FIPS Product: YES
FIPS Kernel: NO
FIPS Mode: NO
NSS DB directory: sql:/etc/ipsec.d
Initializing NSS
Opening NSS database "sql:/etc/ipsec.d" read-only
NSS initialized
NSS crypto library initialized
FIPS HMAC integrity support [enabled]
FIPS mode disabled for pluto daemon
FIPS HMAC integrity verification self-test FAILED
libcap-ng support [enabled]
Linux audit support [enabled]
Linux audit activated
Starting Pluto (Libreswan Version v3.28-685-gbfd5aef521-master-s2 XFRM(netkey) esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) DNSSEC FIPS_CHECK LABELED_IPSEC SECCOMP LIBCAP_NG LINUX_AUDIT XAUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:1952
core dump dir: /tmp
secrets file: /etc/ipsec.secrets
leak-detective enabled
NSS crypto [enabled]
XAUTH PAM support [enabled]
| libevent is using pluto's memory allocator
Initializing libevent in pthreads mode: headers: 2.1.8-stable (2010800); library: 2.1.8-stable (2010800)
| libevent_malloc: new ptr-libevent@0x55ca5b77ea28 size 40
| libevent_malloc: new ptr-libevent@0x55ca5b77e9a8 size 40
| libevent_malloc: new ptr-libevent@0x55ca5b77e928 size 40
| creating event base
| libevent_malloc: new ptr-libevent@0x55ca5b770558 size 56
| libevent_malloc: new ptr-libevent@0x55ca5b6fa0d8 size 664
| libevent_malloc: new ptr-libevent@0x55ca5b7b9048 size 24
| libevent_malloc: new ptr-libevent@0x55ca5b7b9098 size 384
| libevent_malloc: new ptr-libevent@0x55ca5b7b9008 size 16
| libevent_malloc: new ptr-libevent@0x55ca5b77e8a8 size 40
| libevent_malloc: new ptr-libevent@0x55ca5b77e828 size 48
| libevent_realloc: new ptr-libevent@0x55ca5b6f9d68 size 256
| libevent_malloc: new ptr-libevent@0x55ca5b7b9248 size 16
| libevent_free: release ptr-libevent@0x55ca5b770558
| libevent initialized
| libevent_realloc: new ptr-libevent@0x55ca5b770558 size 64
| global periodic timer EVENT_RESET_LOG_RATE_LIMIT enabled with interval of 3600 seconds
| init_nat_traversal() initialized with keep_alive=0s
NAT-Traversal support  [enabled]
| global one-shot timer EVENT_NAT_T_KEEPALIVE initialized
| global one-shot timer EVENT_FREE_ROOT_CERTS initialized
| global periodic timer EVENT_REINIT_SECRET enabled with interval of 3600 seconds
| v2_cookie_secret  99 59 d3 5e  70 9c a4 d9  7f 49 76 9e  d0 60 66 8f
| v2_cookie_secret  b3 d9 fa 26  dd fa fe dc  d9 ad 0f d0  3b 3e bf 63
| global one-shot timer EVENT_REVIVE_CONNS initialized
| global periodic timer EVENT_PENDING_DDNS enabled with interval of 60 seconds
| global periodic timer EVENT_PENDING_PHASE2 enabled with interval of 120 seconds
Encryption algorithms:
  AES_CCM_16              IKEv1:     ESP     IKEv2:     ESP     FIPS  {256,192,*128}  aes_ccm, aes_ccm_c
  AES_CCM_12              IKEv1:     ESP     IKEv2:     ESP     FIPS  {256,192,*128}  aes_ccm_b
  AES_CCM_8               IKEv1:     ESP     IKEv2:     ESP     FIPS  {256,192,*128}  aes_ccm_a
  3DES_CBC                IKEv1: IKE ESP     IKEv2: IKE ESP     FIPS  [*192]  3des
  CAMELLIA_CTR            IKEv1:     ESP     IKEv2:     ESP           {256,192,*128}
  CAMELLIA_CBC            IKEv1: IKE ESP     IKEv2: IKE ESP           {256,192,*128}  camellia
  AES_GCM_16              IKEv1:     ESP     IKEv2: IKE ESP     FIPS  {256,192,*128}  aes_gcm, aes_gcm_c
  AES_GCM_12              IKEv1:     ESP     IKEv2: IKE ESP     FIPS  {256,192,*128}  aes_gcm_b
  AES_GCM_8               IKEv1:     ESP     IKEv2: IKE ESP     FIPS  {256,192,*128}  aes_gcm_a
  AES_CTR                 IKEv1: IKE ESP     IKEv2: IKE ESP     FIPS  {256,192,*128}  aesctr
  AES_CBC                 IKEv1: IKE ESP     IKEv2: IKE ESP     FIPS  {256,192,*128}  aes
  SERPENT_CBC             IKEv1: IKE ESP     IKEv2: IKE ESP           {256,192,*128}  serpent
  TWOFISH_CBC             IKEv1: IKE ESP     IKEv2: IKE ESP           {256,192,*128}  twofish
  TWOFISH_SSH             IKEv1: IKE         IKEv2: IKE ESP           {256,192,*128}  twofish_cbc_ssh
  NULL_AUTH_AES_GMAC      IKEv1:     ESP     IKEv2:     ESP     FIPS  {256,192,*128}  aes_gmac
  NULL                    IKEv1:     ESP     IKEv2:     ESP           []
  CHACHA20_POLY1305       IKEv1:             IKEv2: IKE ESP           [*256]  chacha20poly1305
Hash algorithms:
  MD5                     IKEv1: IKE         IKEv2:                 
  SHA1                    IKEv1: IKE         IKEv2:             FIPS  sha
  SHA2_256                IKEv1: IKE         IKEv2:             FIPS  sha2, sha256
  SHA2_384                IKEv1: IKE         IKEv2:             FIPS  sha384
  SHA2_512                IKEv1: IKE         IKEv2:             FIPS  sha512
PRF algorithms:
  HMAC_MD5                IKEv1: IKE         IKEv2: IKE               md5
  HMAC_SHA1               IKEv1: IKE         IKEv2: IKE         FIPS  sha, sha1
  HMAC_SHA2_256           IKEv1: IKE         IKEv2: IKE         FIPS  sha2, sha256, sha2_256
  HMAC_SHA2_384           IKEv1: IKE         IKEv2: IKE         FIPS  sha384, sha2_384
  HMAC_SHA2_512           IKEv1: IKE         IKEv2: IKE         FIPS  sha512, sha2_512
  AES_XCBC                IKEv1:             IKEv2: IKE               aes128_xcbc
Integrity algorithms:
  HMAC_MD5_96             IKEv1: IKE ESP AH  IKEv2: IKE ESP AH        md5, hmac_md5
  HMAC_SHA1_96            IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  sha, sha1, sha1_96, hmac_sha1
  HMAC_SHA2_512_256       IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  sha512, sha2_512, sha2_512_256, hmac_sha2_512
  HMAC_SHA2_384_192       IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  sha384, sha2_384, sha2_384_192, hmac_sha2_384
  HMAC_SHA2_256_128       IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256
  HMAC_SHA2_256_TRUNCBUG  IKEv1:     ESP AH  IKEv2:         AH      
  AES_XCBC_96             IKEv1:     ESP AH  IKEv2: IKE ESP AH        aes_xcbc, aes128_xcbc, aes128_xcbc_96
  AES_CMAC_96             IKEv1:     ESP AH  IKEv2:     ESP AH  FIPS  aes_cmac
  NONE                    IKEv1:     ESP     IKEv2: IKE ESP     FIPS  null
DH algorithms:
  NONE                    IKEv1:             IKEv2: IKE ESP AH  FIPS  null, dh0
  MODP1536                IKEv1: IKE ESP AH  IKEv2: IKE ESP AH        dh5
  MODP2048                IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  dh14
  MODP3072                IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  dh15
  MODP4096                IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  dh16
  MODP6144                IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  dh17
  MODP8192                IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  dh18
  DH19                    IKEv1: IKE         IKEv2: IKE ESP AH  FIPS  ecp_256, ecp256
  DH20                    IKEv1: IKE         IKEv2: IKE ESP AH  FIPS  ecp_384, ecp384
  DH21                    IKEv1: IKE         IKEv2: IKE ESP AH  FIPS  ecp_521, ecp521
  DH31                    IKEv1: IKE         IKEv2: IKE ESP AH        curve25519
testing CAMELLIA_CBC:
  Camellia: 16 bytes with 128-bit key
  Camellia: 16 bytes with 128-bit key
  Camellia: 16 bytes with 256-bit key
  Camellia: 16 bytes with 256-bit key
testing AES_GCM_16:
  empty string
  one block
  two blocks
  two blocks with associated data
testing AES_CTR:
  Encrypting 16 octets using AES-CTR with 128-bit key
  Encrypting 32 octets using AES-CTR with 128-bit key
  Encrypting 36 octets using AES-CTR with 128-bit key
  Encrypting 16 octets using AES-CTR with 192-bit key
  Encrypting 32 octets using AES-CTR with 192-bit key
  Encrypting 36 octets using AES-CTR with 192-bit key
  Encrypting 16 octets using AES-CTR with 256-bit key
  Encrypting 32 octets using AES-CTR with 256-bit key
  Encrypting 36 octets using AES-CTR with 256-bit key
testing AES_CBC:
  Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key
  Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key
  Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key
  Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key
testing AES_XCBC:
  RFC 3566 Test Case #1: AES-XCBC-MAC-96 with 0-byte input
  RFC 3566 Test Case #2: AES-XCBC-MAC-96 with 3-byte input
  RFC 3566 Test Case #3: AES-XCBC-MAC-96 with 16-byte input
  RFC 3566 Test Case #4: AES-XCBC-MAC-96 with 20-byte input
  RFC 3566 Test Case #5: AES-XCBC-MAC-96 with 32-byte input
  RFC 3566 Test Case #6: AES-XCBC-MAC-96 with 34-byte input
  RFC 3566 Test Case #7: AES-XCBC-MAC-96 with 1000-byte input
  RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 16)
  RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10)
  RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18)
testing HMAC_MD5:
  RFC 2104: MD5_HMAC test 1
  RFC 2104: MD5_HMAC test 2
  RFC 2104: MD5_HMAC test 3
8 CPU cores online
starting up 7 crypto helpers
started thread for crypto helper 0
| starting up helper thread 0
started thread for crypto helper 1
| status value returned by setting the priority of this thread (crypto helper 0) 22
| crypto helper 0 waiting (nothing to do)
