FIPS Product: YES
FIPS Kernel: NO
FIPS Mode: NO
NSS DB directory: sql:/etc/ipsec.d
Initializing NSS
Opening NSS database "sql:/etc/ipsec.d" read-only
NSS initialized
NSS crypto library initialized
FIPS HMAC integrity support [enabled]
FIPS mode disabled for pluto daemon
FIPS HMAC integrity verification self-test FAILED
libcap-ng support [enabled]
Linux audit support [enabled]
Linux audit activated
Starting Pluto (Libreswan Version v3.28-685-gbfd5aef521-master-s2 XFRM(netkey) esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) DNSSEC FIPS_CHECK LABELED_IPSEC SECCOMP LIBCAP_NG LINUX_AUDIT XAUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:23750
core dump dir: /tmp
secrets file: /etc/ipsec.secrets
leak-detective enabled
NSS crypto [enabled]
XAUTH PAM support [enabled]
| libevent is using pluto's memory allocator
Initializing libevent in pthreads mode: headers: 2.1.8-stable (2010800); library: 2.1.8-stable (2010800)
| libevent_malloc: new ptr-libevent@0x563e9cbb9cf8 size 40
| libevent_malloc: new ptr-libevent@0x563e9cbb9c78 size 40
| libevent_malloc: new ptr-libevent@0x563e9cbb9bf8 size 40
| creating event base
| libevent_malloc: new ptr-libevent@0x563e9cbab828 size 56
| libevent_malloc: new ptr-libevent@0x563e9cb352f8 size 664
| libevent_malloc: new ptr-libevent@0x563e9cbf42b8 size 24
| libevent_malloc: new ptr-libevent@0x563e9cbf4308 size 384
| libevent_malloc: new ptr-libevent@0x563e9cbf4278 size 16
| libevent_malloc: new ptr-libevent@0x563e9cbb9b78 size 40
| libevent_malloc: new ptr-libevent@0x563e9cbb9af8 size 48
| libevent_realloc: new ptr-libevent@0x563e9cb41818 size 256
| libevent_malloc: new ptr-libevent@0x563e9cbf44b8 size 16
| libevent_free: release ptr-libevent@0x563e9cbab828
| libevent initialized
| libevent_realloc: new ptr-libevent@0x563e9cbab828 size 64
| global periodic timer EVENT_RESET_LOG_RATE_LIMIT enabled with interval of 3600 seconds
| init_nat_traversal() initialized with keep_alive=0s
NAT-Traversal support  [enabled]
| global one-shot timer EVENT_NAT_T_KEEPALIVE initialized
| global one-shot timer EVENT_FREE_ROOT_CERTS initialized
| global periodic timer EVENT_REINIT_SECRET enabled with interval of 3600 seconds
| global one-shot timer EVENT_REVIVE_CONNS initialized
| global periodic timer EVENT_PENDING_DDNS enabled with interval of 60 seconds
| global periodic timer EVENT_PENDING_PHASE2 enabled with interval of 120 seconds
Encryption algorithms:
  AES_CCM_16              IKEv1:     ESP     IKEv2:     ESP     FIPS  {256,192,*128}  aes_ccm, aes_ccm_c
  AES_CCM_12              IKEv1:     ESP     IKEv2:     ESP     FIPS  {256,192,*128}  aes_ccm_b
  AES_CCM_8               IKEv1:     ESP     IKEv2:     ESP     FIPS  {256,192,*128}  aes_ccm_a
  3DES_CBC                IKEv1: IKE ESP     IKEv2: IKE ESP     FIPS  [*192]  3des
  CAMELLIA_CTR            IKEv1:     ESP     IKEv2:     ESP           {256,192,*128}
  CAMELLIA_CBC            IKEv1: IKE ESP     IKEv2: IKE ESP           {256,192,*128}  camellia
  AES_GCM_16              IKEv1:     ESP     IKEv2: IKE ESP     FIPS  {256,192,*128}  aes_gcm, aes_gcm_c
  AES_GCM_12              IKEv1:     ESP     IKEv2: IKE ESP     FIPS  {256,192,*128}  aes_gcm_b
  AES_GCM_8               IKEv1:     ESP     IKEv2: IKE ESP     FIPS  {256,192,*128}  aes_gcm_a
  AES_CTR                 IKEv1: IKE ESP     IKEv2: IKE ESP     FIPS  {256,192,*128}  aesctr
  AES_CBC                 IKEv1: IKE ESP     IKEv2: IKE ESP     FIPS  {256,192,*128}  aes
  SERPENT_CBC             IKEv1: IKE ESP     IKEv2: IKE ESP           {256,192,*128}  serpent
  TWOFISH_CBC             IKEv1: IKE ESP     IKEv2: IKE ESP           {256,192,*128}  twofish
  TWOFISH_SSH             IKEv1: IKE         IKEv2: IKE ESP           {256,192,*128}  twofish_cbc_ssh
  NULL_AUTH_AES_GMAC      IKEv1:     ESP     IKEv2:     ESP     FIPS  {256,192,*128}  aes_gmac
  NULL                    IKEv1:     ESP     IKEv2:     ESP           []
  CHACHA20_POLY1305       IKEv1:             IKEv2: IKE ESP           [*256]  chacha20poly1305
Hash algorithms:
  MD5                     IKEv1: IKE         IKEv2:                 
  SHA1                    IKEv1: IKE         IKEv2:             FIPS  sha
  SHA2_256                IKEv1: IKE         IKEv2:             FIPS  sha2, sha256
  SHA2_384                IKEv1: IKE         IKEv2:             FIPS  sha384
  SHA2_512                IKEv1: IKE         IKEv2:             FIPS  sha512
PRF algorithms:
  HMAC_MD5                IKEv1: IKE         IKEv2: IKE               md5
  HMAC_SHA1               IKEv1: IKE         IKEv2: IKE         FIPS  sha, sha1
  HMAC_SHA2_256           IKEv1: IKE         IKEv2: IKE         FIPS  sha2, sha256, sha2_256
  HMAC_SHA2_384           IKEv1: IKE         IKEv2: IKE         FIPS  sha384, sha2_384
  HMAC_SHA2_512           IKEv1: IKE         IKEv2: IKE         FIPS  sha512, sha2_512
  AES_XCBC                IKEv1:             IKEv2: IKE               aes128_xcbc
Integrity algorithms:
  HMAC_MD5_96             IKEv1: IKE ESP AH  IKEv2: IKE ESP AH        md5, hmac_md5
  HMAC_SHA1_96            IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  sha, sha1, sha1_96, hmac_sha1
  HMAC_SHA2_512_256       IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  sha512, sha2_512, sha2_512_256, hmac_sha2_512
  HMAC_SHA2_384_192       IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  sha384, sha2_384, sha2_384_192, hmac_sha2_384
  HMAC_SHA2_256_128       IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256
  HMAC_SHA2_256_TRUNCBUG  IKEv1:     ESP AH  IKEv2:         AH      
  AES_XCBC_96             IKEv1:     ESP AH  IKEv2: IKE ESP AH        aes_xcbc, aes128_xcbc, aes128_xcbc_96
  AES_CMAC_96             IKEv1:     ESP AH  IKEv2:     ESP AH  FIPS  aes_cmac
  NONE                    IKEv1:     ESP     IKEv2: IKE ESP     FIPS  null
DH algorithms:
  NONE                    IKEv1:             IKEv2: IKE ESP AH  FIPS  null, dh0
  MODP1536                IKEv1: IKE ESP AH  IKEv2: IKE ESP AH        dh5
  MODP2048                IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  dh14
  MODP3072                IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  dh15
  MODP4096                IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  dh16
  MODP6144                IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  dh17
  MODP8192                IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  dh18
  DH19                    IKEv1: IKE         IKEv2: IKE ESP AH  FIPS  ecp_256, ecp256
  DH20                    IKEv1: IKE         IKEv2: IKE ESP AH  FIPS  ecp_384, ecp384
  DH21                    IKEv1: IKE         IKEv2: IKE ESP AH  FIPS  ecp_521, ecp521
  DH31                    IKEv1: IKE         IKEv2: IKE ESP AH        curve25519
testing CAMELLIA_CBC:
  Camellia: 16 bytes with 128-bit key
  Camellia: 16 bytes with 128-bit key
  Camellia: 16 bytes with 256-bit key
  Camellia: 16 bytes with 256-bit key
testing AES_GCM_16:
  empty string
  one block
  two blocks
  two blocks with associated data
testing AES_CTR:
  Encrypting 16 octets using AES-CTR with 128-bit key
  Encrypting 32 octets using AES-CTR with 128-bit key
  Encrypting 36 octets using AES-CTR with 128-bit key
  Encrypting 16 octets using AES-CTR with 192-bit key
  Encrypting 32 octets using AES-CTR with 192-bit key
  Encrypting 36 octets using AES-CTR with 192-bit key
  Encrypting 16 octets using AES-CTR with 256-bit key
  Encrypting 32 octets using AES-CTR with 256-bit key
  Encrypting 36 octets using AES-CTR with 256-bit key
testing AES_CBC:
  Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key
  Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key
  Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key
  Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key
testing AES_XCBC:
  RFC 3566 Test Case #1: AES-XCBC-MAC-96 with 0-byte input
  RFC 3566 Test Case #2: AES-XCBC-MAC-96 with 3-byte input
  RFC 3566 Test Case #3: AES-XCBC-MAC-96 with 16-byte input
  RFC 3566 Test Case #4: AES-XCBC-MAC-96 with 20-byte input
  RFC 3566 Test Case #5: AES-XCBC-MAC-96 with 32-byte input
  RFC 3566 Test Case #6: AES-XCBC-MAC-96 with 34-byte input
  RFC 3566 Test Case #7: AES-XCBC-MAC-96 with 1000-byte input
  RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 16)
  RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10)
  RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18)
testing HMAC_MD5:
  RFC 2104: MD5_HMAC test 1
  RFC 2104: MD5_HMAC test 2
  RFC 2104: MD5_HMAC test 3
8 CPU cores online
starting up 7 crypto helpers
started thread for crypto helper 0
| starting up helper thread 0
started thread for crypto helper 1
| status value returned by setting the priority of this thread (crypto helper 0) 22
| crypto helper 0 waiting (nothing to do)
| starting up helper thread 1
started thread for crypto helper 2
| status value returned by setting the priority of this thread (crypto helper 1) 22
| crypto helper 1 waiting (nothing to do)
| starting up helper thread 2
| status value returned by setting the priority of this thread (crypto helper 2) 22
| crypto helper 2 waiting (nothing to do)
started thread for crypto helper 3
| starting up helper thread 3
| status value returned by setting the priority of this thread (crypto helper 3) 22
started thread for crypto helper 4
| crypto helper 3 waiting (nothing to do)
| starting up helper thread 4
| status value returned by setting the priority of this thread (crypto helper 4) 22
| crypto helper 4 waiting (nothing to do)
started thread for crypto helper 5
| starting up helper thread 5
| status value returned by setting the priority of this thread (crypto helper 5) 22
| crypto helper 5 waiting (nothing to do)
started thread for crypto helper 6
| checking IKEv1 state table
|   MAIN_R0: category: half-open IKE SA flags: 0:
|     -> MAIN_R1 EVENT_SO_DISCARD
|   MAIN_I1: category: half-open IKE SA flags: 0:
|     -> MAIN_I2 EVENT_RETRANSMIT
|   MAIN_R1: category: open IKE SA flags: 200:
|     -> MAIN_R2 EVENT_RETRANSMIT
|     -> UNDEFINED EVENT_RETRANSMIT
|     -> UNDEFINED EVENT_RETRANSMIT
|   MAIN_I2: category: open IKE SA flags: 0:
|     -> MAIN_I3 EVENT_RETRANSMIT
|     -> UNDEFINED EVENT_RETRANSMIT
|     -> UNDEFINED EVENT_RETRANSMIT
|   MAIN_R2: category: open IKE SA flags: 0:
|     -> MAIN_R3 EVENT_SA_REPLACE
|     -> MAIN_R3 EVENT_SA_REPLACE
|     -> UNDEFINED EVENT_SA_REPLACE
|   MAIN_I3: category: open IKE SA flags: 0:
|     -> MAIN_I4 EVENT_SA_REPLACE
|     -> MAIN_I4 EVENT_SA_REPLACE
|     -> UNDEFINED EVENT_SA_REPLACE
|   MAIN_R3: category: established IKE SA flags: 200:
|     -> UNDEFINED EVENT_NULL
|   MAIN_I4: category: established IKE SA flags: 0:
|     -> UNDEFINED EVENT_NULL
|   AGGR_R0: category: half-open IKE SA flags: 0:
|     -> AGGR_R1 EVENT_SO_DISCARD
|   AGGR_I1: category: half-open IKE SA flags: 0:
|     -> AGGR_I2 EVENT_SA_REPLACE
|     -> AGGR_I2 EVENT_SA_REPLACE
|   AGGR_R1: category: open IKE SA flags: 200:
|     -> AGGR_R2 EVENT_SA_REPLACE
|     -> AGGR_R2 EVENT_SA_REPLACE
|   AGGR_I2: category: established IKE SA flags: 200:
|     -> UNDEFINED EVENT_NULL
|   AGGR_R2: category: established IKE SA flags: 0:
|     -> UNDEFINED EVENT_NULL
|   QUICK_R0: category: established CHILD SA flags: 0:
|     -> QUICK_R1 EVENT_RETRANSMIT
|   QUICK_I1: category: established CHILD SA flags: 0:
|     -> QUICK_I2 EVENT_SA_REPLACE
|   QUICK_R1: category: established CHILD SA flags: 0:
|     -> QUICK_R2 EVENT_SA_REPLACE
|   QUICK_I2: category: established CHILD SA flags: 200:
|     -> UNDEFINED EVENT_NULL
|   QUICK_R2: category: established CHILD SA flags: 0:
|     -> UNDEFINED EVENT_NULL
|   INFO: category: informational flags: 0:
|     -> UNDEFINED EVENT_NULL
|   INFO_PROTECTED: category: informational flags: 0:
|     -> UNDEFINED EVENT_NULL
|   XAUTH_R0: category: established IKE SA flags: 0:
|     -> XAUTH_R1 EVENT_NULL
|   XAUTH_R1: category: established IKE SA flags: 0:
|     -> MAIN_R3 EVENT_SA_REPLACE
|   MODE_CFG_R0: category: informational flags: 0:
|     -> MODE_CFG_R1 EVENT_SA_REPLACE
|   MODE_CFG_R1: category: established IKE SA flags: 0:
|     -> MODE_CFG_R2 EVENT_SA_REPLACE
|   MODE_CFG_R2: category: established IKE SA flags: 0:
|     -> UNDEFINED EVENT_NULL
|   MODE_CFG_I1: category: established IKE SA flags: 0:
|     -> MAIN_I4 EVENT_SA_REPLACE
|   XAUTH_I0: category: established IKE SA flags: 0:
|     -> XAUTH_I1 EVENT_RETRANSMIT
|   XAUTH_I1: category: established IKE SA flags: 0:
|     -> MAIN_I4 EVENT_RETRANSMIT
| checking IKEv2 state table
|   PARENT_I0: category: ignore flags: 0:
|     -> PARENT_I1 EVENT_RETRANSMIT send-request (initiate IKE_SA_INIT)
|   PARENT_I1: category: half-open IKE SA flags: 0:
|     -> PARENT_I1 EVENT_RETAIN send-request (Initiator: process SA_INIT reply notification)
|     -> PARENT_I2 EVENT_RETRANSMIT send-request (Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH)
|   PARENT_I2: category: open IKE SA flags: 0:
|     -> PARENT_I2 EVENT_NULL (Initiator: process INVALID_SYNTAX AUTH notification)
|     -> PARENT_I2 EVENT_NULL (Initiator: process AUTHENTICATION_FAILED AUTH notification)
|     -> PARENT_I2 EVENT_NULL (Initiator: process UNSUPPORTED_CRITICAL_PAYLOAD AUTH notification)
|     -> V2_IPSEC_I EVENT_SA_REPLACE (Initiator: process IKE_AUTH response)
|     -> PARENT_I2 EVENT_NULL (IKE SA: process IKE_AUTH response containing unknown notification)
|   PARENT_I3: category: established IKE SA flags: 0:
|     -> PARENT_I3 EVENT_RETAIN (I3: Informational Request)
|     -> PARENT_I3 EVENT_RETAIN (I3: Informational Response)
|     -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Request)
|     -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Response)
|   PARENT_R0: category: half-open IKE SA flags: 0:
|     -> PARENT_R1 EVENT_SO_DISCARD send-request (Respond to IKE_SA_INIT)
|   PARENT_R1: category: half-open IKE SA flags: 0:
