FIPS Product: YES
FIPS Kernel: NO
FIPS Mode: NO
NSS DB directory: sql:/etc/ipsec.d
Initializing NSS
Opening NSS database "sql:/etc/ipsec.d" read-only
NSS initialized
NSS crypto library initialized
FIPS HMAC integrity support [enabled]
FIPS mode disabled for pluto daemon
FIPS HMAC integrity verification self-test FAILED
libcap-ng support [enabled]
Linux audit support [enabled]
Linux audit activated
Starting Pluto (Libreswan Version v3.28-685-gbfd5aef521-master-s2 XFRM(netkey) esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) DNSSEC FIPS_CHECK LABELED_IPSEC SECCOMP LIBCAP_NG LINUX_AUDIT XAUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:23750
core dump dir: /tmp
secrets file: /etc/ipsec.secrets
leak-detective enabled
NSS crypto [enabled]
XAUTH PAM support [enabled]
| libevent is using pluto's memory allocator
Initializing libevent in pthreads mode: headers: 2.1.8-stable (2010800); library: 2.1.8-stable (2010800)
| libevent_malloc: new ptr-libevent@0x563e9cbb9cf8 size 40
| libevent_malloc: new ptr-libevent@0x563e9cbb9c78 size 40
| libevent_malloc: new ptr-libevent@0x563e9cbb9bf8 size 40
| creating event base
| libevent_malloc: new ptr-libevent@0x563e9cbab828 size 56
| libevent_malloc: new ptr-libevent@0x563e9cb352f8 size 664
| libevent_malloc: new ptr-libevent@0x563e9cbf42b8 size 24
| libevent_malloc: new ptr-libevent@0x563e9cbf4308 size 384
| libevent_malloc: new ptr-libevent@0x563e9cbf4278 size 16
| libevent_malloc: new ptr-libevent@0x563e9cbb9b78 size 40
| libevent_malloc: new ptr-libevent@0x563e9cbb9af8 size 48
| libevent_realloc: new ptr-libevent@0x563e9cb41818 size 256
| libevent_malloc: new ptr-libevent@0x563e9cbf44b8 size 16
| libevent_free: release ptr-libevent@0x563e9cbab828
| libevent initialized
| libevent_realloc: new ptr-libevent@0x563e9cbab828 size 64
| global periodic timer EVENT_RESET_LOG_RATE_LIMIT enabled with interval of 3600 seconds
| init_nat_traversal() initialized with keep_alive=0s
NAT-Traversal support [enabled]
| global one-shot timer EVENT_NAT_T_KEEPALIVE initialized
| global one-shot timer EVENT_FREE_ROOT_CERTS initialized
| global periodic timer EVENT_REINIT_SECRET enabled with interval of 3600 seconds
| global one-shot timer EVENT_REVIVE_CONNS initialized
| global periodic timer EVENT_PENDING_DDNS enabled with interval of 60 seconds
| global periodic timer EVENT_PENDING_PHASE2 enabled with interval of 120 seconds
Encryption algorithms:
AES_CCM_16 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm, aes_ccm_c
AES_CCM_12 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_b
AES_CCM_8 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_a
3DES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS [*192] 3des
CAMELLIA_CTR IKEv1: ESP IKEv2: ESP {256,192,*128}
CAMELLIA_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} camellia
AES_GCM_16 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm, aes_gcm_c
AES_GCM_12 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_b
AES_GCM_8 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_a
AES_CTR IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aesctr
AES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aes
SERPENT_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} serpent
TWOFISH_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} twofish
TWOFISH_SSH IKEv1: IKE IKEv2: IKE ESP {256,192,*128} twofish_cbc_ssh
NULL_AUTH_AES_GMAC IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_gmac
NULL IKEv1: ESP IKEv2: ESP []
CHACHA20_POLY1305 IKEv1: IKEv2: IKE ESP [*256] chacha20poly1305
Hash algorithms:
MD5 IKEv1: IKE IKEv2:
SHA1 IKEv1: IKE IKEv2: FIPS sha
SHA2_256 IKEv1: IKE IKEv2: FIPS sha2, sha256
SHA2_384 IKEv1: IKE IKEv2: FIPS sha384
SHA2_512 IKEv1: IKE IKEv2: FIPS sha512
PRF algorithms:
HMAC_MD5 IKEv1: IKE IKEv2: IKE md5
HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS sha, sha1
HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS sha2, sha256, sha2_256
HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS sha384, sha2_384
HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS sha512, sha2_512
AES_XCBC IKEv1: IKEv2: IKE aes128_xcbc
Integrity algorithms:
HMAC_MD5_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH md5, hmac_md5
HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha, sha1, sha1_96, hmac_sha1
HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha512, sha2_512, sha2_512_256, hmac_sha2_512
HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha384, sha2_384, sha2_384_192, hmac_sha2_384
HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256
HMAC_SHA2_256_TRUNCBUG IKEv1: ESP AH IKEv2: AH
AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP AH aes_xcbc, aes128_xcbc, aes128_xcbc_96
AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS aes_cmac
NONE IKEv1: ESP IKEv2: IKE ESP FIPS null
DH algorithms:
NONE IKEv1: IKEv2: IKE ESP AH FIPS null, dh0
MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH dh5
MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh14
MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh15
MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh16
MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh17
MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh18
DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_256, ecp256
DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_384, ecp384
DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_521, ecp521
DH31 IKEv1: IKE IKEv2: IKE ESP AH curve25519
testing CAMELLIA_CBC:
Camellia: 16 bytes with 128-bit key
Camellia: 16 bytes with 128-bit key
Camellia: 16 bytes with 256-bit key
Camellia: 16 bytes with 256-bit key
testing AES_GCM_16:
empty string
one block
two blocks
two blocks with associated data
testing AES_CTR:
Encrypting 16 octets using AES-CTR with 128-bit key
Encrypting 32 octets using AES-CTR with 128-bit key
Encrypting 36 octets using AES-CTR with 128-bit key
Encrypting 16 octets using AES-CTR with 192-bit key
Encrypting 32 octets using AES-CTR with 192-bit key
Encrypting 36 octets using AES-CTR with 192-bit key
Encrypting 16 octets using AES-CTR with 256-bit key
Encrypting 32 octets using AES-CTR with 256-bit key
Encrypting 36 octets using AES-CTR with 256-bit key
testing AES_CBC:
Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key
Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key
Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key
Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key
testing AES_XCBC:
RFC 3566 Test Case #1: AES-XCBC-MAC-96 with 0-byte input
RFC 3566 Test Case #2: AES-XCBC-MAC-96 with 3-byte input
RFC 3566 Test Case #3: AES-XCBC-MAC-96 with 16-byte input
RFC 3566 Test Case #4: AES-XCBC-MAC-96 with 20-byte input
RFC 3566 Test Case #5: AES-XCBC-MAC-96 with 32-byte input
RFC 3566 Test Case #6: AES-XCBC-MAC-96 with 34-byte input
RFC 3566 Test Case #7: AES-XCBC-MAC-96 with 1000-byte input
RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 16)
RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10)
RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18)
testing HMAC_MD5:
RFC 2104: MD5_HMAC test 1
RFC 2104: MD5_HMAC test 2
RFC 2104: MD5_HMAC test 3
8 CPU cores online
starting up 7 crypto helpers
started thread for crypto helper 0
| starting up helper thread 0
started thread for crypto helper 1
| status value returned by setting the priority of this thread (crypto helper 0) 22
| crypto helper 0 waiting (nothing to do)
| starting up helper thread 1
started thread for crypto helper 2
| status value returned by setting the priority of this thread (crypto helper 1) 22
| crypto helper 1 waiting (nothing to do)
| starting up helper thread 2
| status value returned by setting the priority of this thread (crypto helper 2) 22
| crypto helper 2 waiting (nothing to do)
started thread for crypto helper 3
| starting up helper thread 3
| status value returned by setting the priority of this thread (crypto helper 3) 22
started thread for crypto helper 4
| crypto helper 3 waiting (nothing to do)
| starting up helper thread 4
| status value returned by setting the priority of this thread (crypto helper 4) 22
| crypto helper 4 waiting (nothing to do)
started thread for crypto helper 5
| starting up helper thread 5
| status value returned by setting the priority of this thread (crypto helper 5) 22
| crypto helper 5 waiting (nothing to do)
started thread for crypto helper 6
| checking IKEv1 state table
| MAIN_R0: category: half-open IKE SA flags: 0:
| -> MAIN_R1 EVENT_SO_DISCARD
| MAIN_I1: category: half-open IKE SA flags: 0:
| -> MAIN_I2 EVENT_RETRANSMIT
| MAIN_R1: category: open IKE SA flags: 200:
| -> MAIN_R2 EVENT_RETRANSMIT
| -> UNDEFINED EVENT_RETRANSMIT
| -> UNDEFINED EVENT_RETRANSMIT
| MAIN_I2: category: open IKE SA flags: 0:
| -> MAIN_I3 EVENT_RETRANSMIT
| -> UNDEFINED EVENT_RETRANSMIT
| -> UNDEFINED EVENT_RETRANSMIT
| MAIN_R2: category: open IKE SA flags: 0:
| -> MAIN_R3 EVENT_SA_REPLACE
| -> MAIN_R3 EVENT_SA_REPLACE
| -> UNDEFINED EVENT_SA_REPLACE
| MAIN_I3: category: open IKE SA flags: 0:
| -> MAIN_I4 EVENT_SA_REPLACE
| -> MAIN_I4 EVENT_SA_REPLACE
| -> UNDEFINED EVENT_SA_REPLACE
| MAIN_R3: category: established IKE SA flags: 200:
| -> UNDEFINED EVENT_NULL
| MAIN_I4: category: established IKE SA flags: 0:
| -> UNDEFINED EVENT_NULL
| AGGR_R0: category: half-open IKE SA flags: 0:
| -> AGGR_R1 EVENT_SO_DISCARD
| AGGR_I1: category: half-open IKE SA flags: 0:
| -> AGGR_I2 EVENT_SA_REPLACE
| -> AGGR_I2 EVENT_SA_REPLACE
| AGGR_R1: category: open IKE SA flags: 200:
| -> AGGR_R2 EVENT_SA_REPLACE
| -> AGGR_R2 EVENT_SA_REPLACE
| AGGR_I2: category: established IKE SA flags: 200:
| -> UNDEFINED EVENT_NULL
| AGGR_R2: category: established IKE SA flags: 0:
| -> UNDEFINED EVENT_NULL
| QUICK_R0: category: established CHILD SA flags: 0:
| -> QUICK_R1 EVENT_RETRANSMIT
| QUICK_I1: category: established CHILD SA flags: 0:
| -> QUICK_I2 EVENT_SA_REPLACE
| QUICK_R1: category: established CHILD SA flags: 0:
| -> QUICK_R2 EVENT_SA_REPLACE
| QUICK_I2: category: established CHILD SA flags: 200:
| -> UNDEFINED EVENT_NULL
| QUICK_R2: category: established CHILD SA flags: 0:
| -> UNDEFINED EVENT_NULL
| INFO: category: informational flags: 0:
| -> UNDEFINED EVENT_NULL
| INFO_PROTECTED: category: informational flags: 0:
| -> UNDEFINED EVENT_NULL
| XAUTH_R0: category: established IKE SA flags: 0:
| -> XAUTH_R1 EVENT_NULL
| XAUTH_R1: category: established IKE SA flags: 0:
| -> MAIN_R3 EVENT_SA_REPLACE
| MODE_CFG_R0: category: informational flags: 0:
| -> MODE_CFG_R1 EVENT_SA_REPLACE
| MODE_CFG_R1: category: established IKE SA flags: 0:
| -> MODE_CFG_R2 EVENT_SA_REPLACE
| MODE_CFG_R2: category: established IKE SA flags: 0:
| -> UNDEFINED EVENT_NULL
| MODE_CFG_I1: category: established IKE SA flags: 0:
| -> MAIN_I4 EVENT_SA_REPLACE
| XAUTH_I0: category: established IKE SA flags: 0:
| -> XAUTH_I1 EVENT_RETRANSMIT
| XAUTH_I1: category: established IKE SA flags: 0:
| -> MAIN_I4 EVENT_RETRANSMIT
| checking IKEv2 state table
| PARENT_I0: category: ignore flags: 0:
| -> PARENT_I1 EVENT_RETRANSMIT send-request (initiate IKE_SA_INIT)
| PARENT_I1: category: half-open IKE SA flags: 0:
| -> PARENT_I1 EVENT_RETAIN send-request (Initiator: process SA_INIT reply notification)
| -> PARENT_I2 EVENT_RETRANSMIT send-request (Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH)
| PARENT_I2: category: open IKE SA flags: 0:
| -> PARENT_I2 EVENT_NULL (Initiator: process INVALID_SYNTAX AUTH notification)
| -> PARENT_I2 EVENT_NULL (Initiator: process AUTHENTICATION_FAILED AUTH notification)
| -> PARENT_I2 EVENT_NULL (Initiator: process UNSUPPORTED_CRITICAL_PAYLOAD AUTH notification)
| -> V2_IPSEC_I EVENT_SA_REPLACE (Initiator: process IKE_AUTH response)
| -> PARENT_I2 EVENT_NULL (IKE SA: process IKE_AUTH response containing unknown notification)
| PARENT_I3: category: established IKE SA flags: 0:
| -> PARENT_I3 EVENT_RETAIN (I3: Informational Request)
| -> PARENT_I3 EVENT_RETAIN (I3: Informational Response)
| -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Request)
| -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Response)
| PARENT_R0: category: half-open IKE SA flags: 0:
| -> PARENT_R1 EVENT_SO_DISCARD send-request (Respond to IKE_SA_INIT)
| PARENT_R1: category: half-open IKE SA flags: 0:
| -> PARENT_R1 EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request (no SKEYSEED))
| -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request)
| PARENT_R2: category: established IKE SA flags: 0:
| -> PARENT_R2 EVENT_RETAIN (R2: process Informational Request)
| -> PARENT_R2 EVENT_RETAIN (R2: process Informational Response)
| -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Request)
| -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Response)
| V2_CREATE_I0: category: established IKE SA flags: 0:
| -> V2_CREATE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec SA)
| V2_CREATE_I: category: established IKE SA flags: 0:
| -> V2_IPSEC_I EVENT_SA_REPLACE (Process CREATE_CHILD_SA IPsec SA Response)
| V2_REKEY_IKE_I0: category: established IKE SA flags: 0:
| -> V2_REKEY_IKE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IKE Rekey)
| V2_REKEY_IKE_I: category: established IKE SA flags: 0:
| -> PARENT_I3 EVENT_SA_REPLACE (Process CREATE_CHILD_SA IKE Rekey Response)
| V2_REKEY_CHILD_I0: category: established IKE SA flags: 0:
| -> V2_REKEY_CHILD_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec Rekey SA)
| V2_REKEY_CHILD_I: category: established IKE SA flags: 0: <none>
| V2_CREATE_R: category: established IKE SA flags: 0:
| -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IPsec SA Request)
| V2_REKEY_IKE_R: category: established IKE SA flags: 0:
| -> PARENT_R2 EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IKE Rekey)
| V2_REKEY_CHILD_R: category: established IKE SA flags: 0: <none>
| V2_IPSEC_I: category: established CHILD SA flags: 0: <none>
| V2_IPSEC_R: category: established CHILD SA flags: 0: <none>
| IKESA_DEL: category: established IKE SA flags: 0:
| -> IKESA_DEL EVENT_RETAIN (IKE_SA_DEL: process INFORMATIONAL)
| CHILDSA_DEL: category: informational flags: 0: <none>
Using Linux XFRM/NETKEY IPsec interface code on 5.1.18-200.fc29.x86_64
| Hard-wiring algorithms
| adding AES_CCM_16 to kernel algorithm db
| adding AES_CCM_12 to kernel algorithm db
| adding AES_CCM_8 to kernel algorithm db
| adding 3DES_CBC to kernel algorithm db
| adding CAMELLIA_CBC to kernel algorithm db
| adding AES_GCM_16 to kernel algorithm db
| adding AES_GCM_12 to kernel algorithm db
| adding AES_GCM_8 to kernel algorithm db
| adding AES_CTR to kernel algorithm db
| adding AES_CBC to kernel algorithm db
| adding SERPENT_CBC to kernel algorithm db
| adding TWOFISH_CBC to kernel algorithm db
| adding NULL_AUTH_AES_GMAC to kernel algorithm db
| adding NULL to kernel algorithm db
| adding CHACHA20_POLY1305 to kernel algorithm db
| adding HMAC_MD5_96 to kernel algorithm db
| adding HMAC_SHA1_96 to kernel algorithm db
| adding HMAC_SHA2_512_256 to kernel algorithm db
| adding HMAC_SHA2_384_192 to kernel algorithm db
| adding HMAC_SHA2_256_128 to kernel algorithm db
| adding HMAC_SHA2_256_TRUNCBUG to kernel algorithm db
| adding AES_XCBC_96 to kernel algorithm db
| adding AES_CMAC_96 to kernel algorithm db
| adding NONE to kernel algorithm db
| net.ipv6.conf.all.disable_ipv6=1 ignore ipv6 holes
| global periodic timer EVENT_SHUNT_SCAN enabled with interval of 20 seconds
| setup kernel fd callback
| add_fd_read_event_handler: new KERNEL_XRM_FD-pe@0x563e9cbb3a18
| libevent_malloc: new ptr-libevent@0x563e9cbf2938 size 128
| libevent_malloc: new ptr-libevent@0x563e9cbf9ab8 size 16
| add_fd_read_event_handler: new KERNEL_ROUTE_FD-pe@0x563e9cbf9a48
| libevent_malloc: new ptr-libevent@0x563e9cbf29e8 size 128
| libevent_malloc: new ptr-libevent@0x563e9cbf9718 size 16
| global one-shot timer EVENT_CHECK_CRLS initialized
selinux support is enabled.
| unbound context created - setting debug level to 5
| /etc/hosts lookups activated
| /etc/resolv.conf usage activated
| outgoing-port-avoid set 0-65535
| outgoing-port-permit set 32768-60999
| Loading dnssec root key from:/var/lib/unbound/root.key
| No additional dnssec trust anchors defined via dnssec-trusted= option
| Setting up events, loop start
| add_fd_read_event_handler: new PLUTO_CTL_FD-pe@0x563e9cbf9ee8
| libevent_malloc: new ptr-libevent@0x563e9cc05d48 size 128
| libevent_malloc: new ptr-libevent@0x563e9cc11038 size 16
| libevent_realloc: new ptr-libevent@0x563e9cc11078 size 256
| libevent_malloc: new ptr-libevent@0x563e9cc111a8 size 8
| libevent_realloc: new ptr-libevent@0x563e9cc111e8 size 144
| libevent_malloc: new ptr-libevent@0x563e9cbb7fe8 size 152
| libevent_malloc: new ptr-libevent@0x563e9cc112a8 size 16
| signal event handler PLUTO_SIGCHLD installed
| libevent_malloc: new ptr-libevent@0x563e9cc112e8 size 8
| libevent_malloc: new ptr-libevent@0x563e9cb256b8 size 152
| signal event handler PLUTO_SIGTERM installed
| libevent_malloc: new ptr-libevent@0x563e9cc11328 size 8
| libevent_malloc: new ptr-libevent@0x563e9cb3aa88 size 152
| signal event handler PLUTO_SIGHUP installed
| libevent_malloc: new ptr-libevent@0x563e9cc11368 size 8
| libevent_realloc: release ptr-libevent@0x563e9cc111e8
| libevent_realloc: new ptr-libevent@0x563e9cc113a8 size 256
| libevent_malloc: new ptr-libevent@0x563e9cc114d8 size 152
| signal event handler PLUTO_SIGSYS installed
| starting up helper thread 6
| created addconn helper (pid:23794) using fork+execve
| forked child 23794
| status value returned by setting the priority of this thread (crypto helper 6) 22
| crypto helper 6 waiting (nothing to do)
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
listening for IKE messages
| Inspecting interface lo
| found lo with address 127.0.0.1
| Inspecting interface eth0
| found eth0 with address 192.1.3.209
Kernel supports NIC esp-hw-offload
adding interface eth0/eth0 (esp-hw-offload not supported by kernel) 192.1.3.209:500
| NAT-Traversal: Trying sockopt style NAT-T
| NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4
adding interface eth0/eth0 192.1.3.209:4500
adding interface lo/lo (esp-hw-offload not supported by kernel) 127.0.0.1:500
| NAT-Traversal: Trying sockopt style NAT-T
| NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4
adding interface lo/lo 127.0.0.1:4500
| no interfaces to sort
| FOR_EACH_UNORIENTED_CONNECTION_... in check_orientations
| add_fd_read_event_handler: new ethX-pe@0x563e9cc118d8
| libevent_malloc: new ptr-libevent@0x563e9cc05c98 size 128
| libevent_malloc: new ptr-libevent@0x563e9cc11948 size 16
| setup callback for interface lo 127.0.0.1:4500 fd 20
| add_fd_read_event_handler: new ethX-pe@0x563e9cc11988
| libevent_malloc: new ptr-libevent@0x563e9cbac568 size 128
| libevent_malloc: new ptr-libevent@0x563e9cc119f8 size 16
| setup callback for interface lo 127.0.0.1:500 fd 19
| add_fd_read_event_handler: new ethX-pe@0x563e9cc11a38
| libevent_malloc: new ptr-libevent@0x563e9cbac618 size 128
| libevent_malloc: new ptr-libevent@0x563e9cc11aa8 size 16
| setup callback for interface eth0 192.1.3.209:4500 fd 18
| add_fd_read_event_handler: new ethX-pe@0x563e9cc11ae8
| libevent_malloc: new ptr-libevent@0x563e9cbab548 size 128
| libevent_malloc: new ptr-libevent@0x563e9cc11b58 size 16
| setup callback for interface eth0 192.1.3.209:500 fd 17
| certs and keys locked by 'free_preshared_secrets'
| certs and keys unlocked by 'free_preshared_secrets'
loading secrets from "/etc/ipsec.secrets"
| saving Modulus
| saving PublicExponent
| computed rsa CKAID 1a 15 cc e8 92 73 43 9c 2b f4 20 2a c1 06 6e f2
| computed rsa CKAID 59 b0 ef 45
loaded private key for keyid: PKK_RSA:AQPHFfpyJ
| certs and keys locked by 'process_secret'
| certs and keys unlocked by 'process_secret'
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 1.27 milliseconds in whack
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in foreach_connection_by_alias
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in foreach_connection_by_alias
| FOR_EACH_CONNECTION_... in conn_by_name
| Added new connection clear with policy AUTH_NEVER+GROUP+PASS+NEVER_NEGOTIATE
| counting wild cards for (none) is 15
| counting wild cards for (none) is 15
| connect_to_host_pair: 192.1.3.209:500 0.0.0.0:500 -> hp@(nil): none
| new hp@0x563e9cc12ac8
added connection description "clear"
| ike_life: 0s; ipsec_life: 0s; rekey_margin: 0s; rekey_fuzz: 0%; keyingtries: 0; replay_window: 0; policy: AUTH_NEVER+GROUP+PASS+NEVER_NEGOTIATE
| 192.1.3.209---192.1.3.254...%group
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.102 milliseconds in whack
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in foreach_connection_by_alias
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in foreach_connection_by_alias
| FOR_EACH_CONNECTION_... in conn_by_name
| Added new connection clear-or-private with policy ENCRYPT+TUNNEL+PFS+NEGO_PASS+OPPORTUNISTIC+GROUP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failurePASS
| ike (phase1) algorithm values: AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31
| from whack: got --esp=
| ESP/AH string values: AES_GCM_16_256-NONE, AES_GCM_16_128-NONE, AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128, AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128
| setting ID to ID_DER_ASN1_DN: 'E=user-road@testing.libreswan.org,CN=road.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA'
| loading left certificate 'road' pubkey
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x563e9cc15878
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x563e9cc15828
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x563e9cc156e8
| unreference key: 0x563e9cc18738 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org cnt 1--
| certs and keys locked by 'lsw_add_rsa_secret'
| certs and keys unlocked by 'lsw_add_rsa_secret'
| counting wild cards for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org is 0
| counting wild cards for ID_NULL is 0
| find_host_pair: comparing 192.1.3.209:500 to 0.0.0.0:500 but ignoring ports
| connect_to_host_pair: 192.1.3.209:500 0.0.0.0:500 -> hp@0x563e9cc12ac8: clear
added connection description "clear-or-private"
| ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: RSASIG+ENCRYPT+TUNNEL+PFS+NEGO_PASS+OPPORTUNISTIC+GROUP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failurePASS
| 192.1.3.209[C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org]---192.1.3.254...%opportunisticgroup[ID_NULL]
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 1.23 milliseconds in whack
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in foreach_connection_by_alias
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in foreach_connection_by_alias
| FOR_EACH_CONNECTION_... in conn_by_name
| Added new connection private-or-clear with policy ENCRYPT+TUNNEL+PFS+NEGO_PASS+OPPORTUNISTIC+GROUP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failurePASS
| ike (phase1) algorithm values: AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31
| from whack: got --esp=
| ESP/AH string values: AES_GCM_16_256-NONE, AES_GCM_16_128-NONE, AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128, AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128
| setting ID to ID_DER_ASN1_DN: 'E=user-road@testing.libreswan.org,CN=road.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA'
| loading left certificate 'road' pubkey
| unreference key: 0x563e9cc19f08 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org cnt 1--
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x563e9cc1bdf8
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x563e9cc1bda8
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x563e9cc1c638
| unreference key: 0x563e9cc18da8 @road.testing.libreswan.org cnt 1--
| unreference key: 0x563e9cc199b8 user-road@testing.libreswan.org cnt 1--
| unreference key: 0x563e9cc1c0a8 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org cnt 1--
| secrets entry for road already exists
| counting wild cards for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org is 0
| counting wild cards for ID_NULL is 0
| find_host_pair: comparing 192.1.3.209:500 to 0.0.0.0:500 but ignoring ports
| connect_to_host_pair: 192.1.3.209:500 0.0.0.0:500 -> hp@0x563e9cc12ac8: clear-or-private
added connection description "private-or-clear"
| ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: RSASIG+ENCRYPT+TUNNEL+PFS+NEGO_PASS+OPPORTUNISTIC+GROUP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failurePASS
| 192.1.3.209[C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org]---192.1.3.254...%opportunisticgroup[ID_NULL]
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.523 milliseconds in whack
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in foreach_connection_by_alias
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in foreach_connection_by_alias
| FOR_EACH_CONNECTION_... in conn_by_name
| Added new connection private with policy ENCRYPT+TUNNEL+PFS+OPPORTUNISTIC+GROUP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failureDROP
| ike (phase1) algorithm values: AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31
| from whack: got --esp=
| ESP/AH string values: AES_GCM_16_256-NONE, AES_GCM_16_128-NONE, AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128, AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128
| setting ID to ID_DER_ASN1_DN: 'E=user-road@testing.libreswan.org,CN=road.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA'
| loading left certificate 'road' pubkey
| unreference key: 0x563e9cc199b8 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org cnt 1--
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x563e9cc1df98
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x563e9cc1df48
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x563e9cc1e8c8
| unreference key: 0x563e9cc18738 @road.testing.libreswan.org cnt 1--
| unreference key: 0x563e9cc18da8 user-road@testing.libreswan.org cnt 1--
| unreference key: 0x563e9cc1dfe8 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org cnt 1--
| secrets entry for road already exists
| counting wild cards for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org is 0
| counting wild cards for ID_NULL is 0
| find_host_pair: comparing 192.1.3.209:500 to 0.0.0.0:500 but ignoring ports
| connect_to_host_pair: 192.1.3.209:500 0.0.0.0:500 -> hp@0x563e9cc12ac8: private-or-clear
added connection description "private"
| ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: RSASIG+ENCRYPT+TUNNEL+PFS+OPPORTUNISTIC+GROUP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failureDROP
| 192.1.3.209[C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org]---192.1.3.254...%opportunisticgroup[ID_NULL]
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.497 milliseconds in whack
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in foreach_connection_by_alias
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in foreach_connection_by_alias
| FOR_EACH_CONNECTION_... in conn_by_name
| Added new connection block with policy AUTH_NEVER+GROUP+REJECT+NEVER_NEGOTIATE
| counting wild cards for (none) is 15
| counting wild cards for (none) is 15
| find_host_pair: comparing 192.1.3.209:500 to 0.0.0.0:500 but ignoring ports
| connect_to_host_pair: 192.1.3.209:500 0.0.0.0:500 -> hp@0x563e9cc12ac8: private
added connection description "block"
| ike_life: 0s; ipsec_life: 0s; rekey_margin: 0s; rekey_fuzz: 0%; keyingtries: 0; replay_window: 0; policy: AUTH_NEVER+GROUP+REJECT+NEVER_NEGOTIATE
| 192.1.3.209---192.1.3.254...%group
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.0583 milliseconds in whack
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in foreach_connection_by_alias
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in foreach_connection_by_alias
| FOR_EACH_CONNECTION_... in conn_by_name
| Added new connection private-or-clear-all with policy ENCRYPT+TUNNEL+PFS+NEGO_PASS+OPPORTUNISTIC+GROUP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failurePASS
| ike (phase1) algorithm values: AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31
