KEY] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 14 (0xe) | [14 is OAKLEY_GROUP_MODP2048] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | emitting length of ISAKMP Transform Payload (ISAKMP): 36 | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | ISAKMP transform number: 5 (0x5) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is ISAKMP_NEXT_T (0x3) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 7 (0x7) | [7 is OAKLEY_AES_CBC] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 2 (0x2) | [2 is OAKLEY_SHA1] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 1 (0x1) | [1 is OAKLEY_PRESHARED_KEY] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 14 (0xe) | [14 is OAKLEY_GROUP_MODP2048] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_KEY_LENGTH (0x800e) | length/value: 128 (0x80) | emitting length of ISAKMP Transform Payload (ISAKMP): 36 | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | ISAKMP transform number: 6 (0x6) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is ISAKMP_NEXT_T (0x3) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 7 (0x7) | [7 is OAKLEY_AES_CBC] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 4 (0x4) | [4 is OAKLEY_SHA2_256] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 1 (0x1) | [1 is OAKLEY_PRESHARED_KEY] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 5 (0x5) | [5 is OAKLEY_GROUP_MODP1536] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | emitting length of ISAKMP Transform Payload (ISAKMP): 36 | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | ISAKMP transform number: 7 (0x7) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is ISAKMP_NEXT_T (0x3) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 7 (0x7) | [7 is OAKLEY_AES_CBC] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 4 (0x4) | [4 is OAKLEY_SHA2_256] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 1 (0x1) | [1 is OAKLEY_PRESHARED_KEY] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 5 (0x5) | [5 is OAKLEY_GROUP_MODP1536] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_KEY_LENGTH (0x800e) | length/value: 128 (0x80) | emitting length of ISAKMP Transform Payload (ISAKMP): 36 | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | ISAKMP transform number: 8 (0x8) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is ISAKMP_NEXT_T (0x3) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 7 (0x7) | [7 is OAKLEY_AES_CBC] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 6 (0x6) | [6 is OAKLEY_SHA2_512] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 1 (0x1) | [1 is OAKLEY_PRESHARED_KEY] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 5 (0x5) | [5 is OAKLEY_GROUP_MODP1536] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | emitting length of ISAKMP Transform Payload (ISAKMP): 36 | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | ISAKMP transform number: 9 (0x9) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is ISAKMP_NEXT_T (0x3) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 7 (0x7) | [7 is OAKLEY_AES_CBC] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 6 (0x6) | [6 is OAKLEY_SHA2_512] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 1 (0x1) | [1 is OAKLEY_PRESHARED_KEY] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 5 (0x5) | [5 is OAKLEY_GROUP_MODP1536] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_KEY_LENGTH (0x800e) | length/value: 128 (0x80) | emitting length of ISAKMP Transform Payload (ISAKMP): 36 | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | ISAKMP transform number: 10 (0xa) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is ISAKMP_NEXT_T (0x3) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 7 (0x7) | [7 is OAKLEY_AES_CBC] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 2 (0x2) | [2 is OAKLEY_SHA1] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 1 (0x1) | [1 is OAKLEY_PRESHARED_KEY] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 5 (0x5) | [5 is OAKLEY_GROUP_MODP1536] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | emitting length of ISAKMP Transform Payload (ISAKMP): 36 | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | ISAKMP transform number: 11 (0xb) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is ISAKMP_NEXT_T (0x3) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 7 (0x7) | [7 is OAKLEY_AES_CBC] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 2 (0x2) | [2 is OAKLEY_SHA1] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 1 (0x1) | [1 is OAKLEY_PRESHARED_KEY] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 5 (0x5) | [5 is OAKLEY_GROUP_MODP1536] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_KEY_LENGTH (0x800e) | length/value: 128 (0x80) | emitting length of ISAKMP Transform Payload (ISAKMP): 36 | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | ISAKMP transform number: 12 (0xc) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is ISAKMP_NEXT_T (0x3) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 5 (0x5) | [5 is OAKLEY_3DES_CBC] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 4 (0x4) | [4 is OAKLEY_SHA2_256] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 1 (0x1) | [1 is OAKLEY_PRESHARED_KEY] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 14 (0xe) | [14 is OAKLEY_GROUP_MODP2048] | emitting length of ISAKMP Transform Payload (ISAKMP): 32 | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | ISAKMP transform number: 13 (0xd) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is ISAKMP_NEXT_T (0x3) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 5 (0x5) | [5 is OAKLEY_3DES_CBC] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 6 (0x6) | [6 is OAKLEY_SHA2_512] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 1 (0x1) | [1 is OAKLEY_PRESHARED_KEY] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 14 (0xe) | [14 is OAKLEY_GROUP_MODP2048] | emitting length of ISAKMP Transform Payload (ISAKMP): 32 | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | ISAKMP transform number: 14 (0xe) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is ISAKMP_NEXT_T (0x3) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 5 (0x5) | [5 is OAKLEY_3DES_CBC] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 2 (0x2) | [2 is OAKLEY_SHA1] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 1 (0x1) | [1 is OAKLEY_PRESHARED_KEY] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 14 (0xe) | [14 is OAKLEY_GROUP_MODP2048] | emitting length of ISAKMP Transform Payload (ISAKMP): 32 | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | ISAKMP transform number: 15 (0xf) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is ISAKMP_NEXT_T (0x3) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 5 (0x5) | [5 is OAKLEY_3DES_CBC] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 4 (0x4) | [4 is OAKLEY_SHA2_256] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 1 (0x1) | [1 is OAKLEY_PRESHARED_KEY] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 5 (0x5) | [5 is OAKLEY_GROUP_MODP1536] | emitting length of ISAKMP Transform Payload (ISAKMP): 32 | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | ISAKMP transform number: 16 (0x10) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is ISAKMP_NEXT_T (0x3) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 5 (0x5) | [5 is OAKLEY_3DES_CBC] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 6 (0x6) | [6 is OAKLEY_SHA2_512] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 1 (0x1) | [1 is OAKLEY_PRESHARED_KEY] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 5 (0x5) | [5 is OAKLEY_GROUP_MODP1536] | emitting length of ISAKMP Transform Payload (ISAKMP): 32 | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP transform number: 17 (0x11) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is ISAKMP_NEXT_T (0x3) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 5 (0x5) | [5 is OAKLEY_3DES_CBC] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 2 (0x2) | [2 is OAKLEY_SHA1] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 1 (0x1) | [1 is OAKLEY_PRESHARED_KEY] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 5 (0x5) | [5 is OAKLEY_GROUP_MODP1536] | emitting length of ISAKMP Transform Payload (ISAKMP): 32 | emitting length of ISAKMP Proposal Payload: 632 | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is 0 | emitting length of ISAKMP Security Association Payload: 644 | last substructure: checking 'ISAKMP Security Association Payload'.'ISAKMP Proposal Payload'.'next payload type' is 0 | out_vid(): sending [Dead Peer Detection] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Security Association Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00 | emitting length of ISAKMP Vendor ID Payload: 20 | nat add vid | sending draft and RFC NATT VIDs | out_vid(): sending [RFC 3947] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | next payload chain: ignoring supplied 'ISAKMP Vendor ID Payload'.'next payload type' value 13:ISAKMP_NEXT_VID | next payload chain: setting previous 'ISAKMP Vendor ID Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID 4a 13 1c 81 07 03 58 45 5c 57 28 f2 0e 95 45 2f | emitting length of ISAKMP Vendor ID Payload: 20 | skipping VID_NATT_RFC | out_vid(): sending [draft-ietf-ipsec-nat-t-ike-03] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | next payload chain: ignoring supplied 'ISAKMP Vendor ID Payload'.'next payload type' value 13:ISAKMP_NEXT_VID | next payload chain: setting previous 'ISAKMP Vendor ID Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID 7d 94 19 a6 53 10 ca 6f 2c 17 9d 92 15 52 9d 56 | emitting length of ISAKMP Vendor ID Payload: 20 | out_vid(): sending [draft-ietf-ipsec-nat-t-ike-02_n] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | next payload chain: ignoring supplied 'ISAKMP Vendor ID Payload'.'next payload type' value 13:ISAKMP_NEXT_VID | next payload chain: setting previous 'ISAKMP Vendor ID Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID 90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f | emitting length of ISAKMP Vendor ID Payload: 20 | out_vid(): sending [draft-ietf-ipsec-nat-t-ike-02] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Vendor ID Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID cd 60 46 43 35 df 21 f8 7c fd b2 fc 68 b6 a4 48 | emitting length of ISAKMP Vendor ID Payload: 20 | no IKEv1 message padding required | emitting length of ISAKMP Message: 772 | sending 772 bytes for reply packet for main_outI1 through eth1 from 192.1.2.45:500 to 192.1.2.23:500 (using #1) | b3 37 55 c6 a6 a2 91 c8 00 00 00 00 00 00 00 00 | 01 10 02 00 00 00 00 00 00 00 03 04 0d 00 02 84 | 00 00 00 01 00 00 00 01 00 00 02 78 00 01 00 12 | 03 00 00 24 00 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 07 80 02 00 04 80 03 00 01 80 04 00 0e | 80 0e 01 00 03 00 00 24 01 01 00 00 80 0b 00 01 | 80 0c 0e 10 80 01 00 07 80 02 00 04 80 03 00 01 | 80 04 00 0e 80 0e 00 80 03 00 00 24 02 01 00 00 | 80 0b 00 01 80 0c 0e 10 80 01 00 07 80 02 00 06 | 80 03 00 01 80 04 00 0e 80 0e 01 00 03 00 00 24 | 03 01 00 00 80 0b 00 01 80 0c 0e 10 80 01 00 07 | 80 02 00 06 80 03 00 01 80 04 00 0e 80 0e 00 80 | 03 00 00 24 04 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 07 80 02 00 02 80 03 00 01 80 04 00 0e | 80 0e 01 00 03 00 00 24 05 01 00 00 80 0b 00 01 | 80 0c 0e 10 80 01 00 07 80 02 00 02 80 03 00 01 | 80 04 00 0e 80 0e 00 80 03 00 00 24 06 01 00 00 | 80 0b 00 01 80 0c 0e 10 80 01 00 07 80 02 00 04 | 80 03 00 01 80 04 00 05 80 0e 01 00 03 00 00 24 | 07 01 00 00 80 0b 00 01 80 0c 0e 10 80 01 00 07 | 80 02 00 04 80 03 00 01 80 04 00 05 80 0e 00 80 | 03 00 00 24 08 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 07 80 02 00 06 80 03 00 01 80 04 00 05 | 80 0e 01 00 03 00 00 24 09 01 00 00 80 0b 00 01 | 80 0c 0e 10 80 01 00 07 80 02 00 06 80 03 00 01 | 80 04 00 05 80 0e 00 80 03 00 00 24 0a 01 00 00 | 80 0b 00 01 80 0c 0e 10 80 01 00 07 80 02 00 02 | 80 03 00 01 80 04 00 05 80 0e 01 00 03 00 00 24 | 0b 01 00 00 80 0b 00 01 