|     -> PARENT_R1 EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request (no SKEYSEED))
|     -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request)
|   PARENT_R2: category: established IKE SA flags: 0:
|     -> PARENT_R2 EVENT_RETAIN (R2: process Informational Request)
|     -> PARENT_R2 EVENT_RETAIN (R2: process Informational Response)
|     -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Request)
|     -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Response)
|   V2_CREATE_I0: category: established IKE SA flags: 0:
|     -> V2_CREATE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec SA)
|   V2_CREATE_I: category: established IKE SA flags: 0:
|     -> V2_IPSEC_I EVENT_SA_REPLACE (Process CREATE_CHILD_SA IPsec SA Response)
|   V2_REKEY_IKE_I0: category: established IKE SA flags: 0:
|     -> V2_REKEY_IKE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IKE Rekey)
|   V2_REKEY_IKE_I: category: established IKE SA flags: 0:
|     -> PARENT_I3 EVENT_SA_REPLACE (Process CREATE_CHILD_SA IKE Rekey Response)
|   V2_REKEY_CHILD_I0: category: established IKE SA flags: 0:
|     -> V2_REKEY_CHILD_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec Rekey SA)
|   V2_REKEY_CHILD_I: category: established IKE SA flags: 0: <none>
|   V2_CREATE_R: category: established IKE SA flags: 0:
|     -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IPsec SA Request)
|   V2_REKEY_IKE_R: category: established IKE SA flags: 0:
|     -> PARENT_R2 EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IKE Rekey)
|   V2_REKEY_CHILD_R: category: established IKE SA flags: 0: <none>
|   V2_IPSEC_I: category: established CHILD SA flags: 0: <none>
|   V2_IPSEC_R: category: established CHILD SA flags: 0: <none>
|   IKESA_DEL: category: established IKE SA flags: 0:
|     -> IKESA_DEL EVENT_RETAIN (IKE_SA_DEL: process INFORMATIONAL)
|   CHILDSA_DEL: category: informational flags: 0: <none>
Using Linux XFRM/NETKEY IPsec interface code on 5.1.18-200.fc29.x86_64
| Hard-wiring algorithms
| adding AES_CCM_16 to kernel algorithm db
| adding AES_CCM_12 to kernel algorithm db
| adding AES_CCM_8 to kernel algorithm db
| adding 3DES_CBC to kernel algorithm db
| adding CAMELLIA_CBC to kernel algorithm db
| adding AES_GCM_16 to kernel algorithm db
| adding AES_GCM_12 to kernel algorithm db
| adding AES_GCM_8 to kernel algorithm db
| adding AES_CTR to kernel algorithm db
| adding AES_CBC to kernel algorithm db
| adding SERPENT_CBC to kernel algorithm db
| adding TWOFISH_CBC to kernel algorithm db
| adding NULL_AUTH_AES_GMAC to kernel algorithm db
| adding NULL to kernel algorithm db
| adding CHACHA20_POLY1305 to kernel algorithm db
| adding HMAC_MD5_96 to kernel algorithm db
| adding HMAC_SHA1_96 to kernel algorithm db
| adding HMAC_SHA2_512_256 to kernel algorithm db
| adding HMAC_SHA2_384_192 to kernel algorithm db
| adding HMAC_SHA2_256_128 to kernel algorithm db
| adding HMAC_SHA2_256_TRUNCBUG to kernel algorithm db
| adding AES_XCBC_96 to kernel algorithm db
| adding AES_CMAC_96 to kernel algorithm db
| adding NONE to kernel algorithm db
| net.ipv6.conf.all.disable_ipv6=1 ignore ipv6 holes
| global periodic timer EVENT_SHUNT_SCAN enabled with interval of 20 seconds
| setup kernel fd callback
| add_fd_read_event_handler: new KERNEL_XRM_FD-pe@0x563e9cbb3a18
| libevent_malloc: new ptr-libevent@0x563e9cbf2938 size 128
| libevent_malloc: new ptr-libevent@0x563e9cbf9ab8 size 16
| add_fd_read_event_handler: new KERNEL_ROUTE_FD-pe@0x563e9cbf9a48
| libevent_malloc: new ptr-libevent@0x563e9cbf29e8 size 128
| libevent_malloc: new ptr-libevent@0x563e9cbf9718 size 16
| global one-shot timer EVENT_CHECK_CRLS initialized
selinux support is enabled.
| unbound context created - setting debug level to 5
| /etc/hosts lookups activated
| /etc/resolv.conf usage activated
| outgoing-port-avoid set 0-65535
| outgoing-port-permit set 32768-60999
| Loading dnssec root key from:/var/lib/unbound/root.key
| No additional dnssec trust anchors defined via dnssec-trusted= option
| Setting up events, loop start
| add_fd_read_event_handler: new PLUTO_CTL_FD-pe@0x563e9cbf9ee8
| libevent_malloc: new ptr-libevent@0x563e9cc05d48 size 128
| libevent_malloc: new ptr-libevent@0x563e9cc11038 size 16
| libevent_realloc: new ptr-libevent@0x563e9cc11078 size 256
| libevent_malloc: new ptr-libevent@0x563e9cc111a8 size 8
| libevent_realloc: new ptr-libevent@0x563e9cc111e8 size 144
| libevent_malloc: new ptr-libevent@0x563e9cbb7fe8 size 152
| libevent_malloc: new ptr-libevent@0x563e9cc112a8 size 16
| signal event handler PLUTO_SIGCHLD installed
| libevent_malloc: new ptr-libevent@0x563e9cc112e8 size 8
| libevent_malloc: new ptr-libevent@0x563e9cb256b8 size 152
| signal event handler PLUTO_SIGTERM installed
| libevent_malloc: new ptr-libevent@0x563e9cc11328 size 8
| libevent_malloc: new ptr-libevent@0x563e9cb3aa88 size 152
| signal event handler PLUTO_SIGHUP installed
| libevent_malloc: new ptr-libevent@0x563e9cc11368 size 8
| libevent_realloc: release ptr-libevent@0x563e9cc111e8
| libevent_realloc: new ptr-libevent@0x563e9cc113a8 size 256
| libevent_malloc: new ptr-libevent@0x563e9cc114d8 size 152
| signal event handler PLUTO_SIGSYS installed
| starting up helper thread 6
| created addconn helper (pid:23794) using fork+execve
| forked child 23794
| status value returned by setting the priority of this thread (crypto helper 6) 22
| crypto helper 6 waiting (nothing to do)
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
listening for IKE messages
| Inspecting interface lo 
| found lo with address 127.0.0.1
| Inspecting interface eth0 
| found eth0 with address 192.1.3.209
Kernel supports NIC esp-hw-offload
adding interface eth0/eth0 (esp-hw-offload not supported by kernel) 192.1.3.209:500
| NAT-Traversal: Trying sockopt style NAT-T
| NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4
adding interface eth0/eth0 192.1.3.209:4500
adding interface lo/lo (esp-hw-offload not supported by kernel) 127.0.0.1:500
| NAT-Traversal: Trying sockopt style NAT-T
| NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4
adding interface lo/lo 127.0.0.1:4500
| no interfaces to sort
| FOR_EACH_UNORIENTED_CONNECTION_... in check_orientations
| add_fd_read_event_handler: new ethX-pe@0x563e9cc118d8
| libevent_malloc: new ptr-libevent@0x563e9cc05c98 size 128
| libevent_malloc: new ptr-libevent@0x563e9cc11948 size 16
| setup callback for interface lo 127.0.0.1:4500 fd 20
| add_fd_read_event_handler: new ethX-pe@0x563e9cc11988
| libevent_malloc: new ptr-libevent@0x563e9cbac568 size 128
| libevent_malloc: new ptr-libevent@0x563e9cc119f8 size 16
| setup callback for interface lo 127.0.0.1:500 fd 19
| add_fd_read_event_handler: new ethX-pe@0x563e9cc11a38
| libevent_malloc: new ptr-libevent@0x563e9cbac618 size 128
| libevent_malloc: new ptr-libevent@0x563e9cc11aa8 size 16
| setup callback for interface eth0 192.1.3.209:4500 fd 18
| add_fd_read_event_handler: new ethX-pe@0x563e9cc11ae8
| libevent_malloc: new ptr-libevent@0x563e9cbab548 size 128
| libevent_malloc: new ptr-libevent@0x563e9cc11b58 size 16
| setup callback for interface eth0 192.1.3.209:500 fd 17
| certs and keys locked by 'free_preshared_secrets'
| certs and keys unlocked by 'free_preshared_secrets'
loading secrets from "/etc/ipsec.secrets"
| saving Modulus
| saving PublicExponent
| computed rsa CKAID  1a 15 cc e8  92 73 43 9c  2b f4 20 2a  c1 06 6e f2
| computed rsa CKAID  59 b0 ef 45
loaded private key for keyid: PKK_RSA:AQPHFfpyJ
| certs and keys locked by 'process_secret'
| certs and keys unlocked by 'process_secret'
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 1.27 milliseconds in whack
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in foreach_connection_by_alias
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in foreach_connection_by_alias
| FOR_EACH_CONNECTION_... in conn_by_name
| Added new connection clear with policy AUTH_NEVER+GROUP+PASS+NEVER_NEGOTIATE
| counting wild cards for (none) is 15
| counting wild cards for (none) is 15
| connect_to_host_pair: 192.1.3.209:500 0.0.0.0:500 -> hp@(nil): none
| new hp@0x563e9cc12ac8
added connection description "clear"
| ike_life: 0s; ipsec_life: 0s; rekey_margin: 0s; rekey_fuzz: 0%; keyingtries: 0; replay_window: 0; policy: AUTH_NEVER+GROUP+PASS+NEVER_NEGOTIATE
| 192.1.3.209---192.1.3.254...%group
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.102 milliseconds in whack
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in foreach_connection_by_alias
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in foreach_connection_by_alias
| FOR_EACH_CONNECTION_... in conn_by_name
| Added new connection clear-or-private with policy ENCRYPT+TUNNEL+PFS+NEGO_PASS+OPPORTUNISTIC+GROUP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failurePASS
| ike (phase1) algorithm values: AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31
| from whack: got --esp=
| ESP/AH string values: AES_GCM_16_256-NONE, AES_GCM_16_128-NONE, AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128, AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128
| setting ID to ID_DER_ASN1_DN: 'E=user-road@testing.libreswan.org,CN=road.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA'
| loading left certificate 'road' pubkey
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x563e9cc15878
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x563e9cc15828
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x563e9cc156e8
| unreference key: 0x563e9cc18738 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org cnt 1--
| certs and keys locked by 'lsw_add_rsa_secret'
| certs and keys unlocked by 'lsw_add_rsa_secret'
| counting wild cards for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org is 0
| counting wild cards for ID_NULL is 0
| find_host_pair: comparing 192.1.3.209:500 to 0.0.0.0:500 but ignoring ports
| connect_to_host_pair: 192.1.3.209:500 0.0.0.0:500 -> hp@0x563e9cc12ac8: clear
added connection description "clear-or-private"
| ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: RSASIG+ENCRYPT+TUNNEL+PFS+NEGO_PASS+OPPORTUNISTIC+GROUP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failurePASS
| 192.1.3.209[C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org]---192.1.3.254...%opportunisticgroup[ID_NULL]
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 1.23 milliseconds in whack
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in foreach_connection_by_alias
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in foreach_connection_by_alias
| FOR_EACH_CONNECTION_... in conn_by_name
| Added new connection private-or-clear with policy ENCRYPT+TUNNEL+PFS+NEGO_PASS+OPPORTUNISTIC+GROUP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failurePASS
| ike (phase1) algorithm values: AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31
| from whack: got --esp=
| ESP/AH string values: AES_GCM_16_256-NONE, AES_GCM_16_128-NONE, AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128, AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128
| setting ID to ID_DER_ASN1_DN: 'E=user-road@testing.libreswan.org,CN=road.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA'
| loading left certificate 'road' pubkey
| unreference key: 0x563e9cc19f08 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org cnt 1--
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x563e9cc1bdf8
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x563e9cc1bda8
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x563e9cc1c638
| unreference key: 0x563e9cc18da8 @road.testing.libreswan.org cnt 1--
| unreference key: 0x563e9cc199b8 user-road@testing.libreswan.org cnt 1--
| unreference key: 0x563e9cc1c0a8 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org cnt 1--
| secrets entry for road already exists
| counting wild cards for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org is 0
| counting wild cards for ID_NULL is 0
| find_host_pair: comparing 192.1.3.209:500 to 0.0.0.0:500 but ignoring ports
| connect_to_host_pair: 192.1.3.209:500 0.0.0.0:500 -> hp@0x563e9cc12ac8: clear-or-private
added connection description "private-or-clear"
| ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: RSASIG+ENCRYPT+TUNNEL+PFS+NEGO_PASS+OPPORTUNISTIC+GROUP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failurePASS
| 192.1.3.209[C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org]---192.1.3.254...%opportunisticgroup[ID_NULL]
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.523 milliseconds in whack
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in foreach_connection_by_alias
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in foreach_connection_by_alias
| FOR_EACH_CONNECTION_... in conn_by_name
| Added new connection private with policy ENCRYPT+TUNNEL+PFS+OPPORTUNISTIC+GROUP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failureDROP
| ike (phase1) algorithm values: AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31
| from whack: got --esp=
| ESP/AH string values: AES_GCM_16_256-NONE, AES_GCM_16_128-NONE, AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128, AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128
| setting ID to ID_DER_ASN1_DN: 'E=user-road@testing.libreswan.org,CN=road.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA'
| loading left certificate 'road' pubkey
| unreference key: 0x563e9cc199b8 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org cnt 1--
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x563e9cc1df98
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x563e9cc1df48
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x563e9cc1e8c8
| unreference key: 0x563e9cc18738 @road.testing.libreswan.org cnt 1--
| unreference key: 0x563e9cc18da8 user-road@testing.libreswan.org cnt 1--
| unreference key: 0x563e9cc1dfe8 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org cnt 1--
| secrets entry for road already exists