| from whack: got --esp=
| ESP/AH string values: AES_GCM_16_256-NONE, AES_GCM_16_128-NONE, AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128, AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128
| setting ID to ID_DER_ASN1_DN: 'E=user-road@testing.libreswan.org,CN=road.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA'
| loading left certificate 'road' pubkey
| unreference key: 0x563e9cc18da8 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org cnt 1--
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x563e9cc205a8
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x563e9cc20558
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x563e9cc20ed8
| unreference key: 0x563e9cc1c0a8 @road.testing.libreswan.org cnt 1--
| unreference key: 0x563e9cc18738 user-road@testing.libreswan.org cnt 1--
| unreference key: 0x563e9cc205f8 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org cnt 1--
| secrets entry for road already exists
| counting wild cards for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org is 0
| counting wild cards for ID_NULL is 0
| find_host_pair: comparing 192.1.3.209:500 to 0.0.0.0:500 but ignoring ports
| connect_to_host_pair: 192.1.3.209:500 0.0.0.0:500 -> hp@0x563e9cc12ac8: block
added connection description "private-or-clear-all"
| ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: RSASIG+ENCRYPT+TUNNEL+PFS+NEGO_PASS+OPPORTUNISTIC+GROUP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failurePASS
| 192.1.3.209[C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org]---192.1.3.254...%opportunisticgroup[ID_NULL]
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.491 milliseconds in whack
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in conn_by_name
| start processing: connection "private-or-clear-all" (in delete_connection() at connections.c:189)
| Deleting states for connection - not including other IPsec SA's
| pass 0
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| pass 1
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| flush revival: connection 'private-or-clear-all' wasn't on the list
| stop processing: connection "private-or-clear-all" (in discard_connection() at connections.c:249)
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in conn_by_name
| Added new connection private-or-clear-all with policy ENCRYPT+TUNNEL+PFS+NEGO_PASS+OPPORTUNISTIC+GROUP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failurePASS
| ike (phase1) algorithm values: AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31
| from whack: got --esp=
| ESP/AH string values: AES_GCM_16_256-NONE, AES_GCM_16_128-NONE, AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128, AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128
| setting ID to ID_DER_ASN1_DN: 'E=user-road@testing.libreswan.org,CN=road.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA'
| loading left certificate 'road' pubkey
| unreference key: 0x563e9cc18738 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org cnt 1--
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x563e9cc1e698
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x563e9cc1f1a8
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x563e9cc1e7f8
| unreference key: 0x563e9cc1dfe8 @road.testing.libreswan.org cnt 1--
| unreference key: 0x563e9cc1c0a8 user-road@testing.libreswan.org cnt 1--
| unreference key: 0x563e9cc18da8 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org cnt 1--
| secrets entry for road already exists
| counting wild cards for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org is 0
| counting wild cards for ID_NULL is 0
| find_host_pair: comparing 192.1.3.209:500 to 0.0.0.0:500 but ignoring ports
| connect_to_host_pair: 192.1.3.209:500 0.0.0.0:500 -> hp@0x563e9cc12ac8: block
added connection description "private-or-clear-all"
| ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: RSASIG+ENCRYPT+TUNNEL+PFS+NEGO_PASS+OPPORTUNISTIC+GROUP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failurePASS
| 192.1.3.209[C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org]---192.1.3.254...%opportunisticgroup[ID_NULL]
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.56 milliseconds in whack
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
listening for IKE messages
| Inspecting interface lo
| found lo with address 127.0.0.1
| Inspecting interface eth0
| found eth0 with address 192.1.3.209
| no interfaces to sort
| libevent_free: release ptr-libevent@0x563e9cc05c98
| free_event_entry: release EVENT_NULL-pe@0x563e9cc118d8
| add_fd_read_event_handler: new ethX-pe@0x563e9cc118d8
| libevent_malloc: new ptr-libevent@0x563e9cc152a8 size 128
| setup callback for interface lo 127.0.0.1:4500 fd 20
| libevent_free: release ptr-libevent@0x563e9cbac568
| free_event_entry: release EVENT_NULL-pe@0x563e9cc11988
| add_fd_read_event_handler: new ethX-pe@0x563e9cc11988
| libevent_malloc: new ptr-libevent@0x563e9cbac568 size 128
| setup callback for interface lo 127.0.0.1:500 fd 19
| libevent_free: release ptr-libevent@0x563e9cbac618
| free_event_entry: release EVENT_NULL-pe@0x563e9cc11a38
| add_fd_read_event_handler: new ethX-pe@0x563e9cc11a38
| libevent_malloc: new ptr-libevent@0x563e9cbac618 size 128
| setup callback for interface eth0 192.1.3.209:4500 fd 18
| libevent_free: release ptr-libevent@0x563e9cbab548
| free_event_entry: release EVENT_NULL-pe@0x563e9cc11ae8
| add_fd_read_event_handler: new ethX-pe@0x563e9cc11ae8
| libevent_malloc: new ptr-libevent@0x563e9cbab548 size 128
| setup callback for interface eth0 192.1.3.209:500 fd 17
| certs and keys locked by 'free_preshared_secrets'
forgetting secrets
| certs and keys unlocked by 'free_preshared_secrets'
loading secrets from "/etc/ipsec.secrets"
| saving Modulus
| saving PublicExponent
| computed rsa CKAID 1a 15 cc e8 92 73 43 9c 2b f4 20 2a c1 06 6e f2
| computed rsa CKAID 59 b0 ef 45
loaded private key for keyid: PKK_RSA:AQPHFfpyJ
| certs and keys locked by 'process_secret'
| certs and keys unlocked by 'process_secret'
| no group file "/etc/ipsec.d/policies/private-or-clear-all" (pwd:/tmp)
loading group "/etc/ipsec.d/policies/block"
loading group "/etc/ipsec.d/policies/private"
loading group "/etc/ipsec.d/policies/private-or-clear"
loading group "/etc/ipsec.d/policies/clear-or-private"
loading group "/etc/ipsec.d/policies/clear"
| 192.1.3.209/32->192.1.2.254/32 0 sport 0 dport 0 clear
| 192.1.3.209/32->192.1.3.254/32 0 sport 0 dport 0 clear
| 192.1.3.209/32->192.1.3.253/32 0 sport 0 dport 0 clear
| 192.1.3.209/32->192.1.2.253/32 0 sport 0 dport 0 clear
| 192.1.3.209/32->192.1.2.0/24 0 sport 0 dport 0 private-or-clear
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in conn_by_name
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.406 milliseconds in whack
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
| FOR_EACH_CONNECTION_... in conn_by_name
| start processing: connection "clear" (in whack_route_connection() at rcv_whack.c:106)
| FOR_EACH_CONNECTION_... in conn_by_name
| suspend processing: connection "clear" (in route_group() at foodgroups.c:435)
| start processing: connection "clear#192.1.2.254/32" 0.0.0.0 (in route_group() at foodgroups.c:435)
| could_route called for clear#192.1.2.254/32 (kind=CK_INSTANCE)
| FOR_EACH_CONNECTION_... in route_owner
| conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000
| conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
| conn clear mark 0/00000000, 0/00000000
| conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
| conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000
| conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000
| conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000
| conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000
| conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
| conn private-or-clear-all mark 0/00000000, 0/00000000
| conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
| conn block mark 0/00000000, 0/00000000
| conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
| conn private mark 0/00000000, 0/00000000
| conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
| conn private-or-clear mark 0/00000000, 0/00000000
| conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
| conn clear-or-private mark 0/00000000, 0/00000000
| route owner of "clear#192.1.2.254/32" 0.0.0.0 unrouted: NULL; eroute owner: NULL
| route_and_eroute() for proto 0, and source port 0 dest port 0
| FOR_EACH_CONNECTION_... in route_owner
| conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000
| conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
| conn clear mark 0/00000000, 0/00000000
| conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
| conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000
| conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000
| conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000
| conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000
| conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
| conn private-or-clear-all mark 0/00000000, 0/00000000
| conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
| conn block mark 0/00000000, 0/00000000
| conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
| conn private mark 0/00000000, 0/00000000
| conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
| conn private-or-clear mark 0/00000000, 0/00000000
| conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
| conn clear-or-private mark 0/00000000, 0/00000000
| route owner of "clear#192.1.2.254/32" 0.0.0.0 unrouted: NULL; eroute owner: NULL
| route_and_eroute with c: clear#192.1.2.254/32 (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: #0
| shunt_eroute() called for connection 'clear#192.1.2.254/32' to 'add' for rt_kind 'prospective erouted' using protoports 0--0->-0
| netlink_shunt_eroute for proto 0, and source port 0 dest port 0
| priority calculation of connection "clear#192.1.2.254/32" is 0x17dfdf
| netlink_raw_eroute: SPI_PASS
| IPsec Sa SPD priority set to 1564639
| priority calculation of connection "clear#192.1.2.254/32" is 0x17dfdf
| netlink_raw_eroute: SPI_PASS
| IPsec Sa SPD priority set to 1564639
| route_and_eroute: firewall_notified: true
| running updown command "ipsec _updown" for verb prepare
| command executing prepare-host
| id type with ID_NONE means wildcard match
| trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org'
| executing prepare-host: PLUTO_VERB='prepare-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.2.254/32' PLUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='192.1.3.254' PLUTO_ME='192.1.3.209' PLUTO_MY_ID='192.1.3.209' PLUTO_MY_CLIENT='192.1.3.209/32' PLUTO_MY_CLIENT_NET='192.1.3.209' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16416' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.2.254/32' PLUTO_PEER_CLIENT_NET='192.1.2.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CF
| popen cmd is 1138 chars long
| cmd( 0):PLUTO_VERB='prepare-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.2.25:
| cmd( 80):4/32' PLUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='192.1.3.254' PLUTO_ME='192.1.3.209':
| cmd( 160): PLUTO_MY_ID='192.1.3.209' PLUTO_MY_CLIENT='192.1.3.209/32' PLUTO_MY_CLIENT_NET=:
| cmd( 240):'192.1.3.209' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_:
| cmd( 320):PROTOCOL='0' PLUTO_SA_REQID='16416' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PL:
| cmd( 400):UTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.2.254/32' PLUTO_PEER_CLIENT_NET='1:
| cmd( 480):92.1.2.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_P:
| cmd( 560):EER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Tes:
| cmd( 640):t Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_ST:
| cmd( 720):ACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+:
| cmd( 800):NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUT:
| cmd( 880):H_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO:
| cmd( 960):='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONF:
| cmd(1040):IGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 :
| cmd(1120):ipsec _updown 2>&1:
| running updown command "ipsec _updown" for verb route
| command executing route-host
| id type with ID_NONE means wildcard match
| trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org'
| executing route-host: PLUTO_VERB='route-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.2.254/32' PLUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='192.1.3.254' PLUTO_ME='192.1.3.209' PLUTO_MY_ID='192.1.3.209' PLUTO_MY_CLIENT='192.1.3.209/32' PLUTO_MY_CLIENT_NET='192.1.3.209' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16416' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.2.254/32' PLUTO_PEER_CLIENT_NET='192.1.2.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SE
| popen cmd is 1136 chars long
| cmd( 0):PLUTO_VERB='route-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.2.254/:
| cmd( 80):32' PLUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='192.1.3.254' PLUTO_ME='192.1.3.209' P:
| cmd( 160):LUTO_MY_ID='192.1.3.209' PLUTO_MY_CLIENT='192.1.3.209/32' PLUTO_MY_CLIENT_NET='1:
| cmd( 240):92.1.3.209' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PR:
| cmd( 320):OTOCOL='0' PLUTO_SA_REQID='16416' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUT:
| cmd( 400):O_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.2.254/32' PLUTO_PEER_CLIENT_NET='192:
| cmd( 480):.1.2.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEE:
| cmd( 560):R_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test :
| cmd( 640):Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STAC:
| cmd( 720):K='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NE:
| cmd( 800):VER_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_:
| cmd( 880):FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO=':
| cmd( 960):' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIG:
| cmd(1040):URED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ip:
| cmd(1120):sec _updown 2>&1:
| suspend processing: connection "clear#192.1.2.254/32" 0.0.0.0 (in route_group() at foodgroups.c:439)
| start processing: connection "clear" (in route_group() at foodgroups.c:439)
| FOR_EACH_CONNECTION_... in conn_by_name
| suspend processing: connection "clear" (in route_group() at foodgroups.c:435)
| start processing: connection "clear#192.1.3.254/32" 0.0.0.0 (in route_group() at foodgroups.c:435)
| could_route called for clear#192.1.3.254/32 (kind=CK_INSTANCE)
| FOR_EACH_CONNECTION_... in route_owner
| conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000
| conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000
| conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
| conn clear mark 0/00000000, 0/00000000
| conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
| conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000
| conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000
| conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000
| conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
| conn private-or-clear-all mark 0/00000000, 0/00000000
| conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
| conn block mark 0/00000000, 0/00000000
| conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
| conn private mark 0/00000000, 0/00000000
| conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
| conn private-or-clear mark 0/00000000, 0/00000000
| conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
| conn clear-or-private mark 0/00000000, 0/00000000
| route owner of "clear#192.1.3.254/32" 0.0.0.0 unrouted: NULL; eroute owner: NULL
| route_and_eroute() for proto 0, and source port 0 dest port 0
| FOR_EACH_CONNECTION_... in route_owner
| conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000
| conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000
| conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
| conn clear mark 0/00000000, 0/00000000
| conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
| conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000
| conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000
| conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000
| conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
| conn private-or-clear-all mark 0/00000000, 0/00000000
| conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
| conn block mark 0/00000000, 0/00000000
| conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
| conn private mark 0/00000000, 0/00000000
| conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
| conn private-or-clear mark 0/00000000, 0/00000000
| conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
| conn clear-or-private mark 0/00000000, 0/00000000
| route owner of "clear#192.1.3.254/32" 0.0.0.0 unrouted: NULL; eroute owner: NULL
| route_and_eroute with c: clear#192.1.3.254/32 (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: #0
| shunt_eroute() called for connection 'clear#192.1.3.254/32' to 'add' for rt_kind 'prospective erouted' using protoports 0--0->-0
| netlink_shunt_eroute for proto 0, and source port 0 dest port 0
| priority calculation of connection "clear#192.1.3.254/32" is 0x17dfdf
| netlink_raw_eroute: SPI_PASS
| IPsec Sa SPD priority set to 1564639
| priority calculation of connection "clear#192.1.3.254/32" is 0x17dfdf
| netlink_raw_eroute: SPI_PASS
| IPsec Sa SPD priority set to 1564639
| route_and_eroute: firewall_notified: true
| running updown command "ipsec _updown" for verb prepare
| command executing prepare-host
| id type with ID_NONE means wildcard match
| trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org'
| executing prepare-host: PLUTO_VERB='prepare-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.3.254/32' PLUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='192.1.3.254' PLUTO_ME='192.1.3.209' PLUTO_MY_ID='192.1.3.209' PLUTO_MY_CLIENT='192.1.3.209/32' PLUTO_MY_CLIENT_NET='192.1.3.209' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16420' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.254/32' PLUTO_PEER_CLIENT_NET='192.1.3.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CF
| popen cmd is 1138 chars long
| cmd( 0):PLUTO_VERB='prepare-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.3.25:
| cmd( 80):4/32' PLUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='192.1.3.254' PLUTO_ME='192.1.3.209':
| cmd( 160): PLUTO_MY_ID='192.1.3.209' PLUTO_MY_CLIENT='192.1.3.209/32' PLUTO_MY_CLIENT_NET=:
| cmd( 240):'192.1.3.209' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_:
| cmd( 320):PROTOCOL='0' PLUTO_SA_REQID='16420' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PL:
| cmd( 400):UTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.254/32' PLUTO_PEER_CLIENT_NET='1:
| cmd( 480):92.1.3.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_P:
| cmd( 560):EER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Tes:
| cmd( 640):t Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_ST:
| cmd( 720):ACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+:
| cmd( 800):NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUT:
| cmd( 880):H_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO:
| cmd( 960):='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONF:
| cmd(1040):IGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 :
| cmd(1120):ipsec _updown 2>&1:
| running updown command "ipsec _updown" for verb route
| command executing route-host
| id type with ID_NONE means wildcard match
| trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org'
| executing route-host: PLUTO_VERB='route-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.3.254/32' PLUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='192.1.3.254' PLUTO_ME='192.1.3.209' PLUTO_MY_ID='192.1.3.209' PLUTO_MY_CLIENT='192.1.3.209/32' PLUTO_MY_CLIENT_NET='192.1.3.209' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16420' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.254/32' PLUTO_PEER_CLIENT_NET='192.1.3.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SE
| popen cmd is 1136 chars long
| cmd( 0):PLUTO_VERB='route-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.3.254/:
| cmd( 80):32' PLUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='192.1.3.254' PLUTO_ME='192.1.3.209' P:
| cmd( 160):LUTO_MY_ID='192.1.3.209' PLUTO_MY_CLIENT='192.1.3.209/32' PLUTO_MY_CLIENT_NET='1:
| cmd( 240):92.1.3.209' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PR:
| cmd( 320):OTOCOL='0' PLUTO_SA_REQID='16420' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUT:
| cmd( 400):O_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.254/32' PLUTO_PEER_CLIENT_NET='192:
| cmd( 480):.1.3.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEE:
| cmd( 560):R_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test :
| cmd( 640):Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STAC:
| cmd( 720):K='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NE:
| cmd( 800):VER_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_:
| cmd( 880):FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO=':
| cmd( 960):' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIG:
| cmd(1040):URED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ip:
| cmd(1120):sec _updown 2>&1:
| suspend processing: connection "clear#192.1.3.254/32" 0.0.0.0 (in route_group() at foodgroups.c:439)
| start processing: connection "clear" (in route_group() at foodgroups.c:439)
| FOR_EACH_CONNECTION_... in conn_by_name
| suspend processing: connection "clear" (in route_group() at foodgroups.c:435)
| start processing: connection "clear#192.1.3.253/32" 0.0.0.0 (in route_group() at foodgroups.c:435)
| could_route called for clear#192.1.3.253/32 (kind=CK_INSTANCE)
| FOR_EACH_CONNECTION_... in route_owner
| conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000
| conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000
| conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000
| conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
| conn clear mark 0/00000000, 0/00000000
| conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
| conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000
| conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000
| conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
| conn private-or-clear-all mark 0/00000000, 0/00000000
| conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
| conn block mark 0/00000000, 0/00000000
| conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
| conn private mark 0/00000000, 0/00000000
| conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
| conn private-or-clear mark 0/00000000, 0/00000000
| conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
| conn clear-or-private mark 0/00000000, 0/00000000
| route owner of "clear#192.1.3.253/32" 0.0.0.0 unrouted: NULL; eroute owner: NULL
| route_and_eroute() for proto 0, and source port 0 dest port 0
| FOR_EACH_CONNECTION_... in route_owner
| conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000
| conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000
| conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000
| conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
| conn clear mark 0/00000000, 0/00000000
| conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
| conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000
| conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000
| conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
| conn private-or-clear-all mark 0/00000000, 0/00000000
| conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
| conn block mark 0/00000000, 0/00000000
| conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
| conn private mark 0/00000000, 0/00000000
| conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
| conn private-or-clear mark 0/00000000, 0/00000000
| conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
| conn clear-or-private mark 0/00000000, 0/00000000
| route owner of "clear#192.1.3.253/32" 0.0.0.0 unrouted: NULL; eroute owner: NULL
| route_and_eroute with c: clear#192.1.3.253/32 (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: #0
| shunt_eroute() called for connection 'clear#192.1.3.253/32' to 'add' for rt_kind 'prospective erouted' using protoports 0--0->-0
| netlink_shunt_eroute for proto 0, and source port 0 dest port 0
| priority calculation of connection "clear#192.1.3.253/32" is 0x17dfdf
| netlink_raw_eroute: SPI_PASS
| IPsec Sa SPD priority set to 1564639
| priority calculation of connection "clear#192.1.3.253/32" is 0x17dfdf
| netlink_raw_eroute: SPI_PASS
| IPsec Sa SPD priority set to 1564639
| route_and_eroute: firewall_notified: true
| running updown command "ipsec _updown" for verb prepare
| command executing prepare-host
| id type with ID_NONE means wildcard match
| trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org'
| executing prepare-host: PLUTO_VERB='prepare-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.3.253/32' PLUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='192.1.3.254' PLUTO_ME='192.1.3.209' PLUTO_MY_ID='192.1.3.209' PLUTO_MY_CLIENT='192.1.3.209/32' PLUTO_MY_CLIENT_NET='192.1.3.209' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16424' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.253/32' PLUTO_PEER_CLIENT_NET='192.1.3.253' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CF
| popen cmd is 1138 chars long
| cmd( 0):PLUTO_VERB='prepare-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.3.25:
| cmd( 80):3/32' PLUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='192.1.3.254' PLUTO_ME='192.1.3.209':
| cmd( 160): PLUTO_MY_ID='192.1.3.209' PLUTO_MY_CLIENT='192.1.3.209/32' PLUTO_MY_CLIENT_NET=:
| cmd( 240):'192.1.3.209' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_:
| cmd( 320):PROTOCOL='0' PLUTO_SA_REQID='16424' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PL:
| cmd( 400):UTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.253/32' PLUTO_PEER_CLIENT_NET='1:
| cmd( 480):92.1.3.253' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_P:
| cmd( 560):EER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Tes:
| cmd( 640):t Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_ST:
| cmd( 720):ACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+:
| cmd( 800):NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUT:
| cmd( 880):H_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO:
| cmd( 960):='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONF:
| cmd(1040):IGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 :
| cmd(1120):ipsec _updown 2>&1:
| running updown command "ipsec _updown" for verb route
| command executing route-host
| id type with ID_NONE means wildcard match
| trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org'
| executing route-host: PLUTO_VERB='route-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.3.253/32' PLUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='192.1.3.254' PLUTO_ME='192.1.3.209' PLUTO_MY_ID='192.1.3.209' PLUTO_MY_CLIENT='192.1.3.209/32' PLUTO_MY_CLIENT_NET='192.1.3.209' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16424' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.253/32' PLUTO_PEER_CLIENT_NET='192.1.3.253' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SE
| popen cmd is 1136 chars long
| cmd( 0):PLUTO_VERB='route-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.3.253/:
| cmd( 80):32' PLUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='192.1.3.254' PLUTO_ME='192.1.3.209' P:
| cmd( 160):LUTO_MY_ID='192.1.3.209' PLUTO_MY_CLIENT='192.1.3.209/32' PLUTO_MY_CLIENT_NET='1:
| cmd( 240):92.1.3.209' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PR:
| cmd( 320):OTOCOL='0' PLUTO_SA_REQID='16424' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUT:
| cmd( 400):O_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.253/32' PLUTO_PEER_CLIENT_NET='192:
| cmd( 480):.1.3.253' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEE:
| cmd( 560):R_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test :
| cmd( 640):Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STAC:
| cmd( 720):K='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NE:
| cmd( 800):VER_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_:
| cmd( 880):FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO=':
| cmd( 960):' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIG:
| cmd(1040):URED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ip:
| cmd(1120):sec _updown 2>&1:
| suspend processing: connection "clear#192.1.3.253/32" 0.0.0.0 (in route_group() at foodgroups.c:439)
| start processing: connection "clear" (in route_group() at foodgroups.c:439)
| FOR_EACH_CONNECTION_... in conn_by_name
| suspend processing: connection "clear" (in route_group() at foodgroups.c:435)
| start processing: connection "clear#192.1.2.253/32" 0.0.0.0 (in route_group() at foodgroups.c:435)
| could_route called for clear#192.1.2.253/32 (kind=CK_INSTANCE)
| FOR_EACH_CONNECTION_... in route_owner
| conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000
| conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000
| conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000
| conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000
| conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
| conn clear mark 0/00000000, 0/00000000
| conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
| conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000
| conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
| conn private-or-clear-all mark 0/00000000, 0/00000000
| conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
| conn block mark 0/00000000, 0/00000000
| conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
| conn private mark 0/00000000, 0/00000000
| conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
| conn private-or-clear mark 0/00000000, 0/00000000
| conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
| conn clear-or-private mark 0/00000000, 0/00000000
| route owner of "clear#192.1.2.253/32" 0.0.0.0 unrouted: NULL; eroute owner: NULL
| route_and_eroute() for proto 0, and source port 0 dest port 0
| FOR_EACH_CONNECTION_... in route_owner
| conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000
| conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000
| conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000
| conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000
| conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
| conn clear mark 0/00000000, 0/00000000
| conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
| conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000
| conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
| conn private-or-clear-all mark 0/00000000, 0/00000000
| conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
| conn block mark 0/00000000, 0/00000000
| conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
| conn private mark 0/00000000, 0/00000000
| conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
| conn private-or-clear mark 0/00000000, 0/00000000
| conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
| conn clear-or-private mark 0/00000000, 0/00000000
| route owner of "clear#192.1.2.253/32" 0.0.0.0 unrouted: NULL; eroute owner: NULL
| route_and_eroute with c: clear#192.1.2.253/32 (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: #0
| shunt_eroute() called for connection 'clear#192.1.2.253/32' to 'add' for rt_kind 'prospective erouted' using protoports 0--0->-0
| netlink_shunt_eroute for proto 0, and source port 0 dest port 0
| priority calculation of connection "clear#192.1.2.253/32" is 0x17dfdf
| netlink_raw_eroute: SPI_PASS
| IPsec Sa SPD priority set to 1564639
| priority calculation of connection "clear#192.1.2.253/32" is 0x17dfdf
| netlink_raw_eroute: SPI_PASS
| IPsec Sa SPD priority set to 1564639
| route_and_eroute: firewall_notified: true
| running updown command "ipsec _updown" for verb prepare
| command executing prepare-host
| id type with ID_NONE means wildcard match
| trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org'
| executing prepare-host: PLUTO_VERB='prepare-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.2.253/32' PLUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='192.1.3.254' PLUTO_ME='192.1.3.209' PLUTO_MY_ID='192.1.3.209' PLUTO_MY_CLIENT='192.1.3.209/32' PLUTO_MY_CLIENT_NET='192.1.3.209' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16428' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.2.253/32' PLUTO_PEER_CLIENT_NET='192.1.2.253' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CF
| popen cmd is 1138 chars long
| cmd( 0):PLUTO_VERB='prepare-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.2.25:
| cmd( 80):3/32' PLUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='192.1.3.254' PLUTO_ME='192.1.3.209':
| cmd( 160): PLUTO_MY_ID='192.1.3.209' PLUTO_MY_CLIENT='192.1.3.209/32' PLUTO_MY_CLIENT_NET=:
| cmd( 240):'192.1.3.209' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_:
| cmd( 320):PROTOCOL='0' PLUTO_SA_REQID='16428' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PL:
| cmd( 400):UTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.2.253/32' PLUTO_PEER_CLIENT_NET='1:
| cmd( 480):92.1.2.253' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_P:
| cmd( 560):EER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Tes:
| cmd( 640):t Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_ST:
| cmd( 720):ACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+:
| cmd( 800):NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUT:
| cmd( 880):H_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO:
| cmd( 960):='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONF:
| cmd(1040):IGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 :
| cmd(1120):ipsec _updown 2>&1:
| running updown command "ipsec _updown" for verb route
| command executing route-host
| id type with ID_NONE means wildcard match
| trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org'
| executing route-host: PLUTO_VERB='route-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.2.253/32' PLUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='192.1.3.254' PLUTO_ME='192.1.3.209' PLUTO_MY_ID='192.1.3.209' PLUTO_MY_CLIENT='192.1.3.209/32' PLUTO_MY_CLIENT_NET='192.1.3.209' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16428' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.2.253/32' PLUTO_PEER_CLIENT_NET='192.1.2.253' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SE
| popen cmd is 1136 chars long
| cmd( 0):PLUTO_VERB='route-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.2.253/:
| cmd( 80):32' PLUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='192.1.3.254' PLUTO_ME='192.1.3.209' P:
| cmd( 160):LUTO_MY_ID='192.1.3.209' PLUTO_MY_CLIENT='192.1.3.209/32' PLUTO_MY_CLIENT_NET='1:
| cmd( 240):92.1.3.209' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PR:
| cmd( 320):OTOCOL='0' PLUTO_SA_REQID='16428' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUT:
| cmd( 400):O_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.2.253/32' PLUTO_PEER_CLIENT_NET='192:
| cmd( 480):.1.2.253' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEE:
| cmd( 560):R_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test :
| cmd( 640):Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STAC:
| cmd( 720):K='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NE:
| cmd( 800):VER_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_:
| cmd( 880):FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO=':
| cmd( 960):' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIG:
| cmd(1040):URED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ip:
| cmd(1120):sec _updown 2>&1:
| suspend processing: connection "clear#192.1.2.253/32" 0.0.0.0 (in route_group() at foodgroups.c:439)
| start processing: connection "clear" (in route_group() at foodgroups.c:439)
| stop processing: connection "clear" (in whack_route_connection() at rcv_whack.c:116)
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 3.94 milliseconds in whack
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
| old debugging base+cpu-usage + none
| base debugging = base+cpu-usage
| old impairing none + suppress-retransmits
| base impairing = suppress-retransmits
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.0262 milliseconds in whack
| processing signal PLUTO_SIGCHLD
| waitpid returned nothing left to do (all child processes are busy)
| spent 0.0031 milliseconds in signal handler PLUTO_SIGCHLD
| processing signal PLUTO_SIGCHLD
| waitpid returned nothing left to do (all child processes are busy)
| spent 0.00203 milliseconds in signal handler PLUTO_SIGCHLD
| processing signal PLUTO_SIGCHLD
| waitpid returned nothing left to do (all child processes are busy)
| spent 0.00201 milliseconds in signal handler PLUTO_SIGCHLD
| processing signal PLUTO_SIGCHLD
| waitpid returned nothing left to do (all child processes are busy)
| spent 0.00199 milliseconds in signal handler PLUTO_SIGCHLD
| processing signal PLUTO_SIGCHLD
| waitpid returned nothing left to do (all child processes are busy)
| spent 0.002 milliseconds in signal handler PLUTO_SIGCHLD
| processing signal PLUTO_SIGCHLD
| waitpid returned nothing left to do (all child processes are busy)
| spent 0.00199 milliseconds in signal handler PLUTO_SIGCHLD
| processing signal PLUTO_SIGCHLD
| waitpid returned nothing left to do (all child processes are busy)
| spent 0.00213 milliseconds in signal handler PLUTO_SIGCHLD
| processing signal PLUTO_SIGCHLD
| waitpid returned nothing left to do (all child processes are busy)
| spent 0.00201 milliseconds in signal handler PLUTO_SIGCHLD
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
| FOR_EACH_CONNECTION_... in conn_by_name
| start processing: connection "private-or-clear" (in whack_route_connection() at rcv_whack.c:106)
| FOR_EACH_CONNECTION_... in conn_by_name
| suspend processing: connection "private-or-clear" (in route_group() at foodgroups.c:435)
| start processing: connection "private-or-clear#192.1.2.0/24" (in route_group() at foodgroups.c:435)
| could_route called for private-or-clear#192.1.2.0/24 (kind=CK_TEMPLATE)
| FOR_EACH_CONNECTION_... in route_owner
| conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000 vs
| conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000
| conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000 vs
| conn private-or-clear mark 0/00000000, 0/00000000
| conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000
| conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000
| conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000
| conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000
| conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000 vs
| conn clear mark 0/00000000, 0/00000000
| conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000 vs
| conn private-or-clear-all mark 0/00000000, 0/00000000
| conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000 vs
| conn block mark 0/00000000, 0/00000000
| conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000 vs
| conn private mark 0/00000000, 0/00000000
| conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000 vs
| conn clear-or-private mark 0/00000000, 0/00000000
| route owner of "private-or-clear#192.1.2.0/24" unrouted: NULL; eroute owner: NULL
| route_and_eroute() for proto 0, and source port 0 dest port 0
| FOR_EACH_CONNECTION_... in route_owner
| conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000 vs
| conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000
| conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000 vs
| conn private-or-clear mark 0/00000000, 0/00000000
| conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000
| conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000
| conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000
| conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000
| conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000 vs
| conn clear mark 0/00000000, 0/00000000
| conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000 vs
| conn private-or-clear-all mark 0/00000000, 0/00000000
| conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000 vs
| conn block mark 0/00000000, 0/00000000
| conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000 vs
| conn private mark 0/00000000, 0/00000000
| conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000 vs
| conn clear-or-private mark 0/00000000, 0/00000000
| route owner of "private-or-clear#192.1.2.0/24" unrouted: NULL; eroute owner: NULL
| route_and_eroute with c: private-or-clear#192.1.2.0/24 (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: #0
| shunt_eroute() called for connection 'private-or-clear#192.1.2.0/24' to 'add' for rt_kind 'prospective erouted' using protoports 0--0->-0
| netlink_shunt_eroute for proto 0, and source port 0 dest port 0
| priority calculation of connection "private-or-clear#192.1.2.0/24" is 0x17dfe7
| IPsec Sa SPD priority set to 1564647
| priority calculation of connection "private-or-clear#192.1.2.0/24" is 0x17dfe7
| route_and_eroute: firewall_notified: true
| running updown command "ipsec _updown" for verb prepare
| command executing prepare-host
| executing prepare-host: PLUTO_VERB='prepare-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='private-or-clear#192.1.2.0/24' PLUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='192.1.3.254' PLUTO_ME='192.1.3.209' PLUTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org' PLUTO_MY_CLIENT='192.1.3.209/32' PLUTO_MY_CLIENT_NET='192.1.3.209' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16432' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='ID_NULL' PLUTO_PEER_CLIENT='192.1.2.0/24' PLUTO_PEER_CLIENT_NET='192.1.2.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+NEGO_PASS+OPPORTUNISTIC+GROUPINSTANCE+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failurePASS' PLUTO_CONN_KIND='CK_TEMPLATE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' P
| popen cmd is 1215 chars long
| cmd( 0):PLUTO_VERB='prepare-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='private-or-clear:
| cmd( 80):#192.1.2.0/24' PLUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='192.1.3.254' PLUTO_ME='192:
| cmd( 160):.1.3.209' PLUTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Departm:
| cmd( 240):ent, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org' PLUTO_MY_:
| cmd( 320):CLIENT='192.1.3.209/32' PLUTO_MY_CLIENT_NET='192.1.3.209' PLUTO_MY_CLIENT_MASK=':
| cmd( 400):255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16432' :
| cmd( 480):PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='ID_NULL' PLUTO_PEER_CLI:
| cmd( 560):ENT='192.1.2.0/24' PLUTO_PEER_CLIENT_NET='192.1.2.0' PLUTO_PEER_CLIENT_MASK='255:
| cmd( 640):.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_S:
| cmd( 720):TACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+NEG:
| cmd( 800):O_PASS+OPPORTUNISTIC+GROUPINSTANCE+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO:
| cmd( 880):+failurePASS' PLUTO_CONN_KIND='CK_TEMPLATE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_F:
| cmd( 960):AILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='':
| cmd(1040): PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGU:
| cmd(1120):RED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ips:
| cmd(1200):ec _updown 2>&1:
| running updown command "ipsec _updown" for verb route
| command executing route-host
| executing route-host: PLUTO_VERB='route-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='private-or-clear#192.1.2.0/24' PLUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='192.1.3.254' PLUTO_ME='192.1.3.209' PLUTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org' PLUTO_MY_CLIENT='192.1.3.209/32' PLUTO_MY_CLIENT_NET='192.1.3.209' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16432' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='ID_NULL' PLUTO_PEER_CLIENT='192.1.2.0/24' PLUTO_PEER_CLIENT_NET='192.1.2.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+NEGO_PASS+OPPORTUNISTIC+GROUPINSTANCE+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failurePASS' PLUTO_CONN_KIND='CK_TEMPLATE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO
| popen cmd is 1213 chars long
| cmd( 0):PLUTO_VERB='route-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='private-or-clear#1:
| cmd( 80):92.1.2.0/24' PLUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='192.1.3.254' PLUTO_ME='192.1:
| cmd( 160):.3.209' PLUTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Departmen:
| cmd( 240):t, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org' PLUTO_MY_CL:
| cmd( 320):IENT='192.1.3.209/32' PLUTO_MY_CLIENT_NET='192.1.3.209' PLUTO_MY_CLIENT_MASK='25:
| cmd( 400):5.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16432' PL:
| cmd( 480):UTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='ID_NULL' PLUTO_PEER_CLIEN:
| cmd( 560):T='192.1.2.0/24' PLUTO_PEER_CLIENT_NET='192.1.2.0' PLUTO_PEER_CLIENT_MASK='255.2:
| cmd( 640):55.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STA:
| cmd( 720):CK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+NEGO_:
| cmd( 800):PASS+OPPORTUNISTIC+GROUPINSTANCE+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+f:
| cmd( 880):ailurePASS' PLUTO_CONN_KIND='CK_TEMPLATE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAI:
| cmd( 960):LED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' P:
| cmd(1040):LUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURE:
| cmd(1120):D='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec:
| cmd(1200): _updown 2>&1:
| suspend processing: connection "private-or-clear#192.1.2.0/24" (in route_group() at foodgroups.c:439)
| start processing: connection "private-or-clear" (in route_group() at foodgroups.c:439)
| stop processing: connection "private-or-clear" (in whack_route_connection() at rcv_whack.c:116)
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 1.11 milliseconds in whack
| processing signal PLUTO_SIGCHLD
| waitpid returned nothing left to do (all child processes are busy)
| spent 0.00374 milliseconds in signal handler PLUTO_SIGCHLD
| processing signal PLUTO_SIGCHLD
| waitpid returned nothing left to do (all child processes are busy)
| spent 0.00525 milliseconds in signal handler PLUTO_SIGCHLD
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
| FOR_EACH_CONNECTION_... in conn_by_name
| start processing: connection "private" (in whack_route_connection() at rcv_whack.c:106)
| stop processing: connection "private" (in whack_route_connection() at rcv_whack.c:116)
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.0264 milliseconds in whack
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
| FOR_EACH_CONNECTION_... in conn_by_name
| start processing: connection "block" (in whack_route_connection() at rcv_whack.c:106)
| stop processing: connection "block" (in whack_route_connection() at rcv_whack.c:116)
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.0304 milliseconds in whack
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
| FOR_EACH_CONNECTION_... in conn_by_name
| start processing: connection "private-or-clear-all" (in whack_route_connection() at rcv_whack.c:106)
| stop processing: connection "private-or-clear-all" (in whack_route_connection() at rcv_whack.c:116)
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.0222 milliseconds in whack
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
| FOR_EACH_CONNECTION_... in conn_by_name
| start processing: connection "private-or-clear-all" (in whack_route_connection() at rcv_whack.c:106)
| stop processing: connection "private-or-clear-all" (in whack_route_connection() at rcv_whack.c:116)
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.0283 milliseconds in whack
| processing signal PLUTO_SIGCHLD
| waitpid returned pid 23794 (exited with status 0)
| reaped addconn helper child (status 0)
| waitpid returned ECHILD (no child processes left)
| spent 0.0189 milliseconds in signal handler PLUTO_SIGCHLD
| kernel_process_msg_cb process netlink message
| netlink_get: XFRM_MSG_ACQUIRE message
| xfrm netlink msg len 376
| xfrm acquire rtattribute type 5
| xfrm acquire rtattribute type 16
| add bare shunt 0x563e9cc11e08 192.1.3.209/32:8 --1--> 192.1.2.23/32:0 => %hold 0 %acquire-netlink
initiate on demand from 192.1.3.209:8 to 192.1.2.23:0 proto=1 because: acquire
| find_connection: looking for policy for connection: 192.1.3.209:1/8 -> 192.1.2.23:1/0
| FOR_EACH_CONNECTION_... in find_connection_for_clients
| find_connection: conn "private-or-clear#192.1.2.0/24" has compatible peers: 192.1.3.209/32 -> 192.1.2.0/24 [pri: 33554442]
| find_connection: first OK "private-or-clear#192.1.2.0/24" [pri:33554442]{0x563e9cc22178} (child none)
| find_connection: concluding with "private-or-clear#192.1.2.0/24" [pri:33554442]{0x563e9cc22178} kind=CK_TEMPLATE
| creating new instance from "private-or-clear#192.1.2.0/24"
| shunt widened for protoports since conn does not limit protocols
| going to initiate opportunistic, first installing pass negotiationshunt
| priority calculation of connection "private-or-clear#192.1.2.0/24" is 0x17dfe7
| oe-negotiating eroute 192.1.3.209/32:0 --0-> 192.1.2.23/32:0 => %pass (raw_eroute)
| netlink_raw_eroute: SPI_PASS
| IPsec Sa SPD priority set to 1564647
| raw_eroute result=success
| added bare (possibly wided) passthrough negotiationshunt succeeded (violating API)
| add bare shunt 0x563e9cc22978 192.1.3.209/32:0 --0--> 192.1.2.23/32:0 => %hold 0 oe-negotiating
| fiddle_bare_shunt called
| fiddle_bare_shunt with transport_proto 1
| removing specific host-to-host bare shunt
| delete bare kernel shunt - was replaced with negotiationshunt eroute 192.1.3.209/32:8 --1-> 192.1.2.23/32:0 => %hold (raw_eroute)
| netlink_raw_eroute: SPI_PASS
| raw_eroute result=success
| raw_eroute with op='delete' for transport_proto='1' kernel shunt succeeded, bare shunt lookup succeeded
| delete bare shunt 0x563e9cc11e08 192.1.3.209/32:8 --1--> 192.1.2.23/32:0 => %hold 0 %acquire-netlink
| success taking down narrow bare shunt
| find_host_pair: comparing 192.1.3.209:500 to 0.0.0.0:500 but ignoring ports
| checking private-or-clear-all
| checking block
| checking private
| checking private-or-clear
| checking private-or-clear#192.1.2.0/24
| checking clear-or-private
| checking clear
| checking clear#192.1.2.253/32
| checking clear#192.1.3.253/32
| checking clear#192.1.3.254/32
| checking clear#192.1.2.254/32
| find_host_pair: comparing 192.1.3.209:500 to 0.0.0.0:500 but ignoring ports
| checking private-or-clear-all
| checking block
| checking private
| checking private-or-clear
| checking private-or-clear#192.1.2.0/24
| checking clear-or-private
| checking clear
| checking clear#192.1.2.253/32
| checking clear#192.1.3.253/32
| checking clear#192.1.3.254/32
| checking clear#192.1.2.254/32
| connect_to_host_pair: 192.1.3.209:500 192.1.2.23:500 -> hp@(nil): none
| new hp@0x563e9cc23238
| oppo instantiate d="private-or-clear#192.1.2.0/24" from c="private-or-clear#192.1.2.0/24" with c->routing prospective erouted, d->routing unrouted
| new oppo instance: 192.1.3.209[C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org]---192.1.3.254...192.1.2.23[ID_NULL]===192.1.2.0/24
| oppo_instantiate() instantiated "[1] ...192.1.2.23"private-or-clear#192.1.2.0/24: 192.1.3.209[C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org]---192.1.3.254...192.1.2.23[ID_NULL]
| assigning negotiation_shunt to connection
| assign hold, routing was unrouted, needs to be unrouted HOLD
| assign_holdpass() removing bare shunt
| delete bare shunt 0x563e9cc22978 192.1.3.209/32:0 --0--> 192.1.2.23/32:0 => %hold 0 oe-negotiating
| assign_holdpass() done - returning success
| assign_holdpass succeeded
| initiate on demand from 192.1.3.209:0 to 192.1.2.23:0 proto=1 because: acquire
| FOR_EACH_STATE_... in find_phase1_state
| creating state object #1 at 0x563e9cc23318
| State DB: adding IKEv2 state #1 in UNDEFINED
| pstats #1 ikev2.ike started
| Message ID: init #1: msgid=0 lastack=4294967295 nextuse=0 lastrecv=4294967295 lastreplied=0
| parent state #1: UNDEFINED(ignore) => PARENT_I0(ignore)
| Message ID: init_ike #1; ike: initiator.sent=0->-1 initiator.recv=0->-1 responder.sent=0->-1 responder.recv=0->-1 wip.initiator=0->-1 wip.responder=0->-1
| start processing: state #1 connection "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 from 192.1.2.23 (in ikev2_parent_outI1() at ikev2_parent.c:535)
| dup_any(fd@-1) -> fd@-1 (in ikev2_parent_outI1() at ikev2_parent.c:551)
| Queuing pending IPsec SA negotiating with 192.1.2.23 "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 IKE SA #1 "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23
| constructing local IKE proposals for private-or-clear#192.1.2.0/24 (IKE SA initiator selecting KE)
| converting ike_info AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ...
| ... ikev2_proposal: 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519
| converting ike_info AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ...
| ... ikev2_proposal: 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519
| converting ike_info AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ...
| ... ikev2_proposal: 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519
| converting ike_info AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ...
| ... ikev2_proposal: 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519
"private-or-clear#192.1.2.0/24"[1] ...192.1.2.23: constructed local IKE proposals for private-or-clear#192.1.2.0/24 (IKE SA initiator selecting KE): 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519
| adding ikev2_outI1 KE work-order 1 for state #1
| event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x563e9cc25a88
| inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1
| libevent_malloc: new ptr-libevent@0x563e9cc05c98 size 128
| #1 spent 0.359 milliseconds in ikev2_parent_outI1()
| RESET processing: state #1 connection "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 from 192.1.2.23 (in ikev2_parent_outI1() at ikev2_parent.c:610)
| initiate on demand using RSASIG from 192.1.3.209 to 192.1.2.23
| spent 0.696 milliseconds in kernel message
| crypto helper 0 resuming
| crypto helper 0 starting work-order 1 for state #1
| crypto helper 0 doing build KE and nonce (ikev2_outI1 KE); request ID 1
| crypto helper 0 finished build KE and nonce (ikev2_outI1 KE); request ID 1 time elapsed 0.000812 seconds
| (#1) spent 0.812 milliseconds in crypto helper computing work-order 1: ikev2_outI1 KE (pcr)
| crypto helper 0 sending results from work-order 1 for state #1 to event queue
| scheduling resume sending helper answer for #1
| libevent_malloc: new ptr-libevent@0x7f3eec002888 size 128
| crypto helper 0 waiting (nothing to do)
| processing resume sending helper answer for #1
| start processing: state #1 connection "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 from 192.1.2.23 (in resume_handler() at server.c:797)
| crypto helper 0 replies to request ID 1
| calling continuation function 0x563e9b9bdb50
| ikev2_parent_outI1_continue for #1
| **emit ISAKMP Message:
| initiator cookie:
| 45 de 21 c6 8e 76 c2 02
| responder cookie:
| 00 00 00 00 00 00 00 00
| next payload type: ISAKMP_NEXT_NONE (0x0)
| ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
| exchange type: ISAKMP_v2_IKE_SA_INIT (0x22)
| flags: ISAKMP_FLAG_v2_IKE_INIT (0x8)
| Message ID: 0 (0x0)
| next payload chain: saving message location 'ISAKMP Message'.'next payload type'
| using existing local IKE proposals for connection private-or-clear#192.1.2.0/24 (IKE SA initiator emitting local proposals): 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519
| Emitting ikev2_proposals ...