80 0c 0e 10 80 01 00 07 | 80 02 00 02 80 03 00 01 80 04 00 05 80 0e 00 80 | 03 00 00 20 0c 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 05 80 02 00 04 80 03 00 01 80 04 00 0e | 03 00 00 20 0d 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 05 80 02 00 06 80 03 00 01 80 04 00 0e | 03 00 00 20 0e 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 05 80 02 00 02 80 03 00 01 80 04 00 0e | 03 00 00 20 0f 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 05 80 02 00 04 80 03 00 01 80 04 00 05 | 03 00 00 20 10 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 05 80 02 00 06 80 03 00 01 80 04 00 05 | 00 00 00 20 11 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 05 80 02 00 02 80 03 00 01 80 04 00 05 | 0d 00 00 14 af ca d7 13 68 a1 f1 c9 6b 86 96 fc | 77 57 01 00 0d 00 00 14 4a 13 1c 81 07 03 58 45 | 5c 57 28 f2 0e 95 45 2f 0d 00 00 14 7d 94 19 a6 | 53 10 ca 6f 2c 17 9d 92 15 52 9d 56 0d 00 00 14 | 90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f | 00 00 00 14 cd 60 46 43 35 df 21 f8 7c fd b2 fc | 68 b6 a4 48 "authenticate-ikev1-sha1" #1: IMPAIR: suppressing retransmits; scheduling timeout in 60 seconds | event_schedule: new EVENT_RETRANSMIT-pe@0x562650416178 | inserting event EVENT_RETRANSMIT, timeout in 60 seconds for #1 | libevent_malloc: new ptr-libevent@0x562650418808 size 128 | #1 STATE_MAIN_I1: retransmits: first event in 60 seconds; timeout in 60 seconds; limit of 12 retransmits; current time is 29999.171996 | #1 spent 1.56 milliseconds in main_outI1() | stop processing: state #1 connection "authenticate-ikev1-sha1" from 192.1.2.23 (in main_outI1() at ikev1_main.c:228) | resume processing: connection "authenticate-ikev1-sha1" (in main_outI1() at ikev1_main.c:228) | stop processing: connection "authenticate-ikev1-sha1" (in initiate_a_connection() at initiate.c:349) | close_any(fd@23) (in initiate_connection() at initiate.c:372) | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 1.62 milliseconds in whack | spent 0.00271 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 144 bytes from 192.1.2.23:500 on eth1 (192.1.2.45:500) | b3 37 55 c6 a6 a2 91 c8 c0 4d c4 27 39 52 61 4a | 01 10 02 00 00 00 00 00 00 00 00 90 0d 00 00 38 | 00 00 00 01 00 00 00 01 00 00 00 2c 00 01 00 01 | 00 00 00 24 00 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 07 80 02 00 04 80 03 00 01 80 04 00 0e | 80 0e 01 00 0d 00 00 14 40 48 b7 d5 6e bc e8 85 | 25 e7 de 7f 00 d6 c2 d3 0d 00 00 14 af ca d7 13 | 68 a1 f1 c9 6b 86 96 fc 77 57 01 00 00 00 00 14 | 4a 13 1c 81 07 03 58 45 5c 57 28 f2 0e 95 45 2f | start processing: from 192.1.2.23:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | b3 37 55 c6 a6 a2 91 c8 | responder cookie: | c0 4d c4 27 39 52 61 4a | next payload type: ISAKMP_NEXT_SA (0x1) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_IDPROT (0x2) | flags: none (0x0) | Message ID: 0 (0x0) | length: 144 (0x90) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_IDPROT (2) | State DB: IKEv1 state not found (find_state_ikev1) | State DB: found IKEv1 state #1 in MAIN_I1 (find_state_ikev1_init) | start processing: state #1 connection "authenticate-ikev1-sha1" from 192.1.2.23 (in process_v1_packet() at ikev1.c:1459) | #1 is idle | #1 idle | got payload 0x2 (ISAKMP_NEXT_SA) needed: 0x2 opt: 0x2080 | ***parse ISAKMP Security Association Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 56 (0x38) | DOI: ISAKMP_DOI_IPSEC (0x1) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 20 (0x14) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 20 (0x14) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 20 (0x14) | message 'main_inR1_outI2' HASH payload not checked early | received Vendor ID payload [FRAGMENTATION] | received Vendor ID payload [Dead Peer Detection] | quirks.qnat_traversal_vid set to=117 [RFC 3947] | received Vendor ID payload [RFC 3947] | ****parse IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ****parse ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 44 (0x2c) | proposal number: 0 (0x0) | protocol ID: PROTO_ISAKMP (0x1) | SPI size: 0 (0x0) | number of transforms: 1 (0x1) | *****parse ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 36 (0x24) | ISAKMP transform number: 0 (0x0) | ISAKMP transform ID: KEY_IKE (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 7 (0x7) | [7 is OAKLEY_AES_CBC] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 4 (0x4) | [4 is OAKLEY_SHA2_256] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 1 (0x1) | [1 is OAKLEY_PRESHARED_KEY] | started looking for secret for @west->@east of kind PKK_PSK | actually looking for secret for @west->@east of kind PKK_PSK | line 1: key type PKK_PSK(@west) to type PKK_PSK | 1: compared key @west to @west / @east -> 010 | 2: compared key @east to @west / @east -> 014 | line 1: match=014 | match 014 beats previous best_match 000 match=0x562650370c48 (line=1) | concluding with best_match=014 best=0x562650370c48 (lineno=1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 14 (0xe) | [14 is OAKLEY_GROUP_MODP2048] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | OAKLEY proposal verified unconditionally; no alg_info to check against | Oakley Transform 0 accepted | sender checking NAT-T: enabled; VID 117 | returning NAT-T method NAT_TRAVERSAL_METHOD_IETF_RFC | enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal) | adding outI2 KE work-order 1 for state #1 | state #1 requesting EVENT_RETRANSMIT to be deleted | #1 STATE_MAIN_I1: retransmits: cleared | libevent_free: release ptr-libevent@0x562650418808 | free_event_entry: release EVENT_RETRANSMIT-pe@0x562650416178 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x562650416178 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 | libevent_malloc: new ptr-libevent@0x562650418808 size 128 | complete v1 state transition with STF_SUSPEND | [RE]START processing: state #1 connection "authenticate-ikev1-sha1" from 192.1.2.23 (in complete_v1_state_transition() at ikev1.c:2648) | suspending state #1 and saving MD | crypto helper 0 resuming | crypto helper 0 starting work-order 1 for state #1 | #1 is busy; has a suspended MD | crypto helper 0 doing build KE and nonce (outI2 KE); request ID 1 | #1 spent 0.155 milliseconds in process_packet_tail() | stop processing: from 192.1.2.23:500 (BACKGROUND) (in process_md() at demux.c:380) | stop processing: state #1 connection "authenticate-ikev1-sha1" from 192.1.2.23 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.304 milliseconds in comm_handle_cb() reading and processing packet | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) listening for IKE messages | Inspecting interface lo | found lo with address 127.0.0.1 | Inspecting interface eth0 | found eth0 with address 192.0.1.254 | Inspecting interface eth1 | found eth1 with address 192.1.2.45 | no interfaces to sort | libevent_free: release ptr-libevent@0x5626504091d8 | free_event_entry: release EVENT_NULL-pe@0x562650415078 | add_fd_read_event_handler: new ethX-pe@0x562650415078 | libevent_malloc: new ptr-libevent@0x5626504091d8 size 128 | setup callback for interface lo 127.0.0.1:4500 fd 22 | libevent_free: release ptr-libevent@0x5626503a50d8 | free_event_entry: release EVENT_NULL-pe@0x562650415128 | add_fd_read_event_handler: new ethX-pe@0x562650415128 | libevent_malloc: new ptr-libevent@0x5626503a50d8 size 128 | setup callback for interface lo 127.0.0.1:500 fd 21 | libevent_free: release ptr-libevent@0x5626503a6f78 | free_event_entry: release EVENT_NULL-pe@0x5626504151d8 | add_fd_read_event_handler: new ethX-pe@0x5626504151d8 | libevent_malloc: new ptr-libevent@0x5626503a6f78 size 128 | setup callback for interface eth0 192.0.1.254:4500 fd 20 | libevent_free: release ptr-libevent@0x5626503a40c8 | free_event_entry: release EVENT_NULL-pe@0x562650415288 | add_fd_read_event_handler: new ethX-pe@0x562650415288 | libevent_malloc: new ptr-libevent@0x5626503a40c8 size 128 | setup callback for interface eth0 192.0.1.254:500 fd 19 | libevent_free: release ptr-libevent@0x5626503754e8 | free_event_entry: release EVENT_NULL-pe@0x562650415338 | add_fd_read_event_handler: new ethX-pe@0x562650415338 | libevent_malloc: new ptr-libevent@0x5626503754e8 size 128 | setup callback for interface eth1 192.1.2.45:4500 fd 18 | libevent_free: release ptr-libevent@0x5626503751d8 | free_event_entry: release EVENT_NULL-pe@0x5626504153e8 | add_fd_read_event_handler: new ethX-pe@0x5626504153e8 | libevent_malloc: new ptr-libevent@0x5626503751d8 size 128 | setup callback for interface eth1 192.1.2.45:500 fd 17 | certs and keys locked by 'free_preshared_secrets' forgetting secrets | certs and keys unlocked by 'free_preshared_secrets' loading secrets from "/etc/ipsec.secrets" | id type added to secret(0x562650370c48) PKK_PSK: @east | id type added to secret(0x562650370c48) PKK_PSK: @west | Processing PSK at line 1: passed | certs and keys locked by 'process_secret' | certs and keys unlocked by 'process_secret' | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.254 milliseconds in whack | processing signal PLUTO_SIGCHLD | waitpid returned pid 9479 (exited with status 0) | reaped addconn helper child (status 0) | waitpid returned ECHILD (no child processes left) | spent 0.0166 milliseconds in signal handler PLUTO_SIGCHLD | crypto helper 0 finished build KE and nonce (outI2 KE); request ID 1 time elapsed 0.005182 seconds | (#1) spent 1.04 milliseconds in crypto helper computing work-order 1: outI2 KE (pcr) | crypto helper 0 sending results from work-order 1 for state #1 to event queue | scheduling resume sending helper answer for #1 | libevent_malloc: new ptr-libevent@0x7f3178002888 size 128 | crypto helper 0 waiting (nothing to do) | processing resume sending helper answer for #1 | start processing: state #1 connection "authenticate-ikev1-sha1" from 192.1.2.23 (in resume_handler() at server.c:797) | crypto helper 0 replies to request ID 1 | calling continuation function 0x56264fbd1b50 | main_inR1_outI2_continue for #1: calculated ke+nonce, sending I2 | **emit ISAKMP Message: | initiator cookie: | b3 37 55 c6 a6 a2 91 c8 | responder cookie: | c0 4d c4 27 39 52 61 4a | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_IDPROT (0x2) | flags: none (0x0) | Message ID: 0 (0x0) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit ISAKMP Key Exchange Payload: | next payload type: ISAKMP_NEXT_NONCE (0xa) | next payload chain: ignoring supplied 'ISAKMP Key Exchange Payload'.'next payload type' value 10:ISAKMP_NEXT_NONCE | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Key Exchange Payload (4:ISAKMP_NEXT_KE) | next payload chain: saving location 'ISAKMP Key Exchange Payload'.'next payload type' in 'reply packet' | emitting 256 raw bytes of keyex value into ISAKMP Key Exchange Payload | keyex value f8 70 a5 fd 94 11 ae 53 68 5b d9 33 0f 07 2d 1f | keyex value 5c 64 43 24 9b 9e 6b 54 ec 5c dc 8c 37 36 d3 b3 | keyex value 7f 95 f6 f5 f8 19 20 f0 7f 33 83 86 84 92 07 54 | keyex value fc 9f a5 ed a3 4a 3a 95 c7 96 57 0c 6a 2b 51 49 | keyex value 41 34 27 6f f1 20 6b 02 b2 b2 f4 da 78 d4 9f 85 | keyex value e8 fd e2 83 eb 7f f1 b1 10 e4 9a e1 1b e5 bf 5f | keyex value 73 5b f4 ff 99 bf 13 47 a3 6c 42 64 a7 8c 0e 18 | keyex value 4c 6c 07 5f f2 36 1f 39 6e ab 2d ad f4 9c 01 24 | keyex value 93 ca 1f 11 d8 4a 2c 5c e7 fc 2d 79 cf 9c 1b fd | keyex value 4b 61 0f df 19 fc 1d b5 02 a8 f5 24 d3 82 54 5b | keyex value a6 41 7a ac 2d 09 25 f9 9f 50 d2 ad 67 8d 26 5c | keyex value f7 0c c4 dc 30 f2 48 ba b8 6c d7 a3 54 7c e2 1a | keyex value 58 ca 0f 06 48 ad c3 c5 84 1d 65 c0 0c a9 0d 53 | keyex value eb 21 a6 17 eb 13 8b c7 ec 16 03 8c 76 d5 6d 7f | keyex value d0 84 d4 7c 91 a6 cb 7b e6 a9 9e 75 f5 29 cb bf | keyex value d5 9f 64 03 47 ec 8e 6b 5d 1c 26 9b 51 11 5e ef | emitting length of ISAKMP Key Exchange Payload: 260 | ***emit ISAKMP Nonce Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Key Exchange Payload'.'next payload type' to current ISAKMP Nonce Payload (10:ISAKMP_NEXT_NONCE) | next payload chain: saving location 'ISAKMP Nonce Payload'.'next payload