started thread for crypto helper 2
| starting up helper thread 1
| status value returned by setting the priority of this thread (crypto helper 1) 22
| crypto helper 1 waiting (nothing to do)
started thread for crypto helper 3
started thread for crypto helper 4
| starting up helper thread 2
| starting up helper thread 3
| status value returned by setting the priority of this thread (crypto helper 2) 22
| crypto helper 2 waiting (nothing to do)
| starting up helper thread 5
| status value returned by setting the priority of this thread (crypto helper 5) 22
| crypto helper 5 waiting (nothing to do)
started thread for crypto helper 5
| status value returned by setting the priority of this thread (crypto helper 3) 22
| crypto helper 3 waiting (nothing to do)
started thread for crypto helper 6
| starting up helper thread 4
| status value returned by setting the priority of this thread (crypto helper 4) 22
| checking IKEv1 state table
| crypto helper 4 waiting (nothing to do)
|   MAIN_R0: category: half-open IKE SA flags: 0:
|     -> MAIN_R1 EVENT_SO_DISCARD
|   MAIN_I1: category: half-open IKE SA flags: 0:
|     -> MAIN_I2 EVENT_RETRANSMIT
|   MAIN_R1: category: open IKE SA flags: 200:
|     -> MAIN_R2 EVENT_RETRANSMIT
|     -> UNDEFINED EVENT_RETRANSMIT
|     -> UNDEFINED EVENT_RETRANSMIT
|   MAIN_I2: category: open IKE SA flags: 0:
|     -> MAIN_I3 EVENT_RETRANSMIT
|     -> UNDEFINED EVENT_RETRANSMIT
|     -> UNDEFINED EVENT_RETRANSMIT
|   MAIN_R2: category: open IKE SA flags: 0:
|     -> MAIN_R3 EVENT_SA_REPLACE
|     -> MAIN_R3 EVENT_SA_REPLACE
|     -> UNDEFINED EVENT_SA_REPLACE
|   MAIN_I3: category: open IKE SA flags: 0:
|     -> MAIN_I4 EVENT_SA_REPLACE
|     -> MAIN_I4 EVENT_SA_REPLACE
|     -> UNDEFINED EVENT_SA_REPLACE
|   MAIN_R3: category: established IKE SA flags: 200:
|     -> UNDEFINED EVENT_NULL
|   MAIN_I4: category: established IKE SA flags: 0:
|     -> UNDEFINED EVENT_NULL
|   AGGR_R0: category: half-open IKE SA flags: 0:
|     -> AGGR_R1 EVENT_SO_DISCARD
|   AGGR_I1: category: half-open IKE SA flags: 0:
|     -> AGGR_I2 EVENT_SA_REPLACE
|     -> AGGR_I2 EVENT_SA_REPLACE
| starting up helper thread 6
| status value returned by setting the priority of this thread (crypto helper 6) 22
| crypto helper 6 waiting (nothing to do)
|   AGGR_R1: category: open IKE SA flags: 200:
|     -> AGGR_R2 EVENT_SA_REPLACE
|     -> AGGR_R2 EVENT_SA_REPLACE
|   AGGR_I2: category: established IKE SA flags: 200:
|     -> UNDEFINED EVENT_NULL
|   AGGR_R2: category: established IKE SA flags: 0:
|     -> UNDEFINED EVENT_NULL
|   QUICK_R0: category: established CHILD SA flags: 0:
|     -> QUICK_R1 EVENT_RETRANSMIT
|   QUICK_I1: category: established CHILD SA flags: 0:
|     -> QUICK_I2 EVENT_SA_REPLACE
|   QUICK_R1: category: established CHILD SA flags: 0:
|     -> QUICK_R2 EVENT_SA_REPLACE
|   QUICK_I2: category: established CHILD SA flags: 200:
|     -> UNDEFINED EVENT_NULL
|   QUICK_R2: category: established CHILD SA flags: 0:
|     -> UNDEFINED EVENT_NULL
|   INFO: category: informational flags: 0:
|     -> UNDEFINED EVENT_NULL
|   INFO_PROTECTED: category: informational flags: 0:
|     -> UNDEFINED EVENT_NULL
|   XAUTH_R0: category: established IKE SA flags: 0:
|     -> XAUTH_R1 EVENT_NULL
|   XAUTH_R1: category: established IKE SA flags: 0:
|     -> MAIN_R3 EVENT_SA_REPLACE
|   MODE_CFG_R0: category: informational flags: 0:
|     -> MODE_CFG_R1 EVENT_SA_REPLACE
|   MODE_CFG_R1: category: established IKE SA flags: 0:
|     -> MODE_CFG_R2 EVENT_SA_REPLACE
|   MODE_CFG_R2: category: established IKE SA flags: 0:
|     -> UNDEFINED EVENT_NULL
|   MODE_CFG_I1: category: established IKE SA flags: 0:
|     -> MAIN_I4 EVENT_SA_REPLACE
|   XAUTH_I0: category: established IKE SA flags: 0:
|     -> XAUTH_I1 EVENT_RETRANSMIT
|   XAUTH_I1: category: established IKE SA flags: 0:
|     -> MAIN_I4 EVENT_RETRANSMIT
| checking IKEv2 state table
|   PARENT_I0: category: ignore flags: 0:
|     -> PARENT_I1 EVENT_RETRANSMIT send-request (initiate IKE_SA_INIT)
|   PARENT_I1: category: half-open IKE SA flags: 0:
|     -> PARENT_I1 EVENT_RETAIN send-request (Initiator: process SA_INIT reply notification)
|     -> PARENT_I2 EVENT_RETRANSMIT send-request (Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH)
|   PARENT_I2: category: open IKE SA flags: 0:
|     -> PARENT_I2 EVENT_NULL (Initiator: process INVALID_SYNTAX AUTH notification)
|     -> PARENT_I2 EVENT_NULL (Initiator: process AUTHENTICATION_FAILED AUTH notification)
|     -> PARENT_I2 EVENT_NULL (Initiator: process UNSUPPORTED_CRITICAL_PAYLOAD AUTH notification)
|     -> V2_IPSEC_I EVENT_SA_REPLACE (Initiator: process IKE_AUTH response)
|     -> PARENT_I2 EVENT_NULL (IKE SA: process IKE_AUTH response containing unknown notification)
|   PARENT_I3: category: established IKE SA flags: 0:
|     -> PARENT_I3 EVENT_RETAIN (I3: Informational Request)
|     -> PARENT_I3 EVENT_RETAIN (I3: Informational Response)
|     -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Request)
|     -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Response)
|   PARENT_R0: category: half-open IKE SA flags: 0:
|     -> PARENT_R1 EVENT_SO_DISCARD send-request (Respond to IKE_SA_INIT)
|   PARENT_R1: category: half-open IKE SA flags: 0:
|     -> PARENT_R1 EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request (no SKEYSEED))
|     -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request)
|   PARENT_R2: category: established IKE SA flags: 0:
|     -> PARENT_R2 EVENT_RETAIN (R2: process Informational Request)
|     -> PARENT_R2 EVENT_RETAIN (R2: process Informational Response)
|     -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Request)
|     -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Response)
|   V2_CREATE_I0: category: established IKE SA flags: 0:
|     -> V2_CREATE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec SA)
|   V2_CREATE_I: category: established IKE SA flags: 0:
|     -> V2_IPSEC_I EVENT_SA_REPLACE (Process CREATE_CHILD_SA IPsec SA Response)
|   V2_REKEY_IKE_I0: category: established IKE SA flags: 0:
|     -> V2_REKEY_IKE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IKE Rekey)
|   V2_REKEY_IKE_I: category: established IKE SA flags: 0:
|     -> PARENT_I3 EVENT_SA_REPLACE (Process CREATE_CHILD_SA IKE Rekey Response)
|   V2_REKEY_CHILD_I0: category: established IKE SA flags: 0:
|     -> V2_REKEY_CHILD_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec Rekey SA)
|   V2_REKEY_CHILD_I: category: established IKE SA flags: 0: <none>
|   V2_CREATE_R: category: established IKE SA flags: 0:
|     -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IPsec SA Request)
|   V2_REKEY_IKE_R: category: established IKE SA flags: 0:
|     -> PARENT_R2 EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IKE Rekey)
|   V2_REKEY_CHILD_R: category: established IKE SA flags: 0: <none>
|   V2_IPSEC_I: category: established CHILD SA flags: 0: <none>
|   V2_IPSEC_R: category: established CHILD SA flags: 0: <none>
|   IKESA_DEL: category: established IKE SA flags: 0:
|     -> IKESA_DEL EVENT_RETAIN (IKE_SA_DEL: process INFORMATIONAL)
|   CHILDSA_DEL: category: informational flags: 0: <none>
Using Linux XFRM/NETKEY IPsec interface code on 5.1.18-200.fc29.x86_64
| Hard-wiring algorithms
| adding AES_CCM_16 to kernel algorithm db
| adding AES_CCM_12 to kernel algorithm db
| adding AES_CCM_8 to kernel algorithm db
| adding 3DES_CBC to kernel algorithm db
| adding CAMELLIA_CBC to kernel algorithm db
| adding AES_GCM_16 to kernel algorithm db
| adding AES_GCM_12 to kernel algorithm db
| adding AES_GCM_8 to kernel algorithm db
| adding AES_CTR to kernel algorithm db
| adding AES_CBC to kernel algorithm db
| adding SERPENT_CBC to kernel algorithm db
| adding TWOFISH_CBC to kernel algorithm db
| adding NULL_AUTH_AES_GMAC to kernel algorithm db
| adding NULL to kernel algorithm db
| adding CHACHA20_POLY1305 to kernel algorithm db
| adding HMAC_MD5_96 to kernel algorithm db
| adding HMAC_SHA1_96 to kernel algorithm db
| adding HMAC_SHA2_512_256 to kernel algorithm db
| adding HMAC_SHA2_384_192 to kernel algorithm db
| adding HMAC_SHA2_256_128 to kernel algorithm db
| adding HMAC_SHA2_256_TRUNCBUG to kernel algorithm db
| adding AES_XCBC_96 to kernel algorithm db
| adding AES_CMAC_96 to kernel algorithm db
| adding NONE to kernel algorithm db
| net.ipv6.conf.all.disable_ipv6=1 ignore ipv6 holes
| global periodic timer EVENT_SHUNT_SCAN enabled with interval of 20 seconds
| setup kernel fd callback
| add_fd_read_event_handler: new KERNEL_XRM_FD-pe@0x55ca5b778748
| libevent_malloc: new ptr-libevent@0x55ca5b7b77b8 size 128
| libevent_malloc: new ptr-libevent@0x55ca5b7be848 size 16
| add_fd_read_event_handler: new KERNEL_ROUTE_FD-pe@0x55ca5b7be7d8
| libevent_malloc: new ptr-libevent@0x55ca5b771208 size 128
| libevent_malloc: new ptr-libevent@0x55ca5b7be4a8 size 16
| global one-shot timer EVENT_CHECK_CRLS initialized
selinux support is enabled.