| ***emit IKEv2 Security Association Payload:
| next payload type: ISAKMP_NEXT_v2NONE (0x0)
| flags: none (0x0)
| next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA)
| next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet'
| discarding INTEG=NONE
| ****emit IKEv2 Proposal Substructure Payload:
| last proposal: v2_PROPOSAL_NON_LAST (0x2)
| prop #: 1 (0x1)
| proto ID: IKEv2_SEC_PROTO_IKE (0x1)
| spi size: 0 (0x0)
| # transforms: 11 (0xb)
| last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal'
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_ENCR (0x1)
| IKEv2 transform ID: AES_GCM_C (0x14)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| ******emit IKEv2 Attribute Substructure Payload:
| af+type: AF+IKEv2_KEY_LENGTH (0x800e)
| length/value: 256 (0x100)
| emitting length of IKEv2 Transform Substructure Payload: 12
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_PRF (0x2)
| IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_PRF (0x2)
| IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| discarding INTEG=NONE
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_LAST (0x0)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| emitting length of IKEv2 Proposal Substructure Payload: 100
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0
| discarding INTEG=NONE
| ****emit IKEv2 Proposal Substructure Payload:
| last proposal: v2_PROPOSAL_NON_LAST (0x2)
| prop #: 2 (0x2)
| proto ID: IKEv2_SEC_PROTO_IKE (0x1)
| spi size: 0 (0x0)
| # transforms: 11 (0xb)
| last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is v2_PROPOSAL_NON_LAST (0x2)
| last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal'
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_ENCR (0x1)
| IKEv2 transform ID: AES_GCM_C (0x14)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| ******emit IKEv2 Attribute Substructure Payload:
| af+type: AF+IKEv2_KEY_LENGTH (0x800e)
| length/value: 128 (0x80)
| emitting length of IKEv2 Transform Substructure Payload: 12
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_PRF (0x2)
| IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_PRF (0x2)
| IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| discarding INTEG=NONE
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_LAST (0x0)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| emitting length of IKEv2 Proposal Substructure Payload: 100
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0
| ****emit IKEv2 Proposal Substructure Payload:
| last proposal: v2_PROPOSAL_NON_LAST (0x2)
| prop #: 3 (0x3)
| proto ID: IKEv2_SEC_PROTO_IKE (0x1)
| spi size: 0 (0x0)
| # transforms: 13 (0xd)
| last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is v2_PROPOSAL_NON_LAST (0x2)
| last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal'
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_ENCR (0x1)
| IKEv2 transform ID: AES_CBC (0xc)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| ******emit IKEv2 Attribute Substructure Payload:
| af+type: AF+IKEv2_KEY_LENGTH (0x800e)
| length/value: 256 (0x100)
| emitting length of IKEv2 Transform Substructure Payload: 12
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_PRF (0x2)
| IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_PRF (0x2)
| IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_INTEG (0x3)
| IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_INTEG (0x3)
| IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_LAST (0x0)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| emitting length of IKEv2 Proposal Substructure Payload: 116
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0
| ****emit IKEv2 Proposal Substructure Payload:
| last proposal: v2_PROPOSAL_LAST (0x0)
| prop #: 4 (0x4)
| proto ID: IKEv2_SEC_PROTO_IKE (0x1)
| spi size: 0 (0x0)
| # transforms: 13 (0xd)
| last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is v2_PROPOSAL_NON_LAST (0x2)
| last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal'
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_ENCR (0x1)
| IKEv2 transform ID: AES_CBC (0xc)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| ******emit IKEv2 Attribute Substructure Payload:
| af+type: AF+IKEv2_KEY_LENGTH (0x800e)
| length/value: 128 (0x80)
| emitting length of IKEv2 Transform Substructure Payload: 12
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_PRF (0x2)
| IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_PRF (0x2)
| IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_INTEG (0x3)
| IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_INTEG (0x3)
| IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_LAST (0x0)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| emitting length of IKEv2 Proposal Substructure Payload: 116
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0
| emitting length of IKEv2 Security Association Payload: 436
| last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0
| ***emit IKEv2 Key Exchange Payload:
| next payload type: ISAKMP_NEXT_v2NONE (0x0)
| flags: none (0x0)
| DH group: OAKLEY_GROUP_MODP2048 (0xe)
| next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Key Exchange Payload (34:ISAKMP_NEXT_v2KE)
| next payload chain: saving location 'IKEv2 Key Exchange Payload'.'next payload type' in 'reply packet'
| emitting 256 raw bytes of ikev2 g^x into IKEv2 Key Exchange Payload
| ikev2 g^x 29 5b 2d 4f ed 72 22 98 e7 eb fe d6 36 81 0b db
| ikev2 g^x 7c 38 dc 97 9e 64 ce bc c6 06 ff 62 fc 37 17 53
| ikev2 g^x 52 dc cc fc fb 30 90 b9 1f 9e 45 94 ed a0 ca 0f
| ikev2 g^x 4c 41 88 d8 e2 98 a5 c7 d1 63 ed d6 dd 75 17 0e
| ikev2 g^x 4e 2b 3f 99 c5 19 4e bb 12 f0 bb 73 66 ae dc e3
| ikev2 g^x 99 bf 83 1e 42 38 1a 1f 05 d3 41 0a bb 1d 1e 72
| ikev2 g^x a6 be 4d 5a 3b 38 bf 42 8f 77 f6 21 03 10 c9 e2
| ikev2 g^x 5f 5c e9 ba 39 a0 4c c4 ad 98 50 09 36 ef 39 8d
| ikev2 g^x b2 a8 a9 7f 62 d1 1e 63 c0 f2 20 a3 25 94 18 83
| ikev2 g^x 30 77 46 64 d2 35 23 55 73 92 94 6a 6f c2 70 05
| ikev2 g^x 88 97 1e c6 58 51 75 10 c0 5d 20 73 af 5b 14 4a
| ikev2 g^x ec 46 ae 92 ae aa 32 8e 88 87 ad 1f 22 b5 f9 9e
| ikev2 g^x a4 83 bc 16 76 30 7a 8c 5c 5d a7 c2 4e 9c 32 5e
| ikev2 g^x 3a 5e 56 08 7a 85 27 e1 ec da a1 82 18 43 98 17
| ikev2 g^x 9f 6b cf c2 30 0a b3 2e 01 9d 27 df 31 28 aa 1e
| ikev2 g^x 75 01 1f 82 59 8f f8 eb 15 a4 d5 14 bb f3 b1 5b
| emitting length of IKEv2 Key Exchange Payload: 264
| ***emit IKEv2 Nonce Payload:
| next payload type: ISAKMP_NEXT_v2N (0x29)
| flags: none (0x0)
| next payload chain: ignoring supplied 'IKEv2 Nonce Payload'.'next payload type' value 41:ISAKMP_NEXT_v2N
| next payload chain: setting previous 'IKEv2 Key Exchange Payload'.'next payload type' to current IKEv2 Nonce Payload (40:ISAKMP_NEXT_v2Ni)
| next payload chain: saving location 'IKEv2 Nonce Payload'.'next payload type' in 'reply packet'
| emitting 32 raw bytes of IKEv2 nonce into IKEv2 Nonce Payload
| IKEv2 nonce 0f 6e 67 f8 7d 88 c6 a9 cb b2 6d 76 4b f9 4e 8d
| IKEv2 nonce 88 b4 77 27 fa 34 19 1c 58 16 a9 1d 43 16 42 7a
| emitting length of IKEv2 Nonce Payload: 36
| Adding a v2N Payload
| ***emit IKEv2 Notify Payload:
| next payload type: ISAKMP_NEXT_v2NONE (0x0)
| flags: none (0x0)
| Protocol ID: PROTO_v2_RESERVED (0x0)
| SPI size: 0 (0x0)
| Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e)
| next payload chain: setting previous 'IKEv2 Nonce Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N)
| next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet'
| emitting length of IKEv2 Notify Payload: 8
| NAT-Traversal support [enabled] add v2N payloads.
| natd_hash: rcookie is zero
| natd_hash: hasher=0x563e9ba92800(20)
| natd_hash: icookie= 45 de 21 c6 8e 76 c2 02
| natd_hash: rcookie= 00 00 00 00 00 00 00 00
| natd_hash: ip= c0 01 03 d1
| natd_hash: port=500
| natd_hash: hash= c1 52 1d d8 5f 68 4b c3 c8 58 bf 1b 6a 45 a0 ea
| natd_hash: hash= 22 b5 50 b9
| Adding a v2N Payload
| ***emit IKEv2 Notify Payload:
| next payload type: ISAKMP_NEXT_v2NONE (0x0)
| flags: none (0x0)
| Protocol ID: PROTO_v2_RESERVED (0x0)
| SPI size: 0 (0x0)
| Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004)
| next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N)
| next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet'
| emitting 20 raw bytes of Notify data into IKEv2 Notify Payload
| Notify data c1 52 1d d8 5f 68 4b c3 c8 58 bf 1b 6a 45 a0 ea
| Notify data 22 b5 50 b9
| emitting length of IKEv2 Notify Payload: 28
| natd_hash: rcookie is zero
| natd_hash: hasher=0x563e9ba92800(20)
| natd_hash: icookie= 45 de 21 c6 8e 76 c2 02
| natd_hash: rcookie= 00 00 00 00 00 00 00 00
| natd_hash: ip= c0 01 02 17
| natd_hash: port=500
| natd_hash: hash= 29 5e 5c e3 81 9f 35 1d 68 14 bb a8 10 a3 ab a2
| natd_hash: hash= 45 7b 36 72
| Adding a v2N Payload
| ***emit IKEv2 Notify Payload:
| next payload type: ISAKMP_NEXT_v2NONE (0x0)
| flags: none (0x0)
| Protocol ID: PROTO_v2_RESERVED (0x0)
| SPI size: 0 (0x0)
| Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005)
| next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N)
| next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet'
| emitting 20 raw bytes of Notify data into IKEv2 Notify Payload
| Notify data 29 5e 5c e3 81 9f 35 1d 68 14 bb a8 10 a3 ab a2
| Notify data 45 7b 36 72
| emitting length of IKEv2 Notify Payload: 28
| emitting length of ISAKMP Message: 828
| stop processing: state #1 connection "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 from 192.1.2.23 (in ikev2_parent_outI1_common() at ikev2_parent.c:817)
| start processing: state #1 connection "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 from 192.1.2.23 (in complete_v2_state_transition() at ikev2.c:3379)
| #1 complete_v2_state_transition() PARENT_I0->PARENT_I1 with status STF_OK
| IKEv2: transition from state STATE_PARENT_I0 to state STATE_PARENT_I1
| parent state #1: PARENT_I0(ignore) => PARENT_I1(half-open IKE SA)
| Message ID: updating counters for #1 to 4294967295 after switching state
| Message ID: IKE #1 skipping update_recv as MD is fake
| Message ID: sent #1 request 0; ike: initiator.sent=-1->0 initiator.recv=-1 responder.sent=-1 responder.recv=-1 wip.initiator=-1->0 wip.responder=-1
| STATE_PARENT_I1: sent v2I1, expected v2R1
| sending V2 reply packet to 192.1.2.23:500 (from 192.1.3.209:500)
| sending 828 bytes for STATE_PARENT_I0 through eth0 from 192.1.3.209:500 to 192.1.2.23:500 (using #1)
| 45 de 21 c6 8e 76 c2 02 00 00 00 00 00 00 00 00
| 21 20 22 08 00 00 00 00 00 00 03 3c 22 00 01 b4
| 02 00 00 64 01 01 00 0b 03 00 00 0c 01 00 00 14
| 80 0e 01 00 03 00 00 08 02 00 00 07 03 00 00 08
| 02 00 00 05 03 00 00 08 04 00 00 0e 03 00 00 08
| 04 00 00 0f 03 00 00 08 04 00 00 10 03 00 00 08
| 04 00 00 12 03 00 00 08 04 00 00 13 03 00 00 08
| 04 00 00 14 03 00 00 08 04 00 00 15 00 00 00 08
| 04 00 00 1f 02 00 00 64 02 01 00 0b 03 00 00 0c
| 01 00 00 14 80 0e 00 80 03 00 00 08 02 00 00 07
| 03 00 00 08 02 00 00 05 03 00 00 08 04 00 00 0e
| 03 00 00 08 04 00 00 0f 03 00 00 08 04 00 00 10
| 03 00 00 08 04 00 00 12 03 00 00 08 04 00 00 13
| 03 00 00 08 04 00 00 14 03 00 00 08 04 00 00 15
| 00 00 00 08 04 00 00 1f 02 00 00 74 03 01 00 0d
| 03 00 00 0c 01 00 00 0c 80 0e 01 00 03 00 00 08
| 02 00 00 07 03 00 00 08 02 00 00 05 03 00 00 08
| 03 00 00 0e 03 00 00 08 03 00 00 0c 03 00 00 08
| 04 00 00 0e 03 00 00 08 04 00 00 0f 03 00 00 08
| 04 00 00 10 03 00 00 08 04 00 00 12 03 00 00 08
| 04 00 00 13 03 00 00 08 04 00 00 14 03 00 00 08
| 04 00 00 15 00 00 00 08 04 00 00 1f 00 00 00 74
| 04 01 00 0d 03 00 00 0c 01 00 00 0c 80 0e 00 80
| 03 00 00 08 02 00 00 07 03 00 00 08 02 00 00 05
| 03 00 00 08 03 00 00 0e 03 00 00 08 03 00 00 0c
| 03 00 00 08 04 00 00 0e 03 00 00 08 04 00 00 0f
| 03 00 00 08 04 00 00 10 03 00 00 08 04 00 00 12
| 03 00 00 08 04 00 00 13 03 00 00 08 04 00 00 14
| 03 00 00 08 04 00 00 15 00 00 00 08 04 00 00 1f
| 28 00 01 08 00 0e 00 00 29 5b 2d 4f ed 72 22 98
| e7 eb fe d6 36 81 0b db 7c 38 dc 97 9e 64 ce bc
| c6 06 ff 62 fc 37 17 53 52 dc cc fc fb 30 90 b9
| 1f 9e 45 94 ed a0 ca 0f 4c 41 88 d8 e2 98 a5 c7
| d1 63 ed d6 dd 75 17 0e 4e 2b 3f 99 c5 19 4e bb
| 12 f0 bb 73 66 ae dc e3 99 bf 83 1e 42 38 1a 1f
| 05 d3 41 0a bb 1d 1e 72 a6 be 4d 5a 3b 38 bf 42
| 8f 77 f6 21 03 10 c9 e2 5f 5c e9 ba 39 a0 4c c4
| ad 98 50 09 36 ef 39 8d b2 a8 a9 7f 62 d1 1e 63
| c0 f2 20 a3 25 94 18 83 30 77 46 64 d2 35 23 55
| 73 92 94 6a 6f c2 70 05 88 97 1e c6 58 51 75 10
| c0 5d 20 73 af 5b 14 4a ec 46 ae 92 ae aa 32 8e
| 88 87 ad 1f 22 b5 f9 9e a4 83 bc 16 76 30 7a 8c
| 5c 5d a7 c2 4e 9c 32 5e 3a 5e 56 08 7a 85 27 e1
| ec da a1 82 18 43 98 17 9f 6b cf c2 30 0a b3 2e
| 01 9d 27 df 31 28 aa 1e 75 01 1f 82 59 8f f8 eb
| 15 a4 d5 14 bb f3 b1 5b 29 00 00 24 0f 6e 67 f8
| 7d 88 c6 a9 cb b2 6d 76 4b f9 4e 8d 88 b4 77 27
| fa 34 19 1c 58 16 a9 1d 43 16 42 7a 29 00 00 08
| 00 00 40 2e 29 00 00 1c 00 00 40 04 c1 52 1d d8
| 5f 68 4b c3 c8 58 bf 1b 6a 45 a0 ea 22 b5 50 b9
| 00 00 00 1c 00 00 40 05 29 5e 5c e3 81 9f 35 1d
| 68 14 bb a8 10 a3 ab a2 45 7b 36 72
| state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted
| libevent_free: release ptr-libevent@0x563e9cc05c98
| free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x563e9cc25a88
| success_v2_state_transition scheduling EVENT_RETRANSMIT of c->r_interval=15000ms
"private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 #1: IMPAIR: suppressing retransmits; scheduling timeout in 60 seconds
| event_schedule: new EVENT_RETRANSMIT-pe@0x563e9cc25a88
| inserting event EVENT_RETRANSMIT, timeout in 60 seconds for #1
| libevent_malloc: new ptr-libevent@0x563e9cc25bb8 size 128
| #1 STATE_PARENT_I1: retransmits: first event in 60 seconds; timeout in 60 seconds; limit of 12 retransmits; current time is 29578.332677
| resume sending helper answer for #1 suppresed complete_v2_state_transition() and stole MD
| #1 spent 1.14 milliseconds in resume sending helper answer
| stop processing: state #1 connection "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 from 192.1.2.23 (in resume_handler() at server.c:833)
| libevent_free: release ptr-libevent@0x7f3eec002888
| spent 0.00287 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue()
| *received 437 bytes from 192.1.2.23:500 on eth0 (192.1.3.209:500)
| 45 de 21 c6 8e 76 c2 02 56 b8 4c 3f 69 6a 43 06
| 21 20 22 20 00 00 00 00 00 00 01 b5 22 00 00 28
| 00 00 00 24 01 01 00 03 03 00 00 0c 01 00 00 14
| 80 0e 01 00 03 00 00 08 02 00 00 07 00 00 00 08
| 04 00 00 0e 28 00 01 08 00 0e 00 00 d6 93 df 10
| a4 87 4d a9 7d 34 5b 0e 23 aa db 53 29 45 b6 46
| 30 25 5c c6 80 68 31 93 cc c9 a2 21 55 38 07 e0
| 90 5f 98 7c f3 ca 2b 9a 3f b5 1e 4c d6 b4 5c 64
| 56 21 87 3c f4 ec 76 0b 7c 33 e6 0a e2 75 bd cc
| a4 de f3 1e 8b fe ab d9 d9 d4 f3 b7 52 ca 71 dc
| ae bb 55 cb bf 48 6e ca 35 5c f1 12 9b 89 1e e4
| 98 a2 0e b8 c8 22 73 65 c3 de cb cb d4 0b 38 73
| b6 c3 56 4d f3 d0 7e 48 cf 9c ed 1f 31 36 81 7c
| 0b c4 15 82 99 b2 2f a0 21 94 aa 5f 8f 4d 18 4b
| 68 e9 e6 20 52 33 50 f9 f6 90 97 93 09 63 29 bf
| 3d 93 3c 0c 4b 82 48 3d 1d 3e 59 2a be a9 06 e1
| af 19 b5 67 22 ba a1 2d fe 59 58 80 8d 27 85 20
| fd de bd f0 5f 03 7a 35 59 af f2 6c d4 b6 90 01
| bd 65 0b 56 d7 07 3c e6 04 71 66 4d 84 2e 44 03
| e8 f9 d9 ba 8c 80 9a 0d 7a f8 ad 43 02 6c 17 e4
| 70 3b da c5 a5 f2 98 7a fa ea 68 14 29 00 00 24
| e7 a5 ae 84 cd 8b 82 83 97 f0 94 e3 f4 83 ea eb
| 4b 81 7b 09 ed 0b a9 e1 0c 87 4a 4a 89 8f f9 1f
| 29 00 00 08 00 00 40 2e 29 00 00 1c 00 00 40 04
| 48 93 a6 9b e4 b8 8d af f1 55 7b eb 83 91 f0 0d
| 49 b2 a0 65 26 00 00 1c 00 00 40 05 d9 43 fa 73
| 71 9e 42 58 a4 d2 73 33 79 d0 07 b5 83 e3 37 4e
| 00 00 00 05 04
| start processing: from 192.1.2.23:500 (in process_md() at demux.c:378)
| **parse ISAKMP Message:
| initiator cookie:
| 45 de 21 c6 8e 76 c2 02
| responder cookie:
| 56 b8 4c 3f 69 6a 43 06
| next payload type: ISAKMP_NEXT_v2SA (0x21)
| ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
| exchange type: ISAKMP_v2_IKE_SA_INIT (0x22)
| flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20)
| Message ID: 0 (0x0)
| length: 437 (0x1b5)
| processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_SA_INIT (34)
| I am the IKE SA Original Initiator receiving an IKEv2 IKE_SA_INIT response
| State DB: found IKEv2 state #1 in PARENT_I1 (find_v2_ike_sa_by_initiator_spi)
| start processing: state #1 connection "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 from 192.1.2.23 (in ikev2_process_packet() at ikev2.c:2016)
| [RE]START processing: state #1 connection "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 from 192.1.2.23 (in ike_process_packet() at ikev2.c:2062)
| #1 is idle
| #1 idle
| unpacking clear payload
| Now let's proceed with payload (ISAKMP_NEXT_v2SA)
| ***parse IKEv2 Security Association Payload:
| next payload type: ISAKMP_NEXT_v2KE (0x22)
| flags: none (0x0)
| length: 40 (0x28)
| processing payload: ISAKMP_NEXT_v2SA (len=36)
| Now let's proceed with payload (ISAKMP_NEXT_v2KE)
| ***parse IKEv2 Key Exchange Payload:
| next payload type: ISAKMP_NEXT_v2Ni (0x28)
| flags: none (0x0)
| length: 264 (0x108)
| DH group: OAKLEY_GROUP_MODP2048 (0xe)
| processing payload: ISAKMP_NEXT_v2KE (len=256)
| Now let's proceed with payload (ISAKMP_NEXT_v2Ni)
| ***parse IKEv2 Nonce Payload:
| next payload type: ISAKMP_NEXT_v2N (0x29)
| flags: none (0x0)
| length: 36 (0x24)
| processing payload: ISAKMP_NEXT_v2Ni (len=32)
| Now let's proceed with payload (ISAKMP_NEXT_v2N)
| ***parse IKEv2 Notify Payload:
| next payload type: ISAKMP_NEXT_v2N (0x29)
| flags: none (0x0)
| length: 8 (0x8)
| Protocol ID: PROTO_v2_RESERVED (0x0)
| SPI size: 0 (0x0)
| Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e)
| processing payload: ISAKMP_NEXT_v2N (len=0)
| Now let's proceed with payload (ISAKMP_NEXT_v2N)
| ***parse IKEv2 Notify Payload:
| next payload type: ISAKMP_NEXT_v2N (0x29)
| flags: none (0x0)
| length: 28 (0x1c)
| Protocol ID: PROTO_v2_RESERVED (0x0)
| SPI size: 0 (0x0)
| Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004)
| processing payload: ISAKMP_NEXT_v2N (len=20)
| Now let's proceed with payload (ISAKMP_NEXT_v2N)
| ***parse IKEv2 Notify Payload:
| next payload type: ISAKMP_NEXT_v2CERTREQ (0x26)
| flags: none (0x0)
| length: 28 (0x1c)
| Protocol ID: PROTO_v2_RESERVED (0x0)
| SPI size: 0 (0x0)
| Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005)
| processing payload: ISAKMP_NEXT_v2N (len=20)
| Now let's proceed with payload (ISAKMP_NEXT_v2CERTREQ)
| ***parse IKEv2 Certificate Request Payload:
| next payload type: ISAKMP_NEXT_v2NONE (0x0)
| flags: none (0x0)
| length: 5 (0x5)
| ikev2 cert encoding: CERT_X509_SIGNATURE (0x4)
| processing payload: ISAKMP_NEXT_v2CERTREQ (len=0)
| State DB: re-hashing IKEv2 state #1 IKE SPIi and SPI[ir]
| #1 in state PARENT_I1: sent v2I1, expected v2R1
| selected state microcode Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH
| Now let's proceed with state specific processing
| calling processor Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH
| ikev2 parent inR1: calculating g^{xy} in order to send I2
| using existing local IKE proposals for connection private-or-clear#192.1.2.0/24 (IKE SA initiator accepting remote proposal): 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519
| Comparing remote proposals against IKE initiator (accepting) 4 local proposals
| local proposal 1 type ENCR has 1 transforms