| counting wild cards for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org is 0
| counting wild cards for ID_NULL is 0
| find_host_pair: comparing 192.1.3.209:500 to 0.0.0.0:500 but ignoring ports
| connect_to_host_pair: 192.1.3.209:500 0.0.0.0:500 -> hp@0x563e9cc12ac8: private-or-clear
added connection description "private"
| ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: RSASIG+ENCRYPT+TUNNEL+PFS+OPPORTUNISTIC+GROUP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failureDROP
| 192.1.3.209[C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org]---192.1.3.254...%opportunisticgroup[ID_NULL]
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.497 milliseconds in whack
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in foreach_connection_by_alias
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in foreach_connection_by_alias
| FOR_EACH_CONNECTION_... in conn_by_name
| Added new connection block with policy AUTH_NEVER+GROUP+REJECT+NEVER_NEGOTIATE
| counting wild cards for (none) is 15
| counting wild cards for (none) is 15
| find_host_pair: comparing 192.1.3.209:500 to 0.0.0.0:500 but ignoring ports
| connect_to_host_pair: 192.1.3.209:500 0.0.0.0:500 -> hp@0x563e9cc12ac8: private
added connection description "block"
| ike_life: 0s; ipsec_life: 0s; rekey_margin: 0s; rekey_fuzz: 0%; keyingtries: 0; replay_window: 0; policy: AUTH_NEVER+GROUP+REJECT+NEVER_NEGOTIATE
| 192.1.3.209---192.1.3.254...%group
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.0583 milliseconds in whack
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in foreach_connection_by_alias
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in foreach_connection_by_alias
| FOR_EACH_CONNECTION_... in conn_by_name
| Added new connection private-or-clear-all with policy ENCRYPT+TUNNEL+PFS+NEGO_PASS+OPPORTUNISTIC+GROUP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failurePASS
| ike (phase1) algorithm values: AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31
| from whack: got --esp=
| ESP/AH string values: AES_GCM_16_256-NONE, AES_GCM_16_128-NONE, AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128, AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128
| setting ID to ID_DER_ASN1_DN: 'E=user-road@testing.libreswan.org,CN=road.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA'
| loading left certificate 'road' pubkey
| unreference key: 0x563e9cc18da8 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org cnt 1--
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x563e9cc205a8
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x563e9cc20558
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x563e9cc20ed8
| unreference key: 0x563e9cc1c0a8 @road.testing.libreswan.org cnt 1--
| unreference key: 0x563e9cc18738 user-road@testing.libreswan.org cnt 1--
| unreference key: 0x563e9cc205f8 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org cnt 1--
| secrets entry for road already exists
| counting wild cards for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org is 0
| counting wild cards for ID_NULL is 0
| find_host_pair: comparing 192.1.3.209:500 to 0.0.0.0:500 but ignoring ports
| connect_to_host_pair: 192.1.3.209:500 0.0.0.0:500 -> hp@0x563e9cc12ac8: block
added connection description "private-or-clear-all"
| ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: RSASIG+ENCRYPT+TUNNEL+PFS+NEGO_PASS+OPPORTUNISTIC+GROUP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failurePASS
| 192.1.3.209[C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org]---192.1.3.254...%opportunisticgroup[ID_NULL]
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.491 milliseconds in whack
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in conn_by_name
| start processing: connection "private-or-clear-all" (in delete_connection() at connections.c:189)
| Deleting states for connection - not including other IPsec SA's
| pass 0
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| pass 1
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| flush revival: connection 'private-or-clear-all' wasn't on the list
| stop processing: connection "private-or-clear-all" (in discard_connection() at connections.c:249)
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in conn_by_name
| Added new connection private-or-clear-all with policy ENCRYPT+TUNNEL+PFS+NEGO_PASS+OPPORTUNISTIC+GROUP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failurePASS
| ike (phase1) algorithm values: AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31
| from whack: got --esp=
| ESP/AH string values: AES_GCM_16_256-NONE, AES_GCM_16_128-NONE, AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128, AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128
| setting ID to ID_DER_ASN1_DN: 'E=user-road@testing.libreswan.org,CN=road.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA'
| loading left certificate 'road' pubkey
| unreference key: 0x563e9cc18738 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org cnt 1--
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x563e9cc1e698
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x563e9cc1f1a8
| get_pluto_gn_from_nss_cert: allocated pluto_gn 0x563e9cc1e7f8
| unreference key: 0x563e9cc1dfe8 @road.testing.libreswan.org cnt 1--
| unreference key: 0x563e9cc1c0a8 user-road@testing.libreswan.org cnt 1--
| unreference key: 0x563e9cc18da8 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org cnt 1--
| secrets entry for road already exists
| counting wild cards for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org is 0
| counting wild cards for ID_NULL is 0
| find_host_pair: comparing 192.1.3.209:500 to 0.0.0.0:500 but ignoring ports
| connect_to_host_pair: 192.1.3.209:500 0.0.0.0:500 -> hp@0x563e9cc12ac8: block
added connection description "private-or-clear-all"
| ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: RSASIG+ENCRYPT+TUNNEL+PFS+NEGO_PASS+OPPORTUNISTIC+GROUP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failurePASS
| 192.1.3.209[C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org]---192.1.3.254...%opportunisticgroup[ID_NULL]
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.56 milliseconds in whack
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
listening for IKE messages
| Inspecting interface lo 
| found lo with address 127.0.0.1
| Inspecting interface eth0 
| found eth0 with address 192.1.3.209
| no interfaces to sort
| libevent_free: release ptr-libevent@0x563e9cc05c98
| free_event_entry: release EVENT_NULL-pe@0x563e9cc118d8
| add_fd_read_event_handler: new ethX-pe@0x563e9cc118d8
| libevent_malloc: new ptr-libevent@0x563e9cc152a8 size 128
| setup callback for interface lo 127.0.0.1:4500 fd 20
| libevent_free: release ptr-libevent@0x563e9cbac568
| free_event_entry: release EVENT_NULL-pe@0x563e9cc11988
| add_fd_read_event_handler: new ethX-pe@0x563e9cc11988
| libevent_malloc: new ptr-libevent@0x563e9cbac568 size 128
| setup callback for interface lo 127.0.0.1:500 fd 19
| libevent_free: release ptr-libevent@0x563e9cbac618
| free_event_entry: release EVENT_NULL-pe@0x563e9cc11a38
| add_fd_read_event_handler: new ethX-pe@0x563e9cc11a38
| libevent_malloc: new ptr-libevent@0x563e9cbac618 size 128
| setup callback for interface eth0 192.1.3.209:4500 fd 18
| libevent_free: release ptr-libevent@0x563e9cbab548
| free_event_entry: release EVENT_NULL-pe@0x563e9cc11ae8
| add_fd_read_event_handler: new ethX-pe@0x563e9cc11ae8
| libevent_malloc: new ptr-libevent@0x563e9cbab548 size 128
| setup callback for interface eth0 192.1.3.209:500 fd 17
| certs and keys locked by 'free_preshared_secrets'
forgetting secrets
| certs and keys unlocked by 'free_preshared_secrets'
loading secrets from "/etc/ipsec.secrets"
| saving Modulus
| saving PublicExponent
| computed rsa CKAID  1a 15 cc e8  92 73 43 9c  2b f4 20 2a  c1 06 6e f2
| computed rsa CKAID  59 b0 ef 45
loaded private key for keyid: PKK_RSA:AQPHFfpyJ
| certs and keys locked by 'process_secret'
| certs and keys unlocked by 'process_secret'
| no group file "/etc/ipsec.d/policies/private-or-clear-all" (pwd:/tmp)
loading group "/etc/ipsec.d/policies/block"
loading group "/etc/ipsec.d/policies/private"
loading group "/etc/ipsec.d/policies/private-or-clear"
loading group "/etc/ipsec.d/policies/clear-or-private"
loading group "/etc/ipsec.d/policies/clear"
| 192.1.3.209/32->192.1.2.254/32 0 sport 0 dport 0 clear
| 192.1.3.209/32->192.1.3.254/32 0 sport 0 dport 0 clear
| 192.1.3.209/32->192.1.3.253/32 0 sport 0 dport 0 clear
| 192.1.3.209/32->192.1.2.253/32 0 sport 0 dport 0 clear
| 192.1.3.209/32->192.1.2.0/24 0 sport 0 dport 0 private-or-clear
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in conn_by_name
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.406 milliseconds in whack
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
| FOR_EACH_CONNECTION_... in conn_by_name
| start processing: connection "clear" (in whack_route_connection() at rcv_whack.c:106)
| FOR_EACH_CONNECTION_... in conn_by_name
| suspend processing: connection "clear" (in route_group() at foodgroups.c:435)
| start processing: connection "clear#192.1.2.254/32" 0.0.0.0 (in route_group() at foodgroups.c:435)
| could_route called for clear#192.1.2.254/32 (kind=CK_INSTANCE)
| FOR_EACH_CONNECTION_... in route_owner
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
|  conn clear mark 0/00000000, 0/00000000
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
|  conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
|  conn private-or-clear-all mark 0/00000000, 0/00000000
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
|  conn block mark 0/00000000, 0/00000000
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
|  conn private mark 0/00000000, 0/00000000
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
|  conn private-or-clear mark 0/00000000, 0/00000000
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
|  conn clear-or-private mark 0/00000000, 0/00000000
| route owner of "clear#192.1.2.254/32" 0.0.0.0 unrouted: NULL; eroute owner: NULL
| route_and_eroute() for proto 0, and source port 0 dest port 0
| FOR_EACH_CONNECTION_... in route_owner
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
|  conn clear mark 0/00000000, 0/00000000
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
|  conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
|  conn private-or-clear-all mark 0/00000000, 0/00000000
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
|  conn block mark 0/00000000, 0/00000000
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
|  conn private mark 0/00000000, 0/00000000
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
|  conn private-or-clear mark 0/00000000, 0/00000000
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
|  conn clear-or-private mark 0/00000000, 0/00000000
| route owner of "clear#192.1.2.254/32" 0.0.0.0 unrouted: NULL; eroute owner: NULL
| route_and_eroute with c: clear#192.1.2.254/32 (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: #0
| shunt_eroute() called for connection 'clear#192.1.2.254/32' to 'add' for rt_kind 'prospective erouted' using protoports 0--0->-0
| netlink_shunt_eroute for proto 0, and source port 0 dest port 0
| priority calculation of connection "clear#192.1.2.254/32" is 0x17dfdf
| netlink_raw_eroute: SPI_PASS
| IPsec Sa SPD priority set to 1564639
| priority calculation of connection "clear#192.1.2.254/32" is 0x17dfdf
| netlink_raw_eroute: SPI_PASS
| IPsec Sa SPD priority set to 1564639
| route_and_eroute: firewall_notified: true
| running updown command "ipsec _updown" for verb prepare 
| command executing prepare-host
| id type with ID_NONE means wildcard match
| trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org'
| executing prepare-host: PLUTO_VERB='prepare-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.2.254/32' PLUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='192.1.3.254' PLUTO_ME='192.1.3.209' PLUTO_MY_ID='192.1.3.209' PLUTO_MY_CLIENT='192.1.3.209/32' PLUTO_MY_CLIENT_NET='192.1.3.209' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16416' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.2.254/32' PLUTO_PEER_CLIENT_NET='192.1.2.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CF
| popen cmd is 1138 chars long
| cmd(   0):PLUTO_VERB='prepare-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.2.25:
| cmd(  80):4/32' PLUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='192.1.3.254' PLUTO_ME='192.1.3.209':
| cmd( 160): PLUTO_MY_ID='192.1.3.209' PLUTO_MY_CLIENT='192.1.3.209/32' PLUTO_MY_CLIENT_NET=:
| cmd( 240):'192.1.3.209' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_:
| cmd( 320):PROTOCOL='0' PLUTO_SA_REQID='16416' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PL:
| cmd( 400):UTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.2.254/32' PLUTO_PEER_CLIENT_NET='1:
| cmd( 480):92.1.2.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_P:
| cmd( 560):EER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Tes:
| cmd( 640):t Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_ST:
| cmd( 720):ACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+:
| cmd( 800):NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUT:
| cmd( 880):H_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO:
| cmd( 960):='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONF:
| cmd(1040):IGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 :
| cmd(1120):ipsec _updown 2>&1:
| running updown command "ipsec _updown" for verb route 
| command executing route-host
| id type with ID_NONE means wildcard match
| trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org'