| unbound context created - setting debug level to 5
| /etc/hosts lookups activated
| /etc/resolv.conf usage activated
| outgoing-port-avoid set 0-65535
| outgoing-port-permit set 32768-60999
| Loading dnssec root key from:/var/lib/unbound/root.key
| No additional dnssec trust anchors defined via dnssec-trusted= option
| Setting up events, loop start
| add_fd_read_event_handler: new PLUTO_CTL_FD-pe@0x55ca5b7bec78
| libevent_malloc: new ptr-libevent@0x55ca5b7cab58 size 128
| libevent_malloc: new ptr-libevent@0x55ca5b7d5e48 size 16
| libevent_realloc: new ptr-libevent@0x55ca5b7d5e88 size 256
| libevent_malloc: new ptr-libevent@0x55ca5b7d5fb8 size 8
| libevent_realloc: new ptr-libevent@0x55ca5b7d5ff8 size 144
| libevent_malloc: new ptr-libevent@0x55ca5b77cd18 size 152
| libevent_malloc: new ptr-libevent@0x55ca5b7d60b8 size 16
| signal event handler PLUTO_SIGCHLD installed
| libevent_malloc: new ptr-libevent@0x55ca5b7d60f8 size 8
| libevent_malloc: new ptr-libevent@0x55ca5b6fa698 size 152
| signal event handler PLUTO_SIGTERM installed
| libevent_malloc: new ptr-libevent@0x55ca5b7d6138 size 8
| libevent_malloc: new ptr-libevent@0x55ca5b7d6178 size 152
| signal event handler PLUTO_SIGHUP installed
| libevent_malloc: new ptr-libevent@0x55ca5b7d6248 size 8
| libevent_realloc: release ptr-libevent@0x55ca5b7d5ff8
| libevent_realloc: new ptr-libevent@0x55ca5b7d6288 size 256
| libevent_malloc: new ptr-libevent@0x55ca5b7d63b8 size 152
| signal event handler PLUTO_SIGSYS installed
| created addconn helper (pid:1966) using fork+execve
| forked child 1966
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
listening for IKE messages
| Inspecting interface lo 
| found lo with address 127.0.0.1
| Inspecting interface eth0 
| found eth0 with address 192.0.1.254
| Inspecting interface eth1 
| found eth1 with address 192.1.2.45
Kernel supports NIC esp-hw-offload
adding interface eth1/eth1 (esp-hw-offload not supported by kernel) 192.1.2.45:500
| NAT-Traversal: Trying sockopt style NAT-T
| NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4
adding interface eth1/eth1 192.1.2.45:4500
adding interface eth0/eth0 (esp-hw-offload not supported by kernel) 192.0.1.254:500
| NAT-Traversal: Trying sockopt style NAT-T
| NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4
adding interface eth0/eth0 192.0.1.254:4500
adding interface lo/lo (esp-hw-offload not supported by kernel) 127.0.0.1:500
| NAT-Traversal: Trying sockopt style NAT-T
| NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4
adding interface lo/lo 127.0.0.1:4500
| no interfaces to sort
| FOR_EACH_UNORIENTED_CONNECTION_... in check_orientations
| add_fd_read_event_handler: new ethX-pe@0x55ca5b7d6998
| libevent_malloc: new ptr-libevent@0x55ca5b7caaa8 size 128
| libevent_malloc: new ptr-libevent@0x55ca5b7d6a08 size 16
| setup callback for interface lo 127.0.0.1:4500 fd 22
| add_fd_read_event_handler: new ethX-pe@0x55ca5b7d6a48
| libevent_malloc: new ptr-libevent@0x55ca5b7712b8 size 128
| libevent_malloc: new ptr-libevent@0x55ca5b7d6ab8 size 16
| setup callback for interface lo 127.0.0.1:500 fd 21
| add_fd_read_event_handler: new ethX-pe@0x55ca5b7d6af8
| libevent_malloc: new ptr-libevent@0x55ca5b770bd8 size 128
| libevent_malloc: new ptr-libevent@0x55ca5b7d6b68 size 16
| setup callback for interface eth0 192.0.1.254:4500 fd 20
| add_fd_read_event_handler: new ethX-pe@0x55ca5b7d6ba8
| libevent_malloc: new ptr-libevent@0x55ca5b778498 size 128
| libevent_malloc: new ptr-libevent@0x55ca5b7d6c18 size 16
| setup callback for interface eth0 192.0.1.254:500 fd 19
| add_fd_read_event_handler: new ethX-pe@0x55ca5b7d6c58
| libevent_malloc: new ptr-libevent@0x55ca5b778598 size 128
| libevent_malloc: new ptr-libevent@0x55ca5b7d6cc8 size 16
| setup callback for interface eth1 192.1.2.45:4500 fd 18
| add_fd_read_event_handler: new ethX-pe@0x55ca5b7d6d08
| libevent_malloc: new ptr-libevent@0x55ca5b778698 size 128
| libevent_malloc: new ptr-libevent@0x55ca5b7d6d78 size 16
| setup callback for interface eth1 192.1.2.45:500 fd 17
| certs and keys locked by 'free_preshared_secrets'
| certs and keys unlocked by 'free_preshared_secrets'
loading secrets from "/etc/ipsec.secrets"
| saving Modulus
| Modulus  a6 f5 d6 3f  e3 8f 6c 01  6a fc 7b 7c  6d 57 8b 49
| Modulus  39 0d 77 f7  ac e2 85 f1  98 1e 4b 6d  a5 3e b3 96
| Modulus  9a d1 99 5a  bc 10 f2 97  de f2 28 f9  5f 92 09 f0
| Modulus  c8 d4 12 e4  60 6e 9c 60  98 10 01 7d  26 b7 8f 95
| Modulus  62 2d 87 dd  cd de f6 d3  8f 35 b0 50  d0 18 f5 99
| Modulus  f8 04 f1 ff  61 5b bc 7f  1f c0 04 d8  e4 8c ac 34
| Modulus  ad 7a c1 da  3c 2d 8c 30  ae d6 3c 59  b1 3a 94 d3
| Modulus  d5 2a 73 91  bd 59 5f 3e  72 bf 4a 1b  9d c5 b2 2b
| Modulus  4d e7 0d 24  3e 77 f9 7f  2d d6 9d 29  ef 70 7d 7a
| Modulus  6d a2 b8 61  0c 4b 09 4a  06 71 84 70  85 9a 8f 52
| Modulus  a1 80 06 fd  c6 fc 3e 27  fa 16 fa 32  83 a9 ca 80
| Modulus  db 0f 4a bf  f7 e9 55 8e  bd 29 4d 23  a6 dc 2a b3
| Modulus  5d 62 a9 21  1e be 83 d8  69 3c 03 0a  48 8e d3 3a
| Modulus  11 f2 86 5a  d1 30 65 bd  c8 f4 83 87  ff 04 87 33
| Modulus  05 4f e0 d8  8c fe b3 19  4c dd 85 40  f3 4d 6e e8
| Modulus  49 14 06 2c  1f 59 59 05  8f 20 b0 ca  46 3f c9 20
| Modulus  7e 04 30 7d  9a 80 6c 3f  0a 89 f7 d3  af d8 15 04
| Modulus  37 f9
| Modulus  a6 f5 d6 3f  e3 8f 6c 01  6a fc 7b 7c  6d 57 8b 49
| Modulus  39 0d 77 f7  ac e2 85 f1  98 1e 4b 6d  a5 3e b3 96
| Modulus  9a d1 99 5a  bc 10 f2 97  de f2 28 f9  5f 92 09 f0
| Modulus  c8 d4 12 e4  60 6e 9c 60  98 10 01 7d  26 b7 8f 95
| Modulus  62 2d 87 dd  cd de f6 d3  8f 35 b0 50  d0 18 f5 99
| Modulus  f8 04 f1 ff  61 5b bc 7f  1f c0 04 d8  e4 8c ac 34
| Modulus  ad 7a c1 da  3c 2d 8c 30  ae d6 3c 59  b1 3a 94 d3
| Modulus  d5 2a 73 91  bd 59 5f 3e  72 bf 4a 1b  9d c5 b2 2b
| Modulus  4d e7 0d 24  3e 77 f9 7f  2d d6 9d 29  ef 70 7d 7a
| Modulus  6d a2 b8 61  0c 4b 09 4a  06 71 84 70  85 9a 8f 52
| Modulus  a1 80 06 fd  c6 fc 3e 27  fa 16 fa 32  83 a9 ca 80
| Modulus  db 0f 4a bf  f7 e9 55 8e  bd 29 4d 23  a6 dc 2a b3
| Modulus  5d 62 a9 21  1e be 83 d8  69 3c 03 0a  48 8e d3 3a
| Modulus  11 f2 86 5a  d1 30 65 bd  c8 f4 83 87  ff 04 87 33
| Modulus  05 4f e0 d8  8c fe b3 19  4c dd 85 40  f3 4d 6e e8
| Modulus  49 14 06 2c  1f 59 59 05  8f 20 b0 ca  46 3f c9 20
| Modulus  7e 04 30 7d  9a 80 6c 3f  0a 89 f7 d3  af d8 15 04
| Modulus  37 f9
| saving PublicExponent
| PublicExponent  03
| PublicExponent  03
| ignoring PrivateExponent
| ignoring Prime1
| ignoring Prime2
| ignoring Exponent1
| ignoring Exponent2
| ignoring Coefficient
| ignoring CKAIDNSS
| computed rsa CKAID  b4 9f 1a ac  9e 45 6e 79  29 c8 81 97  3a 0c 6a d3
| computed rsa CKAID  7f 0f 03 50
loaded private key for keyid: PKK_RSA:AQOm9dY/4
| certs and keys locked by 'process_secret'
| certs and keys unlocked by 'process_secret'
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.738 milliseconds in whack
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in foreach_connection_by_alias
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in foreach_connection_by_alias
| FOR_EACH_CONNECTION_... in conn_by_name
| Added new connection clear with policy AUTH_NEVER+GROUP+PASS+NEVER_NEGOTIATE
| counting wild cards for (none) is 15
| counting wild cards for (none) is 15
| connect_to_host_pair: 192.1.2.45:500 0.0.0.0:500 -> hp@(nil): none
| new hp@0x55ca5b7d7938
added connection description "clear"
| ike_life: 0s; ipsec_life: 0s; rekey_margin: 0s; rekey_fuzz: 0%; keyingtries: 0; replay_window: 0; policy: AUTH_NEVER+GROUP+PASS+NEVER_NEGOTIATE
| 192.1.2.45---192.1.2.254...%group
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.111 milliseconds in whack
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in foreach_connection_by_alias
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in foreach_connection_by_alias
| FOR_EACH_CONNECTION_... in conn_by_name
| Added new connection clear-or-private with policy RSASIG+ENCRYPT+TUNNEL+PFS+NEGO_PASS+OPPORTUNISTIC+GROUP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failurePASS
| ike (phase1) algorithm values: AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31
| from whack: got --esp=
| ESP/AH string values: AES_GCM_16_256-NONE, AES_GCM_16_128-NONE, AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128, AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128
| setting ID to ID_DER_ASN1_DN: 'E=user-west@testing.libreswan.org,CN=west.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA'
| loading left certificate 'west' pubkey
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55ca5b7dab28
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55ca5b7daad8
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55ca5b7da798
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55ca5b7da698
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55ca5b7dabd8
| unreference key: 0x55ca5b7ddaa8 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org cnt 1--
| certs and keys locked by 'lsw_add_rsa_secret'
| certs and keys unlocked by 'lsw_add_rsa_secret'
| counting wild cards for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org is 0
| counting wild cards for %fromcert is 0
| find_host_pair: comparing 192.1.2.45:500 to 0.0.0.0:500 but ignoring ports
| connect_to_host_pair: 192.1.2.45:500 0.0.0.0:500 -> hp@0x55ca5b7d7938: clear
added connection description "clear-or-private"
| ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: RSASIG+ENCRYPT+TUNNEL+PFS+NEGO_PASS+OPPORTUNISTIC+GROUP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failurePASS
| 192.1.2.45[C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org]---192.1.2.254...%opportunisticgroup[%fromcert]