| local proposal 1 type PRF has 2 transforms
| local proposal 1 type INTEG has 1 transforms
| local proposal 1 type DH has 8 transforms
| local proposal 1 type ESN has 0 transforms
| local proposal 1 transforms: required: ENCR+PRF+DH; optional: INTEG
| local proposal 2 type ENCR has 1 transforms
| local proposal 2 type PRF has 2 transforms
| local proposal 2 type INTEG has 1 transforms
| local proposal 2 type DH has 8 transforms
| local proposal 2 type ESN has 0 transforms
| local proposal 2 transforms: required: ENCR+PRF+DH; optional: INTEG
| local proposal 3 type ENCR has 1 transforms
| local proposal 3 type PRF has 2 transforms
| local proposal 3 type INTEG has 2 transforms
| local proposal 3 type DH has 8 transforms
| local proposal 3 type ESN has 0 transforms
| local proposal 3 transforms: required: ENCR+PRF+INTEG+DH; optional: none
| local proposal 4 type ENCR has 1 transforms
| local proposal 4 type PRF has 2 transforms
| local proposal 4 type INTEG has 2 transforms
| local proposal 4 type DH has 8 transforms
| local proposal 4 type ESN has 0 transforms
| local proposal 4 transforms: required: ENCR+PRF+INTEG+DH; optional: none
| ****parse IKEv2 Proposal Substructure Payload:
| last proposal: v2_PROPOSAL_LAST (0x0)
| length: 36 (0x24)
| prop #: 1 (0x1)
| proto ID: IKEv2_SEC_PROTO_IKE (0x1)
| spi size: 0 (0x0)
| # transforms: 3 (0x3)
| Comparing remote proposal 1 containing 3 transforms against local proposal [1..1] of 4 local proposals
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 12 (0xc)
| IKEv2 transform type: TRANS_TYPE_ENCR (0x1)
| IKEv2 transform ID: AES_GCM_C (0x14)
| ******parse IKEv2 Attribute Substructure Payload:
| af+type: AF+IKEv2_KEY_LENGTH (0x800e)
| length/value: 256 (0x100)
| remote proposal 1 transform 0 (ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) transform 0
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_PRF (0x2)
| IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7)
| remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 1 type 2 (PRF) transform 0
| *****parse IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_LAST (0x0)
| length: 8 (0x8)
| IKEv2 transform type: TRANS_TYPE_DH (0x4)
| IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe)
| remote proposal 1 transform 2 (DH=MODP2048) matches local proposal 1 type 4 (DH) transform 0
| remote proposal 1 proposed transforms: ENCR+PRF+DH; matched: ENCR+PRF+DH; unmatched: none
| comparing remote proposal 1 containing ENCR+PRF+DH transforms to local proposal 1; required: ENCR+PRF+DH; optional: INTEG; matched: ENCR+PRF+DH
| remote proposal 1 matches local proposal 1
| remote accepted the proposal 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048[first-match]
| converting proposal to internal trans attrs
| natd_hash: hasher=0x563e9ba92800(20)
| natd_hash: icookie= 45 de 21 c6 8e 76 c2 02
| natd_hash: rcookie= 56 b8 4c 3f 69 6a 43 06
| natd_hash: ip= c0 01 03 d1
| natd_hash: port=500
| natd_hash: hash= d9 43 fa 73 71 9e 42 58 a4 d2 73 33 79 d0 07 b5
| natd_hash: hash= 83 e3 37 4e
| natd_hash: hasher=0x563e9ba92800(20)
| natd_hash: icookie= 45 de 21 c6 8e 76 c2 02
| natd_hash: rcookie= 56 b8 4c 3f 69 6a 43 06
| natd_hash: ip= c0 01 02 17
| natd_hash: port=500
| natd_hash: hash= 48 93 a6 9b e4 b8 8d af f1 55 7b eb 83 91 f0 0d
| natd_hash: hash= 49 b2 a0 65
| NAT_TRAVERSAL encaps using auto-detect
| NAT_TRAVERSAL this end is NOT behind NAT
| NAT_TRAVERSAL that end is NOT behind NAT
| NAT_TRAVERSAL nat-keepalive enabled 192.1.2.23
| offloading IKEv2 SKEYSEED using prf=HMAC_SHA2_512 integ=NONE cipherkey=AES_GCM_16
| adding ikev2_inR1outI2 KE work-order 2 for state #1
| state #1 requesting EVENT_RETRANSMIT to be deleted
| #1 STATE_PARENT_I1: retransmits: cleared
| libevent_free: release ptr-libevent@0x563e9cc25bb8
| free_event_entry: release EVENT_RETRANSMIT-pe@0x563e9cc25a88
| event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x563e9cc25a88
| inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1
| libevent_malloc: new ptr-libevent@0x7f3eec002888 size 128
| #1 spent 0.205 milliseconds in processing: Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH in ikev2_process_state_packet()
| [RE]START processing: state #1 connection "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 from 192.1.2.23 (in complete_v2_state_transition() at ikev2.c:3379)
| #1 complete_v2_state_transition() PARENT_I1->PARENT_I2 with status STF_SUSPEND
| suspending state #1 and saving MD
| #1 is busy; has a suspended MD
| [RE]START processing: state #1 connection "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 from 192.1.2.23 (in log_stf_suspend() at ikev2.c:3269)
| "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 #1 complete v2 state STATE_PARENT_I1 transition with STF_SUSPEND suspended from complete_v2_state_transition:3451
| stop processing: state #1 connection "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 from 192.1.2.23 (in ikev2_process_packet() at ikev2.c:2018)
| #1 spent 0.438 milliseconds in ikev2_process_packet()
| stop processing: from 192.1.2.23:500 (in process_md() at demux.c:380)
| processing: STOP state #0 (in process_md() at demux.c:382)
| processing: STOP connection NULL (in process_md() at demux.c:383)
| spent 0.448 milliseconds in comm_handle_cb() reading and processing packet
| crypto helper 1 resuming
| crypto helper 1 starting work-order 2 for state #1
| crypto helper 1 doing compute dh (V2) (ikev2_inR1outI2 KE); request ID 2
| calculating skeyseed using prf=sha2_512 integ=none cipherkey-size=32 salt-size=4
| crypto helper 1 finished compute dh (V2) (ikev2_inR1outI2 KE); request ID 2 time elapsed 0.001103 seconds
| (#1) spent 1.11 milliseconds in crypto helper computing work-order 2: ikev2_inR1outI2 KE (pcr)
| crypto helper 1 sending results from work-order 2 for state #1 to event queue
| scheduling resume sending helper answer for #1
| libevent_malloc: new ptr-libevent@0x7f3ee4000f48 size 128
| crypto helper 1 waiting (nothing to do)
| processing resume sending helper answer for #1
| start processing: state #1 connection "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 from 192.1.2.23 (in resume_handler() at server.c:797)
| crypto helper 1 replies to request ID 2
| calling continuation function 0x563e9b9bdb50
| ikev2_parent_inR1outI2_continue for #1: calculating g^{xy}, sending I2
| creating state object #2 at 0x563e9cc28428
| State DB: adding IKEv2 state #2 in UNDEFINED
| pstats #2 ikev2.child started
| duplicating state object #1 "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 as #2 for IPSEC SA
| #2 setting local endpoint to 192.1.3.209:500 from #1.st_localport (in duplicate_state() at state.c:1484)
| Message ID: init_child #1.#2; ike: initiator.sent=0 initiator.recv=-1 responder.sent=-1 responder.recv=-1; child: wip.initiator=0->-1 wip.responder=0->-1
| Message ID: switch-from #1 response 0; ike: initiator.sent=0 initiator.recv=-1 responder.sent=-1 responder.recv=-1 wip.initiator=0->-1 wip.responder=-1
| Message ID: switch-to #1.#2 response 0; ike: initiator.sent=0 initiator.recv=-1 responder.sent=-1 responder.recv=-1; child: wip.initiator=-1->0 wip.responder=-1
| state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted
| libevent_free: release ptr-libevent@0x7f3eec002888
| free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x563e9cc25a88
| event_schedule: new EVENT_SA_REPLACE-pe@0x563e9cc25a88
| inserting event EVENT_SA_REPLACE, timeout in 60 seconds for #1
| libevent_malloc: new ptr-libevent@0x7f3eec002888 size 128
| parent state #1: PARENT_I1(half-open IKE SA) => PARENT_I2(open IKE SA)
| **emit ISAKMP Message:
| initiator cookie:
| 45 de 21 c6 8e 76 c2 02
| responder cookie:
| 56 b8 4c 3f 69 6a 43 06
| next payload type: ISAKMP_NEXT_NONE (0x0)
| ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
| exchange type: ISAKMP_v2_IKE_AUTH (0x23)
| flags: ISAKMP_FLAG_v2_IKE_INIT (0x8)
| Message ID: 1 (0x1)
| next payload chain: saving message location 'ISAKMP Message'.'next payload type'
| ***emit IKEv2 Encryption Payload:
| next payload type: ISAKMP_NEXT_v2NONE (0x0)
| flags: none (0x0)
| next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK)
| next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'reply packet'
| emitting 8 zero bytes of IV into IKEv2 Encryption Payload
| IKEv2 CERT: send a certificate?
| IKEv2 CERT: OK to send a certificate (always)
| IDr payload will be sent
| ****emit IKEv2 Identification - Initiator - Payload:
| next payload type: ISAKMP_NEXT_v2NONE (0x0)
| flags: none (0x0)
| ID type: ID_DER_ASN1_DN (0x9)
| next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Identification - Initiator - Payload (35:ISAKMP_NEXT_v2IDi)
| next payload chain: saving location 'IKEv2 Identification - Initiator - Payload'.'next payload type' in 'reply packet'
| emitting 183 raw bytes of my identity into IKEv2 Identification - Initiator - Payload
| my identity 30 81 b4 31 0b 30 09 06 03 55 04 06 13 02 43 41
| my identity 31 10 30 0e 06 03 55 04 08 0c 07 4f 6e 74 61 72
| my identity 69 6f 31 10 30 0e 06 03 55 04 07 0c 07 54 6f 72
| my identity 6f 6e 74 6f 31 12 30 10 06 03 55 04 0a 0c 09 4c
| my identity 69 62 72 65 73 77 61 6e 31 18 30 16 06 03 55 04
| my identity 0b 0c 0f 54 65 73 74 20 44 65 70 61 72 74 6d 65
| my identity 6e 74 31 23 30 21 06 03 55 04 03 0c 1a 72 6f 61
| my identity 64 2e 74 65 73 74 69 6e 67 2e 6c 69 62 72 65 73
| my identity 77 61 6e 2e 6f 72 67 31 2e 30 2c 06 09 2a 86 48
| my identity 86 f7 0d 01 09 01 16 1f 75 73 65 72 2d 72 6f 61
| my identity 64 40 74 65 73 74 69 6e 67 2e 6c 69 62 72 65 73
| my identity 77 61 6e 2e 6f 72 67
| emitting length of IKEv2 Identification - Initiator - Payload: 191
| Sending [CERT] of certificate: E=user-road@testing.libreswan.org,CN=road.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
| ****emit IKEv2 Certificate Payload:
| next payload type: ISAKMP_NEXT_v2NONE (0x0)
| flags: none (0x0)
| ikev2 cert encoding: CERT_X509_SIGNATURE (0x4)
| next payload chain: setting previous 'IKEv2 Identification - Initiator - Payload'.'next payload type' to current IKEv2 Certificate Payload (37:ISAKMP_NEXT_v2CERT)
| next payload chain: saving location 'IKEv2 Certificate Payload'.'next payload type' in 'reply packet'
| emitting 1224 raw bytes of CERT into IKEv2 Certificate Payload
| CERT 30 82 04 c4 30 82 04 2d a0 03 02 01 02 02 01 05
| CERT 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30
| CERT 81 ac 31 0b 30 09 06 03 55 04 06 13 02 43 41 31
| CERT 10 30 0e 06 03 55 04 08 0c 07 4f 6e 74 61 72 69
| CERT 6f 31 10 30 0e 06 03 55 04 07 0c 07 54 6f 72 6f
| CERT 6e 74 6f 31 12 30 10 06 03 55 04 0a 0c 09 4c 69
| CERT 62 72 65 73 77 61 6e 31 18 30 16 06 03 55 04 0b
| CERT 0c 0f 54 65 73 74 20 44 65 70 61 72 74 6d 65 6e
| CERT 74 31 25 30 23 06 03 55 04 03 0c 1c 4c 69 62 72
| CERT 65 73 77 61 6e 20 74 65 73 74 20 43 41 20 66 6f
| CERT 72 20 6d 61 69 6e 63 61 31 24 30 22 06 09 2a 86
| CERT 48 86 f7 0d 01 09 01 16 15 74 65 73 74 69 6e 67
| CERT 40 6c 69 62 72 65 73 77 61 6e 2e 6f 72 67 30 22
| CERT 18 0f 32 30 31 39 30 38 32 34 30 39 30 37 35 33
| CERT 5a 18 0f 32 30 32 32 30 38 32 33 30 39 30 37 35
| CERT 33 5a 30 81 b4 31 0b 30 09 06 03 55 04 06 13 02
| CERT 43 41 31 10 30 0e 06 03 55 04 08 0c 07 4f 6e 74
| CERT 61 72 69 6f 31 10 30 0e 06 03 55 04 07 0c 07 54
| CERT 6f 72 6f 6e 74 6f 31 12 30 10 06 03 55 04 0a 0c
| CERT 09 4c 69 62 72 65 73 77 61 6e 31 18 30 16 06 03
| CERT 55 04 0b 0c 0f 54 65 73 74 20 44 65 70 61 72 74
| CERT 6d 65 6e 74 31 23 30 21 06 03 55 04 03 0c 1a 72
| CERT 6f 61 64 2e 74 65 73 74 69 6e 67 2e 6c 69 62 72
| CERT 65 73 77 61 6e 2e 6f 72 67 31 2e 30 2c 06 09 2a
| CERT 86 48 86 f7 0d 01 09 01 16 1f 75 73 65 72 2d 72
| CERT 6f 61 64 40 74 65 73 74 69 6e 67 2e 6c 69 62 72
| CERT 65 73 77 61 6e 2e 6f 72 67 30 82 01 a2 30 0d 06
| CERT 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 01 8f
| CERT 00 30 82 01 8a 02 82 01 81 00 de eb 73 26 86 d7
| CERT 2c 84 21 13 0e a4 23 30 11 c6 d4 b1 e8 99 58 5b
| CERT 54 fa 8c cb 90 bf aa 54 64 e2 ef 00 f9 df b2 5a
| CERT 20 d0 1f fd fb 02 a8 d4 60 ac 44 ab c0 91 e1 eb
| CERT 81 59 f7 6d 08 30 04 c9 63 5f 07 58 6a d7 e6 ff
| CERT 96 d3 79 c2 a1 6b d3 24 00 31 74 f3 8f b4 e9 17
| CERT af d1 3c 33 ee 8b a9 19 b2 03 f1 98 8a 60 f2 f6
| CERT 14 4b 31 a3 8b cb cb ae 31 d9 70 5a 88 2d cc c8
| CERT 77 e8 27 1f 75 07 9a 9b cc 5a 53 bd 69 be 82 0e
| CERT 9c b9 3b c8 4f fa 84 87 bb b6 0d 2d ff 11 a1 2d
| CERT 51 d4 3f c2 93 09 22 b4 2e 48 0e 77 81 b6 79 ee
| CERT 31 37 3d 55 2f 3d 4f 0e 26 7e 73 34 4f 0d d1 90
| CERT 84 c9 06 53 b6 31 7f 6e 62 51 c6 35 3b a1 03 8a
| CERT 8b 62 bb 4d 37 a5 44 42 54 a2 10 80 5f 75 0e 17
| CERT a0 4e d8 46 e8 02 bf a1 f5 e5 2a 2e 5c dc b2 d7
| CERT 93 d9 04 45 51 1d 5e 7d d8 fd 03 96 0c d5 02 5b
| CERT 72 03 26 b7 d6 cd a0 18 86 a7 07 d0 74 c6 07 e8
| CERT 5c 1f 7a af be d0 ae b8 e7 7a 3b cf 5c fa ca ea
| CERT ae c3 6f 85 22 9b 46 81 be 7c 89 15 4f 06 47 30
| CERT 9f bb ee 24 55 e2 21 cd 8e 93 f5 0e 33 49 5d 50
| CERT 48 39 ac ab 37 59 f8 a2 61 be a0 81 d5 25 97 2f
| CERT 8b 2f bd d9 47 a4 5c a5 3b c0 99 19 c5 fb 43 da
| CERT 6f 6c 33 54 60 af 00 d5 41 12 60 e5 bb 07 b8 76
| CERT 8a 55 c4 c3 47 8b bd 12 bc e8 5e 94 62 7a 20 91
| CERT 11 fb 23 b7 2d f5 6f 73 b6 a9 02 03 01 00 01 a3
| CERT 81 e3 30 81 e0 30 09 06 03 55 1d 13 04 02 30 00
| CERT 30 25 06 03 55 1d 11 04 1e 30 1c 82 1a 72 6f 61
| CERT 64 2e 74 65 73 74 69 6e 67 2e 6c 69 62 72 65 73
| CERT 77 61 6e 2e 6f 72 67 30 0b 06 03 55 1d 0f 04 04
| CERT 03 02 07 80 30 1d 06 03 55 1d 25 04 16 30 14 06
| CERT 08 2b 06 01 05 05 07 03 01 06 08 2b 06 01 05 05
| CERT 07 03 02 30 41 06 08 2b 06 01 05 05 07 01 01 04
| CERT 35 30 33 30 31 06 08 2b 06 01 05 05 07 30 01 86
| CERT 25 68 74 74 70 3a 2f 2f 6e 69 63 2e 74 65 73 74
| CERT 69 6e 67 2e 6c 69 62 72 65 73 77 61 6e 2e 6f 72
| CERT 67 3a 32 35 36 30 30 3d 06 03 55 1d 1f 04 36 30
| CERT 34 30 32 a0 30 a0 2e 86 2c 68 74 74 70 3a 2f 2f
| CERT 6e 69 63 2e 74 65 73 74 69 6e 67 2e 6c 69 62 72
| CERT 65 73 77 61 6e 2e 6f 72 67 2f 72 65 76 6f 6b 65
| CERT 64 2e 63 72 6c 30 0d 06 09 2a 86 48 86 f7 0d 01
| CERT 01 0b 05 00 03 81 81 00 79 c0 dc 4f ca 3c 5f 4e
| CERT 21 3c 76 b0 44 66 c8 74 40 7b 34 5d 63 96 6e ee
| CERT c5 df ef 0f fe c2 e4 25 18 39 25 d8 f8 6a b8 87
| CERT f9 17 94 73 7f 8d fb 7d 9d 24 5e c5 95 19 96 3e
| CERT 04 dd 8a d0 ad 11 f4 97 32 43 d2 f3 1a d3 1c b1
| CERT e9 01 90 f2 72 36 cf d4 bd 14 e6 ad 8d d2 84 3b
| CERT 92 94 99 40 21 16 68 aa e7 5e ac 95 88 11 40 55
| CERT 28 90 af 7f 98 b1 80 36 c5 18 f7 6e 43 40 bc 93
| CERT 86 b3 f1 aa b3 89 b4 15
| emitting length of IKEv2 Certificate Payload: 1229
| IKEv2 CERTREQ: send a cert request?
| IKEv2 CERTREQ: no CA DN known to send
| ****emit IKEv2 Identification - Responder - Payload:
| next payload type: ISAKMP_NEXT_v2AUTH (0x27)
| flags: none (0x0)
| ID type: ID_NULL (0xd)
| next payload chain: ignoring supplied 'IKEv2 Identification - Responder - Payload'.'next payload type' value 39:ISAKMP_NEXT_v2AUTH
| next payload chain: setting previous 'IKEv2 Certificate Payload'.'next payload type' to current IKEv2 Identification - Responder - Payload (36:ISAKMP_NEXT_v2IDr)
| next payload chain: saving location 'IKEv2 Identification - Responder - Payload'.'next payload type' in 'reply packet'
| emitting 0 raw bytes of IDr into IKEv2 Identification - Responder - Payload
| IDr
| emitting length of IKEv2 Identification - Responder - Payload: 8
| not sending INITIAL_CONTACT
| ****emit IKEv2 Authentication Payload:
| next payload type: ISAKMP_NEXT_v2NONE (0x0)
| flags: none (0x0)
| auth method: IKEv2_AUTH_RSA (0x1)
| next payload chain: setting previous 'IKEv2 Identification - Responder - Payload'.'next payload type' to current IKEv2 Authentication Payload (39:ISAKMP_NEXT_v2AUTH)
| next payload chain: saving location 'IKEv2 Authentication Payload'.'next payload type' in 'reply packet'
| started looking for secret for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org->ID_NULL of kind PKK_RSA
| searching for certificate PKK_RSA:AQPHFfpyJ vs PKK_RSA:AwEAAd7rc
| private key for cert road not found in local cache; loading from NSS DB
| certs and keys locked by 'lsw_add_rsa_secret'
| certs and keys unlocked by 'lsw_add_rsa_secret'
| searching for certificate PKK_RSA:AwEAAd7rc vs PKK_RSA:AwEAAd7rc
| #1 spent 7.45 milliseconds in ikev2_calculate_rsa_hash() calling sign_hash_RSA()
| emitting 384 raw bytes of rsa signature into IKEv2 Authentication Payload
| rsa signature 1e cc 08 d0 5f ac e4 5f 10 e2 42 a5 2c f8 97 83
| rsa signature 51 a2 7f a0 52 0b 5e 1d db 0e 3c 2e c7 05 24 2f
| rsa signature 96 34 0f fd 97 14 05 11 25 bd c1 1b 5a 1f 63 4b
| rsa signature a2 32 02 b3 5b 9a 33 e8 22 42 ed 2e 0e 31 40 33
| rsa signature f5 a6 4e a1 17 5e fd 7a 0c 1d 48 34 4b b6 77 3c
| rsa signature 2d 7c 00 92 21 68 0f 89 85 33 13 f8 fd d6 db 33
| rsa signature 4a 53 27 d7 e1 49 e4 0c 26 6d 8c 6b 13 48 60 be
| rsa signature 55 06 0c e5 cd 31 26 32 5f 98 45 0d 8e bf f9 b9
| rsa signature 72 c9 c1 87 3e 67 37 5c 19 01 a4 05 6d e8 23 d6
| rsa signature 80 99 8f 0e d7 4d 51 39 d7 00 12 24 ac 35 38 40
| rsa signature c3 2d 33 07 3f e4 5c 16 22 f4 90 25 f1 04 68 c2
| rsa signature 8d ad ad 42 9c 52 6e e4 33 75 bd b3 6d 37 3d e6
| rsa signature 50 6d 85 28 e2 20 47 a3 94 78 78 48 ae 0e 37 26
| rsa signature 10 4f 30 f9 63 bf 6a 5c fa 0c 13 a1 e3 2e 4e a8
| rsa signature db a1 28 c1 c8 49 e0 17 86 5c 66 55 b2 41 86 a7
| rsa signature 0a fc 09 cd ea 2b f6 5d b2 93 89 17 13 93 8a a5
| rsa signature d6 b1 47 2e f9 d6 7c 3a cb fa 22 78 6a 85 b5 de
| rsa signature 55 aa d2 ca 04 71 42 a5 7d 5a 4c 16 df 94 9c e8
| rsa signature aa e4 9a cb 36 50 7e a7 72 2d 6e ad 3e 52 1a 9f
| rsa signature 83 da 82 f5 fd b0 9f 5d e6 9d 2b b6 58 c1 73 b6
| rsa signature de 43 b8 60 99 48 63 0f 1e 71 ca 0f 98 39 f1 5a
| rsa signature a3 64 61 6a 6c 0a fd 01 8e 75 ad e4 7c 05 74 7f
| rsa signature 51 47 80 24 29 37 21 95 94 42 b9 4b a3 6f 77 4c
| rsa signature 11 af 57 4f fb 6c f9 f4 34 86 32 4f da f1 52 2a
| #1 spent 7.86 milliseconds in ikev2_calculate_rsa_hash()
| emitting length of IKEv2 Authentication Payload: 392
| getting first pending from state #1
| netlink_get_spi: allocated 0xac2a2f4b for esp.0@192.1.3.209
| constructing ESP/AH proposals with all DH removed for private-or-clear#192.1.2.0/24 (IKE SA initiator emitting ESP/AH proposals)
| converting proposal AES_GCM_16_256-NONE to ikev2 ...
| ... ikev2_proposal: 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;DH=NONE;ESN=DISABLED
| converting proposal AES_GCM_16_128-NONE to ikev2 ...
| ... ikev2_proposal: 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;DH=NONE;ESN=DISABLED
| converting proposal AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128 to ikev2 ...
| ... ikev2_proposal: 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED
| converting proposal AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128 to ikev2 ...
| ... ikev2_proposal: 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED
"private-or-clear#192.1.2.0/24"[1] ...192.1.2.23: constructed local ESP/AH proposals for private-or-clear#192.1.2.0/24 (IKE SA initiator emitting ESP/AH proposals): 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;DH=NONE;ESN=DISABLED 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;DH=NONE;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED
| Emitting ikev2_proposals ...