| executing route-host: PLUTO_VERB='route-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.2.254/32' PLUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='192.1.3.254' PLUTO_ME='192.1.3.209' PLUTO_MY_ID='192.1.3.209' PLUTO_MY_CLIENT='192.1.3.209/32' PLUTO_MY_CLIENT_NET='192.1.3.209' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16416' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.2.254/32' PLUTO_PEER_CLIENT_NET='192.1.2.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SE
| popen cmd is 1136 chars long
| cmd(   0):PLUTO_VERB='route-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.2.254/:
| cmd(  80):32' PLUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='192.1.3.254' PLUTO_ME='192.1.3.209' P:
| cmd( 160):LUTO_MY_ID='192.1.3.209' PLUTO_MY_CLIENT='192.1.3.209/32' PLUTO_MY_CLIENT_NET='1:
| cmd( 240):92.1.3.209' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PR:
| cmd( 320):OTOCOL='0' PLUTO_SA_REQID='16416' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUT:
| cmd( 400):O_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.2.254/32' PLUTO_PEER_CLIENT_NET='192:
| cmd( 480):.1.2.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEE:
| cmd( 560):R_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test :
| cmd( 640):Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STAC:
| cmd( 720):K='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NE:
| cmd( 800):VER_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_:
| cmd( 880):FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO=':
| cmd( 960):' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIG:
| cmd(1040):URED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ip:
| cmd(1120):sec _updown 2>&1:
| suspend processing: connection "clear#192.1.2.254/32" 0.0.0.0 (in route_group() at foodgroups.c:439)
| start processing: connection "clear" (in route_group() at foodgroups.c:439)
| FOR_EACH_CONNECTION_... in conn_by_name
| suspend processing: connection "clear" (in route_group() at foodgroups.c:435)
| start processing: connection "clear#192.1.3.254/32" 0.0.0.0 (in route_group() at foodgroups.c:435)
| could_route called for clear#192.1.3.254/32 (kind=CK_INSTANCE)
| FOR_EACH_CONNECTION_... in route_owner
|  conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
|  conn clear mark 0/00000000, 0/00000000
|  conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
|  conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000
|  conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
|  conn private-or-clear-all mark 0/00000000, 0/00000000
|  conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
|  conn block mark 0/00000000, 0/00000000
|  conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
|  conn private mark 0/00000000, 0/00000000
|  conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
|  conn private-or-clear mark 0/00000000, 0/00000000
|  conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
|  conn clear-or-private mark 0/00000000, 0/00000000
| route owner of "clear#192.1.3.254/32" 0.0.0.0 unrouted: NULL; eroute owner: NULL
| route_and_eroute() for proto 0, and source port 0 dest port 0
| FOR_EACH_CONNECTION_... in route_owner
|  conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
|  conn clear mark 0/00000000, 0/00000000
|  conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
|  conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000
|  conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
|  conn private-or-clear-all mark 0/00000000, 0/00000000
|  conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
|  conn block mark 0/00000000, 0/00000000
|  conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
|  conn private mark 0/00000000, 0/00000000
|  conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
|  conn private-or-clear mark 0/00000000, 0/00000000
|  conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
|  conn clear-or-private mark 0/00000000, 0/00000000
| route owner of "clear#192.1.3.254/32" 0.0.0.0 unrouted: NULL; eroute owner: NULL
| route_and_eroute with c: clear#192.1.3.254/32 (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: #0
| shunt_eroute() called for connection 'clear#192.1.3.254/32' to 'add' for rt_kind 'prospective erouted' using protoports 0--0->-0
| netlink_shunt_eroute for proto 0, and source port 0 dest port 0
| priority calculation of connection "clear#192.1.3.254/32" is 0x17dfdf
| netlink_raw_eroute: SPI_PASS
| IPsec Sa SPD priority set to 1564639
| priority calculation of connection "clear#192.1.3.254/32" is 0x17dfdf
| netlink_raw_eroute: SPI_PASS
| IPsec Sa SPD priority set to 1564639
| route_and_eroute: firewall_notified: true
| running updown command "ipsec _updown" for verb prepare 
| command executing prepare-host
| id type with ID_NONE means wildcard match
| trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org'
| executing prepare-host: PLUTO_VERB='prepare-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.3.254/32' PLUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='192.1.3.254' PLUTO_ME='192.1.3.209' PLUTO_MY_ID='192.1.3.209' PLUTO_MY_CLIENT='192.1.3.209/32' PLUTO_MY_CLIENT_NET='192.1.3.209' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16420' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.254/32' PLUTO_PEER_CLIENT_NET='192.1.3.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CF
| popen cmd is 1138 chars long
| cmd(   0):PLUTO_VERB='prepare-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.3.25:
| cmd(  80):4/32' PLUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='192.1.3.254' PLUTO_ME='192.1.3.209':
| cmd( 160): PLUTO_MY_ID='192.1.3.209' PLUTO_MY_CLIENT='192.1.3.209/32' PLUTO_MY_CLIENT_NET=:
| cmd( 240):'192.1.3.209' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_:
| cmd( 320):PROTOCOL='0' PLUTO_SA_REQID='16420' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PL:
| cmd( 400):UTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.254/32' PLUTO_PEER_CLIENT_NET='1:
| cmd( 480):92.1.3.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_P:
| cmd( 560):EER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Tes:
| cmd( 640):t Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_ST:
| cmd( 720):ACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+:
| cmd( 800):NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUT:
| cmd( 880):H_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO:
| cmd( 960):='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONF:
| cmd(1040):IGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 :
| cmd(1120):ipsec _updown 2>&1:
| running updown command "ipsec _updown" for verb route 
| command executing route-host
| id type with ID_NONE means wildcard match
| trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org'
| executing route-host: PLUTO_VERB='route-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.3.254/32' PLUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='192.1.3.254' PLUTO_ME='192.1.3.209' PLUTO_MY_ID='192.1.3.209' PLUTO_MY_CLIENT='192.1.3.209/32' PLUTO_MY_CLIENT_NET='192.1.3.209' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16420' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.254/32' PLUTO_PEER_CLIENT_NET='192.1.3.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SE
| popen cmd is 1136 chars long
| cmd(   0):PLUTO_VERB='route-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.3.254/:
| cmd(  80):32' PLUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='192.1.3.254' PLUTO_ME='192.1.3.209' P:
| cmd( 160):LUTO_MY_ID='192.1.3.209' PLUTO_MY_CLIENT='192.1.3.209/32' PLUTO_MY_CLIENT_NET='1:
| cmd( 240):92.1.3.209' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PR:
| cmd( 320):OTOCOL='0' PLUTO_SA_REQID='16420' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUT:
| cmd( 400):O_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.254/32' PLUTO_PEER_CLIENT_NET='192:
| cmd( 480):.1.3.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEE:
| cmd( 560):R_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test :
| cmd( 640):Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STAC:
| cmd( 720):K='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NE:
| cmd( 800):VER_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_:
| cmd( 880):FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO=':
| cmd( 960):' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIG:
| cmd(1040):URED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ip:
| cmd(1120):sec _updown 2>&1:
| suspend processing: connection "clear#192.1.3.254/32" 0.0.0.0 (in route_group() at foodgroups.c:439)
| start processing: connection "clear" (in route_group() at foodgroups.c:439)
| FOR_EACH_CONNECTION_... in conn_by_name
| suspend processing: connection "clear" (in route_group() at foodgroups.c:435)
| start processing: connection "clear#192.1.3.253/32" 0.0.0.0 (in route_group() at foodgroups.c:435)
| could_route called for clear#192.1.3.253/32 (kind=CK_INSTANCE)
| FOR_EACH_CONNECTION_... in route_owner
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear mark 0/00000000, 0/00000000
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
|  conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
|  conn private-or-clear-all mark 0/00000000, 0/00000000
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
|  conn block mark 0/00000000, 0/00000000
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
|  conn private mark 0/00000000, 0/00000000
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
|  conn private-or-clear mark 0/00000000, 0/00000000
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear-or-private mark 0/00000000, 0/00000000
| route owner of "clear#192.1.3.253/32" 0.0.0.0 unrouted: NULL; eroute owner: NULL
| route_and_eroute() for proto 0, and source port 0 dest port 0
| FOR_EACH_CONNECTION_... in route_owner
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear mark 0/00000000, 0/00000000
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
|  conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
|  conn private-or-clear-all mark 0/00000000, 0/00000000
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
|  conn block mark 0/00000000, 0/00000000
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
|  conn private mark 0/00000000, 0/00000000
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
|  conn private-or-clear mark 0/00000000, 0/00000000
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear-or-private mark 0/00000000, 0/00000000
| route owner of "clear#192.1.3.253/32" 0.0.0.0 unrouted: NULL; eroute owner: NULL
| route_and_eroute with c: clear#192.1.3.253/32 (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: #0
| shunt_eroute() called for connection 'clear#192.1.3.253/32' to 'add' for rt_kind 'prospective erouted' using protoports 0--0->-0
| netlink_shunt_eroute for proto 0, and source port 0 dest port 0
| priority calculation of connection "clear#192.1.3.253/32" is 0x17dfdf
| netlink_raw_eroute: SPI_PASS
| IPsec Sa SPD priority set to 1564639
| priority calculation of connection "clear#192.1.3.253/32" is 0x17dfdf
| netlink_raw_eroute: SPI_PASS
| IPsec Sa SPD priority set to 1564639
| route_and_eroute: firewall_notified: true
| running updown command "ipsec _updown" for verb prepare 
| command executing prepare-host
| id type with ID_NONE means wildcard match
| trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org'
| executing prepare-host: PLUTO_VERB='prepare-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.3.253/32' PLUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='192.1.3.254' PLUTO_ME='192.1.3.209' PLUTO_MY_ID='192.1.3.209' PLUTO_MY_CLIENT='192.1.3.209/32' PLUTO_MY_CLIENT_NET='192.1.3.209' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16424' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.253/32' PLUTO_PEER_CLIENT_NET='192.1.3.253' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CF
| popen cmd is 1138 chars long
| cmd(   0):PLUTO_VERB='prepare-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.3.25:
| cmd(  80):3/32' PLUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='192.1.3.254' PLUTO_ME='192.1.3.209':
| cmd( 160): PLUTO_MY_ID='192.1.3.209' PLUTO_MY_CLIENT='192.1.3.209/32' PLUTO_MY_CLIENT_NET=:
| cmd( 240):'192.1.3.209' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_:
| cmd( 320):PROTOCOL='0' PLUTO_SA_REQID='16424' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PL:
| cmd( 400):UTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.253/32' PLUTO_PEER_CLIENT_NET='1:
| cmd( 480):92.1.3.253' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_P:
| cmd( 560):EER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Tes:
| cmd( 640):t Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_ST:
| cmd( 720):ACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+:
| cmd( 800):NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUT:
| cmd( 880):H_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO:
| cmd( 960):='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONF:
| cmd(1040):IGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 :
| cmd(1120):ipsec _updown 2>&1:
| running updown command "ipsec _updown" for verb route 
| command executing route-host
| id type with ID_NONE means wildcard match
| trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org'
| executing route-host: PLUTO_VERB='route-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.3.253/32' PLUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='192.1.3.254' PLUTO_ME='192.1.3.209' PLUTO_MY_ID='192.1.3.209' PLUTO_MY_CLIENT='192.1.3.209/32' PLUTO_MY_CLIENT_NET='192.1.3.209' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16424' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.253/32' PLUTO_PEER_CLIENT_NET='192.1.3.253' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SE
| popen cmd is 1136 chars long
| cmd(   0):PLUTO_VERB='route-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.3.253/:
| cmd(  80):32' PLUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='192.1.3.254' PLUTO_ME='192.1.3.209' P:
| cmd( 160):LUTO_MY_ID='192.1.3.209' PLUTO_MY_CLIENT='192.1.3.209/32' PLUTO_MY_CLIENT_NET='1:
| cmd( 240):92.1.3.209' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PR:
| cmd( 320):OTOCOL='0' PLUTO_SA_REQID='16424' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUT:
| cmd( 400):O_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.253/32' PLUTO_PEER_CLIENT_NET='192:
| cmd( 480):.1.3.253' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEE:
| cmd( 560):R_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test :
| cmd( 640):Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STAC:
| cmd( 720):K='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NE:
| cmd( 800):VER_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_:
| cmd( 880):FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO=':
| cmd( 960):' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIG:
| cmd(1040):URED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ip:
| cmd(1120):sec _updown 2>&1:
| suspend processing: connection "clear#192.1.3.253/32" 0.0.0.0 (in route_group() at foodgroups.c:439)
| start processing: connection "clear" (in route_group() at foodgroups.c:439)
| FOR_EACH_CONNECTION_... in conn_by_name
| suspend processing: connection "clear" (in route_group() at foodgroups.c:435)
| start processing: connection "clear#192.1.2.253/32" 0.0.0.0 (in route_group() at foodgroups.c:435)
| could_route called for clear#192.1.2.253/32 (kind=CK_INSTANCE)
| FOR_EACH_CONNECTION_... in route_owner
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear mark 0/00000000, 0/00000000
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
|  conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
|  conn private-or-clear-all mark 0/00000000, 0/00000000
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
|  conn block mark 0/00000000, 0/00000000
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
|  conn private mark 0/00000000, 0/00000000
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
|  conn private-or-clear mark 0/00000000, 0/00000000
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear-or-private mark 0/00000000, 0/00000000
| route owner of "clear#192.1.2.253/32" 0.0.0.0 unrouted: NULL; eroute owner: NULL
| route_and_eroute() for proto 0, and source port 0 dest port 0
| FOR_EACH_CONNECTION_... in route_owner
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear mark 0/00000000, 0/00000000
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
|  conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
|  conn private-or-clear-all mark 0/00000000, 0/00000000
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
|  conn block mark 0/00000000, 0/00000000
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
|  conn private mark 0/00000000, 0/00000000
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
|  conn private-or-clear mark 0/00000000, 0/00000000
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear-or-private mark 0/00000000, 0/00000000
| route owner of "clear#192.1.2.253/32" 0.0.0.0 unrouted: NULL; eroute owner: NULL
| route_and_eroute with c: clear#192.1.2.253/32 (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: #0
| shunt_eroute() called for connection 'clear#192.1.2.253/32' to 'add' for rt_kind 'prospective erouted' using protoports 0--0->-0
| netlink_shunt_eroute for proto 0, and source port 0 dest port 0
| priority calculation of connection "clear#192.1.2.253/32" is 0x17dfdf
| netlink_raw_eroute: SPI_PASS
| IPsec Sa SPD priority set to 1564639
| priority calculation of connection "clear#192.1.2.253/32" is 0x17dfdf
| netlink_raw_eroute: SPI_PASS
| IPsec Sa SPD priority set to 1564639
| route_and_eroute: firewall_notified: true
| running updown command "ipsec _updown" for verb prepare 
| command executing prepare-host
| id type with ID_NONE means wildcard match
| trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org'
| executing prepare-host: PLUTO_VERB='prepare-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.2.253/32' PLUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='192.1.3.254' PLUTO_ME='192.1.3.209' PLUTO_MY_ID='192.1.3.209' PLUTO_MY_CLIENT='192.1.3.209/32' PLUTO_MY_CLIENT_NET='192.1.3.209' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16428' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.2.253/32' PLUTO_PEER_CLIENT_NET='192.1.2.253' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CF
| popen cmd is 1138 chars long
| cmd(   0):PLUTO_VERB='prepare-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.2.25:
| cmd(  80):3/32' PLUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='192.1.3.254' PLUTO_ME='192.1.3.209':
| cmd( 160): PLUTO_MY_ID='192.1.3.209' PLUTO_MY_CLIENT='192.1.3.209/32' PLUTO_MY_CLIENT_NET=:
| cmd( 240):'192.1.3.209' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_:
| cmd( 320):PROTOCOL='0' PLUTO_SA_REQID='16428' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PL:
| cmd( 400):UTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.2.253/32' PLUTO_PEER_CLIENT_NET='1:
| cmd( 480):92.1.2.253' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_P:
| cmd( 560):EER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Tes:
| cmd( 640):t Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_ST:
| cmd( 720):ACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+:
| cmd( 800):NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUT:
| cmd( 880):H_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO:
| cmd( 960):='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONF:
| cmd(1040):IGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 :
| cmd(1120):ipsec _updown 2>&1:
| running updown command "ipsec _updown" for verb route 
| command executing route-host
| id type with ID_NONE means wildcard match
| trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org'
| executing route-host: PLUTO_VERB='route-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.2.253/32' PLUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='192.1.3.254' PLUTO_ME='192.1.3.209' PLUTO_MY_ID='192.1.3.209' PLUTO_MY_CLIENT='192.1.3.209/32' PLUTO_MY_CLIENT_NET='192.1.3.209' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16428' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.2.253/32' PLUTO_PEER_CLIENT_NET='192.1.2.253' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SE
| popen cmd is 1136 chars long
| cmd(   0):PLUTO_VERB='route-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.2.253/:
| cmd(  80):32' PLUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='192.1.3.254' PLUTO_ME='192.1.3.209' P:
| cmd( 160):LUTO_MY_ID='192.1.3.209' PLUTO_MY_CLIENT='192.1.3.209/32' PLUTO_MY_CLIENT_NET='1:
| cmd( 240):92.1.3.209' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PR:
| cmd( 320):OTOCOL='0' PLUTO_SA_REQID='16428' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUT:
| cmd( 400):O_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.2.253/32' PLUTO_PEER_CLIENT_NET='192:
| cmd( 480):.1.2.253' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEE:
| cmd( 560):R_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test :
| cmd( 640):Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STAC:
| cmd( 720):K='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NE:
| cmd( 800):VER_NEGOTIATE' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_:
| cmd( 880):FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO=':
| cmd( 960):' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIG:
| cmd(1040):URED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ip:
| cmd(1120):sec _updown 2>&1:
| suspend processing: connection "clear#192.1.2.253/32" 0.0.0.0 (in route_group() at foodgroups.c:439)
| start processing: connection "clear" (in route_group() at foodgroups.c:439)
| stop processing: connection "clear" (in whack_route_connection() at rcv_whack.c:116)
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 3.94 milliseconds in whack
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
| old debugging base+cpu-usage + none
| base debugging = base+cpu-usage
| old impairing none + suppress-retransmits
| base impairing = suppress-retransmits
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.0262 milliseconds in whack
| processing signal PLUTO_SIGCHLD
| waitpid returned nothing left to do (all child processes are busy)
| spent 0.0031 milliseconds in signal handler PLUTO_SIGCHLD
| processing signal PLUTO_SIGCHLD
| waitpid returned nothing left to do (all child processes are busy)
| spent 0.00203 milliseconds in signal handler PLUTO_SIGCHLD
| processing signal PLUTO_SIGCHLD
| waitpid returned nothing left to do (all child processes are busy)
| spent 0.00201 milliseconds in signal handler PLUTO_SIGCHLD
| processing signal PLUTO_SIGCHLD
| waitpid returned nothing left to do (all child processes are busy)
| spent 0.00199 milliseconds in signal handler PLUTO_SIGCHLD
| processing signal PLUTO_SIGCHLD
| waitpid returned nothing left to do (all child processes are busy)
| spent 0.002 milliseconds in signal handler PLUTO_SIGCHLD
| processing signal PLUTO_SIGCHLD
| waitpid returned nothing left to do (all child processes are busy)
| spent 0.00199 milliseconds in signal handler PLUTO_SIGCHLD
| processing signal PLUTO_SIGCHLD
| waitpid returned nothing left to do (all child processes are busy)
| spent 0.00213 milliseconds in signal handler PLUTO_SIGCHLD
| processing signal PLUTO_SIGCHLD
| waitpid returned nothing left to do (all child processes are busy)
| spent 0.00201 milliseconds in signal handler PLUTO_SIGCHLD
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
| FOR_EACH_CONNECTION_... in conn_by_name
| start processing: connection "private-or-clear" (in whack_route_connection() at rcv_whack.c:106)
| FOR_EACH_CONNECTION_... in conn_by_name
| suspend processing: connection "private-or-clear" (in route_group() at foodgroups.c:435)
| start processing: connection "private-or-clear#192.1.2.0/24" (in route_group() at foodgroups.c:435)
| could_route called for private-or-clear#192.1.2.0/24 (kind=CK_TEMPLATE)
| FOR_EACH_CONNECTION_... in route_owner
|  conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000 vs
|  conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000
|  conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000 vs
|  conn private-or-clear mark 0/00000000, 0/00000000
|  conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000
|  conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000
|  conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000
|  conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000
|  conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000 vs
|  conn clear mark 0/00000000, 0/00000000
|  conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000 vs
|  conn private-or-clear-all mark 0/00000000, 0/00000000
|  conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000 vs
|  conn block mark 0/00000000, 0/00000000
|  conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000 vs
|  conn private mark 0/00000000, 0/00000000
|  conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000 vs
|  conn clear-or-private mark 0/00000000, 0/00000000
| route owner of "private-or-clear#192.1.2.0/24" unrouted: NULL; eroute owner: NULL
| route_and_eroute() for proto 0, and source port 0 dest port 0
| FOR_EACH_CONNECTION_... in route_owner
|  conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000 vs
|  conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000
|  conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000 vs
|  conn private-or-clear mark 0/00000000, 0/00000000
|  conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000
|  conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000
|  conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000
|  conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000
|  conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000 vs
|  conn clear mark 0/00000000, 0/00000000
|  conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000 vs
|  conn private-or-clear-all mark 0/00000000, 0/00000000
|  conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000 vs
|  conn block mark 0/00000000, 0/00000000
|  conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000 vs
|  conn private mark 0/00000000, 0/00000000
|  conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000 vs
|  conn clear-or-private mark 0/00000000, 0/00000000
| route owner of "private-or-clear#192.1.2.0/24" unrouted: NULL; eroute owner: NULL
| route_and_eroute with c: private-or-clear#192.1.2.0/24 (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: #0
| shunt_eroute() called for connection 'private-or-clear#192.1.2.0/24' to 'add' for rt_kind 'prospective erouted' using protoports 0--0->-0
| netlink_shunt_eroute for proto 0, and source port 0 dest port 0
| priority calculation of connection "private-or-clear#192.1.2.0/24" is 0x17dfe7
| IPsec Sa SPD priority set to 1564647
| priority calculation of connection "private-or-clear#192.1.2.0/24" is 0x17dfe7
| route_and_eroute: firewall_notified: true
| running updown command "ipsec _updown" for verb prepare 
| command executing prepare-host
| executing prepare-host: PLUTO_VERB='prepare-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='private-or-clear#192.1.2.0/24' PLUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='192.1.3.254' PLUTO_ME='192.1.3.209' PLUTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org' PLUTO_MY_CLIENT='192.1.3.209/32' PLUTO_MY_CLIENT_NET='192.1.3.209' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16432' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='ID_NULL' PLUTO_PEER_CLIENT='192.1.2.0/24' PLUTO_PEER_CLIENT_NET='192.1.2.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+NEGO_PASS+OPPORTUNISTIC+GROUPINSTANCE+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failurePASS' PLUTO_CONN_KIND='CK_TEMPLATE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' P