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.916 milliseconds in whack
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in foreach_connection_by_alias
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in foreach_connection_by_alias
| FOR_EACH_CONNECTION_... in conn_by_name
| Added new connection private-or-clear with policy RSASIG+ENCRYPT+TUNNEL+PFS+NEGO_PASS+OPPORTUNISTIC+GROUP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failurePASS
| ike (phase1) algorithm values: AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31
| from whack: got --esp=
| ESP/AH string values: AES_GCM_16_256-NONE, AES_GCM_16_128-NONE, AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128, AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128
| setting ID to ID_DER_ASN1_DN: 'E=user-west@testing.libreswan.org,CN=west.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA'
| loading left certificate 'west' pubkey
| unreference key: 0x55ca5b7e04a8 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org cnt 1--
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55ca5b7e1ad8
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55ca5b7e1a88
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55ca5b7e2318
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55ca5b7e1888
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55ca5b7e18d8
| unreference key: 0x55ca5b7de168 192.1.2.45 cnt 1--
| unreference key: 0x55ca5b7df538 west@testing.libreswan.org cnt 1--
| unreference key: 0x55ca5b7dfac8 @west.testing.libreswan.org cnt 1--
| unreference key: 0x55ca5b7dffe8 user-west@testing.libreswan.org cnt 1--
| unreference key: 0x55ca5b7e1d88 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org cnt 1--
| secrets entry for west already exists
| counting wild cards for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org is 0
| counting wild cards for %fromcert is 0
| find_host_pair: comparing 192.1.2.45:500 to 0.0.0.0:500 but ignoring ports
| connect_to_host_pair: 192.1.2.45:500 0.0.0.0:500 -> hp@0x55ca5b7d7938: clear-or-private
added connection description "private-or-clear"
| ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: RSASIG+ENCRYPT+TUNNEL+PFS+NEGO_PASS+OPPORTUNISTIC+GROUP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failurePASS
| 192.1.2.45[C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org]---192.1.2.254...%opportunisticgroup[%fromcert]
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.435 milliseconds in whack
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in foreach_connection_by_alias
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in foreach_connection_by_alias
| FOR_EACH_CONNECTION_... in conn_by_name
| Added new connection private with policy RSASIG+ENCRYPT+TUNNEL+PFS+OPPORTUNISTIC+GROUP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failureDROP
| ike (phase1) algorithm values: AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31
| from whack: got --esp=
| ESP/AH string values: AES_GCM_16_256-NONE, AES_GCM_16_128-NONE, AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128, AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128
| setting ID to ID_DER_ASN1_DN: 'E=user-west@testing.libreswan.org,CN=west.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA'
| loading left certificate 'west' pubkey
| unreference key: 0x55ca5b7dffe8 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org cnt 1--
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55ca5b7e3c58
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55ca5b7e3c08
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55ca5b7e4588
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55ca5b7e3af8
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55ca5b7e3b48
| unreference key: 0x55ca5b7ddaa8 192.1.2.45 cnt 1--
| unreference key: 0x55ca5b7de168 west@testing.libreswan.org cnt 1--
| unreference key: 0x55ca5b7df538 @west.testing.libreswan.org cnt 1--
| unreference key: 0x55ca5b7dfac8 user-west@testing.libreswan.org cnt 1--
| unreference key: 0x55ca5b7e3ca8 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org cnt 1--
| secrets entry for west already exists
| counting wild cards for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org is 0
| counting wild cards for %fromcert is 0
| find_host_pair: comparing 192.1.2.45:500 to 0.0.0.0:500 but ignoring ports
| connect_to_host_pair: 192.1.2.45:500 0.0.0.0:500 -> hp@0x55ca5b7d7938: private-or-clear
added connection description "private"
| ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: RSASIG+ENCRYPT+TUNNEL+PFS+OPPORTUNISTIC+GROUP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failureDROP
| 192.1.2.45[C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org]---192.1.2.254...%opportunisticgroup[%fromcert]
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.476 milliseconds in whack
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in foreach_connection_by_alias
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in foreach_connection_by_alias
| FOR_EACH_CONNECTION_... in conn_by_name
| Added new connection block with policy AUTH_NEVER+GROUP+REJECT+NEVER_NEGOTIATE
| counting wild cards for (none) is 15
| counting wild cards for (none) is 15
| find_host_pair: comparing 192.1.2.45:500 to 0.0.0.0:500 but ignoring ports
| connect_to_host_pair: 192.1.2.45:500 0.0.0.0:500 -> hp@0x55ca5b7d7938: private
added connection description "block"
| ike_life: 0s; ipsec_life: 0s; rekey_margin: 0s; rekey_fuzz: 0%; keyingtries: 0; replay_window: 0; policy: AUTH_NEVER+GROUP+REJECT+NEVER_NEGOTIATE
| 192.1.2.45---192.1.2.254...%group
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.0493 milliseconds in whack
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
listening for IKE messages
| Inspecting interface lo 
| found lo with address 127.0.0.1
| Inspecting interface eth0 
| found eth0 with address 192.0.1.254
| Inspecting interface eth1 
| found eth1 with address 192.1.2.45
| no interfaces to sort
| libevent_free: release ptr-libevent@0x55ca5b7caaa8
| free_event_entry: release EVENT_NULL-pe@0x55ca5b7d6998
| add_fd_read_event_handler: new ethX-pe@0x55ca5b7d6998
| libevent_malloc: new ptr-libevent@0x55ca5b7da6e8 size 128
| setup callback for interface lo 127.0.0.1:4500 fd 22
| libevent_free: release ptr-libevent@0x55ca5b7712b8
| free_event_entry: release EVENT_NULL-pe@0x55ca5b7d6a48
| add_fd_read_event_handler: new ethX-pe@0x55ca5b7d6a48
| libevent_malloc: new ptr-libevent@0x55ca5b7712b8 size 128
| setup callback for interface lo 127.0.0.1:500 fd 21
| libevent_free: release ptr-libevent@0x55ca5b770bd8
| free_event_entry: release EVENT_NULL-pe@0x55ca5b7d6af8
| add_fd_read_event_handler: new ethX-pe@0x55ca5b7d6af8
| libevent_malloc: new ptr-libevent@0x55ca5b770bd8 size 128
| setup callback for interface eth0 192.0.1.254:4500 fd 20
| libevent_free: release ptr-libevent@0x55ca5b778498
| free_event_entry: release EVENT_NULL-pe@0x55ca5b7d6ba8
| add_fd_read_event_handler: new ethX-pe@0x55ca5b7d6ba8
| libevent_malloc: new ptr-libevent@0x55ca5b778498 size 128
| setup callback for interface eth0 192.0.1.254:500 fd 19
| libevent_free: release ptr-libevent@0x55ca5b778598
| free_event_entry: release EVENT_NULL-pe@0x55ca5b7d6c58
| add_fd_read_event_handler: new ethX-pe@0x55ca5b7d6c58
| libevent_malloc: new ptr-libevent@0x55ca5b778598 size 128
| setup callback for interface eth1 192.1.2.45:4500 fd 18
| libevent_free: release ptr-libevent@0x55ca5b778698
| free_event_entry: release EVENT_NULL-pe@0x55ca5b7d6d08
| add_fd_read_event_handler: new ethX-pe@0x55ca5b7d6d08
| libevent_malloc: new ptr-libevent@0x55ca5b778698 size 128
| setup callback for interface eth1 192.1.2.45:500 fd 17
| certs and keys locked by 'free_preshared_secrets'
forgetting secrets
| certs and keys unlocked by 'free_preshared_secrets'
loading secrets from "/etc/ipsec.secrets"
| saving Modulus
| Modulus  a6 f5 d6 3f  e3 8f 6c 01  6a fc 7b 7c  6d 57 8b 49
| Modulus  39 0d 77 f7  ac e2 85 f1  98 1e 4b 6d  a5 3e b3 96
| Modulus  9a d1 99 5a  bc 10 f2 97  de f2 28 f9  5f 92 09 f0
| Modulus  c8 d4 12 e4  60 6e 9c 60  98 10 01 7d  26 b7 8f 95
| Modulus  62 2d 87 dd  cd de f6 d3  8f 35 b0 50  d0 18 f5 99
| Modulus  f8 04 f1 ff  61 5b bc 7f  1f c0 04 d8  e4 8c ac 34
| Modulus  ad 7a c1 da  3c 2d 8c 30  ae d6 3c 59  b1 3a 94 d3
| Modulus  d5 2a 73 91  bd 59 5f 3e  72 bf 4a 1b  9d c5 b2 2b
| Modulus  4d e7 0d 24  3e 77 f9 7f  2d d6 9d 29  ef 70 7d 7a
| Modulus  6d a2 b8 61  0c 4b 09 4a  06 71 84 70  85 9a 8f 52
| Modulus  a1 80 06 fd  c6 fc 3e 27  fa 16 fa 32  83 a9 ca 80
| Modulus  db 0f 4a bf  f7 e9 55 8e  bd 29 4d 23  a6 dc 2a b3
| Modulus  5d 62 a9 21  1e be 83 d8  69 3c 03 0a  48 8e d3 3a
| Modulus  11 f2 86 5a  d1 30 65 bd  c8 f4 83 87  ff 04 87 33
| Modulus  05 4f e0 d8  8c fe b3 19  4c dd 85 40  f3 4d 6e e8
| Modulus  49 14 06 2c  1f 59 59 05  8f 20 b0 ca  46 3f c9 20
| Modulus  7e 04 30 7d  9a 80 6c 3f  0a 89 f7 d3  af d8 15 04
| Modulus  37 f9
| Modulus  a6 f5 d6 3f  e3 8f 6c 01  6a fc 7b 7c  6d 57 8b 49
| Modulus  39 0d 77 f7  ac e2 85 f1  98 1e 4b 6d  a5 3e b3 96
| Modulus  9a d1 99 5a  bc 10 f2 97  de f2 28 f9  5f 92 09 f0
| Modulus  c8 d4 12 e4  60 6e 9c 60  98 10 01 7d  26 b7 8f 95
| Modulus  62 2d 87 dd  cd de f6 d3  8f 35 b0 50  d0 18 f5 99
| Modulus  f8 04 f1 ff  61 5b bc 7f  1f c0 04 d8  e4 8c ac 34
| Modulus  ad 7a c1 da  3c 2d 8c 30  ae d6 3c 59  b1 3a 94 d3
| Modulus  d5 2a 73 91  bd 59 5f 3e  72 bf 4a 1b  9d c5 b2 2b
| Modulus  4d e7 0d 24  3e 77 f9 7f  2d d6 9d 29  ef 70 7d 7a
| Modulus  6d a2 b8 61  0c 4b 09 4a  06 71 84 70  85 9a 8f 52
| Modulus  a1 80 06 fd  c6 fc 3e 27  fa 16 fa 32  83 a9 ca 80
| Modulus  db 0f 4a bf  f7 e9 55 8e  bd 29 4d 23  a6 dc 2a b3