type' in 'reply packet' | emitting 32 raw bytes of Ni into ISAKMP Nonce Payload | Ni 85 d5 61 cc 73 e3 d5 87 9e e3 f8 dd 5a 9c 4c a0 | Ni c9 5e aa 4b 75 bf 6c 2c 73 3d 8a 62 1f 75 0b 89 | emitting length of ISAKMP Nonce Payload: 36 | NAT-T checking st_nat_traversal | NAT-T found (implies NAT_T_WITH_NATD) | sending NAT-D payloads | natd_hash: hasher=0x56264fca6ca0(32) | natd_hash: icookie= b3 37 55 c6 a6 a2 91 c8 | natd_hash: rcookie= c0 4d c4 27 39 52 61 4a | natd_hash: ip= c0 01 02 17 | natd_hash: port=500 | natd_hash: hash= 09 ba e0 67 03 bc 54 c2 80 3c 3a fe ff c5 36 a3 | natd_hash: hash= 4b 4b 84 5f 3d 41 91 6d ee 05 bd 20 39 36 fd ed | ***emit ISAKMP NAT-D Payload: | next payload type: ISAKMP_NEXT_NATD_RFC (0x14) | next payload chain: ignoring supplied 'ISAKMP NAT-D Payload'.'next payload type' value 20:ISAKMP_NEXT_NATD_RFC | next payload chain: setting previous 'ISAKMP Nonce Payload'.'next payload type' to current ISAKMP NAT-D Payload (20:ISAKMP_NEXT_NATD_RFC) | next payload chain: saving location 'ISAKMP NAT-D Payload'.'next payload type' in 'reply packet' | emitting 32 raw bytes of NAT-D into ISAKMP NAT-D Payload | NAT-D 09 ba e0 67 03 bc 54 c2 80 3c 3a fe ff c5 36 a3 | NAT-D 4b 4b 84 5f 3d 41 91 6d ee 05 bd 20 39 36 fd ed | emitting length of ISAKMP NAT-D Payload: 36 | natd_hash: hasher=0x56264fca6ca0(32) | natd_hash: icookie= b3 37 55 c6 a6 a2 91 c8 | natd_hash: rcookie= c0 4d c4 27 39 52 61 4a | natd_hash: ip= c0 01 02 2d | natd_hash: port=500 | natd_hash: hash= d5 69 81 d0 b8 f9 e8 46 f1 f5 c9 1e 4c 38 9c 41 | natd_hash: hash= a3 0f 67 ea ce 5f 53 62 95 06 8c ad 6a a9 fd cc | ***emit ISAKMP NAT-D Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP NAT-D Payload'.'next payload type' to current ISAKMP NAT-D Payload (20:ISAKMP_NEXT_NATD_RFC) | next payload chain: saving location 'ISAKMP NAT-D Payload'.'next payload type' in 'reply packet' | emitting 32 raw bytes of NAT-D into ISAKMP NAT-D Payload | NAT-D d5 69 81 d0 b8 f9 e8 46 f1 f5 c9 1e 4c 38 9c 41 | NAT-D a3 0f 67 ea ce 5f 53 62 95 06 8c ad 6a a9 fd cc | emitting length of ISAKMP NAT-D Payload: 36 | no IKEv1 message padding required | emitting length of ISAKMP Message: 396 | State DB: re-hashing IKEv1 state #1 IKE SPIi and SPI[ir] | complete v1 state transition with STF_OK | [RE]START processing: state #1 connection "authenticate-ikev1-sha1" from 192.1.2.23 (in complete_v1_state_transition() at ikev1.c:2673) | #1 is idle | doing_xauth:no, t_xauth_client_done:no | peer supports fragmentation | peer supports DPD | IKEv1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2 | parent state #1: MAIN_I1(half-open IKE SA) => MAIN_I2(open IKE SA) | event_already_set, deleting event | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted | libevent_free: release ptr-libevent@0x562650418808 | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x562650416178 | sending reply packet to 192.1.2.23:500 (from 192.1.2.45:500) | sending 396 bytes for STATE_MAIN_I1 through eth1 from 192.1.2.45:500 to 192.1.2.23:500 (using #1) | b3 37 55 c6 a6 a2 91 c8 c0 4d c4 27 39 52 61 4a | 04 10 02 00 00 00 00 00 00 00 01 8c 0a 00 01 04 | f8 70 a5 fd 94 11 ae 53 68 5b d9 33 0f 07 2d 1f | 5c 64 43 24 9b 9e 6b 54 ec 5c dc 8c 37 36 d3 b3 | 7f 95 f6 f5 f8 19 20 f0 7f 33 83 86 84 92 07 54 | fc 9f a5 ed a3 4a 3a 95 c7 96 57 0c 6a 2b 51 49 | 41 34 27 6f f1 20 6b 02 b2 b2 f4 da 78 d4 9f 85 | e8 fd e2 83 eb 7f f1 b1 10 e4 9a e1 1b e5 bf 5f | 73 5b f4 ff 99 bf 13 47 a3 6c 42 64 a7 8c 0e 18 | 4c 6c 07 5f f2 36 1f 39 6e ab 2d ad f4 9c 01 24 | 93 ca 1f 11 d8 4a 2c 5c e7 fc 2d 79 cf 9c 1b fd | 4b 61 0f df 19 fc 1d b5 02 a8 f5 24 d3 82 54 5b | a6 41 7a ac 2d 09 25 f9 9f 50 d2 ad 67 8d 26 5c | f7 0c c4 dc 30 f2 48 ba b8 6c d7 a3 54 7c e2 1a | 58 ca 0f 06 48 ad c3 c5 84 1d 65 c0 0c a9 0d 53 | eb 21 a6 17 eb 13 8b c7 ec 16 03 8c 76 d5 6d 7f | d0 84 d4 7c 91 a6 cb 7b e6 a9 9e 75 f5 29 cb bf | d5 9f 64 03 47 ec 8e 6b 5d 1c 26 9b 51 11 5e ef | 14 00 00 24 85 d5 61 cc 73 e3 d5 87 9e e3 f8 dd | 5a 9c 4c a0 c9 5e aa 4b 75 bf 6c 2c 73 3d 8a 62 | 1f 75 0b 89 14 00 00 24 09 ba e0 67 03 bc 54 c2 | 80 3c 3a fe ff c5 36 a3 4b 4b 84 5f 3d 41 91 6d | ee 05 bd 20 39 36 fd ed 00 00 00 24 d5 69 81 d0 | b8 f9 e8 46 f1 f5 c9 1e 4c 38 9c 41 a3 0f 67 ea | ce 5f 53 62 95 06 8c ad 6a a9 fd cc | !event_already_set at reschedule "authenticate-ikev1-sha1" #1: IMPAIR: suppressing retransmits; scheduling timeout in 60 seconds | event_schedule: new EVENT_RETRANSMIT-pe@0x562650416178 | inserting event EVENT_RETRANSMIT, timeout in 60 seconds for #1 | libevent_malloc: new ptr-libevent@0x562650418808 size 128 | #1 STATE_MAIN_I2: retransmits: first event in 60 seconds; timeout in 60 seconds; limit of 12 retransmits; current time is 29999.180932 "authenticate-ikev1-sha1" #1: STATE_MAIN_I2: sent MI2, expecting MR2 | modecfg pull: noquirk policy:push not-client | phase 1 is done, looking for phase 2 to unpend | resume sending helper answer for #1 suppresed complete_v1_state_transition() | #1 spent 0.375 milliseconds in resume sending helper answer | stop processing: state #1 connection "authenticate-ikev1-sha1" from 192.1.2.23 (in resume_handler() at server.c:833) | libevent_free: release ptr-libevent@0x7f3178002888 | spent 0.00225 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 396 bytes from 192.1.2.23:500 on eth1 (192.1.2.45:500) | b3 37 55 c6 a6 a2 91 c8 c0 4d c4 27 39 52 61 4a | 04 10 02 00 00 00 00 00 00 00 01 8c 0a 00 01 04 | 82 8f fa 88 5d 53 00 db 0e 35 d6 39 56 dc 34 f8 | c7 12 43 a0 70 73 ca 9f ed 65 3b ca 1c 94 48 ec | ed 08 96 81 b1 4d ff 23 e7 6d 10 8c db a4 d6 9e | 79 61 53 7a f5 95 3e dd eb e3 95 bd 48 2b 88 a9 | a6 16 16 19 5a 21 96 b2 9d 84 4e a7 75 62 88 d6 | 6d 68 fc 7c b0 79 25 cd d9 42 98 9b ed 1b 45 c9 | 8b f0 06 7e 00 88 84 cb fc 18 46 dd 0e 4c 56 d9 | 98 3b 7c 23 5c c9 79 04 6e b7 c3 23 ab 9d 88 a8 | 3e 65 4b a6 b0 ee e2 ab c2 d0 b7 9c 73 77 4a df | 29 08 a2 d8 5d cd d7 e2 02 f5 8f 8a de b2 3d 78 | 9f a9 7d 6e cf 95 eb ca b8 6d d4 88 3d 66 e7 d3 | 6b f8 f9 d9 78 50 2e 46 15 b7 b6 22 97 58 71 ac | aa 63 e1 29 8a 5d f1 8c a5 95 34 09 30 cc 7e e5 | 20 45 71 6d 06 26 47 50 07 e7 69 89 c5 1b 3f 96 | 2f 2c 45 63 80 36 fa 1c 24 ac b6 c3 85 87 62 8e | 75 a3 0c d5 40 ce 8d c1 11 c9 31 48 94 1b 9b 65 | 14 00 00 24 e9 fa da 4a 3b b8 ac 9f 66 21 f5 df | 1d 01 06 21 ae cb 72 6e 0b 32 ae 00 6b 72 6f 59 | c6 0a 43 d7 14 00 00 24 d5 69 81 d0 b8 f9 e8 46 | f1 f5 c9 1e 4c 38 9c 41 a3 0f 67 ea ce 5f 53 62 | 95 06 8c ad 6a a9 fd cc 00 00 00 24 09 ba e0 67 | 03 bc 54 c2 80 3c 3a fe ff c5 36 a3 4b 4b 84 5f | 3d 41 91 6d ee 05 bd 20 39 36 fd ed | start processing: from 192.1.2.23:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | b3 37 55 c6 a6 a2 91 c8 | responder cookie: | c0 4d c4 27 39 52 61 4a | next payload type: ISAKMP_NEXT_KE (0x4) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_IDPROT (0x2) | flags: none (0x0) | Message ID: 0 (0x0) | length: 396 (0x18c) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_IDPROT (2) | State DB: found IKEv1 state #1 in MAIN_I2 (find_state_ikev1) | start processing: state #1 connection "authenticate-ikev1-sha1" from 192.1.2.23 (in process_v1_packet() at ikev1.c:1459) | #1 is idle | #1 idle | got payload 0x10 (ISAKMP_NEXT_KE) needed: 0x410 opt: 0x102080 | ***parse ISAKMP Key Exchange Payload: | next payload type: ISAKMP_NEXT_NONCE (0xa) | length: 260 (0x104) | got payload 0x400 (ISAKMP_NEXT_NONCE) needed: 0x400 opt: 0x102080 | ***parse ISAKMP Nonce Payload: | next payload type: ISAKMP_NEXT_NATD_RFC (0x14) | length: 36 (0x24) | got payload 0x100000 (ISAKMP_NEXT_NATD_RFC) needed: 0x0 opt: 0x102080 | ***parse ISAKMP NAT-D Payload: | next payload type: ISAKMP_NEXT_NATD_RFC (0x14) | length: 36 (0x24) | got payload 0x100000 (ISAKMP_NEXT_NATD_RFC) needed: 0x0 opt: 0x102080 | ***parse ISAKMP NAT-D Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 36 (0x24) | message 'main_inR2_outI3' HASH payload not checked early | started looking for secret for @west->@east of kind PKK_PSK | actually looking for secret for @west->@east of kind PKK_PSK | line 1: key type PKK_PSK(@west) to type PKK_PSK | 1: compared key @west to @west / @east -> 010 | 2: compared key @east to @west / @east -> 014 | line 1: match=014 | match 014 beats previous best_match 000 match=0x562650370c48 (line=1) | concluding with best_match=014 best=0x562650370c48 (lineno=1) | adding aggr outR1 DH work-order 2 for state #1 | state #1 requesting EVENT_RETRANSMIT to be deleted | #1 STATE_MAIN_I2: retransmits: cleared | libevent_free: release ptr-libevent@0x562650418808 | free_event_entry: release EVENT_RETRANSMIT-pe@0x562650416178 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x562650416178 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 | libevent_malloc: new ptr-libevent@0x562650418808 size 128 | crypto helper 1 resuming | crypto helper 1 starting work-order 2 for state #1 | crypto helper 1 doing compute dh+iv (V1 Phase 1) (aggr outR1 DH); request ID 2 | crypto helper 1 finished compute dh+iv (V1 Phase 1) (aggr outR1 DH); request ID 2 time elapsed 0.001144 seconds | (#1) spent 1.15 milliseconds in crypto helper computing work-order 2: aggr outR1 DH (pcr) | crypto helper 1 sending results from work-order 2 for state #1 to event queue | scheduling resume sending helper answer for #1 | libevent_malloc: new ptr-libevent@0x7f3170003978 size 128 | crypto helper 1 waiting (nothing to do) | complete v1 state transition with STF_SUSPEND | [RE]START processing: state #1 connection "authenticate-ikev1-sha1" from 192.1.2.23 (in complete_v1_state_transition() at ikev1.c:2648) | suspending state #1 and saving MD | #1 is busy; has a suspended MD | #1 spent 0.0585 milliseconds in process_packet_tail() | stop processing: from 192.1.2.23:500 (BACKGROUND) (in process_md() at demux.c:380) | stop processing: state #1 connection "authenticate-ikev1-sha1" from 192.1.2.23 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.201 milliseconds in comm_handle_cb() reading and processing packet | processing resume sending helper answer for #1 | start processing: state #1 connection "authenticate-ikev1-sha1" from 192.1.2.23 (in resume_handler() at server.c:797) | crypto helper 1 replies to request ID 2 | calling continuation function 0x56264fbd1b50 | main_inR2_outI3_cryptotail for #1: calculated DH, sending R1 | **emit ISAKMP Message: | initiator cookie: | b3 37 55 c6 a6 a2 91 c8 | responder cookie: | c0 4d c4 27 39 52 61 4a | next payload type: ISAKMP_NEXT_ID (0x5) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_IDPROT (0x2) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 0 (0x0) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | next payload chain: ignoring supplied 'ISAKMP Message'.'next payload type' value 5:ISAKMP_NEXT_ID | thinking about whether to send my certificate: | I have RSA key: OAKLEY_PRESHARED_KEY cert.type: 0?? | sendcert: CERT_SENDIFASKED and I did not get a certificate request | so do not send cert. | I did not send a certificate because digital signatures are not being used. (PSK) | I am not sending a certificate request | I will NOT send an initial contact payload | init checking NAT-T: enabled; RFC 3947 (NAT-Traversal) | natd_hash: hasher=0x56264fca6ca0(32) | natd_hash: icookie= b3 37 55 c6 a6 a2 91 c8 | natd_hash: rcookie= c0 4d c4 27 39 52 61 4a | natd_hash: ip= c0 01 02 2d | natd_hash: port=500 | natd_hash: hash= d5 69 81 d0 b8 f9 e8 46 f1 f5 c9 1e 4c 38 9c 41 | natd_hash: hash= a3 0f 67 ea ce 5f 53 62 95 06 8c ad 6a a9 fd cc | natd_hash: hasher=0x56264fca6ca0(32) | natd_hash: icookie= b3 37 55 c6 a6 a2 91 c8 | natd_hash: rcookie= c0 4d c4 27 39 52 61 4a | natd_hash: ip= c0 01 02 17 | natd_hash: port=500 | natd_hash: hash= 09 ba e0 67 03 bc 54 c2 80 3c 3a fe ff c5 36 a3 | natd_hash: hash= 4b 4b 84 5f 3d 41 91 6d ee 05 bd 20 39 36 fd ed | expected NAT-D(me): d5 69 81 d0 b8 f9 e8 46 f1 f5 c9 1e 4c 38 9c 41 | expected NAT-D(me): a3 0f 67 ea ce 5f 53 62 95 06 8c ad 6a a9 fd cc | expected NAT-D(him): | 09 ba e0 67 03 bc 54 c2 80 3c 3a fe ff c5 36 a3 | 4b 4b 84 5f 3d 41 91 6d ee 05 bd 20 39 36 fd