| popen cmd is 1215 chars long
| cmd(   0):PLUTO_VERB='prepare-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='private-or-clear:
| cmd(  80):#192.1.2.0/24' PLUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='192.1.3.254' PLUTO_ME='192:
| cmd( 160):.1.3.209' PLUTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Departm:
| cmd( 240):ent, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org' PLUTO_MY_:
| cmd( 320):CLIENT='192.1.3.209/32' PLUTO_MY_CLIENT_NET='192.1.3.209' PLUTO_MY_CLIENT_MASK=':
| cmd( 400):255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16432' :
| cmd( 480):PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='ID_NULL' PLUTO_PEER_CLI:
| cmd( 560):ENT='192.1.2.0/24' PLUTO_PEER_CLIENT_NET='192.1.2.0' PLUTO_PEER_CLIENT_MASK='255:
| cmd( 640):.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_S:
| cmd( 720):TACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+NEG:
| cmd( 800):O_PASS+OPPORTUNISTIC+GROUPINSTANCE+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO:
| cmd( 880):+failurePASS' PLUTO_CONN_KIND='CK_TEMPLATE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_F:
| cmd( 960):AILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='':
| cmd(1040): PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGU:
| cmd(1120):RED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ips:
| cmd(1200):ec _updown 2>&1:
| running updown command "ipsec _updown" for verb route 
| command executing route-host
| executing route-host: PLUTO_VERB='route-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='private-or-clear#192.1.2.0/24' PLUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='192.1.3.254' PLUTO_ME='192.1.3.209' PLUTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org' PLUTO_MY_CLIENT='192.1.3.209/32' PLUTO_MY_CLIENT_NET='192.1.3.209' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16432' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='ID_NULL' PLUTO_PEER_CLIENT='192.1.2.0/24' PLUTO_PEER_CLIENT_NET='192.1.2.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+NEGO_PASS+OPPORTUNISTIC+GROUPINSTANCE+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failurePASS' PLUTO_CONN_KIND='CK_TEMPLATE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO
| popen cmd is 1213 chars long
| cmd(   0):PLUTO_VERB='route-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='private-or-clear#1:
| cmd(  80):92.1.2.0/24' PLUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='192.1.3.254' PLUTO_ME='192.1:
| cmd( 160):.3.209' PLUTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Departmen:
| cmd( 240):t, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org' PLUTO_MY_CL:
| cmd( 320):IENT='192.1.3.209/32' PLUTO_MY_CLIENT_NET='192.1.3.209' PLUTO_MY_CLIENT_MASK='25:
| cmd( 400):5.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16432' PL:
| cmd( 480):UTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='ID_NULL' PLUTO_PEER_CLIEN:
| cmd( 560):T='192.1.2.0/24' PLUTO_PEER_CLIENT_NET='192.1.2.0' PLUTO_PEER_CLIENT_MASK='255.2:
| cmd( 640):55.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STA:
| cmd( 720):CK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+NEGO_:
| cmd( 800):PASS+OPPORTUNISTIC+GROUPINSTANCE+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+f:
| cmd( 880):ailurePASS' PLUTO_CONN_KIND='CK_TEMPLATE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAI:
| cmd( 960):LED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' P:
| cmd(1040):LUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURE:
| cmd(1120):D='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec:
| cmd(1200): _updown 2>&1:
| suspend processing: connection "private-or-clear#192.1.2.0/24" (in route_group() at foodgroups.c:439)
| start processing: connection "private-or-clear" (in route_group() at foodgroups.c:439)
| stop processing: connection "private-or-clear" (in whack_route_connection() at rcv_whack.c:116)
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 1.11 milliseconds in whack
| processing signal PLUTO_SIGCHLD
| waitpid returned nothing left to do (all child processes are busy)
| spent 0.00374 milliseconds in signal handler PLUTO_SIGCHLD
| processing signal PLUTO_SIGCHLD
| waitpid returned nothing left to do (all child processes are busy)
| spent 0.00525 milliseconds in signal handler PLUTO_SIGCHLD
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
| FOR_EACH_CONNECTION_... in conn_by_name
| start processing: connection "private" (in whack_route_connection() at rcv_whack.c:106)
| stop processing: connection "private" (in whack_route_connection() at rcv_whack.c:116)
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.0264 milliseconds in whack
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
| FOR_EACH_CONNECTION_... in conn_by_name
| start processing: connection "block" (in whack_route_connection() at rcv_whack.c:106)
| stop processing: connection "block" (in whack_route_connection() at rcv_whack.c:116)
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.0304 milliseconds in whack
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
| FOR_EACH_CONNECTION_... in conn_by_name
| start processing: connection "private-or-clear-all" (in whack_route_connection() at rcv_whack.c:106)
| stop processing: connection "private-or-clear-all" (in whack_route_connection() at rcv_whack.c:116)
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.0222 milliseconds in whack
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
| FOR_EACH_CONNECTION_... in conn_by_name
| start processing: connection "private-or-clear-all" (in whack_route_connection() at rcv_whack.c:106)
| stop processing: connection "private-or-clear-all" (in whack_route_connection() at rcv_whack.c:116)
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.0283 milliseconds in whack
| processing signal PLUTO_SIGCHLD
| waitpid returned pid 23794 (exited with status 0)
| reaped addconn helper child (status 0)
| waitpid returned ECHILD (no child processes left)
| spent 0.0189 milliseconds in signal handler PLUTO_SIGCHLD
|  kernel_process_msg_cb process netlink message
| netlink_get: XFRM_MSG_ACQUIRE message
| xfrm netlink msg len 376
| xfrm acquire rtattribute type 5
| xfrm acquire rtattribute type 16
| add bare shunt 0x563e9cc11e08 192.1.3.209/32:8 --1--> 192.1.2.23/32:0 => %hold 0    %acquire-netlink
initiate on demand from 192.1.3.209:8 to 192.1.2.23:0 proto=1 because: acquire
| find_connection: looking for policy for connection: 192.1.3.209:1/8 -> 192.1.2.23:1/0
| FOR_EACH_CONNECTION_... in find_connection_for_clients
| find_connection: conn "private-or-clear#192.1.2.0/24" has compatible peers: 192.1.3.209/32 -> 192.1.2.0/24 [pri: 33554442]
| find_connection: first OK "private-or-clear#192.1.2.0/24" [pri:33554442]{0x563e9cc22178} (child none)
| find_connection: concluding with "private-or-clear#192.1.2.0/24" [pri:33554442]{0x563e9cc22178} kind=CK_TEMPLATE
| creating new instance from "private-or-clear#192.1.2.0/24"
| shunt widened for protoports since conn does not limit protocols
| going to initiate opportunistic, first installing pass negotiationshunt
| priority calculation of connection "private-or-clear#192.1.2.0/24" is 0x17dfe7
| oe-negotiating eroute 192.1.3.209/32:0 --0-> 192.1.2.23/32:0 => %pass (raw_eroute)
| netlink_raw_eroute: SPI_PASS
| IPsec Sa SPD priority set to 1564647
| raw_eroute result=success
| added bare (possibly wided) passthrough negotiationshunt succeeded (violating API)
| add bare shunt 0x563e9cc22978 192.1.3.209/32:0 --0--> 192.1.2.23/32:0 => %hold 0    oe-negotiating
| fiddle_bare_shunt called
| fiddle_bare_shunt with transport_proto 1
| removing specific host-to-host bare shunt
| delete bare kernel shunt - was replaced with  negotiationshunt eroute 192.1.3.209/32:8 --1-> 192.1.2.23/32:0 => %hold (raw_eroute)
| netlink_raw_eroute: SPI_PASS
| raw_eroute result=success
| raw_eroute with op='delete' for transport_proto='1' kernel shunt succeeded, bare shunt lookup succeeded
| delete bare shunt 0x563e9cc11e08 192.1.3.209/32:8 --1--> 192.1.2.23/32:0 => %hold 0    %acquire-netlink
| success taking down narrow bare shunt
| find_host_pair: comparing 192.1.3.209:500 to 0.0.0.0:500 but ignoring ports
| checking private-or-clear-all
| checking block
| checking private
| checking private-or-clear
| checking private-or-clear#192.1.2.0/24
| checking clear-or-private
| checking clear
| checking clear#192.1.2.253/32
| checking clear#192.1.3.253/32
| checking clear#192.1.3.254/32
| checking clear#192.1.2.254/32
| find_host_pair: comparing 192.1.3.209:500 to 0.0.0.0:500 but ignoring ports
| checking private-or-clear-all
| checking block
| checking private
| checking private-or-clear
| checking private-or-clear#192.1.2.0/24
| checking clear-or-private
| checking clear
| checking clear#192.1.2.253/32
| checking clear#192.1.3.253/32
| checking clear#192.1.3.254/32
| checking clear#192.1.2.254/32
| connect_to_host_pair: 192.1.3.209:500 192.1.2.23:500 -> hp@(nil): none
| new hp@0x563e9cc23238
| oppo instantiate d="private-or-clear#192.1.2.0/24" from c="private-or-clear#192.1.2.0/24" with c->routing prospective erouted, d->routing unrouted
| new oppo instance: 192.1.3.209[C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org]---192.1.3.254...192.1.2.23[ID_NULL]===192.1.2.0/24
| oppo_instantiate() instantiated "[1] ...192.1.2.23"private-or-clear#192.1.2.0/24: 192.1.3.209[C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org]---192.1.3.254...192.1.2.23[ID_NULL]
| assigning negotiation_shunt to connection
| assign hold, routing was unrouted, needs to be unrouted HOLD
| assign_holdpass() removing bare shunt
| delete bare shunt 0x563e9cc22978 192.1.3.209/32:0 --0--> 192.1.2.23/32:0 => %hold 0    oe-negotiating
|  assign_holdpass() done - returning success
| assign_holdpass succeeded
| initiate on demand from 192.1.3.209:0 to 192.1.2.23:0 proto=1 because: acquire
| FOR_EACH_STATE_... in find_phase1_state
| creating state object #1 at 0x563e9cc23318
| State DB: adding IKEv2 state #1 in UNDEFINED
| pstats #1 ikev2.ike started
| Message ID: init #1: msgid=0 lastack=4294967295 nextuse=0 lastrecv=4294967295 lastreplied=0
| parent state #1: UNDEFINED(ignore) => PARENT_I0(ignore)
| Message ID: init_ike #1; ike: initiator.sent=0->-1 initiator.recv=0->-1 responder.sent=0->-1 responder.recv=0->-1 wip.initiator=0->-1 wip.responder=0->-1
| start processing: state #1 connection "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 from 192.1.2.23 (in ikev2_parent_outI1() at ikev2_parent.c:535)
| dup_any(fd@-1) -> fd@-1 (in ikev2_parent_outI1() at ikev2_parent.c:551)
| Queuing pending IPsec SA negotiating with 192.1.2.23 "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 IKE SA #1 "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23
| constructing local IKE proposals for private-or-clear#192.1.2.0/24 (IKE SA initiator selecting KE)
| converting ike_info AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ...
| ...  ikev2_proposal: 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519
| converting ike_info AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ...
| ...  ikev2_proposal: 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519
| converting ike_info AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ...
| ...  ikev2_proposal: 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519
| converting ike_info AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ...
| ...  ikev2_proposal: 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519
"private-or-clear#192.1.2.0/24"[1] ...192.1.2.23: constructed local IKE proposals for private-or-clear#192.1.2.0/24 (IKE SA initiator selecting KE): 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519
| adding ikev2_outI1 KE work-order 1 for state #1
| event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x563e9cc25a88
| inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1
| libevent_malloc: new ptr-libevent@0x563e9cc05c98 size 128
| #1 spent 0.359 milliseconds in ikev2_parent_outI1()
| RESET processing: state #1 connection "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 from 192.1.2.23 (in ikev2_parent_outI1() at ikev2_parent.c:610)
| initiate on demand using RSASIG from 192.1.3.209 to 192.1.2.23
| spent 0.696 milliseconds in kernel message
| crypto helper 0 resuming
| crypto helper 0 starting work-order 1 for state #1
| crypto helper 0 doing build KE and nonce (ikev2_outI1 KE); request ID 1
| crypto helper 0 finished build KE and nonce (ikev2_outI1 KE); request ID 1 time elapsed 0.000812 seconds
| (#1) spent 0.812 milliseconds in crypto helper computing work-order 1: ikev2_outI1 KE (pcr)
| crypto helper 0 sending results from work-order 1 for state #1 to event queue
| scheduling resume sending helper answer for #1
| libevent_malloc: new ptr-libevent@0x7f3eec002888 size 128
| crypto helper 0 waiting (nothing to do)
| processing resume sending helper answer for #1
| start processing: state #1 connection "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 from 192.1.2.23 (in resume_handler() at server.c:797)
| crypto helper 0 replies to request ID 1
| calling continuation function 0x563e9b9bdb50
| ikev2_parent_outI1_continue for #1
| **emit ISAKMP Message:
|    initiator cookie:
|   45 de 21 c6  8e 76 c2 02
|    responder cookie:
|   00 00 00 00  00 00 00 00
|    next payload type: ISAKMP_NEXT_NONE (0x0)
|    ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
|    exchange type: ISAKMP_v2_IKE_SA_INIT (0x22)
|    flags: ISAKMP_FLAG_v2_IKE_INIT (0x8)
|    Message ID: 0 (0x0)
| next payload chain: saving message location 'ISAKMP Message'.'next payload type'
| using existing local IKE proposals for connection private-or-clear#192.1.2.0/24 (IKE SA initiator emitting local proposals): 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519
| Emitting ikev2_proposals ...