| Modulus  5d 62 a9 21  1e be 83 d8  69 3c 03 0a  48 8e d3 3a
| Modulus  11 f2 86 5a  d1 30 65 bd  c8 f4 83 87  ff 04 87 33
| Modulus  05 4f e0 d8  8c fe b3 19  4c dd 85 40  f3 4d 6e e8
| Modulus  49 14 06 2c  1f 59 59 05  8f 20 b0 ca  46 3f c9 20
| Modulus  7e 04 30 7d  9a 80 6c 3f  0a 89 f7 d3  af d8 15 04
| Modulus  37 f9
| saving PublicExponent
| PublicExponent  03
| PublicExponent  03
| ignoring PrivateExponent
| ignoring Prime1
| ignoring Prime2
| ignoring Exponent1
| ignoring Exponent2
| ignoring Coefficient
| ignoring CKAIDNSS
| computed rsa CKAID  b4 9f 1a ac  9e 45 6e 79  29 c8 81 97  3a 0c 6a d3
| computed rsa CKAID  7f 0f 03 50
loaded private key for keyid: PKK_RSA:AQOm9dY/4
| certs and keys locked by 'process_secret'
| certs and keys unlocked by 'process_secret'
loading group "/etc/ipsec.d/policies/block"
loading group "/etc/ipsec.d/policies/private"
loading group "/etc/ipsec.d/policies/private-or-clear"
loading group "/etc/ipsec.d/policies/clear-or-private"
loading group "/etc/ipsec.d/policies/clear"
| 192.1.2.45/32->192.1.2.254/32 0 sport 0 dport 0 clear
| 192.1.2.45/32->192.1.3.253/32 0 sport 0 dport 0 clear
| 192.1.2.45/32->192.1.2.253/32 0 sport 0 dport 0 clear
| 192.1.2.45/32->127.0.0.1/32 0 sport 0 dport 0 clear
| 192.1.2.45/32->192.1.2.0/24 0 sport 0 dport 0 private-or-clear
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in conn_by_name
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.329 milliseconds in whack
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
| FOR_EACH_CONNECTION_... in conn_by_name
| start processing: connection "clear" (in whack_route_connection() at rcv_whack.c:106)
| FOR_EACH_CONNECTION_... in conn_by_name
| suspend processing: connection "clear" (in route_group() at foodgroups.c:435)
| start processing: connection "clear#192.1.2.254/32" 0.0.0.0 (in route_group() at foodgroups.c:435)
| could_route called for clear#192.1.2.254/32 (kind=CK_INSTANCE)
| FOR_EACH_CONNECTION_... in route_owner
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
|  conn clear mark 0/00000000, 0/00000000
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
|  conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
|  conn clear#127.0.0.1/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
|  conn block mark 0/00000000, 0/00000000
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
|  conn private mark 0/00000000, 0/00000000
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
|  conn private-or-clear mark 0/00000000, 0/00000000
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
|  conn clear-or-private mark 0/00000000, 0/00000000
| route owner of "clear#192.1.2.254/32" 0.0.0.0 unrouted: NULL; eroute owner: NULL
| route_and_eroute() for proto 0, and source port 0 dest port 0
| FOR_EACH_CONNECTION_... in route_owner
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
|  conn clear mark 0/00000000, 0/00000000
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
|  conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
|  conn clear#127.0.0.1/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
|  conn block mark 0/00000000, 0/00000000
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
|  conn private mark 0/00000000, 0/00000000
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
|  conn private-or-clear mark 0/00000000, 0/00000000
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
|  conn clear-or-private mark 0/00000000, 0/00000000
| route owner of "clear#192.1.2.254/32" 0.0.0.0 unrouted: NULL; eroute owner: NULL
| route_and_eroute with c: clear#192.1.2.254/32 (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: #0
| shunt_eroute() called for connection 'clear#192.1.2.254/32' to 'add' for rt_kind 'prospective erouted' using protoports 0--0->-0
| netlink_shunt_eroute for proto 0, and source port 0 dest port 0
| priority calculation of connection "clear#192.1.2.254/32" is 0x17dfdf
| netlink_raw_eroute: SPI_PASS
| IPsec Sa SPD priority set to 1564639
| priority calculation of connection "clear#192.1.2.254/32" is 0x17dfdf
| netlink_raw_eroute: SPI_PASS
| IPsec Sa SPD priority set to 1564639
| route_and_eroute: firewall_notified: true
| running updown command "ipsec _updown" for verb prepare 
| command executing prepare-host
| id type with ID_NONE means wildcard match
| trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org'
| executing prepare-host: PLUTO_VERB='prepare-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.2.254/32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.45' PLUTO_MY_ID='192.1.2.45' PLUTO_MY_CLIENT='192.1.2.45/32' PLUTO_MY_CLIENT_NET='192.1.2.45' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16408' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.2.254/32' PLUTO_PEER_CLIENT_NET='192.1.2.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SE
| popen cmd is 1134 chars long
| cmd(   0):PLUTO_VERB='prepare-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.2.25:
| cmd(  80):4/32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.45' :
| cmd( 160):PLUTO_MY_ID='192.1.2.45' PLUTO_MY_CLIENT='192.1.2.45/32' PLUTO_MY_CLIENT_NET='19:
| cmd( 240):2.1.2.45' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROT:
| cmd( 320):OCOL='0' PLUTO_SA_REQID='16408' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_:
| cmd( 400):PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.2.254/32' PLUTO_PEER_CLIENT_NET='192.1:
| cmd( 480):.2.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_:
| cmd( 560):PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test De:
| cmd( 640):partment, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK=:
| cmd( 720):'netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVE:
| cmd( 800):R_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FA:
| cmd( 880):ILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' :
| cmd( 960):PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGUR:
| cmd(1040):ED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipse:
| cmd(1120):c _updown 2>&1:
| running updown command "ipsec _updown" for verb route 
| command executing route-host
| id type with ID_NONE means wildcard match
| trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org'
| executing route-host: PLUTO_VERB='route-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.2.254/32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.45' PLUTO_MY_ID='192.1.2.45' PLUTO_MY_CLIENT='192.1.2.45/32' PLUTO_MY_CLIENT_NET='192.1.2.45' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16408' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.2.254/32' PLUTO_PEER_CLIENT_NET='192.1.2.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER
| popen cmd is 1132 chars long
| cmd(   0):PLUTO_VERB='route-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.2.254/:
| cmd(  80):32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.45' PL:
| cmd( 160):UTO_MY_ID='192.1.2.45' PLUTO_MY_CLIENT='192.1.2.45/32' PLUTO_MY_CLIENT_NET='192.:
| cmd( 240):1.2.45' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOC:
| cmd( 320):OL='0' PLUTO_SA_REQID='16408' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PE:
| cmd( 400):ER_ID='(none)' PLUTO_PEER_CLIENT='192.1.2.254/32' PLUTO_PEER_CLIENT_NET='192.1.2:
| cmd( 480):.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PR:
| cmd( 560):OTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Depa:
| cmd( 640):rtment, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='n:
| cmd( 720):etkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_:
| cmd( 800):NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAIL:
| cmd( 880):ED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PL:
| cmd( 960):UTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED:
| cmd(1040):='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec :
| cmd(1120):_updown 2>&1:
| suspend processing: connection "clear#192.1.2.254/32" 0.0.0.0 (in route_group() at foodgroups.c:439)
| start processing: connection "clear" (in route_group() at foodgroups.c:439)
| FOR_EACH_CONNECTION_... in conn_by_name
| suspend processing: connection "clear" (in route_group() at foodgroups.c:435)
| start processing: connection "clear#192.1.3.253/32" 0.0.0.0 (in route_group() at foodgroups.c:435)
| could_route called for clear#192.1.3.253/32 (kind=CK_INSTANCE)
| FOR_EACH_CONNECTION_... in route_owner
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear mark 0/00000000, 0/00000000
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
|  conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear#127.0.0.1/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
|  conn block mark 0/00000000, 0/00000000
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
|  conn private mark 0/00000000, 0/00000000
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
|  conn private-or-clear mark 0/00000000, 0/00000000
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear-or-private mark 0/00000000, 0/00000000
| route owner of "clear#192.1.3.253/32" 0.0.0.0 unrouted: NULL; eroute owner: NULL
| route_and_eroute() for proto 0, and source port 0 dest port 0
| FOR_EACH_CONNECTION_... in route_owner
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear mark 0/00000000, 0/00000000
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
|  conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear#127.0.0.1/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
|  conn block mark 0/00000000, 0/00000000
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
|  conn private mark 0/00000000, 0/00000000
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
|  conn private-or-clear mark 0/00000000, 0/00000000