ed | received NAT-D: d5 69 81 d0 b8 f9 e8 46 f1 f5 c9 1e 4c 38 9c 41 | received NAT-D: a3 0f 67 ea ce 5f 53 62 95 06 8c ad 6a a9 fd cc | received NAT-D: 09 ba e0 67 03 bc 54 c2 80 3c 3a fe ff c5 36 a3 | received NAT-D: 4b 4b 84 5f 3d 41 91 6d ee 05 bd 20 39 36 fd ed | NAT_TRAVERSAL nat-keepalive enabled 192.1.2.23 | NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: no NAT detected | NAT_T_WITH_KA detected | global one-shot timer EVENT_NAT_T_KEEPALIVE scheduled in 20 seconds | ***emit ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_HASH (0x8) | ID type: ID_FQDN (0x2) | Protocol ID: 0 (0x0) | port: 0 (0x0) | next payload chain: ignoring supplied 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' value 8:ISAKMP_NEXT_HASH | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Identification Payload (IPsec DOI) (5:ISAKMP_NEXT_ID) | next payload chain: saving location 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' in 'reply packet' | emitting 4 raw bytes of my identity into ISAKMP Identification Payload (IPsec DOI) | my identity 77 65 73 74 | emitting length of ISAKMP Identification Payload (IPsec DOI): 12 | ***emit ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' to current ISAKMP Hash Payload (8:ISAKMP_NEXT_HASH) | next payload chain: saving location 'ISAKMP Hash Payload'.'next payload type' in 'reply packet' | emitting 32 raw bytes of HASH_I into ISAKMP Hash Payload | HASH_I 5c 3e f8 6b db 1c dd 10 30 de 37 2a af 70 bc c6 | HASH_I 27 6c c5 58 26 f8 12 d8 c0 fc 98 a1 28 f0 63 3d | emitting length of ISAKMP Hash Payload: 36 | Not sending INITIAL_CONTACT | no IKEv1 message padding required | emitting length of ISAKMP Message: 76 | complete v1 state transition with STF_OK | [RE]START processing: state #1 connection "authenticate-ikev1-sha1" from 192.1.2.23 (in complete_v1_state_transition() at ikev1.c:2673) | #1 is idle | doing_xauth:no, t_xauth_client_done:no | IKEv1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3 | parent state #1: MAIN_I2(open IKE SA) => MAIN_I3(open IKE SA) | event_already_set, deleting event | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted | libevent_free: release ptr-libevent@0x562650418808 | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x562650416178 | sending reply packet to 192.1.2.23:500 (from 192.1.2.45:500) | sending 76 bytes for STATE_MAIN_I2 through eth1 from 192.1.2.45:500 to 192.1.2.23:500 (using #1) | b3 37 55 c6 a6 a2 91 c8 c0 4d c4 27 39 52 61 4a | 05 10 02 01 00 00 00 00 00 00 00 4c bd 71 21 04 | a8 c3 a2 1e fa 1f da c1 8d db 9c 5a e9 d9 0b 44 | 63 bb 8f ed aa 4a 69 dd 79 e4 a1 9d 48 b9 8c de | 6b 34 a4 d0 0b bb 68 66 3d 12 a4 2f | !event_already_set at reschedule "authenticate-ikev1-sha1" #1: IMPAIR: suppressing retransmits; scheduling timeout in 60 seconds | event_schedule: new EVENT_RETRANSMIT-pe@0x562650416178 | inserting event EVENT_RETRANSMIT, timeout in 60 seconds for #1 | libevent_malloc: new ptr-libevent@0x5626504166f8 size 128 | #1 STATE_MAIN_I3: retransmits: first event in 60 seconds; timeout in 60 seconds; limit of 12 retransmits; current time is 29999.182675 "authenticate-ikev1-sha1" #1: STATE_MAIN_I3: sent MI3, expecting MR3 | modecfg pull: noquirk policy:push not-client | phase 1 is done, looking for phase 2 to unpend | resume sending helper answer for #1 suppresed complete_v1_state_transition() | #1 spent 0.31 milliseconds in resume sending helper answer | stop processing: state #1 connection "authenticate-ikev1-sha1" from 192.1.2.23 (in resume_handler() at server.c:833) | libevent_free: release ptr-libevent@0x7f3170003978 | spent 0.00278 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 76 bytes from 192.1.2.23:500 on eth1 (192.1.2.45:500) | b3 37 55 c6 a6 a2 91 c8 c0 4d c4 27 39 52 61 4a | 05 10 02 01 00 00 00 00 00 00 00 4c 7a 66 3b 89 | 2f ba a9 ab 9d b7 7c f7 91 cc 65 b4 e9 2d b5 c5 | ff 25 0d 7e ca 32 5a ac 65 13 34 f5 13 0e 11 c2 | 1b 0a ed 6d ef a2 71 1c a3 9c f2 e2 | start processing: from 192.1.2.23:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | b3 37 55 c6 a6 a2 91 c8 | responder cookie: | c0 4d c4 27 39 52 61 4a | next payload type: ISAKMP_NEXT_ID (0x5) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_IDPROT (0x2) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 0 (0x0) | length: 76 (0x4c) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_IDPROT (2) | State DB: found IKEv1 state #1 in MAIN_I3 (find_state_ikev1) | start processing: state #1 connection "authenticate-ikev1-sha1" from 192.1.2.23 (in process_v1_packet() at ikev1.c:1459) | #1 is idle | #1 idle | received encrypted packet from 192.1.2.23:500 | got payload 0x20 (ISAKMP_NEXT_ID) needed: 0x120 opt: 0x2080 | ***parse ISAKMP Identification Payload: | next payload type: ISAKMP_NEXT_HASH (0x8) | length: 12 (0xc) | ID type: ID_FQDN (0x2) | DOI specific A: 0 (0x0) | DOI specific B: 0 (0x0) | obj: 65 61 73 74 | got payload 0x100 (ISAKMP_NEXT_HASH) needed: 0x100 opt: 0x2080 | ***parse ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 36 (0x24) | message 'main_inR3' HASH payload not checked early "authenticate-ikev1-sha1" #1: Peer ID is ID_FQDN: '@east' | X509: no CERT payloads to process | received 'Main' message HASH_R data ok | FOR_EACH_CONNECTION_... in ISAKMP_SA_established | complete v1 state transition with STF_OK | [RE]START processing: state #1 connection "authenticate-ikev1-sha1" from 192.1.2.23 (in complete_v1_state_transition() at ikev1.c:2673) | #1 is idle | doing_xauth:no, t_xauth_client_done:no | IKEv1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4 | parent state #1: MAIN_I3(open IKE SA) => MAIN_I4(established IKE SA) | event_already_set, deleting event | state #1 requesting EVENT_RETRANSMIT to be deleted | #1 STATE_MAIN_I4: retransmits: cleared | libevent_free: release ptr-libevent@0x5626504166f8 | free_event_entry: release EVENT_RETRANSMIT-pe@0x562650416178 | !event_already_set at reschedule | event_schedule: new EVENT_SA_REPLACE-pe@0x562650416178 | inserting event EVENT_SA_REPLACE, timeout in 2607 seconds for #1 | libevent_malloc: new ptr-libevent@0x7f3170003978 size 128 | pstats #1 ikev1.isakmp established "authenticate-ikev1-sha1" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048} | DPD: dpd_init() called on ISAKMP SA | DPD: Peer supports Dead Peer Detection | DPD: not initializing DPD because DPD is disabled locally | modecfg pull: noquirk policy:push not-client | phase 1 is done, looking for phase 2 to unpend | unpending state #1 | creating state object #2 at 0x5626504175b8 | State DB: adding IKEv1 state #2 in UNDEFINED | pstats #2 ikev1.ipsec started | duplicating state object #1 "authenticate-ikev1-sha1" as #2 for IPSEC SA | #2 setting local endpoint to 192.1.2.45:500 from #1.st_localport (in duplicate_state() at state.c:1484) | suspend processing: state #1 connection "authenticate-ikev1-sha1" from 192.1.2.23 (in quick_outI1() at ikev1_quick.c:685) | start processing: state #2 connection "authenticate-ikev1-sha1" from 192.1.2.23 (in quick_outI1() at ikev1_quick.c:685) | child state #2: UNDEFINED(ignore) => QUICK_I1(established CHILD SA) "authenticate-ikev1-sha1" #2: initiating Quick Mode PSK+AUTHENTICATE+TUNNEL+PFS+UP+IKEV1_ALLOW+ESN_NO {using isakmp#1 msgid:e15fb2b3 proposal=HMAC_SHA1_96 pfsgroup=MODP2048} | adding quick_outI1 KE work-order 3 for state #2 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x7f3178002b78 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #2 | libevent_malloc: new ptr-libevent@0x562650416518 size 128 | stop processing: state #2 connection "authenticate-ikev1-sha1" from 192.1.2.23 (in quick_outI1() at ikev1_quick.c:764) | resume processing: state #1 connection "authenticate-ikev1-sha1" from 192.1.2.23 (in quick_outI1() at ikev1_quick.c:764) | unqueuing pending Quick Mode with 192.1.2.23 "authenticate-ikev1-sha1" | crypto helper 2 resuming | crypto helper 2 starting work-order 3 for state #2 | removing pending policy for no connection {0x5626503fd1c8} | crypto helper 2 doing build KE and nonce (quick_outI1 KE); request ID 3 | close_any(fd@24) (in release_whack() at state.c:654) | #1 spent 0.268 milliseconds in process_packet_tail() | stop processing: from 192.1.2.23:500 (BACKGROUND) (in process_md() at demux.c:380) | stop processing: state #1 connection "authenticate-ikev1-sha1" from 192.1.2.23 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.387 milliseconds in comm_handle_cb() reading and processing packet | crypto helper 2 finished build KE and nonce (quick_outI1 KE); request ID 3 time elapsed 0.000996 seconds | (#2) spent 1 milliseconds in crypto helper computing work-order 3: quick_outI1 KE (pcr) | crypto helper 2 sending results from work-order 3 for state #2 to event queue | scheduling resume sending helper answer for #2 | libevent_malloc: new ptr-libevent@0x7f3174003f28 size 128 | libevent_realloc: release ptr-libevent@0x5626503f7838 | libevent_realloc: new ptr-libevent@0x7f3174003e78 size 128 | crypto helper 2 waiting (nothing to do) | processing resume sending helper answer for #2 | start processing: state #2 connection "authenticate-ikev1-sha1" from 192.1.2.23 (in resume_handler() at server.c:797) | crypto helper 2 replies to request ID 3 | calling continuation function 0x56264fbd1b50 | quick_outI1_continue for #2: calculated ke+nonce, sending I1 | **emit ISAKMP Message: | initiator cookie: | b3 37 55 c6 a6 a2 91 c8 | responder cookie: | c0 4d c4 27 39 52 61 4a | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_QUICK (0x20) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 3781145267 (0xe15fb2b3) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Hash Payload (8:ISAKMP_NEXT_HASH) | next payload chain: saving location 'ISAKMP Hash Payload'.'next payload type' in 'reply packet' | emitting 32 zero bytes of HASH DATA into ISAKMP Hash Payload | emitting length of ISAKMP Hash Payload: 36 | emitting quick defaults using policy none | kernel_alg_db_new() initial trans_cnt=9 | adding proposal: HMAC_SHA1_96 | kernel_alg_db_new() will return p_new->protoid=2, p_new->trans_cnt=1 | kernel_alg_db_new() trans[0]: transid=3, attr_cnt=1, attrs[0].type=5, attrs[0].val=2 | returning new proposal from esp_info | ***emit ISAKMP Security Association Payload: | next payload type: ISAKMP_NEXT_NONCE (0xa) | DOI: ISAKMP_DOI_IPSEC (0x1) | next payload chain: ignoring supplied 'ISAKMP Security Association Payload'.'next payload type' value 10:ISAKMP_NEXT_NONCE | next payload chain: setting previous 'ISAKMP Hash Payload'.'next payload type' to current ISAKMP Security Association Payload (1:ISAKMP_NEXT_SA) | next payload chain: saving location 'ISAKMP Security Association Payload'.'next payload type' in 'reply packet' | ****emit IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ikev1_out_sa pcn: 0 has 1 valid proposals | ikev1_out_sa pcn: 0 pn: 0<1 valid_count: 1 trans_cnt: 1 | ****emit ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | proposal number: 0 (0x0) | protocol ID: PROTO_IPSEC_AH (0x2) | SPI size: 4 (0x4) | number of transforms: 1 (0x1) | last substructure: saving location 'ISAKMP Security Association Payload'.'ISAKMP Proposal Payload'.'next payload type' | netlink_get_spi: allocated 0x60d83b2d for ah.0@192.1.2.45 | emitting 4 raw bytes of SPI into ISAKMP Proposal Payload | SPI 60 d8 3b 2d | *****emit ISAKMP Transform Payload (AH): | next payload type: ISAKMP_NEXT_NONE (0x0) | AH transform number: 0 (0x0) | AH transform ID: AH_SHA (0x3) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (AH)'.'next payload type' | ******emit ISAKMP IPsec DOI attribute: | af+type: AF+GROUP_DESCRIPTION (0x8003) | length/value: 14 (0xe) | [14 is OAKLEY_GROUP_MODP2048] | ******emit ISAKMP IPsec DOI attribute: | af+type: AF+ENCAPSULATION_MODE (0x8004) | length/value: 1 (0x1) | [1 is ENCAPSULATION_MODE_TUNNEL] | ******emit ISAKMP IPsec DOI attribute: | af+type: AF+SA_LIFE_TYPE (0x8001) | length/value: 1 (0x1) | [1 is SA_LIFE_TYPE_SECONDS] | ******emit ISAKMP IPsec DOI attribute: | af+type: AF+SA_LIFE_DURATION (variable length) (0x8002) | length/value: 28800 (0x7080) | ******emit ISAKMP IPsec DOI attribute: | af+type: AF+AUTH_ALGORITHM (0x8005) | length/value: 2 (0x2) | [2 is AUTH_ALGORITHM_HMAC_SHA1] | emitting length of ISAKMP Transform Payload (AH): 28 | emitting length of ISAKMP Proposal Payload: 40 | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (AH)'.'next payload type' is 0 | emitting length of ISAKMP Security Association Payload: 52 | last substructure: checking 'ISAKMP Security Association Payload'.'ISAKMP Proposal Payload'.'next payload type' is 0 | ***emit ISAKMP Nonce Payload: | next payload type: ISAKMP_NEXT_KE (0x4) | next payload chain: ignoring supplied 'ISAKMP Nonce Payload'.'next payload type' value 4:ISAKMP_NEXT_KE | next payload chain: setting previous 'ISAKMP Security Association Payload'.'next payload type' to current ISAKMP Nonce Payload (10:ISAKMP_NEXT_NONCE) | next payload chain: saving location 'ISAKMP Nonce Payload'.'next payload type' in 'reply packet' | emitting 32 raw bytes of Ni into ISAKMP Nonce Payload | Ni 55 96 23 79 d9 ee ad e1 e4 6a 0d 6e fd dd 01 2e | Ni 4f d5 52 05 81 5c fd 4c aa 4b 13 b6 81 a5 67 1c | emitting length of ISAKMP Nonce Payload: 36 | ***emit ISAKMP Key Exchange Payload: | next payload type: ISAKMP_NEXT_ID (0x5) | next payload chain: ignoring supplied 'ISAKMP Key Exchange Payload'.'next payload type' value 5:ISAKMP_NEXT_ID | next payload chain: setting previous 'ISAKMP Nonce Payload'.'next payload type' to current ISAKMP Key Exchange Payload (4:ISAKMP_NEXT_KE) | next payload chain: saving location 'ISAKMP Key Exchange Payload'.'next payload type' in 'reply packet' | emitting 256 raw bytes of keyex value into ISAKMP Key Exchange Payload | keyex value eb bf df 94 2c fe d6 bb a5 aa 72 2f 4d 47 32 65 | keyex value 49 32 b9 d5 f0 de bd 31 96 51 a0 72 b5 1d 81 b7 | keyex value c4 f9 2e 3c 90 dd 26 19 31 a7 cf 5c ba 1e e7 49 | keyex value 8e 34 80 e7 b7 96 cb 0e 0b e7 e5 4e 4e 02 20 e7 | keyex value 3e 07 4b 56 5b 76 99 85 af ec 2f b5 b1 b1 77 0d | keyex value b3 e9 dd e2 d8 1e f0 59 91 84 31 a1 ae 7e 8c 02 | keyex value e7 4a d2 c1 00 28 ed 63 a7 79 00 e8 be cc a4 6e | keyex value 6e 52 64 58 a0 ec fd b5 79 c9 bc 67 53 39 32 e1 | keyex value db 26 17 55 41 83 ca 27 bb 3b 55 61 ed cd 8a 09 | keyex value 08 bb a5 6f 3a 23 79 c1 ab 4a e4 af 0a e2 f0 3b | keyex value c6 8e dc 1e d4 f7 5f 4d ad 49 bf 46 f0 52 e8 44 | keyex value ee 58 3f f3 a3 c7 5d 5f 67 97 bd 2f a7 12 5f 15 | keyex value c4 e6 64 9f b2 de 95 9b 82 97 70 85 f3 db d8 03 | keyex value 21 6a 7c a2 af e9 48 d7 cd 60 b4 1e a2 18 c2 87 | keyex value 8b 20 72 7c 35 05 f1 d5 26 93 97 2e 52 f5 4f fc | keyex value 22 ec 70 0b 48 b7 0c be 33 40 b3 de 2d 9f 05 4a | emitting length of ISAKMP Key Exchange Payload: 260 | ***emit ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_ID (0x5) | ID type: ID_IPV4_ADDR_SUBNET (0x4) | Protocol ID: 0 (0x0) | port: 0 (0x0) | next payload chain: ignoring supplied 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' value 5:ISAKMP_NEXT_ID | next payload chain: setting previous 'ISAKMP Key Exchange Payload'.'next payload type' to current ISAKMP Identification Payload (IPsec DOI) (5:ISAKMP_NEXT_ID) | next payload chain: saving location 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' in 'reply packet' | emitting 4 raw bytes of client network into ISAKMP Identification Payload (IPsec DOI) | client network c0 00 01 00 | emitting 4 raw bytes of client mask into ISAKMP Identification Payload (IPsec DOI) | client mask ff ff ff 00 | emitting length of ISAKMP Identification Payload (IPsec DOI): 16 | ***emit ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_NONE (0x0) | ID type: ID_IPV4_ADDR_SUBNET (0x4) | Protocol ID: 0 (0x0) | port: 0 (0x0) | next payload chain: setting previous 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' to current ISAKMP Identification Payload (IPsec DOI) (5:ISAKMP_NEXT_ID) | next payload chain: saving location 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' in 'reply packet' | emitting 4 raw bytes of client network into ISAKMP Identification Payload (IPsec DOI) | client network c0 00 02 00 | emitting 4 raw bytes of client mask into ISAKMP Identification Payload (IPsec DOI) | client mask ff ff ff 00 | emitting length of ISAKMP Identification Payload (IPsec DOI): 16 | outI1 HASH(1): | a3 b9 ad 62 5a ec 43 34 0b 18 ff ce 17 82 01 d1 | 2a d8 d0 d0 6e 9e 99 a9 d4 83 26 cd c6 00 24 e0 | no IKEv1 message padding required | emitting length of ISAKMP Message: 444 | sending 444 bytes for reply packet from quick_outI1 through eth1 from 192.1.2.45:500 to 192.1.2.23:500 (using #2) | b3 37 55 c6 a6 a2 91 c8 c0 4d c4 27 39 52 61 4a | 08 10 20 01 e1 5f b2 b3 00 00 01 bc f1 40 7a f1 | 0e 19 55 d0 7c 84 99 03 36 3f 38 93 30 96 10 3f | 31 a9 55 32 a0 34 f0 a9 f4 64 f5 a4 cc 2b 6e 40 | 74 b0 ef 9a fe f4 19 17 e0 1d 88 87 93 5d 06 64 | 09 e2 da 96 5e fb ce 61 30 42 05 53 87 8f 10 e8 | 5e dc 03 07 7b 13 e4 f2 47 46 18 6c 0f 2c 3b 0e | f4 9f be e0 48 aa e8 f7 5e 29 94 9d 20 a5 3a 34 | e5 40 45 df 41 25 18 1f 60 90 96 f6 c1 81 29 41 | 60 59 74 26 60 8c f9 f5 08 02 4b 2c c4 0c ec da | 26 0f bc d8 80 50 bc 07 ed 16 0c c1 e6 4d 12 47 | 50 fe 7d 64 67 b0 ac bc ba 6a 84 09 ca 4b f0 c2 | fb b5 09 fc 41 07 05 99 45 2d 7c 10 cf 20 9c 05 | 22 d6 81 7b 56 c1 34 e1 fd 5d d1 0c 00 79 27 1d | 4f 70 cf 4c 0e 40 d1 99 b7 80 f7 61 46 ce bf 61 | 66 1d 30 7d 9c 66 49 f0 08 f8 3a 3d b2 b3 42 ab | a4 42 05 e7 64 dd 7d 82 76 d4 1d c4 20 3a d7 b3 | 09 34 ec 9e f8 f3 85 a7 f7 8b b3 41 27 99 7d 86 | e7 4f cf fe d3 e0 48 a3 25 d2 63 7e 25 a4 a7 4c | 66 f8 98 32 fc c6 8c 71 92 49 e6 c9 7b e7 ae ab | 76 17 db b2 6a 4e 13 aa 71 cb 7a 05 c9 97 37 42 | 75 39 db 63 ad 16 fd 7d 81 2e e9 bd 64 95 71 06 | cc d1 79 af 40 3a 8d df 82 7a db 87 1e 56 ae 84 | b4 05 ec ae 23 63 e8 79 82 df d5 29 ea 83 10 92 | 6e e6 1f 1d 7f cf 38 20 3d e3 79 42 5f 0c f1 c3 | cb e3 c5 cc 66 a9 17 c9 f8 b1 04 ae a5 e4 9c aa | 9b d4 6f a9 f5 5d 09 b6 32 f1 bb a8 ea 44 c2 84 | ce b0 57 0c be 77 b9 fe 96 c0 5e 8a | state #2 requesting EVENT_CRYPTO_TIMEOUT to be deleted | libevent_free: release ptr-libevent@0x562650416518 | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x7f3178002b78 "authenticate-ikev1-sha1" #2: IMPAIR: suppressing retransmits; scheduling timeout in 60 seconds | event_schedule: new EVENT_RETRANSMIT-pe@0x7f3178002b78 | inserting event EVENT_RETRANSMIT, timeout in 60 seconds for #2 | libevent_malloc: new ptr-libevent@0x56265041ebe8 size 128 | #2 STATE_QUICK_I1: retransmits: first event in 60 seconds; timeout in 60 seconds; limit of 12 retransmits; current time is 29999.189141 | resume sending helper answer for #2 suppresed complete_v1_state_transition() | #2 spent 0.392 milliseconds in resume sending helper answer | stop processing: state #2 connection "authenticate-ikev1-sha1" from 192.1.2.23 (in resume_handler() at server.c:833) | libevent_free: release ptr-libevent@0x7f3174003f28 | spent 0.00527 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 444 bytes from 192.1.2.23:500 on eth1 (192.1.2.45:500) | b3 37 55 c6 a6 a2 91 c8 c0 4d c4 27 39 52 61 4a | 08 10 20 01 e1 5f b2 b3 00 00 01 bc f5 c0 20 53 | e7 37 a3 01 af 2c 4e 6b 1c 02 60 83 6d 96 72 53 | 87 bb 0a a5 ef 6f 1d 8c 8d 17 84 c4 c2 d1 c9 75 | f5 d7 13 d1 50 db c1 5a e5 8c a6 e0 4a bc 94 b5 | 4e a9 48 df 52 2f ff 62 c9 d4 40 ad 66 96 48 b3 | fd 01 98 57 a7 90 cc da 96 a8 df 0e 66 bd e7 1c | 84 b3 1b f8 01 42 56 29 a3 e0 de 92 01 53 1b 50 | db 7c 15 41 7d b2 71 68 db 33 32 1d 20 3c c2 34 | 38 e4 b0 2a da 3f 1d 37 19 f5 f6 f8 7d 39 93 5b | c1 77 67 8d 7d 06 3b 00 34 4a 6b 3c b8 bd 76 3a | 09 36 f8 19 29 94 b9 cc 96 91 74 6a fc 2e cc 14 | a8 b4 9c c2 8d 4d 68 af 79 df ab d1 50 9b c5 d6 | c7 bd 33 5c 19 56 3b b5 9d 3c 74 6a 1e 5b 29 bc | 91 f5 65 c1 ee 3f f6 7b ba 37 7f c7 21 65 6a 14 | 8d d0 5c 18 67 d1 7e fa bf e5 ae e2 e9 3d 01 40 | 50 cb d7 e4 8b d6 47 5c 96 08 f7 34 c1 1c 78 31 | c2 64 b0 46 44 f4 84 2f 3e 86 8e 98 19 df bc 53 | c6 7c 8c 34 b0 f9 18 30 d1 61 a1 ca ed 68 12 13 | b1 2d 8a 1c 15 77 39 e3 df 66 52 bc ea fe 2c 60 | 7c 5e 43 93 f0 4c b3 8c c4 2c 88 70 ec 28 e3 d7 | c0 b1 f8 2b 3f 3c 88 73 b5 26 97 25 17 b7 63 c5 | 81 4f e7 6b 47 73 46 af ae cc 91 03 28 c0 47 90 | a2 85 4a 03 47 b2 43 9e 42 9e cb a4 7c 54 fd ad | 0a 2b a2 07 00 ff 76 45 65 eb 2e fb 5a 30 6e cc | c4 87 3a 16 37 b7 3c af 22 71 fe 4c 4a 52 73 b6 | fa 3b a3 3b 44 31 27 95 f3 34 ac fb dd f5 55 7b | 08 83 78 a9 c1 62 d3 58 0c 6a e4 a0 | start processing: from 192.1.2.23:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | b3 37 55 c6 a6 a2 91 c8 | responder cookie: | c0 4d c4 27 39 52 61 4a | next payload type: ISAKMP_NEXT_HASH (0x8) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_QUICK (0x20) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 3781145267 (0xe15fb2b3) | length: 444 (0x1bc) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_QUICK (32) | State DB: found IKEv1 state #2 in QUICK_I1 (find_state_ikev1) | start processing: state #2 connection "authenticate-ikev1-sha1" from 192.1.2.23 (in process_v1_packet() at ikev1.c:1633) | #2 is idle | #2 idle | received encrypted packet from 192.1.2.23:500 | got payload 0x100 (ISAKMP_NEXT_HASH) needed: 0x502 opt: 0x200030 | ***parse ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_SA (0x1) | length: 36 (0x24) | got payload 0x2 (ISAKMP_NEXT_SA) needed: 0x402 opt: 0x200030 | ***parse ISAKMP Security Association Payload: | next payload type: ISAKMP_NEXT_NONCE (0xa) | length: 52 (0x34) | DOI: ISAKMP_DOI_IPSEC (0x1) | got payload 0x400 (ISAKMP_NEXT_NONCE) needed: 0x400 opt: 0x200030 | ***parse ISAKMP Nonce Payload: | next payload type: ISAKMP_NEXT_KE (0x4) | length: 36 (0x24) | got payload 0x10 (ISAKMP_NEXT_KE) needed: 0x0 opt: 0x200030 | ***parse ISAKMP Key Exchange Payload: | next payload type: ISAKMP_NEXT_ID (0x5) | length: 260 (0x104) | got payload 0x20 (ISAKMP_NEXT_ID) needed: 0x0 opt: 0x200030 | ***parse ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_ID (0x5) | length: 16 (0x10) | ID type: ID_IPV4_ADDR_SUBNET (0x4) | Protocol ID: 0 (0x0) | port: 0 (0x0) | obj: c0 00 01 00 ff ff ff 00 | got payload 0x20 (ISAKMP_NEXT_ID) needed: 0x0 opt: 0x200030 | ***parse ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 16 (0x10) | ID type: ID_IPV4_ADDR_SUBNET (0x4) | Protocol ID: 0 (0x0) | port: 0 (0x0) | obj: c0 00 02 00 ff ff ff 00 | quick_inR1_outI2 HASH(2): | a8 f2 a9 02 70 80 81 20 d7 41 e9 69 f1 e5 f1 44 | 63 56 9a b8 b6 16 7a 40 b1 5c 2b 3f 4b 09 72 a1 | received 'quick_inR1_outI2' message HASH(2) data ok | ****parse IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ****parse ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 40 (0x28) | proposal number: 0 (0x0) | protocol ID: PROTO_IPSEC_AH (0x2) | SPI size: 4 (0x4) | number of transforms: 1 (0x1) | parsing 4 raw bytes of ISAKMP Proposal Payload into SPI | SPI 9c 28 cb 35 | *****parse ISAKMP Transform Payload (AH): | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 28 (0x1c) | AH transform number: 0 (0x0) | AH transform ID: AH_SHA (0x3) | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+GROUP_DESCRIPTION (0x8003) | length/value: 14 (0xe) | [14 is OAKLEY_GROUP_MODP2048] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+ENCAPSULATION_MODE (0x8004) | length/value: 1 (0x1) | [1 is ENCAPSULATION_MODE_TUNNEL] | NAT-T non-encap: Installing IPsec SA without ENCAP, st->hidden_variables.st_nat_traversal is none | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+SA_LIFE_TYPE (0x8001) | length/value: 1 (0x1) | [1 is SA_LIFE_TYPE_SECONDS] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+SA_LIFE_DURATION (variable length) (0x8002) | length/value: 28800 (0x7080) | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+AUTH_ALGORITHM (0x8005) | length/value: 2 (0x2) | [2 is AUTH_ALGORITHM_HMAC_SHA1] | ESP IPsec Transform verified; matches alg_info entry | started looking for secret for @west->@east of kind PKK_PSK | actually looking for secret for @west->@east of kind PKK_PSK | line 1: key type PKK_PSK(@west) to type PKK_PSK | 1: compared key @west to @west / @east -> 010 | 2: compared