| ***emit IKEv2 Security Association Payload:
|    next payload type: ISAKMP_NEXT_v2NONE (0x0)
|    flags: none (0x0)
| next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA)
| next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet'
| discarding INTEG=NONE
| ****emit IKEv2 Proposal Substructure Payload:
|    last proposal: v2_PROPOSAL_NON_LAST (0x2)
|    prop #: 1 (0x1)
|    proto ID: IKEv2_SEC_PROTO_IKE (0x1)
|    spi size: 0 (0x0)
|    # transforms: 11 (0xb)
| last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal'
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_ENCR (0x1)
|    IKEv2 transform ID: AES_GCM_C (0x14)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| ******emit IKEv2 Attribute Substructure Payload:
|    af+type: AF+IKEv2_KEY_LENGTH (0x800e)
|    length/value: 256 (0x100)
| emitting length of IKEv2 Transform Substructure Payload: 12
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_PRF (0x2)
|    IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_PRF (0x2)
|    IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| discarding INTEG=NONE
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_LAST (0x0)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| emitting length of IKEv2 Proposal Substructure Payload: 100
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0
| discarding INTEG=NONE
| ****emit IKEv2 Proposal Substructure Payload:
|    last proposal: v2_PROPOSAL_NON_LAST (0x2)
|    prop #: 2 (0x2)
|    proto ID: IKEv2_SEC_PROTO_IKE (0x1)
|    spi size: 0 (0x0)
|    # transforms: 11 (0xb)
| last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is v2_PROPOSAL_NON_LAST (0x2)
| last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal'
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_ENCR (0x1)
|    IKEv2 transform ID: AES_GCM_C (0x14)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| ******emit IKEv2 Attribute Substructure Payload:
|    af+type: AF+IKEv2_KEY_LENGTH (0x800e)
|    length/value: 128 (0x80)
| emitting length of IKEv2 Transform Substructure Payload: 12
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_PRF (0x2)
|    IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_PRF (0x2)
|    IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| discarding INTEG=NONE
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_LAST (0x0)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| emitting length of IKEv2 Proposal Substructure Payload: 100
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0
| ****emit IKEv2 Proposal Substructure Payload:
|    last proposal: v2_PROPOSAL_NON_LAST (0x2)
|    prop #: 3 (0x3)
|    proto ID: IKEv2_SEC_PROTO_IKE (0x1)
|    spi size: 0 (0x0)
|    # transforms: 13 (0xd)
| last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is v2_PROPOSAL_NON_LAST (0x2)
| last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal'
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_ENCR (0x1)
|    IKEv2 transform ID: AES_CBC (0xc)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| ******emit IKEv2 Attribute Substructure Payload:
|    af+type: AF+IKEv2_KEY_LENGTH (0x800e)
|    length/value: 256 (0x100)
| emitting length of IKEv2 Transform Substructure Payload: 12
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_PRF (0x2)
|    IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_PRF (0x2)
|    IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_INTEG (0x3)
|    IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_INTEG (0x3)
|    IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_LAST (0x0)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| emitting length of IKEv2 Proposal Substructure Payload: 116
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0
| ****emit IKEv2 Proposal Substructure Payload:
|    last proposal: v2_PROPOSAL_LAST (0x0)
|    prop #: 4 (0x4)
|    proto ID: IKEv2_SEC_PROTO_IKE (0x1)
|    spi size: 0 (0x0)
|    # transforms: 13 (0xd)
| last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is v2_PROPOSAL_NON_LAST (0x2)
| last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal'
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_ENCR (0x1)
|    IKEv2 transform ID: AES_CBC (0xc)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| ******emit IKEv2 Attribute Substructure Payload:
|    af+type: AF+IKEv2_KEY_LENGTH (0x800e)
|    length/value: 128 (0x80)
| emitting length of IKEv2 Transform Substructure Payload: 12
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_PRF (0x2)
|    IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_PRF (0x2)
|    IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_INTEG (0x3)
|    IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_INTEG (0x3)
|    IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_LAST (0x0)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| emitting length of IKEv2 Proposal Substructure Payload: 116
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0
| emitting length of IKEv2 Security Association Payload: 436
| last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0
| ***emit IKEv2 Key Exchange Payload:
|    next payload type: ISAKMP_NEXT_v2NONE (0x0)
|    flags: none (0x0)
|    DH group: OAKLEY_GROUP_MODP2048 (0xe)
| next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Key Exchange Payload (34:ISAKMP_NEXT_v2KE)
| next payload chain: saving location 'IKEv2 Key Exchange Payload'.'next payload type' in 'reply packet'
| emitting 256 raw bytes of ikev2 g^x into IKEv2 Key Exchange Payload
| emitting length of IKEv2 Key Exchange Payload: 264
| ***emit IKEv2 Nonce Payload:
|    next payload type: ISAKMP_NEXT_v2N (0x29)
|    flags: none (0x0)
| next payload chain: ignoring supplied 'IKEv2 Nonce Payload'.'next payload type' value 41:ISAKMP_NEXT_v2N
| next payload chain: setting previous 'IKEv2 Key Exchange Payload'.'next payload type' to current IKEv2 Nonce Payload (40:ISAKMP_NEXT_v2Ni)
| next payload chain: saving location 'IKEv2 Nonce Payload'.'next payload type' in 'reply packet'
| emitting 32 raw bytes of IKEv2 nonce into IKEv2 Nonce Payload
| IKEv2 nonce  0f 6e 67 f8  7d 88 c6 a9  cb b2 6d 76  4b f9 4e 8d
| IKEv2 nonce  88 b4 77 27  fa 34 19 1c  58 16 a9 1d  43 16 42 7a
| emitting length of IKEv2 Nonce Payload: 36
| Adding a v2N Payload
| ***emit IKEv2 Notify Payload:
|    next payload type: ISAKMP_NEXT_v2NONE (0x0)
|    flags: none (0x0)
|    Protocol ID: PROTO_v2_RESERVED (0x0)
|    SPI size: 0 (0x0)
|    Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e)
| next payload chain: setting previous 'IKEv2 Nonce Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N)
| next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet'
| emitting length of IKEv2 Notify Payload: 8
|  NAT-Traversal support  [enabled] add v2N payloads.
| natd_hash: rcookie is zero
| natd_hash: hasher=0x563e9ba92800(20)
| natd_hash: icookie=  45 de 21 c6  8e 76 c2 02
| natd_hash: rcookie=  00 00 00 00  00 00 00 00
| natd_hash: ip=  c0 01 03 d1
| natd_hash: port=500
| natd_hash: hash=  c1 52 1d d8  5f 68 4b c3  c8 58 bf 1b  6a 45 a0 ea
| natd_hash: hash=  22 b5 50 b9
| Adding a v2N Payload
| ***emit IKEv2 Notify Payload:
|    next payload type: ISAKMP_NEXT_v2NONE (0x0)
|    flags: none (0x0)
|    Protocol ID: PROTO_v2_RESERVED (0x0)
|    SPI size: 0 (0x0)
|    Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004)
| next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N)
| next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet'
| emitting 20 raw bytes of Notify data into IKEv2 Notify Payload
| Notify data  c1 52 1d d8  5f 68 4b c3  c8 58 bf 1b  6a 45 a0 ea
| Notify data  22 b5 50 b9
| emitting length of IKEv2 Notify Payload: 28
| natd_hash: rcookie is zero
| natd_hash: hasher=0x563e9ba92800(20)
| natd_hash: icookie=  45 de 21 c6  8e 76 c2 02
| natd_hash: rcookie=  00 00 00 00  00 00 00 00
| natd_hash: ip=  c0 01 02 17
| natd_hash: port=500
| natd_hash: hash=  29 5e 5c e3  81 9f 35 1d  68 14 bb a8  10 a3 ab a2
| natd_hash: hash=  45 7b 36 72
| Adding a v2N Payload
| ***emit IKEv2 Notify Payload:
|    next payload type: ISAKMP_NEXT_v2NONE (0x0)
|    flags: none (0x0)
|    Protocol ID: PROTO_v2_RESERVED (0x0)
|    SPI size: 0 (0x0)
|    Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005)
| next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N)
| next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet'
| emitting 20 raw bytes of Notify data into IKEv2 Notify Payload
| Notify data  29 5e 5c e3  81 9f 35 1d  68 14 bb a8  10 a3 ab a2
| Notify data  45 7b 36 72
| emitting length of IKEv2 Notify Payload: 28
| emitting length of ISAKMP Message: 828
| stop processing: state #1 connection "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 from 192.1.2.23 (in ikev2_parent_outI1_common() at ikev2_parent.c:817)
| start processing: state #1 connection "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 from 192.1.2.23 (in complete_v2_state_transition() at ikev2.c:3379)
| #1 complete_v2_state_transition() PARENT_I0->PARENT_I1 with status STF_OK
| IKEv2: transition from state STATE_PARENT_I0 to state STATE_PARENT_I1
| parent state #1: PARENT_I0(ignore) => PARENT_I1(half-open IKE SA)
| Message ID: updating counters for #1 to 4294967295 after switching state
| Message ID: IKE #1 skipping update_recv as MD is fake
| Message ID: sent #1 request 0; ike: initiator.sent=-1->0 initiator.recv=-1 responder.sent=-1 responder.recv=-1 wip.initiator=-1->0 wip.responder=-1
| STATE_PARENT_I1: sent v2I1, expected v2R1
| sending V2 reply packet to 192.1.2.23:500 (from 192.1.3.209:500)
| sending 828 bytes for STATE_PARENT_I0 through eth0 from 192.1.3.209:500 to 192.1.2.23:500 (using #1)
| state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted
| libevent_free: release ptr-libevent@0x563e9cc05c98
| free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x563e9cc25a88
| success_v2_state_transition scheduling EVENT_RETRANSMIT of c->r_interval=15000ms
"private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 #1: IMPAIR: suppressing retransmits; scheduling timeout in 60 seconds
| event_schedule: new EVENT_RETRANSMIT-pe@0x563e9cc25a88
| inserting event EVENT_RETRANSMIT, timeout in 60 seconds for #1
| libevent_malloc: new ptr-libevent@0x563e9cc25bb8 size 128
| #1 STATE_PARENT_I1: retransmits: first event in 60 seconds; timeout in 60 seconds; limit of 12 retransmits; current time is 29578.332677
| resume sending helper answer for #1 suppresed complete_v2_state_transition() and stole MD
| #1 spent 1.14 milliseconds in resume sending helper answer
| stop processing: state #1 connection "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 from 192.1.2.23 (in resume_handler() at server.c:833)
| libevent_free: release ptr-libevent@0x7f3eec002888
| spent 0.00287 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue()
| *received 437 bytes from 192.1.2.23:500 on eth0 (192.1.3.209:500)
| start processing: from 192.1.2.23:500 (in process_md() at demux.c:378)
| **parse ISAKMP Message:
|    initiator cookie:
|   45 de 21 c6  8e 76 c2 02
|    responder cookie:
|   56 b8 4c 3f  69 6a 43 06
|    next payload type: ISAKMP_NEXT_v2SA (0x21)
|    ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
|    exchange type: ISAKMP_v2_IKE_SA_INIT (0x22)
|    flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20)
|    Message ID: 0 (0x0)
|    length: 437 (0x1b5)
|  processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_SA_INIT (34)
| I am the IKE SA Original Initiator receiving an IKEv2 IKE_SA_INIT response 
| State DB: found IKEv2 state #1 in PARENT_I1 (find_v2_ike_sa_by_initiator_spi)
| start processing: state #1 connection "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 from 192.1.2.23 (in ikev2_process_packet() at ikev2.c:2016)
| [RE]START processing: state #1 connection "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 from 192.1.2.23 (in ike_process_packet() at ikev2.c:2062)
| #1 is idle
| #1 idle
| unpacking clear payload
| Now let's proceed with payload (ISAKMP_NEXT_v2SA)
| ***parse IKEv2 Security Association Payload:
|    next payload type: ISAKMP_NEXT_v2KE (0x22)
|    flags: none (0x0)
|    length: 40 (0x28)
| processing payload: ISAKMP_NEXT_v2SA (len=36)
| Now let's proceed with payload (ISAKMP_NEXT_v2KE)
| ***parse IKEv2 Key Exchange Payload:
|    next payload type: ISAKMP_NEXT_v2Ni (0x28)
|    flags: none (0x0)
|    length: 264 (0x108)
|    DH group: OAKLEY_GROUP_MODP2048 (0xe)
| processing payload: ISAKMP_NEXT_v2KE (len=256)
| Now let's proceed with payload (ISAKMP_NEXT_v2Ni)
| ***parse IKEv2 Nonce Payload:
|    next payload type: ISAKMP_NEXT_v2N (0x29)
|    flags: none (0x0)
|    length: 36 (0x24)
| processing payload: ISAKMP_NEXT_v2Ni (len=32)
| Now let's proceed with payload (ISAKMP_NEXT_v2N)
| ***parse IKEv2 Notify Payload:
|    next payload type: ISAKMP_NEXT_v2N (0x29)
|    flags: none (0x0)
|    length: 8 (0x8)
|    Protocol ID: PROTO_v2_RESERVED (0x0)
|    SPI size: 0 (0x0)
|    Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e)
| processing payload: ISAKMP_NEXT_v2N (len=0)
| Now let's proceed with payload (ISAKMP_NEXT_v2N)
| ***parse IKEv2 Notify Payload:
|    next payload type: ISAKMP_NEXT_v2N (0x29)
|    flags: none (0x0)
|    length: 28 (0x1c)
|    Protocol ID: PROTO_v2_RESERVED (0x0)