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear-or-private mark 0/00000000, 0/00000000
| route owner of "clear#192.1.3.253/32" 0.0.0.0 unrouted: NULL; eroute owner: NULL
| route_and_eroute with c: clear#192.1.3.253/32 (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: #0
| shunt_eroute() called for connection 'clear#192.1.3.253/32' to 'add' for rt_kind 'prospective erouted' using protoports 0--0->-0
| netlink_shunt_eroute for proto 0, and source port 0 dest port 0
| priority calculation of connection "clear#192.1.3.253/32" is 0x17dfdf
| netlink_raw_eroute: SPI_PASS
| IPsec Sa SPD priority set to 1564639
| priority calculation of connection "clear#192.1.3.253/32" is 0x17dfdf
| netlink_raw_eroute: SPI_PASS
| IPsec Sa SPD priority set to 1564639
| route_and_eroute: firewall_notified: true
| running updown command "ipsec _updown" for verb prepare 
| command executing prepare-host
| id type with ID_NONE means wildcard match
| trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org'
| executing prepare-host: PLUTO_VERB='prepare-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.3.253/32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.45' PLUTO_MY_ID='192.1.2.45' PLUTO_MY_CLIENT='192.1.2.45/32' PLUTO_MY_CLIENT_NET='192.1.2.45' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16412' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.253/32' PLUTO_PEER_CLIENT_NET='192.1.3.253' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SE
| popen cmd is 1134 chars long
| cmd(   0):PLUTO_VERB='prepare-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.3.25:
| cmd(  80):3/32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.45' :
| cmd( 160):PLUTO_MY_ID='192.1.2.45' PLUTO_MY_CLIENT='192.1.2.45/32' PLUTO_MY_CLIENT_NET='19:
| cmd( 240):2.1.2.45' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROT:
| cmd( 320):OCOL='0' PLUTO_SA_REQID='16412' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_:
| cmd( 400):PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.253/32' PLUTO_PEER_CLIENT_NET='192.1:
| cmd( 480):.3.253' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_:
| cmd( 560):PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test De:
| cmd( 640):partment, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK=:
| cmd( 720):'netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVE:
| cmd( 800):R_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FA:
| cmd( 880):ILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' :
| cmd( 960):PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGUR:
| cmd(1040):ED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipse:
| cmd(1120):c _updown 2>&1:
| running updown command "ipsec _updown" for verb route 
| command executing route-host
| id type with ID_NONE means wildcard match
| trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org'
| executing route-host: PLUTO_VERB='route-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.3.253/32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.45' PLUTO_MY_ID='192.1.2.45' PLUTO_MY_CLIENT='192.1.2.45/32' PLUTO_MY_CLIENT_NET='192.1.2.45' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16412' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.253/32' PLUTO_PEER_CLIENT_NET='192.1.3.253' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER
| popen cmd is 1132 chars long
| cmd(   0):PLUTO_VERB='route-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.3.253/:
| cmd(  80):32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.45' PL:
| cmd( 160):UTO_MY_ID='192.1.2.45' PLUTO_MY_CLIENT='192.1.2.45/32' PLUTO_MY_CLIENT_NET='192.:
| cmd( 240):1.2.45' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOC:
| cmd( 320):OL='0' PLUTO_SA_REQID='16412' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PE:
| cmd( 400):ER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.253/32' PLUTO_PEER_CLIENT_NET='192.1.3:
| cmd( 480):.253' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PR:
| cmd( 560):OTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Depa:
| cmd( 640):rtment, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='n:
| cmd( 720):etkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_:
| cmd( 800):NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAIL:
| cmd( 880):ED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PL:
| cmd( 960):UTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED:
| cmd(1040):='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec :
| cmd(1120):_updown 2>&1:
| suspend processing: connection "clear#192.1.3.253/32" 0.0.0.0 (in route_group() at foodgroups.c:439)
| start processing: connection "clear" (in route_group() at foodgroups.c:439)
| FOR_EACH_CONNECTION_... in conn_by_name
| suspend processing: connection "clear" (in route_group() at foodgroups.c:435)
| start processing: connection "clear#192.1.2.253/32" 0.0.0.0 (in route_group() at foodgroups.c:435)
| could_route called for clear#192.1.2.253/32 (kind=CK_INSTANCE)
| FOR_EACH_CONNECTION_... in route_owner
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear mark 0/00000000, 0/00000000
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
|  conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear#127.0.0.1/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
|  conn block mark 0/00000000, 0/00000000
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
|  conn private mark 0/00000000, 0/00000000
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
|  conn private-or-clear mark 0/00000000, 0/00000000
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear-or-private mark 0/00000000, 0/00000000
| route owner of "clear#192.1.2.253/32" 0.0.0.0 unrouted: NULL; eroute owner: NULL
| route_and_eroute() for proto 0, and source port 0 dest port 0
| FOR_EACH_CONNECTION_... in route_owner
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear mark 0/00000000, 0/00000000
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
|  conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear#127.0.0.1/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
|  conn block mark 0/00000000, 0/00000000
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
|  conn private mark 0/00000000, 0/00000000
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
|  conn private-or-clear mark 0/00000000, 0/00000000
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear-or-private mark 0/00000000, 0/00000000
| route owner of "clear#192.1.2.253/32" 0.0.0.0 unrouted: NULL; eroute owner: NULL
| route_and_eroute with c: clear#192.1.2.253/32 (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: #0
| shunt_eroute() called for connection 'clear#192.1.2.253/32' to 'add' for rt_kind 'prospective erouted' using protoports 0--0->-0
| netlink_shunt_eroute for proto 0, and source port 0 dest port 0
| priority calculation of connection "clear#192.1.2.253/32" is 0x17dfdf
| netlink_raw_eroute: SPI_PASS
| IPsec Sa SPD priority set to 1564639
| priority calculation of connection "clear#192.1.2.253/32" is 0x17dfdf
| netlink_raw_eroute: SPI_PASS
| IPsec Sa SPD priority set to 1564639
| route_and_eroute: firewall_notified: true
| running updown command "ipsec _updown" for verb prepare 
| command executing prepare-host
| id type with ID_NONE means wildcard match
| trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org'
| executing prepare-host: PLUTO_VERB='prepare-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.2.253/32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.45' PLUTO_MY_ID='192.1.2.45' PLUTO_MY_CLIENT='192.1.2.45/32' PLUTO_MY_CLIENT_NET='192.1.2.45' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16416' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.2.253/32' PLUTO_PEER_CLIENT_NET='192.1.2.253' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SE
| popen cmd is 1134 chars long
| cmd(   0):PLUTO_VERB='prepare-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.2.25:
| cmd(  80):3/32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.45' :
| cmd( 160):PLUTO_MY_ID='192.1.2.45' PLUTO_MY_CLIENT='192.1.2.45/32' PLUTO_MY_CLIENT_NET='19:
| cmd( 240):2.1.2.45' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROT:
| cmd( 320):OCOL='0' PLUTO_SA_REQID='16416' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_:
| cmd( 400):PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.2.253/32' PLUTO_PEER_CLIENT_NET='192.1:
| cmd( 480):.2.253' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_:
| cmd( 560):PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test De:
| cmd( 640):partment, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK=:
| cmd( 720):'netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVE:
| cmd( 800):R_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FA:
| cmd( 880):ILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' :
| cmd( 960):PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGUR:
| cmd(1040):ED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipse:
| cmd(1120):c _updown 2>&1:
| running updown command "ipsec _updown" for verb route 
| command executing route-host
| id type with ID_NONE means wildcard match
| trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org'
| executing route-host: PLUTO_VERB='route-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.2.253/32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.45' PLUTO_MY_ID='192.1.2.45' PLUTO_MY_CLIENT='192.1.2.45/32' PLUTO_MY_CLIENT_NET='192.1.2.45' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16416' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.2.253/32' PLUTO_PEER_CLIENT_NET='192.1.2.253' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER
| popen cmd is 1132 chars long
| cmd(   0):PLUTO_VERB='route-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.2.253/:
| cmd(  80):32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.45' PL:
| cmd( 160):UTO_MY_ID='192.1.2.45' PLUTO_MY_CLIENT='192.1.2.45/32' PLUTO_MY_CLIENT_NET='192.:
| cmd( 240):1.2.45' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOC:
| cmd( 320):OL='0' PLUTO_SA_REQID='16416' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PE:
| cmd( 400):ER_ID='(none)' PLUTO_PEER_CLIENT='192.1.2.253/32' PLUTO_PEER_CLIENT_NET='192.1.2:
| cmd( 480):.253' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PR:
| cmd( 560):OTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Depa:
| cmd( 640):rtment, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='n:
| cmd( 720):etkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_:
| cmd( 800):NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAIL:
| cmd( 880):ED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PL:
| cmd( 960):UTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED:
| cmd(1040):='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec :
| cmd(1120):_updown 2>&1:
| suspend processing: connection "clear#192.1.2.253/32" 0.0.0.0 (in route_group() at foodgroups.c:439)
| start processing: connection "clear" (in route_group() at foodgroups.c:439)
| FOR_EACH_CONNECTION_... in conn_by_name
| suspend processing: connection "clear" (in route_group() at foodgroups.c:435)
| start processing: connection "clear#127.0.0.1/32" 0.0.0.0 (in route_group() at foodgroups.c:435)
| could_route called for clear#127.0.0.1/32 (kind=CK_INSTANCE)
| FOR_EACH_CONNECTION_... in route_owner
|  conn clear#127.0.0.1/32 mark 0/00000000, 0/00000000 vs
|  conn clear#127.0.0.1/32 mark 0/00000000, 0/00000000
|  conn clear#127.0.0.1/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000
|  conn clear#127.0.0.1/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000
|  conn clear#127.0.0.1/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000
|  conn clear#127.0.0.1/32 mark 0/00000000, 0/00000000 vs
|  conn clear mark 0/00000000, 0/00000000
|  conn clear#127.0.0.1/32 mark 0/00000000, 0/00000000 vs
|  conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000
|  conn clear#127.0.0.1/32 mark 0/00000000, 0/00000000 vs
|  conn block mark 0/00000000, 0/00000000
|  conn clear#127.0.0.1/32 mark 0/00000000, 0/00000000 vs
|  conn private mark 0/00000000, 0/00000000
|  conn clear#127.0.0.1/32 mark 0/00000000, 0/00000000 vs
|  conn private-or-clear mark 0/00000000, 0/00000000
|  conn clear#127.0.0.1/32 mark 0/00000000, 0/00000000 vs
|  conn clear-or-private mark 0/00000000, 0/00000000
| route owner of "clear#127.0.0.1/32" 0.0.0.0 unrouted: NULL; eroute owner: NULL
| route_and_eroute() for proto 0, and source port 0 dest port 0
| FOR_EACH_CONNECTION_... in route_owner
|  conn clear#127.0.0.1/32 mark 0/00000000, 0/00000000 vs
|  conn clear#127.0.0.1/32 mark 0/00000000, 0/00000000
|  conn clear#127.0.0.1/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000
|  conn clear#127.0.0.1/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000
|  conn clear#127.0.0.1/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000
|  conn clear#127.0.0.1/32 mark 0/00000000, 0/00000000 vs
|  conn clear mark 0/00000000, 0/00000000
|  conn clear#127.0.0.1/32 mark 0/00000000, 0/00000000 vs
|  conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000
|  conn clear#127.0.0.1/32 mark 0/00000000, 0/00000000 vs
|  conn block mark 0/00000000, 0/00000000
|  conn clear#127.0.0.1/32 mark 0/00000000, 0/00000000 vs
|  conn private mark 0/00000000, 0/00000000
|  conn clear#127.0.0.1/32 mark 0/00000000, 0/00000000 vs
|  conn private-or-clear mark 0/00000000, 0/00000000
|  conn clear#127.0.0.1/32 mark 0/00000000, 0/00000000 vs
|  conn clear-or-private mark 0/00000000, 0/00000000
| route owner of "clear#127.0.0.1/32" 0.0.0.0 unrouted: NULL; eroute owner: NULL
| route_and_eroute with c: clear#127.0.0.1/32 (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: #0
| shunt_eroute() called for connection 'clear#127.0.0.1/32' to 'add' for rt_kind 'prospective erouted' using protoports 0--0->-0
| netlink_shunt_eroute for proto 0, and source port 0 dest port 0
| priority calculation of connection "clear#127.0.0.1/32" is 0x17dfdf
| netlink_raw_eroute: SPI_PASS
| IPsec Sa SPD priority set to 1564639
| priority calculation of connection "clear#127.0.0.1/32" is 0x17dfdf
| netlink_raw_eroute: SPI_PASS
| IPsec Sa SPD priority set to 1564639
| route_and_eroute: firewall_notified: true
| running updown command "ipsec _updown" for verb prepare 
| command executing prepare-host
| id type with ID_NONE means wildcard match
| trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org'
| executing prepare-host: PLUTO_VERB='prepare-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#127.0.0.1/32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.45' PLUTO_MY_ID='192.1.2.45' PLUTO_MY_CLIENT='192.1.2.45/32' PLUTO_MY_CLIENT_NET='192.1.2.45' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16420' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='127.0.0.1/32' PLUTO_PEER_CLIENT_NET='127.0.0.1' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='
| popen cmd is 1128 chars long
| cmd(   0):PLUTO_VERB='prepare-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#127.0.0.1/:
| cmd(  80):32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.45' PL:
| cmd( 160):UTO_MY_ID='192.1.2.45' PLUTO_MY_CLIENT='192.1.2.45/32' PLUTO_MY_CLIENT_NET='192.:
| cmd( 240):1.2.45' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOC:
| cmd( 320):OL='0' PLUTO_SA_REQID='16420' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PE:
| cmd( 400):ER_ID='(none)' PLUTO_PEER_CLIENT='127.0.0.1/32' PLUTO_PEER_CLIENT_NET='127.0.0.1:
| cmd( 480):' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOC:
| cmd( 560):OL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Departme:
| cmd( 640):nt, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netke:
| cmd( 720):y' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGO:
| cmd( 800):TIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0:
| cmd( 880): PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_:
| cmd( 960):PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0':
| cmd(1040): VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec _upd:
| cmd(1120):own 2>&1:
| running updown command "ipsec _updown" for verb route 
| command executing route-host
| id type with ID_NONE means wildcard match
| trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org'
| executing route-host: PLUTO_VERB='route-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#127.0.0.1/32' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.45' PLUTO_MY_ID='192.1.2.45' PLUTO_MY_CLIENT='192.1.2.45/32' PLUTO_MY_CLIENT_NET='192.1.2.45' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16420' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='127.0.0.1/32' PLUTO_PEER_CLIENT_NET='127.0.0.1' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' P
| popen cmd is 1126 chars long
| cmd(   0):PLUTO_VERB='route-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#127.0.0.1/32:
| cmd(  80):' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.45' PLUT:
| cmd( 160):O_MY_ID='192.1.2.45' PLUTO_MY_CLIENT='192.1.2.45/32' PLUTO_MY_CLIENT_NET='192.1.:
| cmd( 240):2.45' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL:
| cmd( 320):='0' PLUTO_SA_REQID='16420' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER:
| cmd( 400):_ID='(none)' PLUTO_PEER_CLIENT='127.0.0.1/32' PLUTO_PEER_CLIENT_NET='127.0.0.1' :
| cmd( 480):PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL:
| cmd( 560):='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department:
| cmd( 640):, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey':
| cmd( 720): PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTI:
| cmd( 800):ATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 P:
| cmd( 880):LUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PE:
| cmd( 960):ER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' V:
| cmd(1040):TI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec _updow:
| cmd(1120):n 2>&1:
| suspend processing: connection "clear#127.0.0.1/32" 0.0.0.0 (in route_group() at foodgroups.c:439)
| start processing: connection "clear" (in route_group() at foodgroups.c:439)
| stop processing: connection "clear" (in whack_route_connection() at rcv_whack.c:116)
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 3.28 milliseconds in whack
| processing signal PLUTO_SIGCHLD
| waitpid returned nothing left to do (all child processes are busy)
| spent 0.0032 milliseconds in signal handler PLUTO_SIGCHLD
| processing signal PLUTO_SIGCHLD
| waitpid returned nothing left to do (all child processes are busy)
| spent 0.00198 milliseconds in signal handler PLUTO_SIGCHLD
| processing signal PLUTO_SIGCHLD
| waitpid returned nothing left to do (all child processes are busy)
| spent 0.00196 milliseconds in signal handler PLUTO_SIGCHLD
| processing signal PLUTO_SIGCHLD
| waitpid returned nothing left to do (all child processes are busy)
| spent 0.00194 milliseconds in signal handler PLUTO_SIGCHLD
| processing signal PLUTO_SIGCHLD
| waitpid returned nothing left to do (all child processes are busy)
| spent 0.00194 milliseconds in signal handler PLUTO_SIGCHLD
| processing signal PLUTO_SIGCHLD
| waitpid returned nothing left to do (all child processes are busy)
| spent 0.00193 milliseconds in signal handler PLUTO_SIGCHLD
| processing signal PLUTO_SIGCHLD
| waitpid returned nothing left to do (all child processes are busy)