key @east to @west / @east -> 014 | line 1: match=014 | match 014 beats previous best_match 000 match=0x562650370c48 (line=1) | concluding with best_match=014 best=0x562650370c48 (lineno=1) | adding quick outI2 DH work-order 4 for state #2 | state #2 requesting EVENT_RETRANSMIT to be deleted | #2 STATE_QUICK_I1: retransmits: cleared | libevent_free: release ptr-libevent@0x56265041ebe8 | free_event_entry: release EVENT_RETRANSMIT-pe@0x7f3178002b78 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x7f3178002b78 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #2 | libevent_malloc: new ptr-libevent@0x7f3174003f28 size 128 | complete v1 state transition with STF_SUSPEND | [RE]START processing: state #2 connection "authenticate-ikev1-sha1" from 192.1.2.23 (in complete_v1_state_transition() at ikev1.c:2648) | suspending state #2 and saving MD | crypto helper 3 resuming | crypto helper 3 starting work-order 4 for state #2 | crypto helper 3 doing compute dh (V1 Phase 2 PFS) (quick outI2 DH); request ID 4 | crypto helper 3 finished compute dh (V1 Phase 2 PFS) (quick outI2 DH); request ID 4 time elapsed 0.000927 seconds | (#2) spent 0.935 milliseconds in crypto helper computing work-order 4: quick outI2 DH (pcr) | crypto helper 3 sending results from work-order 4 for state #2 to event queue | scheduling resume sending helper answer for #2 | libevent_malloc: new ptr-libevent@0x7f3168001f78 size 128 | crypto helper 3 waiting (nothing to do) | #2 is busy; has a suspended MD | #2 spent 0.143 milliseconds in process_packet_tail() | stop processing: from 192.1.2.23:500 (BACKGROUND) (in process_md() at demux.c:380) | stop processing: state #2 connection "authenticate-ikev1-sha1" from 192.1.2.23 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.394 milliseconds in comm_handle_cb() reading and processing packet | processing resume sending helper answer for #2 | start processing: state #2 connection "authenticate-ikev1-sha1" from 192.1.2.23 (in resume_handler() at server.c:797) | crypto helper 3 replies to request ID 4 | calling continuation function 0x56264fbd1b50 | quick_inR1_outI2_continue for #2: calculated ke+nonce, calculating DH | **emit ISAKMP Message: | initiator cookie: | b3 37 55 c6 a6 a2 91 c8 | responder cookie: | c0 4d c4 27 39 52 61 4a | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_QUICK (0x20) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 3781145267 (0xe15fb2b3) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | parsing 4 raw bytes of ISAKMP Identification Payload (IPsec DOI) into ID address | ID address c0 00 01 00 | parsing 4 raw bytes of ISAKMP Identification Payload (IPsec DOI) into ID mask | ID mask ff ff ff 00 | our client is subnet 192.0.1.0/24 | our client protocol/port is 0/0 | parsing 4 raw bytes of ISAKMP Identification Payload (IPsec DOI) into ID address | ID address c0 00 02 00 | parsing 4 raw bytes of ISAKMP Identification Payload (IPsec DOI) into ID mask | ID mask ff ff ff 00 | peer client is subnet 192.0.2.0/24 | peer client protocol/port is 0/0 | ***emit ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Hash Payload (8:ISAKMP_NEXT_HASH) | next payload chain: saving location 'ISAKMP Hash Payload'.'next payload type' in 'reply packet' | emitting 32 zero bytes of HASH DATA into ISAKMP Hash Payload | emitting length of ISAKMP Hash Payload: 36 | quick_inR1_outI2 HASH(3): | f1 02 51 2d 36 06 ce f2 3e 56 fb f5 d3 2e bf 75 | 20 70 25 d4 00 ec 65 8a 87 ab c0 a5 33 06 75 d6 | install_ipsec_sa() for #2: inbound and outbound | could_route called for authenticate-ikev1-sha1 (kind=CK_PERMANENT) | FOR_EACH_CONNECTION_... in route_owner | conn authenticate-ikev1-sha1 mark 0/00000000, 0/00000000 vs | conn authenticate-ikev1-sha1 mark 0/00000000, 0/00000000 | route owner of "authenticate-ikev1-sha1" unrouted: NULL; eroute owner: NULL | setting IPsec SA replay-window to 32 | netlink: enabling tunnel mode | netlink: aligning IPv4 AH to 32bits as per RFC-4302, Section 3.3.3.2.1 | netlink: setting IPsec SA replay-window to 32 using old-style req | netlink: esp-hw-offload not set for IPsec SA | netlink response for Add SA ah.9c28cb35@192.1.2.23 included non-error error | set up outgoing SA, ref=0/0 | setting IPsec SA replay-window to 32 | netlink: enabling tunnel mode | netlink: aligning IPv4 AH to 32bits as per RFC-4302, Section 3.3.3.2.1 | netlink: setting IPsec SA replay-window to 32 using old-style req | netlink: esp-hw-offload not set for IPsec SA | netlink response for Add SA ah.60d83b2d@192.1.2.45 included non-error error | priority calculation of connection "authenticate-ikev1-sha1" is 0xfe7e7 | add inbound eroute 192.0.2.0/24:0 --0-> 192.0.1.0/24:0 => tun.10000@192.1.2.45 (raw_eroute) | IPsec Sa SPD priority set to 1042407 | raw_eroute result=success | set up incoming SA, ref=0/0 | sr for #2: unrouted | route_and_eroute() for proto 0, and source port 0 dest port 0 | FOR_EACH_CONNECTION_... in route_owner | conn authenticate-ikev1-sha1 mark 0/00000000, 0/00000000 vs | conn authenticate-ikev1-sha1 mark 0/00000000, 0/00000000 | route owner of "authenticate-ikev1-sha1" unrouted: NULL; eroute owner: NULL | route_and_eroute with c: authenticate-ikev1-sha1 (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: #2 | priority calculation of connection "authenticate-ikev1-sha1" is 0xfe7e7 | eroute_connection add eroute 192.0.1.0/24:0 --0-> 192.0.2.0/24:0 => tun.0@192.1.2.23 (raw_eroute) | IPsec Sa SPD priority set to 1042407 | raw_eroute result=success | running updown command "ipsec _updown" for verb up | command executing up-client | executing up-client: PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='authenticate-ikev1-sha1' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.23' PLUTO_ME='192.1.2.45' PLUTO_MY_ID='@west' PLUTO_MY_CLIENT='192.0.1.0/24' PLUTO_MY_CLIENT_NET='192.0.1.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='AH' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID='@east' PLUTO_PEER_CLIENT='192.0.2.0/24' PLUTO_PEER_CLIENT_NET='192.0.2.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+AUTHENTICATE+TUNNEL+PFS+UP+IKEV1_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x9c28cb35 SPI_OUT=0x60d8 | popen cmd is 1019 chars long | cmd( 0):PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='authenticate-ikev1-: | cmd( 80):sha1' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.23' PLUTO_ME='192.1.2.45' P: | cmd( 160):LUTO_MY_ID='@west' PLUTO_MY_CLIENT='192.0.1.0/24' PLUTO_MY_CLIENT_NET='192.0.1.0: | cmd( 240):' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' P: | cmd( 320):LUTO_SA_REQID='16388' PLUTO_SA_TYPE='AH' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID=': | cmd( 400):@east' PLUTO_PEER_CLIENT='192.0.2.0/24' PLUTO_PEER_CLIENT_NET='192.0.2.0' PLUTO_: | cmd( 480):PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLU: | cmd( 560):TO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+AUTH: | cmd( 640):ENTICATE+TUNNEL+PFS+UP+IKEV1_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_: | cmd( 720):CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INF: | cmd( 800):O='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_C: | cmd( 880):FG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED=': | cmd( 960):no' SPI_IN=0x9c28cb35 SPI_OUT=0x60d83b2d ipsec _updown 2>&1: | route_and_eroute: firewall_notified: true | running updown command "ipsec _updown" for verb prepare | command executing prepare-client | executing prepare-client: PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='authenticate-ikev1-sha1' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.23' PLUTO_ME='192.1.2.45' PLUTO_MY_ID='@west' PLUTO_MY_CLIENT='192.0.1.0/24' PLUTO_MY_CLIENT_NET='192.0.1.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='AH' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID='@east' PLUTO_PEER_CLIENT='192.0.2.0/24' PLUTO_PEER_CLIENT_NET='192.0.2.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+AUTHENTICATE+TUNNEL+PFS+UP+IKEV1_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x9c28cb35 SPI_ | popen cmd is 1024 chars long | cmd( 0):PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='authenticate-i: | cmd( 80):kev1-sha1' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.23' PLUTO_ME='192.1.2.: | cmd( 160):45' PLUTO_MY_ID='@west' PLUTO_MY_CLIENT='192.0.1.0/24' PLUTO_MY_CLIENT_NET='192.: | cmd( 240):0.1.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL=: | cmd( 320):'0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='AH' PLUTO_PEER='192.1.2.23' PLUTO_PEER: | cmd( 400):_ID='@east' PLUTO_PEER_CLIENT='192.0.2.0/24' PLUTO_PEER_CLIENT_NET='192.0.2.0' P: | cmd( 480):LUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0: | cmd( 560):' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK: | cmd( 640):+AUTHENTICATE+TUNNEL+PFS+UP+IKEV1_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' P: | cmd( 720):LUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DN: | cmd( 800):S_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PL: | cmd( 880):UTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHA: | cmd( 960):RED='no' SPI_IN=0x9c28cb35 SPI_OUT=0x60d83b2d ipsec _updown 2>&1: | running updown command "ipsec _updown" for verb route | command executing route-client | executing route-client: PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='authenticate-ikev1-sha1' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.23' PLUTO_ME='192.1.2.45' PLUTO_MY_ID='@west' PLUTO_MY_CLIENT='192.0.1.0/24' PLUTO_MY_CLIENT_NET='192.0.1.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='AH' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID='@east' PLUTO_PEER_CLIENT='192.0.2.0/24' PLUTO_PEER_CLIENT_NET='192.0.2.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+AUTHENTICATE+TUNNEL+PFS+UP+IKEV1_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x9c28cb35 SPI_OUT= | popen cmd is 1022 chars long | cmd( 0):PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='authenticate-ike: | cmd( 80):v1-sha1' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.23' PLUTO_ME='192.1.2.45: | cmd( 160):' PLUTO_MY_ID='@west' PLUTO_MY_CLIENT='192.0.1.0/24' PLUTO_MY_CLIENT_NET='192.0.: | cmd( 240):1.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0: | cmd( 320):' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='AH' PLUTO_PEER='192.1.2.23' PLUTO_PEER_I: | cmd( 400):D='@east' PLUTO_PEER_CLIENT='192.0.2.0/24' PLUTO_PEER_CLIENT_NET='192.0.2.0' PLU: | cmd( 480):TO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' : | cmd( 560):PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+A: | cmd( 640):UTHENTICATE+TUNNEL+PFS+UP+IKEV1_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLU: | cmd( 720):TO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_: | cmd( 800):INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUT: | cmd( 880):O_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARE: | cmd( 960):D='no' SPI_IN=0x9c28cb35 SPI_OUT=0x60d83b2d ipsec _updown 2>&1: | route_and_eroute: instance "authenticate-ikev1-sha1", setting eroute_owner {spd=0x562650415aa8,sr=0x562650415aa8} to #2 (was #0) (newest_ipsec_sa=#0) | #1 spent 1.99 milliseconds in install_ipsec_sa() | emitting 12 zero bytes of encryption padding into ISAKMP Message | no IKEv1 message padding required | emitting length of ISAKMP Message: 76 | inR1_outI2: instance authenticate-ikev1-sha1[0], setting IKEv1 newest_ipsec_sa to #2 (was #0) (spd.eroute=#2) cloned from #1 | DPD: dpd_init() called on IPsec SA | DPD: Peer does not support Dead Peer Detection | complete v1 state transition with STF_OK | [RE]START processing: state #2 connection "authenticate-ikev1-sha1" from 192.1.2.23 (in complete_v1_state_transition() at ikev1.c:2673) | #2 is idle | doing_xauth:no, t_xauth_client_done:no | IKEv1: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2 | child state #2: QUICK_I1(established CHILD SA) => QUICK_I2(established CHILD SA) | event_already_set, deleting event | state #2 requesting EVENT_CRYPTO_TIMEOUT to be deleted | libevent_free: release