| ****emit IKEv2 Security Association Payload:
| next payload type: ISAKMP_NEXT_v2NONE (0x0)
| flags: none (0x0)
| next payload chain: setting previous 'IKEv2 Authentication Payload'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA)
| next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet'
| discarding INTEG=NONE
| discarding DH=NONE
| *****emit IKEv2 Proposal Substructure Payload:
| last proposal: v2_PROPOSAL_NON_LAST (0x2)
| prop #: 1 (0x1)
| proto ID: IKEv2_SEC_PROTO_ESP (0x3)
| spi size: 4 (0x4)
| # transforms: 2 (0x2)
| last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal'
| emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload
| our spi ac 2a 2f 4b
| ******emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_ENCR (0x1)
| IKEv2 transform ID: AES_GCM_C (0x14)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| *******emit IKEv2 Attribute Substructure Payload:
| af+type: AF+IKEv2_KEY_LENGTH (0x800e)
| length/value: 256 (0x100)
| emitting length of IKEv2 Transform Substructure Payload: 12
| discarding INTEG=NONE
| discarding DH=NONE
| ******emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_LAST (0x0)
| IKEv2 transform type: TRANS_TYPE_ESN (0x5)
| IKEv2 transform ID: ESN_DISABLED (0x0)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| emitting length of IKEv2 Proposal Substructure Payload: 32
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0
| discarding INTEG=NONE
| discarding DH=NONE
| *****emit IKEv2 Proposal Substructure Payload:
| last proposal: v2_PROPOSAL_NON_LAST (0x2)
| prop #: 2 (0x2)
| proto ID: IKEv2_SEC_PROTO_ESP (0x3)
| spi size: 4 (0x4)
| # transforms: 2 (0x2)
| last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is v2_PROPOSAL_NON_LAST (0x2)
| last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal'
| emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload
| our spi ac 2a 2f 4b
| ******emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_ENCR (0x1)
| IKEv2 transform ID: AES_GCM_C (0x14)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| *******emit IKEv2 Attribute Substructure Payload:
| af+type: AF+IKEv2_KEY_LENGTH (0x800e)
| length/value: 128 (0x80)
| emitting length of IKEv2 Transform Substructure Payload: 12
| discarding INTEG=NONE
| discarding DH=NONE
| ******emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_LAST (0x0)
| IKEv2 transform type: TRANS_TYPE_ESN (0x5)
| IKEv2 transform ID: ESN_DISABLED (0x0)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| emitting length of IKEv2 Proposal Substructure Payload: 32
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0
| discarding DH=NONE
| *****emit IKEv2 Proposal Substructure Payload:
| last proposal: v2_PROPOSAL_NON_LAST (0x2)
| prop #: 3 (0x3)
| proto ID: IKEv2_SEC_PROTO_ESP (0x3)
| spi size: 4 (0x4)
| # transforms: 4 (0x4)
| last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is v2_PROPOSAL_NON_LAST (0x2)
| last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal'
| emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload
| our spi ac 2a 2f 4b
| ******emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_ENCR (0x1)
| IKEv2 transform ID: AES_CBC (0xc)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| *******emit IKEv2 Attribute Substructure Payload:
| af+type: AF+IKEv2_KEY_LENGTH (0x800e)
| length/value: 256 (0x100)
| emitting length of IKEv2 Transform Substructure Payload: 12
| ******emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_INTEG (0x3)
| IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| ******emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_INTEG (0x3)
| IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| discarding DH=NONE
| ******emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_LAST (0x0)
| IKEv2 transform type: TRANS_TYPE_ESN (0x5)
| IKEv2 transform ID: ESN_DISABLED (0x0)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| emitting length of IKEv2 Proposal Substructure Payload: 48
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0
| discarding DH=NONE
| *****emit IKEv2 Proposal Substructure Payload:
| last proposal: v2_PROPOSAL_LAST (0x0)
| prop #: 4 (0x4)
| proto ID: IKEv2_SEC_PROTO_ESP (0x3)
| spi size: 4 (0x4)
| # transforms: 4 (0x4)
| last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is v2_PROPOSAL_NON_LAST (0x2)
| last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal'
| emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload
| our spi ac 2a 2f 4b
| ******emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_ENCR (0x1)
| IKEv2 transform ID: AES_CBC (0xc)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| *******emit IKEv2 Attribute Substructure Payload:
| af+type: AF+IKEv2_KEY_LENGTH (0x800e)
| length/value: 128 (0x80)
| emitting length of IKEv2 Transform Substructure Payload: 12
| ******emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_INTEG (0x3)
| IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| ******emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_NON_LAST (0x3)
| IKEv2 transform type: TRANS_TYPE_INTEG (0x3)
| IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| discarding DH=NONE
| ******emit IKEv2 Transform Substructure Payload:
| last transform: v2_TRANSFORM_LAST (0x0)
| IKEv2 transform type: TRANS_TYPE_ESN (0x5)
| IKEv2 transform ID: ESN_DISABLED (0x0)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| emitting length of IKEv2 Proposal Substructure Payload: 48
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0
| emitting length of IKEv2 Security Association Payload: 164
| last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0
| ****emit IKEv2 Traffic Selector - Initiator - Payload:
| next payload type: ISAKMP_NEXT_v2NONE (0x0)
| flags: none (0x0)
| number of TS: 1 (0x1)
| next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Traffic Selector - Initiator - Payload (44:ISAKMP_NEXT_v2TSi)
| next payload chain: saving location 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' in 'reply packet'
| *****emit IKEv2 Traffic Selector:
| TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7)
| IP Protocol ID: 0 (0x0)
| start port: 0 (0x0)
| end port: 65535 (0xffff)
| emitting 4 raw bytes of ipv4 start into IKEv2 Traffic Selector
| ipv4 start c0 01 03 d1
| emitting 4 raw bytes of ipv4 end into IKEv2 Traffic Selector
| ipv4 end c0 01 03 d1
| emitting length of IKEv2 Traffic Selector: 16
| emitting length of IKEv2 Traffic Selector - Initiator - Payload: 24
| ****emit IKEv2 Traffic Selector - Responder - Payload:
| next payload type: ISAKMP_NEXT_v2NONE (0x0)
| flags: none (0x0)
| number of TS: 1 (0x1)
| next payload chain: setting previous 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' to current IKEv2 Traffic Selector - Responder - Payload (45:ISAKMP_NEXT_v2TSr)
| next payload chain: saving location 'IKEv2 Traffic Selector - Responder - Payload'.'next payload type' in 'reply packet'
| *****emit IKEv2 Traffic Selector:
| TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7)
| IP Protocol ID: 0 (0x0)
| start port: 0 (0x0)
| end port: 65535 (0xffff)
| emitting 4 raw bytes of ipv4 start into IKEv2 Traffic Selector
| ipv4 start c0 01 02 17
| emitting 4 raw bytes of ipv4 end into IKEv2 Traffic Selector
| ipv4 end c0 01 02 17
| emitting length of IKEv2 Traffic Selector: 16
| emitting length of IKEv2 Traffic Selector - Responder - Payload: 24
| Initiator child policy is tunnel mode, NOT sending v2N_USE_TRANSPORT_MODE
| Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED
| adding 1 bytes of padding (including 1 byte padding-length)
| emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload
| emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload
| emitting length of IKEv2 Encryption Payload: 2061
| emitting length of ISAKMP Message: 2089
| **parse ISAKMP Message:
| initiator cookie:
| 45 de 21 c6 8e 76 c2 02
| responder cookie:
| 56 b8 4c 3f 69 6a 43 06
| next payload type: ISAKMP_NEXT_v2SK (0x2e)
| ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
| exchange type: ISAKMP_v2_IKE_AUTH (0x23)
| flags: ISAKMP_FLAG_v2_IKE_INIT (0x8)
| Message ID: 1 (0x1)
| length: 2089 (0x829)
| **parse IKEv2 Encryption Payload:
| next payload type: ISAKMP_NEXT_v2IDi (0x23)
| flags: none (0x0)
| length: 2061 (0x80d)
| **emit ISAKMP Message:
| initiator cookie:
| 45 de 21 c6 8e 76 c2 02
| responder cookie:
| 56 b8 4c 3f 69 6a 43 06
| next payload type: ISAKMP_NEXT_NONE (0x0)
| ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
| exchange type: ISAKMP_v2_IKE_AUTH (0x23)
| flags: ISAKMP_FLAG_v2_IKE_INIT (0x8)
| Message ID: 1 (0x1)
| next payload chain: saving message location 'ISAKMP Message'.'next payload type'
| ***emit IKEv2 Encrypted Fragment:
| next payload type: ISAKMP_NEXT_v2IDi (0x23)
| flags: none (0x0)
| fragment number: 1 (0x1)
| total fragments: 5 (0x5)
| next payload chain: using supplied v2SKF 'IKEv2 Encrypted Fragment'.'next payload type' value 35:ISAKMP_NEXT_v2IDi
| next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encrypted Fragment (53:ISAKMP_NEXT_v2SKF)
| next payload chain: saving location 'IKEv2 Encrypted Fragment'.'next payload type' in 'reply frag packet'
| emitting 8 zero bytes of IV into IKEv2 Encrypted Fragment
| emitting 478 raw bytes of cleartext fragment into IKEv2 Encrypted Fragment
| cleartext fragment 25 00 00 bf 09 00 00 00 30 81 b4 31 0b 30 09 06
| cleartext fragment 03 55 04 06 13 02 43 41 31 10 30 0e 06 03 55 04
| cleartext fragment 08 0c 07 4f 6e 74 61 72 69 6f 31 10 30 0e 06 03
| cleartext fragment 55 04 07 0c 07 54 6f 72 6f 6e 74 6f 31 12 30 10
| cleartext fragment 06 03 55 04 0a 0c 09 4c 69 62 72 65 73 77 61 6e
| cleartext fragment 31 18 30 16 06 03 55 04 0b 0c 0f 54 65 73 74 20
| cleartext fragment 44 65 70 61 72 74 6d 65 6e 74 31 23 30 21 06 03
| cleartext fragment 55 04 03 0c 1a 72 6f 61 64 2e 74 65 73 74 69 6e
| cleartext fragment 67 2e 6c 69 62 72 65 73 77 61 6e 2e 6f 72 67 31
| cleartext fragment 2e 30 2c 06 09 2a 86 48 86 f7 0d 01 09 01 16 1f
| cleartext fragment 75 73 65 72 2d 72 6f 61 64 40 74 65 73 74 69 6e
| cleartext fragment 67 2e 6c 69 62 72 65 73 77 61 6e 2e 6f 72 67 24
| cleartext fragment 00 04 cd 04 30 82 04 c4 30 82 04 2d a0 03 02 01
| cleartext fragment 02 02 01 05 30 0d 06 09 2a 86 48 86 f7 0d 01 01
| cleartext fragment 0b 05 00 30 81 ac 31 0b 30 09 06 03 55 04 06 13
| cleartext fragment 02 43 41 31 10 30 0e 06 03 55 04 08 0c 07 4f 6e
| cleartext fragment 74 61 72 69 6f 31 10 30 0e 06 03 55 04 07 0c 07
| cleartext fragment 54 6f 72 6f 6e 74 6f 31 12 30 10 06 03 55 04 0a
| cleartext fragment 0c 09 4c 69 62 72 65 73 77 61 6e 31 18 30 16 06
| cleartext fragment 03 55 04 0b 0c 0f 54 65 73 74 20 44 65 70 61 72
| cleartext fragment 74 6d 65 6e 74 31 25 30 23 06 03 55 04 03 0c 1c
| cleartext fragment 4c 69 62 72 65 73 77 61 6e 20 74 65 73 74 20 43
| cleartext fragment 41 20 66 6f 72 20 6d 61 69 6e 63 61 31 24 30 22
| cleartext fragment 06 09 2a 86 48 86 f7 0d 01 09 01 16 15 74 65 73
| cleartext fragment 74 69 6e 67 40 6c 69 62 72 65 73 77 61 6e 2e 6f
| cleartext fragment 72 67 30 22 18 0f 32 30 31 39 30 38 32 34 30 39
| cleartext fragment 30 37 35 33 5a 18 0f 32 30 32 32 30 38 32 33 30
| cleartext fragment 39 30 37 35 33 5a 30 81 b4 31 0b 30 09 06 03 55
| cleartext fragment 04 06 13 02 43 41 31 10 30 0e 06 03 55 04 08 0c
| cleartext fragment 07 4f 6e 74 61 72 69 6f 31 10 30 0e 06 03
| adding 1 bytes of padding (including 1 byte padding-length)
| emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encrypted Fragment
| emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encrypted Fragment
| emitting length of IKEv2 Encrypted Fragment: 511
| emitting length of ISAKMP Message: 539
| **emit ISAKMP Message:
| initiator cookie:
| 45 de 21 c6 8e 76 c2 02
| responder cookie:
| 56 b8 4c 3f 69 6a 43 06
| next payload type: ISAKMP_NEXT_NONE (0x0)
| ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
| exchange type: ISAKMP_v2_IKE_AUTH (0x23)
| flags: ISAKMP_FLAG_v2_IKE_INIT (0x8)
| Message ID: 1 (0x1)
| next payload chain: saving message location 'ISAKMP Message'.'next payload type'
| ***emit IKEv2 Encrypted Fragment:
| next payload type: ISAKMP_NEXT_v2NONE (0x0)
| flags: none (0x0)
| fragment number: 2 (0x2)
| total fragments: 5 (0x5)
| next payload chain: using supplied v2SKF 'IKEv2 Encrypted Fragment'.'next payload type' value 0:ISAKMP_NEXT_v2NONE
| next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encrypted Fragment (53:ISAKMP_NEXT_v2SKF)
| next payload chain: saving location 'IKEv2 Encrypted Fragment'.'next payload type' in 'reply frag packet'
| emitting 8 zero bytes of IV into IKEv2 Encrypted Fragment
| emitting 478 raw bytes of cleartext fragment into IKEv2 Encrypted Fragment
| cleartext fragment 55 04 07 0c 07 54 6f 72 6f 6e 74 6f 31 12 30 10
| cleartext fragment 06 03 55 04 0a 0c 09 4c 69 62 72 65 73 77 61 6e
| cleartext fragment 31 18 30 16 06 03 55 04 0b 0c 0f 54 65 73 74 20
| cleartext fragment 44 65 70 61 72 74 6d 65 6e 74 31 23 30 21 06 03
| cleartext fragment 55 04 03 0c 1a 72 6f 61 64 2e 74 65 73 74 69 6e
| cleartext fragment 67 2e 6c 69 62 72 65 73 77 61 6e 2e 6f 72 67 31
| cleartext fragment 2e 30 2c 06 09 2a 86 48 86 f7 0d 01 09 01 16 1f
| cleartext fragment 75 73 65 72 2d 72 6f 61 64 40 74 65 73 74 69 6e
| cleartext fragment 67 2e 6c 69 62 72 65 73 77 61 6e 2e 6f 72 67 30
| cleartext fragment 82 01 a2 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01
| cleartext fragment 05 00 03 82 01 8f 00 30 82 01 8a 02 82 01 81 00
| cleartext fragment de eb 73 26 86 d7 2c 84 21 13 0e a4 23 30 11 c6
| cleartext fragment d4 b1 e8 99 58 5b 54 fa 8c cb 90 bf aa 54 64 e2
| cleartext fragment ef 00 f9 df b2 5a 20 d0 1f fd fb 02 a8 d4 60 ac
| cleartext fragment 44 ab c0 91 e1 eb 81 59 f7 6d 08 30 04 c9 63 5f
| cleartext fragment 07 58 6a d7 e6 ff 96 d3 79 c2 a1 6b d3 24 00 31
| cleartext fragment 74 f3 8f b4 e9 17 af d1 3c 33 ee 8b a9 19 b2 03
| cleartext fragment f1 98 8a 60 f2 f6 14 4b 31 a3 8b cb cb ae 31 d9
| cleartext fragment 70 5a 88 2d cc c8 77 e8 27 1f 75 07 9a 9b cc 5a
| cleartext fragment 53 bd 69 be 82 0e 9c b9 3b c8 4f fa 84 87 bb b6
| cleartext fragment 0d 2d ff 11 a1 2d 51 d4 3f c2 93 09 22 b4 2e 48
| cleartext fragment 0e 77 81 b6 79 ee 31 37 3d 55 2f 3d 4f 0e 26 7e
| cleartext fragment 73 34 4f 0d d1 90 84 c9 06 53 b6 31 7f 6e 62 51
| cleartext fragment c6 35 3b a1 03 8a 8b 62 bb 4d 37 a5 44 42 54 a2
| cleartext fragment 10 80 5f 75 0e 17 a0 4e d8 46 e8 02 bf a1 f5 e5
| cleartext fragment 2a 2e 5c dc b2 d7 93 d9 04 45 51 1d 5e 7d d8 fd
| cleartext fragment 03 96 0c d5 02 5b 72 03 26 b7 d6 cd a0 18 86 a7
| cleartext fragment 07 d0 74 c6 07 e8 5c 1f 7a af be d0 ae b8 e7 7a
| cleartext fragment 3b cf 5c fa ca ea ae c3 6f 85 22 9b 46 81 be 7c
| cleartext fragment 89 15 4f 06 47 30 9f bb ee 24 55 e2 21 cd
| adding 1 bytes of padding (including 1 byte padding-length)
| emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encrypted Fragment
| emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encrypted Fragment
| emitting length of IKEv2 Encrypted Fragment: 511
| emitting length of ISAKMP Message: 539
| **emit ISAKMP Message:
| initiator cookie:
| 45 de 21 c6 8e 76 c2 02
| responder cookie:
| 56 b8 4c 3f 69 6a 43 06
| next payload type: ISAKMP_NEXT_NONE (0x0)
| ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
| exchange type: ISAKMP_v2_IKE_AUTH (0x23)
| flags: ISAKMP_FLAG_v2_IKE_INIT (0x8)
| Message ID: 1 (0x1)
| next payload chain: saving message location 'ISAKMP Message'.'next payload type'
| ***emit IKEv2 Encrypted Fragment:
| next payload type: ISAKMP_NEXT_v2NONE (0x0)
| flags: none (0x0)
| fragment number: 3 (0x3)
| total fragments: 5 (0x5)
| next payload chain: using supplied v2SKF 'IKEv2 Encrypted Fragment'.'next payload type' value 0:ISAKMP_NEXT_v2NONE
| next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encrypted Fragment (53:ISAKMP_NEXT_v2SKF)
| next payload chain: saving location 'IKEv2 Encrypted Fragment'.'next payload type' in 'reply frag packet'
| emitting 8 zero bytes of IV into IKEv2 Encrypted Fragment
| emitting 478 raw bytes of cleartext fragment into IKEv2 Encrypted Fragment
| cleartext fragment 8e 93 f5 0e 33 49 5d 50 48 39 ac ab 37 59 f8 a2
| cleartext fragment 61 be a0 81 d5 25 97 2f 8b 2f bd d9 47 a4 5c a5
| cleartext fragment 3b c0 99 19 c5 fb 43 da 6f 6c 33 54 60 af 00 d5
| cleartext fragment 41 12 60 e5 bb 07 b8 76 8a 55 c4 c3 47 8b bd 12
| cleartext fragment bc e8 5e 94 62 7a 20 91 11 fb 23 b7 2d f5 6f 73
| cleartext fragment b6 a9 02 03 01 00 01 a3 81 e3 30 81 e0 30 09 06
| cleartext fragment 03 55 1d 13 04 02 30 00 30 25 06 03 55 1d 11 04
| cleartext fragment 1e 30 1c 82 1a 72 6f 61 64 2e 74 65 73 74 69 6e
| cleartext fragment 67 2e 6c 69 62 72 65 73 77 61 6e 2e 6f 72 67 30
| cleartext fragment 0b 06 03 55 1d 0f 04 04 03 02 07 80 30 1d 06 03
| cleartext fragment 55 1d 25 04 16 30 14 06 08 2b 06 01 05 05 07 03
| cleartext fragment 01 06 08 2b 06 01 05 05 07 03 02 30 41 06 08 2b
| cleartext fragment 06 01 05 05 07 01 01 04 35 30 33 30 31 06 08 2b
| cleartext fragment 06 01 05 05 07 30 01 86 25 68 74 74 70 3a 2f 2f
| cleartext fragment 6e 69 63 2e 74 65 73 74 69 6e 67 2e 6c 69 62 72
| cleartext fragment 65 73 77 61 6e 2e 6f 72 67 3a 32 35 36 30 30 3d
| cleartext fragment 06 03 55 1d 1f 04 36 30 34 30 32 a0 30 a0 2e 86
| cleartext fragment 2c 68 74 74 70 3a 2f 2f 6e 69 63 2e 74 65 73 74
| cleartext fragment 69 6e 67 2e 6c 69 62 72 65 73 77 61 6e 2e 6f 72
| cleartext fragment 67 2f 72 65 76 6f 6b 65 64 2e 63 72 6c 30 0d 06
| cleartext fragment 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 81 81 00
| cleartext fragment 79 c0 dc 4f ca 3c 5f 4e 21 3c 76 b0 44 66 c8 74
| cleartext fragment 40 7b 34 5d 63 96 6e ee c5 df ef 0f fe c2 e4 25
| cleartext fragment 18 39 25 d8 f8 6a b8 87 f9 17 94 73 7f 8d fb 7d
| cleartext fragment 9d 24 5e c5 95 19 96 3e 04 dd 8a d0 ad 11 f4 97
| cleartext fragment 32 43 d2 f3 1a d3 1c b1 e9 01 90 f2 72 36 cf d4
| cleartext fragment bd 14 e6 ad 8d d2 84 3b 92 94 99 40 21 16 68 aa
| cleartext fragment e7 5e ac 95 88 11 40 55 28 90 af 7f 98 b1 80 36
| cleartext fragment c5 18 f7 6e 43 40 bc 93 86 b3 f1 aa b3 89 b4 15
| cleartext fragment 27 00 00 08 0d 00 00 00 21 00 01 88 01 00
| adding 1 bytes of padding (including 1 byte padding-length)
| emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encrypted Fragment
| emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encrypted Fragment
| emitting length of IKEv2 Encrypted Fragment: 511
| emitting length of ISAKMP Message: 539
| **emit ISAKMP Message:
| initiator cookie:
| 45 de 21 c6 8e 76 c2 02
| responder cookie:
| 56 b8 4c 3f 69 6a 43 06
| next payload type: ISAKMP_NEXT_NONE (0x0)
| ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
| exchange type: ISAKMP_v2_IKE_AUTH (0x23)
| flags: ISAKMP_FLAG_v2_IKE_INIT (0x8)
| Message ID: 1 (0x1)
| next payload chain: saving message location 'ISAKMP Message'.'next payload type'
| ***emit IKEv2 Encrypted Fragment:
| next payload type: ISAKMP_NEXT_v2NONE (0x0)
| flags: none (0x0)
| fragment number: 4 (0x4)
| total fragments: 5 (0x5)
| next payload chain: using supplied v2SKF 'IKEv2 Encrypted Fragment'.'next payload type' value 0:ISAKMP_NEXT_v2NONE
| next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encrypted Fragment (53:ISAKMP_NEXT_v2SKF)
| next payload chain: saving location 'IKEv2 Encrypted Fragment'.'next payload type' in 'reply frag packet'
| emitting 8 zero bytes of IV into IKEv2 Encrypted Fragment
| emitting 478 raw bytes of cleartext fragment into IKEv2 Encrypted Fragment
| cleartext fragment 00 00 1e cc 08 d0 5f ac e4 5f 10 e2 42 a5 2c f8
| cleartext fragment 97 83 51 a2 7f a0 52 0b 5e 1d db 0e 3c 2e c7 05
| cleartext fragment 24 2f 96 34 0f fd 97 14 05 11 25 bd c1 1b 5a 1f
| cleartext fragment 63 4b a2 32 02 b3 5b 9a 33 e8 22 42 ed 2e 0e 31
| cleartext fragment 40 33 f5 a6 4e a1 17 5e fd 7a 0c 1d 48 34 4b b6
| cleartext fragment 77 3c 2d 7c 00 92 21 68 0f 89 85 33 13 f8 fd d6
| cleartext fragment db 33 4a 53 27 d7 e1 49 e4 0c 26 6d 8c 6b 13 48
| cleartext fragment 60 be 55 06 0c e5 cd 31 26 32 5f 98 45 0d 8e bf
| cleartext fragment f9 b9 72 c9 c1 87 3e 67 37 5c 19 01 a4 05 6d e8
| cleartext fragment 23 d6 80 99 8f 0e d7 4d 51 39 d7 00 12 24 ac 35
| cleartext fragment 38 40 c3 2d 33 07 3f e4 5c 16 22 f4 90 25 f1 04
| cleartext fragment 68 c2 8d ad ad 42 9c 52 6e e4 33 75 bd b3 6d 37
| cleartext fragment 3d e6 50 6d 85 28 e2 20 47 a3 94 78 78 48 ae 0e
| cleartext fragment 37 26 10 4f 30 f9 63 bf 6a 5c fa 0c 13 a1 e3 2e
| cleartext fragment 4e a8 db a1 28 c1 c8 49 e0 17 86 5c 66 55 b2 41
| cleartext fragment 86 a7 0a fc 09 cd ea 2b f6 5d b2 93 89 17 13 93
| cleartext fragment 8a a5 d6 b1 47 2e f9 d6 7c 3a cb fa 22 78 6a 85
| cleartext fragment b5 de 55 aa d2 ca 04 71 42 a5 7d 5a 4c 16 df 94
| cleartext fragment 9c e8 aa e4 9a cb 36 50 7e a7 72 2d 6e ad 3e 52
| cleartext fragment 1a 9f 83 da 82 f5 fd b0 9f 5d e6 9d 2b b6 58 c1
| cleartext fragment 73 b6 de 43 b8 60 99 48 63 0f 1e 71 ca 0f 98 39
| cleartext fragment f1 5a a3 64 61 6a 6c 0a fd 01 8e 75 ad e4 7c 05
| cleartext fragment 74 7f 51 47 80 24 29 37 21 95 94 42 b9 4b a3 6f
| cleartext fragment 77 4c 11 af 57 4f fb 6c f9 f4 34 86 32 4f da f1
| cleartext fragment 52 2a 2c 00 00 a4 02 00 00 20 01 03 04 02 ac 2a
| cleartext fragment 2f 4b 03 00 00 0c 01 00 00 14 80 0e 01 00 00 00
| cleartext fragment 00 08 05 00 00 00 02 00 00 20 02 03 04 02 ac 2a
| cleartext fragment 2f 4b 03 00 00 0c 01 00 00 14 80 0e 00 80 00 00
| cleartext fragment 00 08 05 00 00 00 02 00 00 30 03 03 04 04 ac 2a
| cleartext fragment 2f 4b 03 00 00 0c 01 00 00 0c 80 0e 01 00
| adding 1 bytes of padding (including 1 byte padding-length)
| emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encrypted Fragment
| emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encrypted Fragment
| emitting length of IKEv2 Encrypted Fragment: 511
| emitting length of ISAKMP Message: 539
| **emit ISAKMP Message:
| initiator cookie:
| 45 de 21 c6 8e 76 c2 02
| responder cookie:
| 56 b8 4c 3f 69 6a 43 06
| next payload type: ISAKMP_NEXT_NONE (0x0)
| ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
| exchange type: ISAKMP_v2_IKE_AUTH (0x23)
| flags: ISAKMP_FLAG_v2_IKE_INIT (0x8)
| Message ID: 1 (0x1)
| next payload chain: saving message location 'ISAKMP Message'.'next payload type'
| ***emit IKEv2 Encrypted Fragment:
| next payload type: ISAKMP_NEXT_v2NONE (0x0)
| flags: none (0x0)
| fragment number: 5 (0x5)
| total fragments: 5 (0x5)
| next payload chain: using supplied v2SKF 'IKEv2 Encrypted Fragment'.'next payload type' value 0:ISAKMP_NEXT_v2NONE
| next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encrypted Fragment (53:ISAKMP_NEXT_v2SKF)
| next payload chain: saving location 'IKEv2 Encrypted Fragment'.'next payload type' in 'reply frag packet'
| emitting 8 zero bytes of IV into IKEv2 Encrypted Fragment
| emitting 120 raw bytes of cleartext fragment into IKEv2 Encrypted Fragment
| cleartext fragment 03 00 00 08 03 00 00 0e 03 00 00 08 03 00 00 0c
| cleartext fragment 00 00 00 08 05 00 00 00 00 00 00 30 04 03 04 04
| cleartext fragment ac 2a 2f 4b 03 00 00 0c 01 00 00 0c 80 0e 00 80
| cleartext fragment 03 00 00 08 03 00 00 0e 03 00 00 08 03 00 00 0c
| cleartext fragment 00 00 00 08 05 00 00 00 2d 00 00 18 01 00 00 00
| cleartext fragment 07 00 00 10 00 00 ff ff c0 01 03 d1 c0 01 03 d1
| cleartext fragment 00 00 00 18 01 00 00 00 07 00 00 10 00 00 ff ff
| cleartext fragment c0 01 02 17 c0 01 02 17
| adding 1 bytes of padding (including 1 byte padding-length)
| emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encrypted Fragment
| emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encrypted Fragment
| emitting length of IKEv2 Encrypted Fragment: 153
| emitting length of ISAKMP Message: 181
| suspend processing: state #1 connection "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 from 192.1.2.23 (in complete_v2_state_transition() at ikev2.c:3379)
| start processing: state #2 connection "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 from 192.1.2.23 (in complete_v2_state_transition() at ikev2.c:3379)
| #2 complete_v2_state_transition() md.from_state=PARENT_I1 md.svm.state[from]=PARENT_I1 UNDEFINED->PARENT_I2 with status STF_OK
| IKEv2: transition from state STATE_PARENT_I1 to state STATE_PARENT_I2
| child state #2: UNDEFINED(ignore) => PARENT_I2(open IKE SA)
| Message ID: updating counters for #2 to 0 after switching state
| Message ID: recv #1.#2 response 0; ike: initiator.sent=0 initiator.recv=-1->0 responder.sent=-1 responder.recv=-1; child: wip.initiator=0->-1 wip.responder=-1
| Message ID: sent #1.#2 request 1; ike: initiator.sent=0->1 initiator.recv=0 responder.sent=-1 responder.recv=-1; child: wip.initiator=-1->1 wip.responder=-1
| STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
| sending V2 reply packet to 192.1.2.23:500 (from 192.1.3.209:500)
| sending fragments ...