| spent 0.00194 milliseconds in signal handler PLUTO_SIGCHLD
| processing signal PLUTO_SIGCHLD
| waitpid returned nothing left to do (all child processes are busy)
| spent 0.00194 milliseconds in signal handler PLUTO_SIGCHLD
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
| FOR_EACH_CONNECTION_... in conn_by_name
| start processing: connection "private-or-clear" (in whack_route_connection() at rcv_whack.c:106)
| FOR_EACH_CONNECTION_... in conn_by_name
| suspend processing: connection "private-or-clear" (in route_group() at foodgroups.c:435)
| start processing: connection "private-or-clear#192.1.2.0/24" (in route_group() at foodgroups.c:435)
| could_route called for private-or-clear#192.1.2.0/24 (kind=CK_TEMPLATE)
| FOR_EACH_CONNECTION_... in route_owner
|  conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000 vs
|  conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000
|  conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000 vs
|  conn private-or-clear mark 0/00000000, 0/00000000
|  conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000 vs
|  conn clear#127.0.0.1/32 mark 0/00000000, 0/00000000
|  conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000
|  conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000
|  conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000
|  conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000 vs
|  conn clear mark 0/00000000, 0/00000000
|  conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000 vs
|  conn block mark 0/00000000, 0/00000000
|  conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000 vs
|  conn private mark 0/00000000, 0/00000000
|  conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000 vs
|  conn clear-or-private mark 0/00000000, 0/00000000
| route owner of "private-or-clear#192.1.2.0/24" unrouted: NULL; eroute owner: NULL
| route_and_eroute() for proto 0, and source port 0 dest port 0
| FOR_EACH_CONNECTION_... in route_owner
|  conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000 vs
|  conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000
|  conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000 vs
|  conn private-or-clear mark 0/00000000, 0/00000000
|  conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000 vs
|  conn clear#127.0.0.1/32 mark 0/00000000, 0/00000000
|  conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000
|  conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000
|  conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000
|  conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000 vs
|  conn clear mark 0/00000000, 0/00000000
|  conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000 vs
|  conn block mark 0/00000000, 0/00000000
|  conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000 vs
|  conn private mark 0/00000000, 0/00000000
|  conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000 vs
|  conn clear-or-private mark 0/00000000, 0/00000000
| route owner of "private-or-clear#192.1.2.0/24" unrouted: NULL; eroute owner: NULL
| route_and_eroute with c: private-or-clear#192.1.2.0/24 (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: #0
| shunt_eroute() called for connection 'private-or-clear#192.1.2.0/24' to 'add' for rt_kind 'prospective erouted' using protoports 0--0->-0
| netlink_shunt_eroute for proto 0, and source port 0 dest port 0
| priority calculation of connection "private-or-clear#192.1.2.0/24" is 0x17dfe7
| IPsec Sa SPD priority set to 1564647
| priority calculation of connection "private-or-clear#192.1.2.0/24" is 0x17dfe7
| route_and_eroute: firewall_notified: true
| running updown command "ipsec _updown" for verb prepare 
| command executing prepare-host
| executing prepare-host: PLUTO_VERB='prepare-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='private-or-clear#192.1.2.0/24' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.45' PLUTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' PLUTO_MY_CLIENT='192.1.2.45/32' PLUTO_MY_CLIENT_NET='192.1.2.45' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16424' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='%fromcert' PLUTO_PEER_CLIENT='192.1.2.0/24' PLUTO_PEER_CLIENT_NET='192.1.2.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+NEGO_PASS+OPPORTUNISTIC+GROUPINSTANCE+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failurePASS' PLUTO_CONN_KIND='CK_TEMPLATE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PL
| popen cmd is 1214 chars long
| cmd(   0):PLUTO_VERB='prepare-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='private-or-clear:
| cmd(  80):#192.1.2.0/24' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192:
| cmd( 160):.1.2.45' PLUTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Departme:
| cmd( 240):nt, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' PLUTO_MY_C:
| cmd( 320):LIENT='192.1.2.45/32' PLUTO_MY_CLIENT_NET='192.1.2.45' PLUTO_MY_CLIENT_MASK='255:
| cmd( 400):.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16424' PLU:
| cmd( 480):TO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='%fromcert' PLUTO_PEER_CLIE:
| cmd( 560):NT='192.1.2.0/24' PLUTO_PEER_CLIENT_NET='192.1.2.0' PLUTO_PEER_CLIENT_MASK='255.:
| cmd( 640):255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_ST:
| cmd( 720):ACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+NEGO:
| cmd( 800):_PASS+OPPORTUNISTIC+GROUPINSTANCE+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+:
| cmd( 880):failurePASS' PLUTO_CONN_KIND='CK_TEMPLATE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FA:
| cmd( 960):ILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' :
| cmd(1040):PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGUR:
| cmd(1120):ED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipse:
| cmd(1200):c _updown 2>&1:
| running updown command "ipsec _updown" for verb route 
| command executing route-host
| executing route-host: PLUTO_VERB='route-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='private-or-clear#192.1.2.0/24' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.45' PLUTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' PLUTO_MY_CLIENT='192.1.2.45/32' PLUTO_MY_CLIENT_NET='192.1.2.45' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16424' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='%fromcert' PLUTO_PEER_CLIENT='192.1.2.0/24' PLUTO_PEER_CLIENT_NET='192.1.2.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+NEGO_PASS+OPPORTUNISTIC+GROUPINSTANCE+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failurePASS' PLUTO_CONN_KIND='CK_TEMPLATE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_
| popen cmd is 1212 chars long
| cmd(   0):PLUTO_VERB='route-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='private-or-clear#1:
| cmd(  80):92.1.2.0/24' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1:
| cmd( 160):.2.45' PLUTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department:
| cmd( 240):, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' PLUTO_MY_CLI:
| cmd( 320):ENT='192.1.2.45/32' PLUTO_MY_CLIENT_NET='192.1.2.45' PLUTO_MY_CLIENT_MASK='255.2:
| cmd( 400):55.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16424' PLUTO:
| cmd( 480):_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='%fromcert' PLUTO_PEER_CLIENT:
| cmd( 560):='192.1.2.0/24' PLUTO_PEER_CLIENT_NET='192.1.2.0' PLUTO_PEER_CLIENT_MASK='255.25:
| cmd( 640):5.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STAC:
| cmd( 720):K='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+NEGO_P:
| cmd( 800):ASS+OPPORTUNISTIC+GROUPINSTANCE+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+fa:
| cmd( 880):ilurePASS' PLUTO_CONN_KIND='CK_TEMPLATE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAIL:
| cmd( 960):ED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PL:
| cmd(1040):UTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED:
| cmd(1120):='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec :
| cmd(1200):_updown 2>&1:
| suspend processing: connection "private-or-clear#192.1.2.0/24" (in route_group() at foodgroups.c:439)
| start processing: connection "private-or-clear" (in route_group() at foodgroups.c:439)
| stop processing: connection "private-or-clear" (in whack_route_connection() at rcv_whack.c:116)
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.784 milliseconds in whack
| processing signal PLUTO_SIGCHLD
| waitpid returned nothing left to do (all child processes are busy)
| spent 0.0031 milliseconds in signal handler PLUTO_SIGCHLD
| processing signal PLUTO_SIGCHLD
| waitpid returned nothing left to do (all child processes are busy)
| spent 0.00204 milliseconds in signal handler PLUTO_SIGCHLD
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
| FOR_EACH_CONNECTION_... in conn_by_name
| start processing: connection "private" (in whack_route_connection() at rcv_whack.c:106)
| stop processing: connection "private" (in whack_route_connection() at rcv_whack.c:116)
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.025 milliseconds in whack
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
| FOR_EACH_CONNECTION_... in conn_by_name
| start processing: connection "block" (in whack_route_connection() at rcv_whack.c:106)
| stop processing: connection "block" (in whack_route_connection() at rcv_whack.c:116)
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.0201 milliseconds in whack
| processing signal PLUTO_SIGCHLD
| waitpid returned pid 1966 (exited with status 0)
| reaped addconn helper child (status 0)
| waitpid returned ECHILD (no child processes left)
| spent 0.0175 milliseconds in signal handler PLUTO_SIGCHLD