ptr-libevent@0x7f3174003f28 | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x7f3178002b78 | sending reply packet to 192.1.2.23:500 (from 192.1.2.45:500) | sending 76 bytes for STATE_QUICK_I1 through eth1 from 192.1.2.45:500 to 192.1.2.23:500 (using #2) | b3 37 55 c6 a6 a2 91 c8 c0 4d c4 27 39 52 61 4a | 08 10 20 01 e1 5f b2 b3 00 00 00 4c 45 62 ed 38 | bf 4c b9 62 91 7d 5c 1a 40 87 e9 0d a6 70 9b 1f | 30 fd ab a6 54 17 ee 25 03 be 7c 51 55 3b bb 35 | 21 c2 75 94 e4 59 72 b9 9f e1 46 ef | !event_already_set at reschedule | event_schedule: new EVENT_SA_REPLACE-pe@0x7f3178002b78 | inserting event EVENT_SA_REPLACE, timeout in 28048 seconds for #2 | libevent_malloc: new ptr-libevent@0x56265041cf68 size 128 | pstats #2 ikev1.ipsec established "authenticate-ikev1-sha1" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {AH=>0x9c28cb35 <0x60d83b2d xfrm=HMAC_SHA1_96 NATOA=none NATD=none DPD=passive} | modecfg pull: noquirk policy:push not-client | phase 1 is done, looking for phase 2 to unpend | close_any(fd@25) (in release_whack() at state.c:654) | resume sending helper answer for #2 suppresed complete_v1_state_transition() | #2 spent 2.4 milliseconds in resume sending helper answer | stop processing: state #2 connection "authenticate-ikev1-sha1" from 192.1.2.23 (in resume_handler() at server.c:833) | libevent_free: release ptr-libevent@0x7f3168001f78 | processing signal PLUTO_SIGCHLD | waitpid returned ECHILD (no child processes left) | spent 0.00468 milliseconds in signal handler PLUTO_SIGCHLD | processing signal PLUTO_SIGCHLD | waitpid returned ECHILD (no child processes left) | spent 0.00281 milliseconds in signal handler PLUTO_SIGCHLD | processing signal PLUTO_SIGCHLD | waitpid returned ECHILD (no child processes left) | spent 0.00281 milliseconds in signal handler PLUTO_SIGCHLD | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) | FOR_EACH_CONNECTION_... in conn_by_name | start processing: connection "authenticate-ikev1-sha1" (in terminate_a_connection() at terminate.c:69) "authenticate-ikev1-sha1": terminating SAs using this connection | connection 'authenticate-ikev1-sha1' -POLICY_UP | FOR_EACH_STATE_... in shared_phase1_connection | connection not shared - terminating IKE and IPsec SA | Deleting states for connection - not including other IPsec SA's | pass 0 | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete | state #2 | suspend processing: connection "authenticate-ikev1-sha1" (in foreach_state_by_connection_func_delete() at state.c:1310) | start processing: state #2 connection "authenticate-ikev1-sha1" from 192.1.2.23 (in foreach_state_by_connection_func_delete() at state.c:1310) | pstats #2 ikev1.ipsec deleted completed | [RE]START processing: state #2 connection "authenticate-ikev1-sha1" from 192.1.2.23 (in delete_state() at state.c:879) "authenticate-ikev1-sha1" #2: deleting state (STATE_QUICK_I2) aged 0.110s and sending notification | child state #2: QUICK_I2(established CHILD SA) => delete | get_sa_info ah.9c28cb35@192.1.2.23 | get_sa_info ah.60d83b2d@192.1.2.45 "authenticate-ikev1-sha1" #2: AH traffic information: in=84B out=84B | #2 send IKEv1 delete notification for STATE_QUICK_I2 | FOR_EACH_STATE_... in find_phase1_state | **emit ISAKMP Message: | initiator cookie: | b3 37 55 c6 a6 a2 91 c8 | responder cookie: | c0 4d c4 27 39 52 61 4a | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_INFO (0x5) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 2842748107 (0xa970e4cb) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Hash Payload (8:ISAKMP_NEXT_HASH) | next payload chain: saving location 'ISAKMP Hash Payload'.'next payload type' in 'delete msg' | emitting 32 zero bytes of HASH DATA into ISAKMP Hash Payload | emitting length of ISAKMP Hash Payload: 36 | ***emit ISAKMP Delete Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | DOI: ISAKMP_DOI_IPSEC (0x1) | protocol ID: 2 (0x2) | SPI size: 4 (0x4) | number of SPIs: 1 (0x1) | next payload chain: setting previous 'ISAKMP Hash Payload'.'next payload type' to current ISAKMP Delete Payload (12:ISAKMP_NEXT_D) | next payload chain: saving location 'ISAKMP Delete Payload'.'next payload type' in 'delete msg' | emitting 4 raw bytes of delete payload into ISAKMP Delete Payload | delete payload 60 d8 3b 2d | emitting length of ISAKMP Delete Payload: 16 | send delete HASH(1): | 3b 27 76 9c 2d bd 60 80 b3 72 cd f1 c1 93 71 28 | e8 57 a9 0d e3 24 4a 47 1c 1f 60 51 d9 69 5b 0c | emitting 12 zero bytes of encryption padding into ISAKMP Message | no IKEv1 message padding required | emitting length of ISAKMP Message: 92 | sending 92 bytes for delete notify through eth1 from 192.1.2.45:500 to 192.1.2.23:500 (using #1) | b3 37 55 c6 a6 a2 91 c8 c0 4d c4 27 39 52 61 4a | 08 10 05 01 a9 70 e4 cb 00 00 00 5c 43 0f 05 39 | 52 03 ec 47 7f c9 22 c8 c8 00 1c 46 12 b8 40 28 | 12 91 9c 56 f3 46 96 a2 ce b4 86 d2 c8 a0 43 6c | 11 a9 0c 64 62 72 98 b9 6c 7a 0c b1 8a fc c6 48 | 3f 15 89 07 12 f0 13 c7 84 84 98 e4 | state #2 requesting EVENT_SA_REPLACE to be deleted | libevent_free: release ptr-libevent@0x56265041cf68 | free_event_entry: release EVENT_SA_REPLACE-pe@0x7f3178002b78 | running updown command "ipsec _updown" for verb down | command executing down-client | executing down-client: PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='authenticate-ikev1-sha1' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.23' PLUTO_ME='192.1.2.45' PLUTO_MY_ID='@west' PLUTO_MY_CLIENT='192.0.1.0/24' PLUTO_MY_CLIENT_NET='192.0.1.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='AH' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID='@east' PLUTO_PEER_CLIENT='192.0.2.0/24' PLUTO_PEER_CLIENT_NET='192.0.2.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+AUTHENTICATE+TUNNEL+PFS+IKEV1_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x9c28cb35 SPI_OUT=0x60d | popen cmd is 1018 chars long | cmd( 0):PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='authenticate-ikev: | cmd( 80):1-sha1' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.23' PLUTO_ME='192.1.2.45': | cmd( 160): PLUTO_MY_ID='@west' PLUTO_MY_CLIENT='192.0.1.0/24' PLUTO_MY_CLIENT_NET='192.0.1: | cmd( 240):.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0': | cmd( 320): PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='AH' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID: | cmd( 400):='@east' PLUTO_PEER_CLIENT='192.0.2.0/24' PLUTO_PEER_CLIENT_NET='192.0.2.0' PLUT: | cmd( 480):O_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' P: | cmd( 560):LUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+AU: | cmd( 640):THENTICATE+TUNNEL+PFS+IKEV1_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_C: | cmd( 720):ONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO: | cmd( 800):='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CF: | cmd( 880):G_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='n: | cmd( 960):o' SPI_IN=0x9c28cb35 SPI_OUT=0x60d83b2d ipsec _updown 2>&1: | shunt_eroute() called for connection 'authenticate-ikev1-sha1' to 'replace with shunt' for rt_kind 'prospective erouted' using protoports 0--0->-0 | netlink_shunt_eroute for proto 0, and source port 0 dest port 0 | priority calculation of connection "authenticate-ikev1-sha1" is 0xfe7e7 | IPsec Sa SPD priority set to 1042407 | delete ah.9c28cb35@192.1.2.23 | netlink response for Del SA ah.9c28cb35@192.1.2.23 included non-error error | priority calculation of connection "authenticate-ikev1-sha1" is 0xfe7e7 | delete inbound eroute 192.0.2.0/24:0 --0-> 192.0.1.0/24:0 => unk255.10000@192.1.2.45 (raw_eroute) | raw_eroute result=success | delete ah.60d83b2d@192.1.2.45 | netlink response for Del SA ah.60d83b2d@192.1.2.45 included non-error error | stop processing: connection "authenticate-ikev1-sha1" (BACKGROUND) (in update_state_connection() at connections.c:4076) | start processing: connection NULL (in update_state_connection() at connections.c:4077) | in connection_discard for connection authenticate-ikev1-sha1 | State DB: deleting IKEv1 state #2 in QUICK_I2 | child state #2: QUICK_I2(established CHILD SA) => UNDEFINED(ignore) | stop processing: state #2 from 192.1.2.23 (in delete_state() at state.c:1143) | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312) | state #1 | pass 1 | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete | state #1 | start processing: state #1 connection "authenticate-ikev1-sha1" from 192.1.2.23 (in foreach_state_by_connection_func_delete() at state.c:1310) | pstats #1 ikev1.isakmp deleted completed | [RE]START processing: state #1 connection "authenticate-ikev1-sha1" from 192.1.2.23 (in delete_state() at state.c:879) "authenticate-ikev1-sha1" #1: deleting state (STATE_MAIN_I4) aged 0.138s and sending notification | parent state #1: MAIN_I4(established IKE SA) => delete | #1 send IKEv1 delete notification for STATE_MAIN_I4 | **emit ISAKMP Message: | initiator cookie: | b3 37 55 c6 a6 a2 91 c8 | responder cookie: | c0 4d c4 27 39 52 61 4a | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_INFO (0x5) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 2705069393 (0xa13c1551) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Hash Payload (8:ISAKMP_NEXT_HASH) | next payload chain: saving location 'ISAKMP Hash Payload'.'next payload type' in 'delete msg' | emitting 32 zero bytes of HASH DATA into ISAKMP Hash Payload | emitting length of ISAKMP Hash Payload: 36 | ***emit ISAKMP Delete Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | DOI: ISAKMP_DOI_IPSEC (0x1) | protocol ID: 1 (0x1) | SPI size: 16 (0x10) | number of SPIs: 1 (0x1) | next payload chain: setting previous 'ISAKMP Hash Payload'.'next payload type' to current ISAKMP Delete Payload (12:ISAKMP_NEXT_D) | next payload chain: saving location 'ISAKMP Delete Payload'.'next payload type' in 'delete msg' | emitting 8 raw bytes of initiator SPI into ISAKMP Delete Payload | initiator SPI b3 37 55 c6 a6 a2 91 c8 | emitting 8 raw bytes of responder SPI into ISAKMP Delete Payload | responder SPI c0 4d c4 27 39 52 61 4a | emitting length of ISAKMP Delete Payload: 28 | send delete HASH(1): | 47 7e 6a 3f 76 b1 65 4c 09 ff bb 39 22 4d 65 02 | 2e 70 1f e7 53 c3 ce 00 2c ee b7 69 01 f6 32 7f | no IKEv1 message padding required | emitting length of ISAKMP Message: 92 | sending 92 bytes for delete notify through eth1 from 192.1.2.45:500 to 192.1.2.23:500 (using #1) | b3 37 55 c6 a6 a2 91 c8 c0 4d c4 27 39 52 61 4a | 08 10 05 01 a1 3c 15 51 00 00 00 5c 34 de bd fa | 44 cc 8e d7 f8 19 29 a3 27 3a d9 8a ba ae 25 61 | 14 5a 4c 5c e9 1a 0b a6 e8 9d 87 d9 7e 19 d4 30 | 86 bc 60 34 a8 a2 17 47 e7 04 dd f3 41 83 e2 ef | 3f 26 75 29 b7 ea 0f 84 fd f9 e1 9b | state #1 requesting EVENT_SA_REPLACE to be deleted | libevent_free: release ptr-libevent@0x7f3170003978 | free_event_entry: release EVENT_SA_REPLACE-pe@0x562650416178 | State DB: IKEv1 state not found (flush_incomplete_children) | in connection_discard for connection authenticate-ikev1-sha1 | State DB: deleting IKEv1 state #1 in MAIN_I4 | parent state #1: MAIN_I4(established IKE SA) => UNDEFINED(ignore) | stop processing: state #1 from 192.1.2.23 (in delete_state() at state.c:1143) | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312) | processing: STOP connection NULL (in terminate_a_connection() at terminate.c:87) | FOR_EACH_CONNECTION_... in conn_by_name | start processing: connection "authenticate-ikev1-sha1" (in delete_connection() at connections.c:189) | Deleting states for connection - not including other IPsec SA's | pass 0 | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete | pass 1 | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete | shunt_eroute() called for connection 'authenticate-ikev1-sha1' to 'delete' for rt_kind 'unrouted' using protoports 0--0->-0 | netlink_shunt_eroute for proto 0, and source port 0 dest port 0 | priority calculation of connection "authenticate-ikev1-sha1" is 0xfe7e7 | priority calculation of connection "authenticate-ikev1-sha1" is 0xfe7e7 | FOR_EACH_CONNECTION_... in route_owner | conn authenticate-ikev1-sha1 mark 0/00000000, 0/00000000 vs | conn authenticate-ikev1-sha1 mark 0/00000000, 0/00000000 | route owner of "authenticate-ikev1-sha1" unrouted: NULL | running updown command "ipsec _updown" for verb unroute | command executing unroute-client | executing unroute-client: PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='authenticate-ikev1-sha1' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.23' PLUTO_ME='192.1.2.45' PLUTO_MY_ID='@west' PLUTO_MY_CLIENT='192.0.1.0/24' PLUTO_MY_CLIENT_NET='192.0.1.