| sending 539 bytes for STATE_PARENT_I1 through eth0 from 192.1.3.209:500 to 192.1.2.23:500 (using #1)
| 45 de 21 c6 8e 76 c2 02 56 b8 4c 3f 69 6a 43 06
| 35 20 23 08 00 00 00 01 00 00 02 1b 23 00 01 ff
| 00 01 00 05 f2 f8 b5 b9 fc f4 c9 87 0a c0 dd da
| 02 a7 26 57 75 e8 03 a3 66 34 0b 74 8f fa e9 b1
| 2d 32 e1 7e 41 0a 8b c9 9f 79 57 01 91 15 c8 5f
| fc 44 93 cf b8 33 0a 25 7a 8d 82 0d ac ea 16 63
| 04 7b e2 72 20 ef ec 5e 06 5a 29 c4 41 3a 6b c6
| a0 00 36 b2 f9 de be 67 84 0c 67 0c 33 b7 94 d2
| 2f a1 22 12 07 d3 d8 a2 40 6c 51 38 51 03 8a 0b
| 22 da 63 bf ac d5 28 64 6b 9c fb 4e 88 70 23 95
| 82 94 db 85 b6 8d 8f 3c 10 9c f6 5e fe 75 7f 03
| 67 62 ca 9a ff 8f 60 ee fa 88 50 95 18 69 ec 17
| 0b 9d 1f 03 5e d9 9a e3 5f 66 ba cc 07 f7 8f d0
| 13 d1 9b de 88 1b 3f d7 0d f6 94 59 e1 fc 05 49
| 5e 74 07 0e 3d f0 70 73 a1 9a 72 95 1a e3 ea 1d
| 16 5e 15 42 d7 56 79 3a c8 21 63 ea cd 55 9c 99
| c4 a5 79 a7 70 43 b4 78 ef b2 b7 16 ee 1d d2 90
| e8 99 92 d1 24 dc c1 79 22 f6 af 91 38 14 f3 10
| ce ee 1d 1a 2b 9c 5e 00 94 bf 07 7b 1b c4 05 90
| 13 42 5c e9 a5 ad 63 aa e0 db f0 38 75 51 ca 3b
| b3 41 08 31 30 b9 5f 99 ed 6b 88 87 9f b7 ba 63
| 03 9a 53 59 34 9c 93 15 83 72 9f 7a 76 dc 97 a2
| f0 d2 88 c2 5c 89 b4 26 17 b7 83 49 7f d5 9e 42
| dd 23 be b2 83 00 f5 1a aa a1 e0 2d 70 48 18 07
| 37 0b 12 f6 b4 65 45 1a c1 61 88 7f 78 37 73 52
| 82 bc 21 90 37 e9 2b 6a a7 3a ed 8d 0d da e3 be
| a9 db 31 fd 6a 0f 83 e3 1e e4 43 89 74 66 c5 ea
| 51 3a 1e 3c b7 c3 00 9d 2b 87 88 65 32 0a 2e 2d
| 9e 1f 3e d7 a4 26 40 63 f5 67 21 87 8a 0f 53 f7
| 04 8f 79 24 58 22 73 2f 25 06 0d af 83 b7 1c 7b
| 35 9f 96 3c 96 fd 57 97 e3 e8 77 21 0a e0 36 1a
| b5 3e bf 7f 82 02 3c d6 80 07 02 af 1a 23 b9 50
| bd 89 62 d6 76 cc 2d 69 f8 c4 c9 73 3c 70 71 53
| df 72 99 7e a7 b1 fb 68 db 3f 15
| sending 539 bytes for STATE_PARENT_I1 through eth0 from 192.1.3.209:500 to 192.1.2.23:500 (using #1)
| 45 de 21 c6 8e 76 c2 02 56 b8 4c 3f 69 6a 43 06
| 35 20 23 08 00 00 00 01 00 00 02 1b 00 00 01 ff
| 00 02 00 05 5b 09 6a a3 a7 95 11 07 96 32 a5 06
| 5e a4 90 b5 1a d9 11 93 40 e3 c8 92 d1 c1 47 c5
| 72 b7 5c 11 d2 04 a9 72 6f f3 4d d8 75 27 fe 5e
| 35 91 69 21 fe cd ec d8 5e bd bc 1f e2 b0 2b 62
| 90 5b ad a3 48 42 98 77 e9 6a 89 37 fc 95 ea 5a
| 85 74 02 97 bd c2 1b 7b c1 a7 b9 49 ed 86 ca c6
| 04 07 0e 48 a4 cd e4 f0 f7 5a 97 33 6e 83 8a 8e
| 33 8b e2 32 28 cf 0d 66 c3 09 cf ff 9a 23 07 88
| d3 22 5b 6e e4 b2 a5 52 52 c6 b0 45 72 28 bb 2c
| 30 2e 18 3e 53 37 bd 3c bd 95 a9 4b 6e 29 b1 0d
| bf 1c 01 65 42 d2 19 48 6d c4 8f b7 14 e7 09 cb
| 77 c3 fa a8 ad 1b 61 c7 e5 dd 98 ab 7b 49 20 9a
| 4e 14 2e a7 b2 34 99 1a 41 7d 44 8e ac 1e 55 45
| 08 de 47 eb f0 7f 02 cc 27 49 7c d9 b5 4b 3b cb
| e4 34 29 47 d5 3f 7e 35 3a cc ff 7e ac 7c c3 e0
| f9 0a c9 9b b3 e7 cb 09 f3 a5 c8 0f bb 24 32 e0
| bd 0d 01 01 fb 4d 14 8c ba 87 d2 66 ae 3f c9 04
| da de 01 8f 4a 3c 33 88 48 bb a5 f1 5f 28 cc e9
| 7d 70 5d 1d 55 eb c6 40 d6 45 4e 1e 73 92 75 95
| 3a b2 ae 9a 87 9f 60 e2 47 d1 32 6a 50 34 d9 96
| 95 a4 64 3d e5 cb 6b 6f 6f a8 2c 6c ec 4b 4d 9f
| 65 70 90 f0 97 74 eb 76 dc a4 df 4b b3 a5 00 14
| 9c 10 0f 43 66 4d fd 84 d9 c8 c3 8e 87 66 f2 76
| 1e 89 f8 f0 cd 5f dc 2c a8 2a 9a 73 a3 fc d5 45
| 7e 66 41 23 97 a4 09 5e c8 c8 a7 e8 b5 df c0 e4
| 0c 85 85 1b 25 b4 f5 57 f4 ab c6 1c e9 65 84 cf
| b0 53 92 3c f4 05 67 f0 f1 79 48 28 02 99 8e 2e
| 40 a0 68 e2 d1 82 49 b9 d9 da 89 31 97 8d 7d 77
| ed 2e 50 0e cd 26 39 a4 12 f7 94 94 8f 4d 24 3a
| 86 06 1a 0b 06 06 b2 74 af 71 7d aa 0e fd c8 c2
| d2 0e a9 ab 15 4f ca ce d1 23 e1 ac 0c 96 31 62
| 9e bb 98 f7 68 ec a5 f6 79 c2 a8
| sending 539 bytes for STATE_PARENT_I1 through eth0 from 192.1.3.209:500 to 192.1.2.23:500 (using #1)
| 45 de 21 c6 8e 76 c2 02 56 b8 4c 3f 69 6a 43 06
| 35 20 23 08 00 00 00 01 00 00 02 1b 00 00 01 ff
| 00 03 00 05 1e d2 6c 3f fd f9 d7 d9 13 72 fc 14
| 60 a3 e4 3c 2f 97 ad e4 2d e7 ef b0 c5 d7 13 03
| 42 57 4c 30 94 fd 5f 11 35 fc b2 6a 57 a8 01 fb
| a1 b4 9e bd a8 8a 5b c6 cf 1c d2 0a b6 9d 10 fc
| 60 8f c1 41 f2 72 0e b1 33 57 3d c0 c1 92 80 4f
| ee 90 3e cc b4 b5 1b b6 7f 6f 7b ca 8f 7c 59 68
| 8f 5f 5c 82 82 93 f5 94 38 9c c3 28 d0 da c0 62
| 1e 7c 83 23 5f 10 4b 0f 88 48 c5 38 52 1d 20 27
| 86 94 f1 bb b8 93 5b 0e a8 4d f7 ff e8 65 18 26
| 4c c0 e8 9b 5b 6f 25 3d c2 87 33 4b d2 e8 b3 07
| 24 a5 fd be 94 20 f4 2f cc 18 1f d5 92 c3 cd 0e
| e9 0c b4 f3 83 ae 54 7c 73 79 a3 ef 8d 02 4a 73
| 54 60 00 6f ac b7 7b 1b fd 30 06 a8 3c 37 b0 25
| 14 26 c3 73 72 79 c5 64 1c 20 48 00 d8 d5 bb 96
| 3f 00 56 1c 94 2f 35 b1 4a 74 0a 03 94 be b0 44
| 21 2d a8 d6 ff 98 e8 da de 9b 09 38 2f d8 ad 4e
| 8a 66 e9 5c 74 a7 6f 14 b7 8c e8 d5 a1 fc 02 89
| d6 36 30 ff 22 cf a6 8f f1 51 b7 d0 b2 6f 1c bc
| 77 92 07 3e 43 34 cf c4 67 74 a7 71 e5 17 c9 ea
| 1a d0 31 e1 03 53 f7 82 50 55 28 49 54 38 75 c6
| 34 5b 60 1c 99 de 44 31 c9 99 92 7e a7 4b 49 4f
| 81 37 97 c4 be d4 5a 23 e4 5e 22 83 d7 c9 95 ba
| 16 3d af dd 48 61 bd 7e 46 ec 62 1e 2d 5a 2a 66
| 4d 8b 81 dd 4c 4f 95 82 fe a9 86 36 33 8b 9e b0
| 2a 99 1e d1 e7 16 7b 5c c1 f0 dd df fa 41 c8 12
| ee b1 00 7c 99 99 0c 33 e6 0f 77 65 2d 47 df f3
| f7 9b 60 58 bf 20 b1 df 2e 3f 03 1b 99 e2 c5 2a
| 1e 18 42 72 86 a9 1d 88 ce 3c db 93 b6 40 62 10
| fb d0 58 b4 7d f6 bc 6e 2b 94 f6 49 bb 9a eb 52
| da 19 8c 08 ca f5 66 fe 6e 3f c2 48 72 17 fa 6f
| 66 63 f4 9d dd 80 51 ec 19 a5 45 74 52 7d c9 72
| 6e f8 81 6f f1 42 e6 c8 13 0c 2f
| sending 539 bytes for STATE_PARENT_I1 through eth0 from 192.1.3.209:500 to 192.1.2.23:500 (using #1)
| 45 de 21 c6 8e 76 c2 02 56 b8 4c 3f 69 6a 43 06
| 35 20 23 08 00 00 00 01 00 00 02 1b 00 00 01 ff
| 00 04 00 05 ed 9f dc d3 ec 94 5e 36 03 7f 2b bf
| 04 08 cf 45 b9 d9 51 2e 5c 47 b4 19 34 5b e8 0e
| 01 0d 77 bb c0 dd 03 0a 12 22 8a e9 c1 a8 cb 47
| 68 99 ba d8 bc f5 cf fa 72 ff 64 cf 33 cd e6 3d
| 7c c8 ee b6 a5 61 77 ae 58 e9 89 df 67 ec f3 50
| 6a cf 00 f0 90 38 38 5b ff 3a d9 b0 93 9b bc 37
| 2d 0d 62 39 27 c1 da 0c 9c 11 fa 13 73 ee 70 b1
| 12 39 6f 02 28 92 06 8a a2 fc cd de 6d 80 07 ff
| 34 41 30 7c f9 b0 f1 4e 62 0f 87 8e 9c c7 ec 6f
| ee b0 ba 02 e9 41 17 e1 03 76 29 5f 4c 53 d7 bb
| 3d 74 34 e4 16 30 45 e9 79 6e f8 e2 42 b2 07 d6
| 6c da 9e 1c 17 d6 0d f3 86 c0 eb 36 fb 14 4f cd
| 27 40 e4 da 6b 17 a5 e0 37 6b 89 42 7b 91 02 67
| 2f 65 c4 79 37 c2 c4 92 7b 08 5e 98 22 ab 5d 14
| b4 0f 64 20 f9 a0 3f 25 c5 96 d1 d2 16 9e 41 80
| 20 66 da b3 4f 35 02 6b 92 26 b4 56 8d 44 29 e1
| 07 a1 e0 26 56 4c a1 3a ab 42 8c e2 09 b9 71 07
| 7b a8 e7 02 d5 08 f6 a4 17 b5 f4 51 ea f6 5d b6
| 37 8e 00 f2 bd 92 4a 12 a7 28 cc 37 ff 21 fa 11
| 16 60 94 2c 97 c2 02 39 54 a3 86 c1 21 38 ee 46
| f7 9e 23 f0 df c6 1d 9a 37 a5 fe b2 49 ea ce 9e
| 5f 41 46 22 11 03 ad 7f c2 61 2b 89 a6 6f 2f 3e
| 90 bb 59 35 fd 9e 75 63 c1 d7 72 9d 01 0a d8 08
| 6b 22 b7 42 a1 ac ae fa ae e6 0f 74 b0 e5 13 67
| 44 40 b2 93 90 8d dd 20 ef f8 e3 c1 74 a1 c5 dc
| 8e 4c 2c 7f 74 e2 69 4d ae 1d 47 cc d0 53 2b e0
| 5f 5f 7c 52 c4 4a 94 c9 57 4b 91 01 a8 a6 9a b7
| 28 02 46 3d 02 52 32 3b f0 3a a3 7e ff 4f 68 02
| 47 05 74 f8 0b 53 eb ee 7b 80 cc 7c 02 d7 36 04
| 8b 76 94 6e f8 3c f1 69 e6 12 8c 31 ee fe 26 04
| e2 75 35 af 3d b9 7f c3 18 a8 22 f2 1a bb e3 5b
| cd 13 4e fe 45 18 fd 50 23 2c e2
| sending 181 bytes for STATE_PARENT_I1 through eth0 from 192.1.3.209:500 to 192.1.2.23:500 (using #1)
| 45 de 21 c6 8e 76 c2 02 56 b8 4c 3f 69 6a 43 06
| 35 20 23 08 00 00 00 01 00 00 00 b5 00 00 00 99
| 00 05 00 05 1a 1f a3 1a 16 e2 9e 9b 63 6e de 57
| 7e dd a7 75 7c 94 86 da c0 1b e8 46 bf 33 84 0f
| 01 59 49 1e eb 3a 34 4e 1f 51 be 51 b6 68 77 da
| b3 99 60 fe 0e 31 f1 f7 82 38 17 a4 b8 a5 cc 1a
| 59 f5 18 7d 76 98 0f 16 7a b3 e5 9d 59 b1 b4 cf
| ae 75 94 b3 6c de e3 37 98 90 cf a5 08 f0 60 ec
| b3 75 19 9f 70 ef 21 13 83 74 4b 87 fb 4a a2 a4
| 32 8e 8e 3d 6a cd 73 7e f1 a2 a3 38 6b b9 f4 f9
| 61 cf e7 78 84 86 c5 53 f3 d4 b7 a8 93 ae c6 7e
| 96 76 1b 8d 62
| sent 5 fragments
| success_v2_state_transition scheduling EVENT_RETRANSMIT of c->r_interval=15000ms
"private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 #2: IMPAIR: suppressing retransmits; scheduling timeout in 60 seconds
| event_schedule: new EVENT_RETRANSMIT-pe@0x563e9cc29598
| inserting event EVENT_RETRANSMIT, timeout in 60 seconds for #2
| libevent_malloc: new ptr-libevent@0x563e9cc25c08 size 128
| #2 STATE_PARENT_I2: retransmits: first event in 60 seconds; timeout in 60 seconds; limit of 12 retransmits; current time is 29578.346536
| resume sending helper answer for #1 suppresed complete_v2_state_transition()
| #1 spent 1.25 milliseconds
| #1 spent 9.45 milliseconds in resume sending helper answer
| stop processing: state #2 connection "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 from 192.1.2.23 (in resume_handler() at server.c:833)
| libevent_free: release ptr-libevent@0x7f3ee4000f48
| spent 0.00288 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue()
| *received 65 bytes from 192.1.2.23:500 on eth0 (192.1.3.209:500)
| 45 de 21 c6 8e 76 c2 02 56 b8 4c 3f 69 6a 43 06
| 2e 20 23 20 00 00 00 01 00 00 00 41 29 00 00 25
| cd c8 c3 32 96 b4 29 d6 08 28 35 68 aa 88 19 7f
| b5 3a fa a2 fc 1f 20 38 34 6e 51 2a 7c d9 9c ba
| a4
| start processing: from 192.1.2.23:500 (in process_md() at demux.c:378)
| **parse ISAKMP Message:
| initiator cookie:
| 45 de 21 c6 8e 76 c2 02
| responder cookie:
| 56 b8 4c 3f 69 6a 43 06
| next payload type: ISAKMP_NEXT_v2SK (0x2e)
| ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
| exchange type: ISAKMP_v2_IKE_AUTH (0x23)
| flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20)
| Message ID: 1 (0x1)
| length: 65 (0x41)
| processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35)
| I am the IKE SA Original Initiator receiving an IKEv2 IKE_AUTH response
| State DB: found IKEv2 state #1 in PARENT_I2 (find_v2_ike_sa)
| start processing: state #1 connection "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 from 192.1.2.23 (in ikev2_process_packet() at ikev2.c:2016)
| State DB: found IKEv2 state #2 in PARENT_I2 (find_v2_sa_by_initiator_wip)
| suspend processing: state #1 connection "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 from 192.1.2.23 (in ike_process_packet() at ikev2.c:2062)
| start processing: state #2 connection "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 from 192.1.2.23 (in ike_process_packet() at ikev2.c:2062)
| #2 is idle
| #2 idle
| unpacking clear payload
| Now let's proceed with payload (ISAKMP_NEXT_v2SK)
| ***parse IKEv2 Encryption Payload:
| next payload type: ISAKMP_NEXT_v2N (0x29)
| flags: none (0x0)
| length: 37 (0x25)
| processing payload: ISAKMP_NEXT_v2SK (len=33)
| #2 in state PARENT_I2: sent v2I2, expected v2R2
| #2 ikev2 ISAKMP_v2_IKE_AUTH decrypt success
| Now let's proceed with payload (ISAKMP_NEXT_v2N)
| **parse IKEv2 Notify Payload:
| next payload type: ISAKMP_NEXT_v2NONE (0x0)
| flags: none (0x0)
| length: 8 (0x8)
| Protocol ID: PROTO_v2_RESERVED (0x0)
| SPI size: 0 (0x0)
| Notify Message Type: v2N_AUTHENTICATION_FAILED (0x18)
| processing payload: ISAKMP_NEXT_v2N (len=0)
| selected state microcode Initiator: process AUTHENTICATION_FAILED AUTH notification
| Now let's proceed with state specific processing
| calling processor Initiator: process AUTHENTICATION_FAILED AUTH notification
"private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 #2: IKE SA authentication request rejected by peer: AUTHENTICATION_FAILED
| pstats #1 ikev2.ike failed auth-failed
"private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 #2: scheduling retry attempt 1 of an unlimited number
| release_pending_whacks: state #2 has no whack fd
| release_pending_whacks: IKE SA #1 fd@-1 has pending CHILD SA with socket fd@-1
| libevent_free: release ptr-libevent@0x563e9cc25c08
| free_event_entry: release EVENT_RETRANSMIT-pe@0x563e9cc29598
| event_schedule: new EVENT_RETRANSMIT-pe@0x563e9cc29598
| inserting event EVENT_RETRANSMIT, timeout in 59.993546 seconds for #2
| libevent_malloc: new ptr-libevent@0x7f3ee4000f48 size 128
"private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 #2: STATE_PARENT_I2: suppressing retransmits; will wait 59.993546 seconds for retry
| #2 spent 0.0321 milliseconds in processing: Initiator: process AUTHENTICATION_FAILED AUTH notification in ikev2_process_state_packet()
| [RE]START processing: state #2 connection "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 from 192.1.2.23 (in complete_v2_state_transition() at ikev2.c:3379)
| #2 complete_v2_state_transition() PARENT_I2->PARENT_I2 with status STF_IGNORE
| stop processing: state #2 connection "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 from 192.1.2.23 (in ikev2_process_packet() at ikev2.c:2018)
| #1 spent 0.168 milliseconds in ikev2_process_packet()
| stop processing: from 192.1.2.23:500 (in process_md() at demux.c:380)
| processing: STOP state #0 (in process_md() at demux.c:382)
| processing: STOP connection NULL (in process_md() at demux.c:383)
| spent 0.179 milliseconds in comm_handle_cb() reading and processing packet
| processing global timer EVENT_SHUNT_SCAN
| expiring aged bare shunts from shunt table
| spent 0.00464 milliseconds in global timer EVENT_SHUNT_SCAN
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
| FOR_EACH_STATE_... in show_traffic_status (sort_states)
| FOR_EACH_STATE_... in sort_states
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.105 milliseconds in whack
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.0361 milliseconds in whack
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
| FOR_EACH_STATE_... in show_traffic_status (sort_states)
| FOR_EACH_STATE_... in sort_states
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.0596 milliseconds in whack
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
| FOR_EACH_CONNECTION_... in show_connections_status
| FOR_EACH_CONNECTION_... in show_connections_status
| FOR_EACH_STATE_... in show_states_status (sort_states)
| FOR_EACH_STATE_... in sort_states
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.914 milliseconds in whack
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
shutting down
| processing: RESET whack log_fd (was fd@16) (in exit_pluto() at plutomain.c:1825)
| certs and keys locked by 'free_preshared_secrets'
forgetting secrets
| certs and keys unlocked by 'free_preshared_secrets'
| unreference key: 0x563e9cc1c0a8 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org cnt 1--
| unreference key: 0x563e9cc1dfe8 user-road@testing.libreswan.org cnt 1--
| unreference key: 0x563e9cc205f8 @road.testing.libreswan.org cnt 1--
| start processing: connection "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 (in delete_connection() at connections.c:189)
| removing pending policy for no connection {0x563e9cafd898}
| Deleting states for connection - including all other IPsec SA's of this IKE SA
| pass 0
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| state #2
| suspend processing: connection "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 (in foreach_state_by_connection_func_delete() at state.c:1310)
| start processing: state #2 connection "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 from 192.1.2.23 (in foreach_state_by_connection_func_delete() at state.c:1310)
| pstats #2 ikev2.child deleted other
| #2 spent 0.0321 milliseconds in total
| [RE]START processing: state #2 connection "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 from 192.1.2.23 (in delete_state() at state.c:879)
"private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 #2: deleting state (STATE_PARENT_I2) aged 29.418s and NOT sending notification
| child state #2: PARENT_I2(open IKE SA) => delete
| child state #2: PARENT_I2(open IKE SA) => CHILDSA_DEL(informational)
| state #2 requesting EVENT_RETRANSMIT to be deleted
| #2 STATE_CHILDSA_DEL: retransmits: cleared
| libevent_free: release ptr-libevent@0x7f3ee4000f48
| free_event_entry: release EVENT_RETRANSMIT-pe@0x563e9cc29598
| priority calculation of connection "private-or-clear#192.1.2.0/24" is 0x17dfdf
| delete inbound eroute 192.1.2.23/32:0 --0-> 192.1.3.209/32:0 => unk255.10000@192.1.3.209 (raw_eroute)
| raw_eroute result=success
| stop processing: connection "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 (BACKGROUND) (in update_state_connection() at connections.c:4076)
| start processing: connection NULL (in update_state_connection() at connections.c:4077)
| in connection_discard for connection private-or-clear#192.1.2.0/24
| State DB: deleting IKEv2 state #2 in CHILDSA_DEL
| child state #2: CHILDSA_DEL(informational) => UNDEFINED(ignore)
| stop processing: state #2 from 192.1.2.23 (in delete_state() at state.c:1143)
| processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312)
| state #1
| start processing: state #1 connection "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 from 192.1.2.23 (in foreach_state_by_connection_func_delete() at state.c:1310)
| pstats #1 ikev2.ike deleted auth-failed
| #1 spent 13.5 milliseconds in total
| [RE]START processing: state #1 connection "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 from 192.1.2.23 (in delete_state() at state.c:879)
"private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 #1: deleting state (STATE_PARENT_I2) aged 29.425s and NOT sending notification
| parent state #1: PARENT_I2(open IKE SA) => delete
| state #1 requesting EVENT_SA_REPLACE to be deleted
| libevent_free: release ptr-libevent@0x7f3eec002888
| free_event_entry: release EVENT_SA_REPLACE-pe@0x563e9cc25a88
| State DB: IKEv2 state not found (flush_incomplete_children)
| in connection_discard for connection private-or-clear#192.1.2.0/24
| State DB: deleting IKEv2 state #1 in PARENT_I2
| parent state #1: PARENT_I2(open IKE SA) => UNDEFINED(ignore)
| stop processing: state #1 from 192.1.2.23 (in delete_state() at state.c:1143)
| processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312)
| pass 1
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| shunt_eroute() called for connection 'private-or-clear#192.1.2.0/24' to 'delete' for rt_kind 'unrouted' using protoports 0--0->-0
| netlink_shunt_eroute for proto 0, and source port 0 dest port 0
| priority calculation of connection "private-or-clear#192.1.2.0/24" is 0x17dfdf
| netlink_raw_eroute: SPI_PASS
| priority calculation of connection "private-or-clear#192.1.2.0/24" is 0x17dfdf
| netlink_raw_eroute: SPI_PASS
| free hp@0x563e9cc23238
| flush revival: connection 'private-or-clear#192.1.2.0/24' wasn't on the list
| processing: STOP connection NULL (in discard_connection() at connections.c:249)
| start processing: connection "private-or-clear-all" (in delete_connection() at connections.c:189)
| Deleting states for connection - including all other IPsec SA's of this IKE SA
| pass 0
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| pass 1
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| flush revival: connection 'private-or-clear-all' wasn't on the list
| stop processing: connection "private-or-clear-all" (in discard_connection() at connections.c:249)
| start processing: connection "block" (in delete_connection() at connections.c:189)
| Deleting states for connection - including all other IPsec SA's of this IKE SA
| pass 0
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| pass 1
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| flush revival: connection 'block' wasn't on the list
| stop processing: connection "block" (in discard_connection() at connections.c:249)
| start processing: connection "private" (in delete_connection() at connections.c:189)
| Deleting states for connection - including all other IPsec SA's of this IKE SA
| pass 0
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| pass 1
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| flush revival: connection 'private' wasn't on the list
| stop processing: connection "private" (in discard_connection() at connections.c:249)
| start processing: connection "private-or-clear#192.1.2.0/24" (in delete_connection() at connections.c:189)
| Deleting states for connection - including all other IPsec SA's of this IKE SA
| pass 0
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| pass 1
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| shunt_eroute() called for connection 'private-or-clear#192.1.2.0/24' to 'delete' for rt_kind 'unrouted' using protoports 0--0->-0
| netlink_shunt_eroute for proto 0, and source port 0 dest port 0
| priority calculation of connection "private-or-clear#192.1.2.0/24" is 0x17dfe7
| netlink_raw_eroute: SPI_PASS
| priority calculation of connection "private-or-clear#192.1.2.0/24" is 0x17dfe7
| netlink_raw_eroute: SPI_PASS
| FOR_EACH_CONNECTION_... in route_owner
| conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000 vs
| conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000
| conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000 vs
| conn private-or-clear mark 0/00000000, 0/00000000
| conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000
| conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000
| conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000
| conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000
| conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000 vs
| conn clear mark 0/00000000, 0/00000000
| conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000 vs
| conn clear-or-private mark 0/00000000, 0/00000000
| route owner of "private-or-clear#192.1.2.0/24" unrouted: NULL
| running updown command "ipsec _updown" for verb unroute
| command executing unroute-host
| executing unroute-host: PLUTO_VERB='unroute-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='private-or-clear#192.1.2.0/24' PLUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='192.1.3.254' PLUTO_ME='192.1.3.209' PLUTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org' PLUTO_MY_CLIENT='192.1.3.209/32' PLUTO_MY_CLIENT_NET='192.1.3.209' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16432' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='ID_NULL' PLUTO_PEER_CLIENT='192.1.2.0/24' PLUTO_PEER_CLIENT_NET='192.1.2.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+NEGO_PASS+OPPORTUNISTIC+GROUPINSTANCE+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failurePASS' PLUTO_CONN_KIND='CK_TEMPLATE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' P
| popen cmd is 1215 chars long
| cmd( 0):PLUTO_VERB='unroute-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='private-or-clear:
| cmd( 80):#192.1.2.0/24' PLUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='192.1.3.254' PLUTO_ME='192:
| cmd( 160):.1.3.209' PLUTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Departm:
| cmd( 240):ent, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org' PLUTO_MY_:
| cmd( 320):CLIENT='192.1.3.209/32' PLUTO_MY_CLIENT_NET='192.1.3.209' PLUTO_MY_CLIENT_MASK=':
| cmd( 400):255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16432' :
| cmd( 480):PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='ID_NULL' PLUTO_PEER_CLI:
| cmd( 560):ENT='192.1.2.0/24' PLUTO_PEER_CLIENT_NET='192.1.2.0' PLUTO_PEER_CLIENT_MASK='255:
| cmd( 640):.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_S:
| cmd( 720):TACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+NEG:
| cmd( 800):O_PASS+OPPORTUNISTIC+GROUPINSTANCE+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO:
| cmd( 880):+failurePASS' PLUTO_CONN_KIND='CK_TEMPLATE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_F:
| cmd( 960):AILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='':
| cmd(1040): PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGU:
| cmd(1120):RED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ips:
| cmd(1200):ec _updown 2>&1:
"private-or-clear#192.1.2.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.2.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.2.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.2.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.2.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.2.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.2.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.2.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.2.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.2.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.2.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.2.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.2.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.2.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.2.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.2.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.2.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.2.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.2.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.2.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.2.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.2.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.2.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.2.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.2.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.2.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.2.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.2.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.2.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.2.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.2.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.2.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.2.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.2.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.2.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.2.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.2.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.2.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.2.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.2.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.2.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.2.0/24": unroute-host output: Error: Peer netns reference is invalid.
| flush revival: connection 'private-or-clear#192.1.2.0/24' wasn't on the list
| stop processing: connection "private-or-clear#192.1.2.0/24" (in discard_connection() at connections.c:249)
| start processing: connection "private-or-clear" (in delete_connection() at connections.c:189)
| Deleting states for connection - including all other IPsec SA's of this IKE SA
| pass 0
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| pass 1
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in foreach_connection_by_alias
| flush revival: connection 'private-or-clear' wasn't on the list
| stop processing: connection "private-or-clear" (in discard_connection() at connections.c:249)
| start processing: connection "clear#192.1.2.253/32" 0.0.0.0 (in delete_connection() at connections.c:189)
"clear#192.1.2.253/32" 0.0.0.0: deleting connection "clear#192.1.2.253/32" 0.0.0.0 instance with peer 0.0.0.0 {isakmp=#0/ipsec=#0}
| Deleting states for connection - including all other IPsec SA's of this IKE SA
| pass 0
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| pass 1
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| shunt_eroute() called for connection 'clear#192.1.2.253/32' to 'delete' for rt_kind 'unrouted' using protoports 0--0->-0
| netlink_shunt_eroute for proto 0, and source port 0 dest port 0
| priority calculation of connection "clear#192.1.2.253/32" is 0x17dfdf
| priority calculation of connection "clear#192.1.2.253/32" is 0x17dfdf
| FOR_EACH_CONNECTION_... in route_owner
| conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000
| conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000
| conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000
| conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000
| conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
| conn clear mark 0/00000000, 0/00000000
| conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
| conn clear-or-private mark 0/00000000, 0/00000000
| route owner of "clear#192.1.2.253/32" unrouted: NULL
| running updown command "ipsec _updown" for verb unroute
| command executing unroute-host
| executing unroute-host: PLUTO_VERB='unroute-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.2.253/32' PLUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='192.1.3.254' PLUTO_ME='192.1.3.209' PLUTO_MY_ID='192.1.3.209' PLUTO_MY_CLIENT='192.1.3.209/32' PLUTO_MY_CLIENT_NET='192.1.3.209' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16428' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.2.253/32' PLUTO_PEER_CLIENT_NET='192.1.2.253' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 S
| popen cmd is 1022 chars long
| cmd( 0):PLUTO_VERB='unroute-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.2.25:
| cmd( 80):3/32' PLUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='192.1.3.254' PLUTO_ME='192.1.3.209':
| cmd( 160): PLUTO_MY_ID='192.1.3.209' PLUTO_MY_CLIENT='192.1.3.209/32' PLUTO_MY_CLIENT_NET=:
| cmd( 240):'192.1.3.209' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_:
| cmd( 320):PROTOCOL='0' PLUTO_SA_REQID='16428' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PL:
| cmd( 400):UTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.2.253/32' PLUTO_PEER_CLIENT_NET='1:
| cmd( 480):92.1.2.253' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_P:
| cmd( 560):EER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_C:
| cmd( 640):ONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_G:
| cmd( 720):OING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' P:
| cmd( 800):LUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_S:
| cmd( 880):ERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING=:
| cmd( 960):'no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec _updown 2>&1:
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
| flush revival: connection 'clear#192.1.2.253/32' wasn't on the list
| stop processing: connection "clear#192.1.2.253/32" 0.0.0.0 (in discard_connection() at connections.c:249)
| start processing: connection "clear#192.1.3.253/32" 0.0.0.0 (in delete_connection() at connections.c:189)
"clear#192.1.3.253/32" 0.0.0.0: deleting connection "clear#192.1.3.253/32" 0.0.0.0 instance with peer 0.0.0.0 {isakmp=#0/ipsec=#0}
| Deleting states for connection - including all other IPsec SA's of this IKE SA
| pass 0
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| pass 1
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| shunt_eroute() called for connection 'clear#192.1.3.253/32' to 'delete' for rt_kind 'unrouted' using protoports 0--0->-0
| netlink_shunt_eroute for proto 0, and source port 0 dest port 0
| priority calculation of connection "clear#192.1.3.253/32" is 0x17dfdf
| priority calculation of connection "clear#192.1.3.253/32" is 0x17dfdf
| FOR_EACH_CONNECTION_... in route_owner
| conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000
| conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000
| conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000
| conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
| conn clear mark 0/00000000, 0/00000000
| conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
| conn clear-or-private mark 0/00000000, 0/00000000
| route owner of "clear#192.1.3.253/32" unrouted: NULL
| running updown command "ipsec _updown" for verb unroute
| command executing unroute-host
| executing unroute-host: PLUTO_VERB='unroute-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.3.253/32' PLUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='192.1.3.254' PLUTO_ME='192.1.3.209' PLUTO_MY_ID='192.1.3.209' PLUTO_MY_CLIENT='192.1.3.209/32' PLUTO_MY_CLIENT_NET='192.1.3.209' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16424' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.253/32' PLUTO_PEER_CLIENT_NET='192.1.3.253' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 S
| popen cmd is 1022 chars long
| cmd( 0):PLUTO_VERB='unroute-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.3.25:
| cmd( 80):3/32' PLUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='192.1.3.254' PLUTO_ME='192.1.3.209':
| cmd( 160): PLUTO_MY_ID='192.1.3.209' PLUTO_MY_CLIENT='192.1.3.209/32' PLUTO_MY_CLIENT_NET=:
| cmd( 240):'192.1.3.209' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_:
| cmd( 320):PROTOCOL='0' PLUTO_SA_REQID='16424' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PL:
| cmd( 400):UTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.253/32' PLUTO_PEER_CLIENT_NET='1:
| cmd( 480):92.1.3.253' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_P:
| cmd( 560):EER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_C:
| cmd( 640):ONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_G:
| cmd( 720):OING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' P:
| cmd( 800):LUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_S:
| cmd( 880):ERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING=:
| cmd( 960):'no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec _updown 2>&1:
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
| flush revival: connection 'clear#192.1.3.253/32' wasn't on the list
| stop processing: connection "clear#192.1.3.253/32" 0.0.0.0 (in discard_connection() at connections.c:249)
| start processing: connection "clear#192.1.3.254/32" 0.0.0.0 (in delete_connection() at connections.c:189)
"clear#192.1.3.254/32" 0.0.0.0: deleting connection "clear#192.1.3.254/32" 0.0.0.0 instance with peer 0.0.0.0 {isakmp=#0/ipsec=#0}
| Deleting states for connection - including all other IPsec SA's of this IKE SA
| pass 0
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| pass 1
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| shunt_eroute() called for connection 'clear#192.1.3.254/32' to 'delete' for rt_kind 'unrouted' using protoports 0--0->-0
| netlink_shunt_eroute for proto 0, and source port 0 dest port 0
| priority calculation of connection "clear#192.1.3.254/32" is 0x17dfdf
| priority calculation of connection "clear#192.1.3.254/32" is 0x17dfdf
| FOR_EACH_CONNECTION_... in route_owner
| conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000
| conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000
| conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
| conn clear mark 0/00000000, 0/00000000
| conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
| conn clear-or-private mark 0/00000000, 0/00000000
| route owner of "clear#192.1.3.254/32" unrouted: NULL
| running updown command "ipsec _updown" for verb unroute
| command executing unroute-host
| executing unroute-host: PLUTO_VERB='unroute-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.3.254/32' PLUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='192.1.3.254' PLUTO_ME='192.1.3.209' PLUTO_MY_ID='192.1.3.209' PLUTO_MY_CLIENT='192.1.3.209/32' PLUTO_MY_CLIENT_NET='192.1.3.209' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16420' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.254/32' PLUTO_PEER_CLIENT_NET='192.1.3.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 S
| popen cmd is 1022 chars long
| cmd( 0):PLUTO_VERB='unroute-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.3.25:
| cmd( 80):4/32' PLUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='192.1.3.254' PLUTO_ME='192.1.3.209':
| cmd( 160): PLUTO_MY_ID='192.1.3.209' PLUTO_MY_CLIENT='192.1.3.209/32' PLUTO_MY_CLIENT_NET=:
| cmd( 240):'192.1.3.209' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_:
| cmd( 320):PROTOCOL='0' PLUTO_SA_REQID='16420' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PL:
| cmd( 400):UTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.254/32' PLUTO_PEER_CLIENT_NET='1:
| cmd( 480):92.1.3.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_P:
| cmd( 560):EER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_C:
| cmd( 640):ONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_G:
| cmd( 720):OING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' P:
| cmd( 800):LUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_S:
| cmd( 880):ERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING=:
| cmd( 960):'no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec _updown 2>&1:
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
| flush revival: connection 'clear#192.1.3.254/32' wasn't on the list
| stop processing: connection "clear#192.1.3.254/32" 0.0.0.0 (in discard_connection() at connections.c:249)
| start processing: connection "clear#192.1.2.254/32" 0.0.0.0 (in delete_connection() at connections.c:189)
"clear#192.1.2.254/32" 0.0.0.0: deleting connection "clear#192.1.2.254/32" 0.0.0.0 instance with peer 0.0.0.0 {isakmp=#0/ipsec=#0}
| Deleting states for connection - including all other IPsec SA's of this IKE SA
| pass 0
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| pass 1
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| shunt_eroute() called for connection 'clear#192.1.2.254/32' to 'delete' for rt_kind 'unrouted' using protoports 0--0->-0
| netlink_shunt_eroute for proto 0, and source port 0 dest port 0
| priority calculation of connection "clear#192.1.2.254/32" is 0x17dfdf
| priority calculation of connection "clear#192.1.2.254/32" is 0x17dfdf
| FOR_EACH_CONNECTION_... in route_owner
| conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
| conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000
| conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
| conn clear mark 0/00000000, 0/00000000
| conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
| conn clear-or-private mark 0/00000000, 0/00000000
| route owner of "clear#192.1.2.254/32" unrouted: NULL
| running updown command "ipsec _updown" for verb unroute
| command executing unroute-host
| executing unroute-host: PLUTO_VERB='unroute-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.2.254/32' PLUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='192.1.3.254' PLUTO_ME='192.1.3.209' PLUTO_MY_ID='192.1.3.209' PLUTO_MY_CLIENT='192.1.3.209/32' PLUTO_MY_CLIENT_NET='192.1.3.209' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16416' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.2.254/32' PLUTO_PEER_CLIENT_NET='192.1.2.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 S
| popen cmd is 1022 chars long
| cmd( 0):PLUTO_VERB='unroute-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.2.25:
| cmd( 80):4/32' PLUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='192.1.3.254' PLUTO_ME='192.1.3.209':
| cmd( 160): PLUTO_MY_ID='192.1.3.209' PLUTO_MY_CLIENT='192.1.3.209/32' PLUTO_MY_CLIENT_NET=:
| cmd( 240):'192.1.3.209' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_:
| cmd( 320):PROTOCOL='0' PLUTO_SA_REQID='16416' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PL:
| cmd( 400):UTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.2.254/32' PLUTO_PEER_CLIENT_NET='1:
| cmd( 480):92.1.2.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_P:
| cmd( 560):EER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_C:
| cmd( 640):ONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_G:
| cmd( 720):OING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' P:
| cmd( 800):LUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_S:
| cmd( 880):ERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING=:
| cmd( 960):'no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec _updown 2>&1:
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
| flush revival: connection 'clear#192.1.2.254/32' wasn't on the list
| stop processing: connection "clear#192.1.2.254/32" 0.0.0.0 (in discard_connection() at connections.c:249)
| start processing: connection "clear" (in delete_connection() at connections.c:189)
| Deleting states for connection - including all other IPsec SA's of this IKE SA
| pass 0
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| pass 1
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in foreach_connection_by_alias
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in foreach_connection_by_alias
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in foreach_connection_by_alias
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in foreach_connection_by_alias
| flush revival: connection 'clear' wasn't on the list
| stop processing: connection "clear" (in discard_connection() at connections.c:249)
| start processing: connection "clear-or-private" (in delete_connection() at connections.c:189)
| Deleting states for connection - including all other IPsec SA's of this IKE SA
| pass 0
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| pass 1
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| free hp@0x563e9cc12ac8
| flush revival: connection 'clear-or-private' wasn't on the list
| stop processing: connection "clear-or-private" (in discard_connection() at connections.c:249)
| crl fetch request list locked by 'free_crl_fetch'
| crl fetch request list unlocked by 'free_crl_fetch'
shutting down interface lo/lo 127.0.0.1:4500
shutting down interface lo/lo 127.0.0.1:500
shutting down interface eth0/eth0 192.1.3.209:4500
shutting down interface eth0/eth0 192.1.3.209:500
| FOR_EACH_STATE_... in delete_states_dead_interfaces
| libevent_free: release ptr-libevent@0x563e9cc152a8
| free_event_entry: release EVENT_NULL-pe@0x563e9cc118d8
| libevent_free: release ptr-libevent@0x563e9cbac568
| free_event_entry: release EVENT_NULL-pe@0x563e9cc11988
| libevent_free: release ptr-libevent@0x563e9cbac618
| free_event_entry: release EVENT_NULL-pe@0x563e9cc11a38
| libevent_free: release ptr-libevent@0x563e9cbab548
| free_event_entry: release EVENT_NULL-pe@0x563e9cc11ae8
| FOR_EACH_UNORIENTED_CONNECTION_... in check_orientations
| libevent_free: release ptr-libevent@0x563e9cc05d48
| free_event_entry: release EVENT_NULL-pe@0x563e9cbf9ee8
| libevent_free: release ptr-libevent@0x563e9cbf29e8
| free_event_entry: release EVENT_NULL-pe@0x563e9cbf9a48
| libevent_free: release ptr-libevent@0x563e9cbf2938
| free_event_entry: release EVENT_NULL-pe@0x563e9cbb3a18
| global timer EVENT_REINIT_SECRET uninitialized
| global timer EVENT_SHUNT_SCAN uninitialized
| global timer EVENT_PENDING_DDNS uninitialized
| global timer EVENT_PENDING_PHASE2 uninitialized
| global timer EVENT_CHECK_CRLS uninitialized
| global timer EVENT_REVIVE_CONNS uninitialized
| global timer EVENT_FREE_ROOT_CERTS uninitialized
| global timer EVENT_RESET_LOG_RATE_LIMIT uninitialized
| global timer EVENT_NAT_T_KEEPALIVE uninitialized
| libevent_free: release ptr-libevent@0x563e9cbb7fe8
| signal event handler PLUTO_SIGCHLD uninstalled
| libevent_free: release ptr-libevent@0x563e9cb256b8
| signal event handler PLUTO_SIGTERM uninstalled
| libevent_free: release ptr-libevent@0x563e9cb3aa88
| signal event handler PLUTO_SIGHUP uninstalled
| libevent_free: release ptr-libevent@0x563e9cc114d8
| signal event handler PLUTO_SIGSYS uninstalled
| releasing event base
| libevent_free: release ptr-libevent@0x563e9cc113a8
| libevent_free: release ptr-libevent@0x563e9cbf4308
| libevent_free: release ptr-libevent@0x563e9cbf42b8
| libevent_free: release ptr-libevent@0x563e9cbab828
| libevent_free: release ptr-libevent@0x563e9cbf4278
| libevent_free: release ptr-libevent@0x563e9cc11038
| libevent_free: release ptr-libevent@0x563e9cc112a8
| libevent_free: release ptr-libevent@0x563e9cbf44b8
| libevent_free: release ptr-libevent@0x563e9cbf9ab8
| libevent_free: release ptr-libevent@0x563e9cbf9718
| libevent_free: release ptr-libevent@0x563e9cc11b58
| libevent_free: release ptr-libevent@0x563e9cc11aa8
| libevent_free: release ptr-libevent@0x563e9cc119f8
| libevent_free: release ptr-libevent@0x563e9cc11948
| libevent_free: release ptr-libevent@0x563e9cb41818
| libevent_free: release ptr-libevent@0x563e9cc11328
| libevent_free: release ptr-libevent@0x563e9cc112e8
| libevent_free: release ptr-libevent@0x563e9cc111a8
| libevent_free: release ptr-libevent@0x563e9cc11368
| libevent_free: release ptr-libevent@0x563e9cc11078
| libevent_free: release ptr-libevent@0x563e9cbb9b78
| libevent_free: release ptr-libevent@0x563e9cbb9af8
| libevent_free: release ptr-libevent@0x563e9cb352f8
| releasing global libevent data
| libevent_free: release ptr-libevent@0x563e9cbb9cf8
| libevent_free: release ptr-libevent@0x563e9cbb9c78
| libevent_free: release ptr-libevent@0x563e9cbb9bf8
leak: group instance name, item size: 30
leak: cloned from groupname, item size: 17
leak: group instance name, item size: 21
leak: cloned from groupname, item size: 6
leak: group instance name, item size: 21
leak: cloned from groupname, item size: 6
leak: group instance name, item size: 21
leak: cloned from groupname, item size: 6
leak: group instance name, item size: 21
leak: cloned from groupname, item size: 6
leak: policy group path, item size: 54
leak detective found 11 leaks, total size 209