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID='@east' PLUTO_PEER_CLIENT='192.0.2.0/24' PLUTO_PEER_CLIENT_NET='192.0.2.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+AUTHENTICATE+TUNNEL+PFS+IKEV1_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 | popen cmd is 1009 chars long | cmd( 0):PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='authenticate-i: | cmd( 80):kev1-sha1' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.23' PLUTO_ME='192.1.2.: | cmd( 160):45' PLUTO_MY_ID='@west' PLUTO_MY_CLIENT='192.0.1.0/24' PLUTO_MY_CLIENT_NET='192.: | cmd( 240):0.1.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL=: | cmd( 320):'0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.2.23' PLUTO_PE: | cmd( 400):ER_ID='@east' PLUTO_PEER_CLIENT='192.0.2.0/24' PLUTO_PEER_CLIENT_NET='192.0.2.0': | cmd( 480): PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL=: | cmd( 560):'0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='P: | cmd( 640):SK+AUTHENTICATE+TUNNEL+PFS+IKEV1_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PL: | cmd( 720):UTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS: | cmd( 800):_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLU: | cmd( 880):TO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHAR: | cmd( 960):ED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec _updown 2>&1: "authenticate-ikev1-sha1": unroute-client output: Error: Peer netns reference is invalid. "authenticate-ikev1-sha1": unroute-client output: Error: Peer netns reference is invalid. "authenticate-ikev1-sha1": unroute-client output: Error: Peer netns reference is invalid. "authenticate-ikev1-sha1": unroute-client output: Error: Peer netns reference is invalid. "authenticate-ikev1-sha1": unroute-client output: Error: Peer netns reference is invalid. "authenticate-ikev1-sha1": unroute-client output: Error: Peer netns reference is invalid. "authenticate-ikev1-sha1": unroute-client output: Error: Peer netns reference is invalid. "authenticate-ikev1-sha1": unroute-client output: Error: Peer netns reference is invalid. "authenticate-ikev1-sha1": unroute-client output: Error: Peer netns reference is invalid. "authenticate-ikev1-sha1": unroute-client output: Error: Peer netns reference is invalid. "authenticate-ikev1-sha1": unroute-client output: Error: Peer netns reference is invalid. "authenticate-ikev1-sha1": unroute-client output: Error: Peer netns reference is invalid. "authenticate-ikev1-sha1": unroute-client output: Error: Peer netns reference is invalid. "authenticate-ikev1-sha1": unroute-client output: Error: Peer netns reference is invalid. "authenticate-ikev1-sha1": unroute-client output: Error: Peer netns reference is invalid. "authenticate-ikev1-sha1": unroute-client output: Error: Peer netns reference is invalid. "authenticate-ikev1-sha1": unroute-client output: Error: Peer netns reference is invalid. "authenticate-ikev1-sha1": unroute-client output: Error: Peer netns reference is invalid. "authenticate-ikev1-sha1": unroute-client output: Error: Peer netns reference is invalid. "authenticate-ikev1-sha1": unroute-client output: Error: Peer netns reference is invalid. "authenticate-ikev1-sha1": unroute-client output: Error: Peer netns reference is invalid. "authenticate-ikev1-sha1": unroute-client output: Error: Peer netns reference is invalid. "authenticate-ikev1-sha1": unroute-client output: Error: Peer netns reference is invalid. "authenticate-ikev1-sha1": unroute-client output: Error: Peer netns reference is invalid. | free hp@0x562650416098 | flush revival: connection 'authenticate-ikev1-sha1' wasn't on the list | stop processing: connection "authenticate-ikev1-sha1" (in discard_connection() at connections.c:249) | FOR_EACH_CONNECTION_... in conn_by_name | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 2.21 milliseconds in whack | spent 0.00285 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 92 bytes from 192.1.2.23:500 on eth1 (192.1.2.45:500) | b3 37 55 c6 a6 a2 91 c8 c0 4d c4 27 39 52 61 4a | 08 10 05 01 33 9c 34 61 00 00 00 5c 84 fb 5b 2b | 6d 1f 35 c4 7f 78 1b 00 45 c4 35 2c 3c 9a 00 32 | 99 46 3e 04 aa 46 02 10 ee 21 fa a0 32 27 df 98 | 92 c6 79 46 11 27 8d a7 03 9a 60 60 fb 11 ee 10 | ad 9f 20 80 00 9f 4d a0 57 7b 9e b1 | start processing: from 192.1.2.23:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | b3 37 55 c6 a6 a2 91 c8 | responder cookie: | c0 4d c4 27 39 52 61 4a | next payload type: ISAKMP_NEXT_HASH (0x8) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_INFO (0x5) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 865875041 (0x339c3461) | length: 92 (0x5c) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_INFO (5) | State DB: IKEv1 state not found (find_v1_info_state) | State DB: IKEv1 state not found (find_state_ikev1_init) | Informational Exchange is for an unknown (expired?) SA with MSGID:0x339c3461 | - unknown SA's md->hdr.isa_ike_initiator_spi.bytes: | b3 37 55 c6 a6 a2 91 c8 | - unknown SA's md->hdr.isa_ike_responder_spi.bytes: | c0 4d c4 27 39 52 61 4a | stop processing: from 192.1.2.23:500 (in process_md() at demux.c:380) | processing: STOP state #0 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.0805 milliseconds in comm_handle_cb() reading and processing packet | kernel_process_msg_cb process netlink message | netlink_get: XFRM_MSG_UPDPOLICY message | spent 0.00782 milliseconds in kernel message | processing signal PLUTO_SIGCHLD | waitpid returned ECHILD (no child processes left) | spent 0.00408 milliseconds in signal handler PLUTO_SIGCHLD | processing signal PLUTO_SIGCHLD | waitpid returned ECHILD (no child processes left) | spent 0.00268 milliseconds in signal handler PLUTO_SIGCHLD | spent 0.00179 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 92 bytes from 192.1.2.23:500 on eth1 (192.1.2.45:500) | b3 37 55 c6 a6 a2 91 c8 c0 4d c4 27 39 52 61 4a | 08 10 05 01 c7 05 ff 88 00 00 00 5c b1 84 15 92 | 77 2d 05 f9 fd 61 b0 a9 14 20 1f c4 0f 34 70 11 | a3 ea ca 35 70 c5 c0 3e 7d 51 b1 ce 70 cd 2c ba | b6 4e cf c7 88 ea c3 b3 d7 e5 0b 28 ba 39 7d a9 | ae 85 6d 58 72 58 84 5c 5b cb 28 2e | start processing: from 192.1.2.23:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | b3 37 55 c6 a6 a2 91 c8 | responder cookie: | c0 4d c4 27 39 52 61 4a | next payload type: ISAKMP_NEXT_HASH (0x8) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_INFO (0x5) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 3339059080 (0xc705ff88) | length: 92 (0x5c) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_INFO (5) | State DB: IKEv1 state not found (find_v1_info_state) | State DB: IKEv1 state not found (find_state_ikev1_init) | Informational Exchange is for an unknown (expired?) SA with MSGID:0xc705ff88 | - unknown SA's md->hdr.isa_ike_initiator_spi.bytes: | b3 37 55 c6 a6 a2 91 c8 | - unknown SA's md->hdr.isa_ike_responder_spi.bytes: | c0 4d c4 27 39 52 61 4a | stop processing: from 192.1.2.23:500 (in process_md() at demux.c:380) | processing: STOP state #0 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.0732 milliseconds in comm_handle_cb() reading and processing packet | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) | FOR_EACH_CONNECTION_... in show_connections_status | FOR_EACH_STATE_... in show_states_status (sort_states) | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.251 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) shutting down | processing: RESET whack log_fd (was fd@16) (in exit_pluto() at plutomain.c:1825) | certs and keys locked by 'free_preshared_secrets' forgetting secrets | certs and keys unlocked by 'free_preshared_secrets' | crl fetch request list locked by 'free_crl_fetch' | crl fetch request list unlocked by 'free_crl_fetch' shutting down interface lo/lo 127.0.0.1:4500 shutting down interface lo/lo 127.0.0.1:500 shutting down interface eth0/eth0 192.0.1.254:4500 shutting down interface eth0/eth0 192.0.1.254:500 shutting down interface eth1/eth1 192.1.2.45:4500 shutting down interface eth1/eth1 192.1.2.45:500 | FOR_EACH_STATE_... in delete_states_dead_interfaces | libevent_free: release ptr-libevent@0x5626504091d8 | free_event_entry: release EVENT_NULL-pe@0x562650415078 | libevent_free: release ptr-libevent@0x5626503a50d8 | free_event_entry: release EVENT_NULL-pe@0x562650415128 | libevent_free: release ptr-libevent@0x5626503a6f78 | free_event_entry: release EVENT_NULL-pe@0x5626504151d8 | libevent_free: release ptr-libevent@0x5626503a40c8 | free_event_entry: release EVENT_NULL-pe@0x562650415288 | libevent_free: release ptr-libevent@0x5626503754e8 | free_event_entry: release EVENT_NULL-pe@0x562650415338 | libevent_free: release ptr-libevent@0x5626503751d8 | free_event_entry: release EVENT_NULL-pe@0x5626504153e8 | FOR_EACH_UNORIENTED_CONNECTION_... in check_orientations | libevent_free: release ptr-libevent@0x562650409288 | free_event_entry: release EVENT_NULL-pe@0x5626503fd048 | libevent_free: release ptr-libevent@0x5626503a6e78 | free_event_entry: release EVENT_NULL-pe@0x5626503fc508 | libevent_free: release ptr-libevent@0x5626503e0a18 | free_event_entry: release EVENT_NULL-pe@0x5626503fd0b8 | global timer EVENT_REINIT_SECRET uninitialized | global timer EVENT_SHUNT_SCAN uninitialized | global timer EVENT_PENDING_DDNS uninitialized | global timer EVENT_PENDING_PHASE2 uninitialized | global timer EVENT_CHECK_CRLS uninitialized | global timer EVENT_REVIVE_CONNS uninitialized | global timer EVENT_FREE_ROOT_CERTS uninitialized | global timer EVENT_RESET_LOG_RATE_LIMIT uninitialized | global timer EVENT_NAT_T_KEEPALIVE uninitialized | libevent_free: release ptr-libevent@0x5626503a82f8 | signal event handler PLUTO_SIGCHLD uninstalled | libevent_free: release ptr-libevent@0x562650414748 | signal event handler PLUTO_SIGTERM uninstalled | libevent_free: release ptr-libevent@0x562650414858 | signal event handler PLUTO_SIGHUP uninstalled | libevent_free: release ptr-libevent@0x562650414a98 | signal event handler PLUTO_SIGSYS uninstalled | releasing event base | libevent_free: release ptr-libevent@0x562650414968 | libevent_free: release ptr-libevent@0x5626503f78f8 | libevent_free: release ptr-libevent@0x5626503f78a8 | libevent_free: release ptr-libevent@0x7f3174003e78 | libevent_free: release ptr-libevent@0x5626503f77f8 | libevent_free: release ptr-libevent@0x562650414518 | libevent_free: release ptr-libevent@0x5626504146c8 | libevent_free: release ptr-libevent@0x5626503f7aa8 | libevent_free: release ptr-libevent@0x5626503fc618 | libevent_free: release ptr-libevent@0x5626503fd008 | libevent_free: release ptr-libevent@0x562650415458 | libevent_free: release ptr-libevent@0x5626504153a8 | libevent_free: release ptr-libevent@0x5626504152f8 | libevent_free: release ptr-libevent@0x562650415248 | libevent_free: release ptr-libevent@0x562650415198 | libevent_free: release ptr-libevent@0x5626504150e8 | libevent_free: release ptr-libevent@0x5626503a3918 | libevent_free: release ptr-libevent@0x562650414818 | libevent_free: release ptr-libevent@0x562650414708 | libevent_free: release ptr-libevent@0x562650414688 | libevent_free: release ptr-libevent@0x562650414928 | libevent_free: release ptr-libevent@0x562650414558 | libevent_free: release ptr-libevent@0x562650374908 | libevent_free: release ptr-libevent@0x562650374d38 | libevent_free: release ptr-libevent@0x5626503a3c88 | releasing global libevent data | libevent_free: release ptr-libevent@0x5626503a5498 | libevent_free: release ptr-libevent@0x562650374cd8 | libevent_free: release ptr-libevent@0x562650374dd8 leak detective found no leaks