|    SPI size: 0 (0x0)
|    Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004)
| processing payload: ISAKMP_NEXT_v2N (len=20)
| Now let's proceed with payload (ISAKMP_NEXT_v2N)
| ***parse IKEv2 Notify Payload:
|    next payload type: ISAKMP_NEXT_v2CERTREQ (0x26)
|    flags: none (0x0)
|    length: 28 (0x1c)
|    Protocol ID: PROTO_v2_RESERVED (0x0)
|    SPI size: 0 (0x0)
|    Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005)
| processing payload: ISAKMP_NEXT_v2N (len=20)
| Now let's proceed with payload (ISAKMP_NEXT_v2CERTREQ)
| ***parse IKEv2 Certificate Request Payload:
|    next payload type: ISAKMP_NEXT_v2NONE (0x0)
|    flags: none (0x0)
|    length: 5 (0x5)
|    ikev2 cert encoding: CERT_X509_SIGNATURE (0x4)
| processing payload: ISAKMP_NEXT_v2CERTREQ (len=0)
| State DB: re-hashing IKEv2 state #1 IKE SPIi and SPI[ir]
| #1 in state PARENT_I1: sent v2I1, expected v2R1
| selected state microcode Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH
| Now let's proceed with state specific processing
| calling processor Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH
| ikev2 parent inR1: calculating g^{xy} in order to send I2
| using existing local IKE proposals for connection private-or-clear#192.1.2.0/24 (IKE SA initiator accepting remote proposal): 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519
| Comparing remote proposals against IKE initiator (accepting) 4 local proposals
| local proposal 1 type ENCR has 1 transforms
| local proposal 1 type PRF has 2 transforms
| local proposal 1 type INTEG has 1 transforms
| local proposal 1 type DH has 8 transforms
| local proposal 1 type ESN has 0 transforms
| local proposal 1 transforms: required: ENCR+PRF+DH; optional: INTEG
| local proposal 2 type ENCR has 1 transforms
| local proposal 2 type PRF has 2 transforms
| local proposal 2 type INTEG has 1 transforms
| local proposal 2 type DH has 8 transforms
| local proposal 2 type ESN has 0 transforms
| local proposal 2 transforms: required: ENCR+PRF+DH; optional: INTEG
| local proposal 3 type ENCR has 1 transforms
| local proposal 3 type PRF has 2 transforms
| local proposal 3 type INTEG has 2 transforms
| local proposal 3 type DH has 8 transforms
| local proposal 3 type ESN has 0 transforms
| local proposal 3 transforms: required: ENCR+PRF+INTEG+DH; optional: none
| local proposal 4 type ENCR has 1 transforms
| local proposal 4 type PRF has 2 transforms
| local proposal 4 type INTEG has 2 transforms
| local proposal 4 type DH has 8 transforms
| local proposal 4 type ESN has 0 transforms
| local proposal 4 transforms: required: ENCR+PRF+INTEG+DH; optional: none
| ****parse IKEv2 Proposal Substructure Payload:
|    last proposal: v2_PROPOSAL_LAST (0x0)
|    length: 36 (0x24)
|    prop #: 1 (0x1)
|    proto ID: IKEv2_SEC_PROTO_IKE (0x1)
|    spi size: 0 (0x0)
|    # transforms: 3 (0x3)
| Comparing remote proposal 1 containing 3 transforms against local proposal [1..1] of 4 local proposals
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 12 (0xc)
|    IKEv2 transform type: TRANS_TYPE_ENCR (0x1)
|    IKEv2 transform ID: AES_GCM_C (0x14)
| ******parse IKEv2 Attribute Substructure Payload:
|    af+type: AF+IKEv2_KEY_LENGTH (0x800e)
|    length/value: 256 (0x100)
| remote proposal 1 transform 0 (ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) transform 0
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_PRF (0x2)
|    IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7)
| remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 1 type 2 (PRF) transform 0
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_LAST (0x0)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe)
| remote proposal 1 transform 2 (DH=MODP2048) matches local proposal 1 type 4 (DH) transform 0
| remote proposal 1 proposed transforms: ENCR+PRF+DH; matched: ENCR+PRF+DH; unmatched: none
| comparing remote proposal 1 containing ENCR+PRF+DH transforms to local proposal 1; required: ENCR+PRF+DH; optional: INTEG; matched: ENCR+PRF+DH
| remote proposal 1 matches local proposal 1
| remote accepted the proposal 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048[first-match]
| converting proposal to internal trans attrs
| natd_hash: hasher=0x563e9ba92800(20)
| natd_hash: icookie=  45 de 21 c6  8e 76 c2 02
| natd_hash: rcookie=  56 b8 4c 3f  69 6a 43 06
| natd_hash: ip=  c0 01 03 d1
| natd_hash: port=500
| natd_hash: hash=  d9 43 fa 73  71 9e 42 58  a4 d2 73 33  79 d0 07 b5
| natd_hash: hash=  83 e3 37 4e
| natd_hash: hasher=0x563e9ba92800(20)
| natd_hash: icookie=  45 de 21 c6  8e 76 c2 02
| natd_hash: rcookie=  56 b8 4c 3f  69 6a 43 06
| natd_hash: ip=  c0 01 02 17
| natd_hash: port=500
| natd_hash: hash=  48 93 a6 9b  e4 b8 8d af  f1 55 7b eb  83 91 f0 0d
| natd_hash: hash=  49 b2 a0 65
| NAT_TRAVERSAL encaps using auto-detect
| NAT_TRAVERSAL this end is NOT behind NAT
| NAT_TRAVERSAL that end is NOT behind NAT
| NAT_TRAVERSAL nat-keepalive enabled 192.1.2.23
| offloading IKEv2 SKEYSEED using prf=HMAC_SHA2_512 integ=NONE cipherkey=AES_GCM_16
| adding ikev2_inR1outI2 KE work-order 2 for state #1
| state #1 requesting EVENT_RETRANSMIT to be deleted
| #1 STATE_PARENT_I1: retransmits: cleared
| libevent_free: release ptr-libevent@0x563e9cc25bb8
| free_event_entry: release EVENT_RETRANSMIT-pe@0x563e9cc25a88
| event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x563e9cc25a88
| inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1
| libevent_malloc: new ptr-libevent@0x7f3eec002888 size 128
|   #1 spent 0.205 milliseconds in processing: Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH in ikev2_process_state_packet()
| [RE]START processing: state #1 connection "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 from 192.1.2.23 (in complete_v2_state_transition() at ikev2.c:3379)
| #1 complete_v2_state_transition() PARENT_I1->PARENT_I2 with status STF_SUSPEND
| suspending state #1 and saving MD
| #1 is busy; has a suspended MD
| [RE]START processing: state #1 connection "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 from 192.1.2.23 (in log_stf_suspend() at ikev2.c:3269)
| "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 #1 complete v2 state STATE_PARENT_I1 transition with STF_SUSPEND suspended from complete_v2_state_transition:3451
| stop processing: state #1 connection "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 from 192.1.2.23 (in ikev2_process_packet() at ikev2.c:2018)
| #1 spent 0.438 milliseconds in ikev2_process_packet()
| stop processing: from 192.1.2.23:500 (in process_md() at demux.c:380)
| processing: STOP state #0 (in process_md() at demux.c:382)
| processing: STOP connection NULL (in process_md() at demux.c:383)
| spent 0.448 milliseconds in comm_handle_cb() reading and processing packet
| crypto helper 1 resuming
| crypto helper 1 starting work-order 2 for state #1
| crypto helper 1 doing compute dh (V2) (ikev2_inR1outI2 KE); request ID 2
| calculating skeyseed using prf=sha2_512 integ=none cipherkey-size=32 salt-size=4
| crypto helper 1 finished compute dh (V2) (ikev2_inR1outI2 KE); request ID 2 time elapsed 0.001103 seconds
| (#1) spent 1.11 milliseconds in crypto helper computing work-order 2: ikev2_inR1outI2 KE (pcr)
| crypto helper 1 sending results from work-order 2 for state #1 to event queue
| scheduling resume sending helper answer for #1
| libevent_malloc: new ptr-libevent@0x7f3ee4000f48 size 128
| crypto helper 1 waiting (nothing to do)
| processing resume sending helper answer for #1
| start processing: state #1 connection "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 from 192.1.2.23 (in resume_handler() at server.c:797)
| crypto helper 1 replies to request ID 2
| calling continuation function 0x563e9b9bdb50
| ikev2_parent_inR1outI2_continue for #1: calculating g^{xy}, sending I2
| creating state object #2 at 0x563e9cc28428
| State DB: adding IKEv2 state #2 in UNDEFINED
| pstats #2 ikev2.child started
| duplicating state object #1 "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 as #2 for IPSEC SA
| #2 setting local endpoint to 192.1.3.209:500 from #1.st_localport (in duplicate_state() at state.c:1484)
| Message ID: init_child #1.#2; ike: initiator.sent=0 initiator.recv=-1 responder.sent=-1 responder.recv=-1; child: wip.initiator=0->-1 wip.responder=0->-1
| Message ID: switch-from #1 response 0; ike: initiator.sent=0 initiator.recv=-1 responder.sent=-1 responder.recv=-1 wip.initiator=0->-1 wip.responder=-1
| Message ID: switch-to #1.#2 response 0; ike: initiator.sent=0 initiator.recv=-1 responder.sent=-1 responder.recv=-1; child: wip.initiator=-1->0 wip.responder=-1
| state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted
| libevent_free: release ptr-libevent@0x7f3eec002888
| free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x563e9cc25a88
| event_schedule: new EVENT_SA_REPLACE-pe@0x563e9cc25a88
| inserting event EVENT_SA_REPLACE, timeout in 60 seconds for #1
| libevent_malloc: new ptr-libevent@0x7f3eec002888 size 128
| parent state #1: PARENT_I1(half-open IKE SA) => PARENT_I2(open IKE SA)
| **emit ISAKMP Message:
|    initiator cookie:
|   45 de 21 c6  8e 76 c2 02
|    responder cookie:
|   56 b8 4c 3f  69 6a 43 06
|    next payload type: ISAKMP_NEXT_NONE (0x0)
|    ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
|    exchange type: ISAKMP_v2_IKE_AUTH (0x23)
|    flags: ISAKMP_FLAG_v2_IKE_INIT (0x8)
|    Message ID: 1 (0x1)
| next payload chain: saving message location 'ISAKMP Message'.'next payload type'
| ***emit IKEv2 Encryption Payload:
|    next payload type: ISAKMP_NEXT_v2NONE (0x0)
|    flags: none (0x0)
| next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK)
| next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'reply packet'
| emitting 8 zero bytes of IV into IKEv2 Encryption Payload
| IKEv2 CERT: send a certificate?
| IKEv2 CERT: OK to send a certificate (always)
| IDr payload will be sent
| ****emit IKEv2 Identification - Initiator - Payload:
|    next payload type: ISAKMP_NEXT_v2NONE (0x0)
|    flags: none (0x0)
|    ID type: ID_DER_ASN1_DN (0x9)
| next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Identification - Initiator - Payload (35:ISAKMP_NEXT_v2IDi)
| next payload chain: saving location 'IKEv2 Identification - Initiator - Payload'.'next payload type' in 'reply packet'
| emitting 183 raw bytes of my identity into IKEv2 Identification - Initiator - Payload
| emitting length of IKEv2 Identification - Initiator - Payload: 191
| Sending [CERT] of certificate: E=user-road@testing.libreswan.org,CN=road.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
| ****emit IKEv2 Certificate Payload:
|    next payload type: ISAKMP_NEXT_v2NONE (0x0)
|    flags: none (0x0)
|    ikev2 cert encoding: CERT_X509_SIGNATURE (0x4)
| next payload chain: setting previous 'IKEv2 Identification - Initiator - Payload'.'next payload type' to current IKEv2 Certificate Payload (37:ISAKMP_NEXT_v2CERT)
| next payload chain: saving location 'IKEv2 Certificate Payload'.'next payload type' in 'reply packet'
| emitting 1224 raw bytes of CERT into IKEv2 Certificate Payload
| CERT  f9 17 94 73  7f 8d fb 7d  9d 24 5e c5  95 19 96 3e
| CERT  04 dd 8a d0  ad 11 f4 97  32 43 d2 f3  1a d3 1c b1
| CERT  e9 01 90 f2  72 36 cf d4  bd 14 e6 ad  8d d2 84 3b
| CERT  92 94 99 40  21 16 68 aa  e7 5e ac 95  88 11 40 55
| CERT  28 90 af 7f  98 b1 80 36  c5 18 f7 6e  43 40 bc 93
| CERT  86 b3 f1 aa  b3 89 b4 15
| emitting length of IKEv2 Certificate Payload: 1229
| IKEv2 CERTREQ: send a cert request?
| IKEv2 CERTREQ: no CA DN known to send
| ****emit IKEv2 Identification - Responder - Payload:
|    next payload type: ISAKMP_NEXT_v2AUTH (0x27)
|    flags: none (0x0)
|    ID type: ID_NULL (0xd)
| next payload chain: ignoring supplied 'IKEv2 Identification - Responder - Payload'.'next payload type' value 39:ISAKMP_NEXT_v2AUTH
| next payload chain: setting previous 'IKEv2 Certificate Payload'.'next payload type' to current IKEv2 Identification - Responder - Payload (36:ISAKMP_NEXT_v2IDr)
| next payload chain: saving location 'IKEv2 Identification - Responder - Payload'.'next payload type' in 'reply packet'
| emitting 0 raw bytes of IDr into IKEv2 Identification - Responder - Payload
| IDr
| emitting length of IKEv2 Identification - Responder - Payload: 8
| not sending INITIAL_CONTACT
| ****emit IKEv2 Authentication Payload:
|    next payload type: ISAKMP_NEXT_v2NONE (0x0)
|    flags: none (0x0)
|    auth method: IKEv2_AUTH_RSA (0x1)
| next payload chain: setting previous 'IKEv2 Identification - Responder - Payload'.'next payload type' to current IKEv2 Authentication Payload (39:ISAKMP_NEXT_v2AUTH)
| next payload chain: saving location 'IKEv2 Authentication Payload'.'next payload type' in 'reply packet'
| started looking for secret for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org->ID_NULL of kind PKK_RSA
| searching for certificate PKK_RSA:AQPHFfpyJ vs PKK_RSA:AwEAAd7rc
| private key for cert road not found in local cache; loading from NSS DB
| certs and keys locked by 'lsw_add_rsa_secret'
| certs and keys unlocked by 'lsw_add_rsa_secret'
| searching for certificate PKK_RSA:AwEAAd7rc vs PKK_RSA:AwEAAd7rc
|     #1 spent 7.45 milliseconds in ikev2_calculate_rsa_hash() calling sign_hash_RSA()
| emitting 384 raw bytes of rsa signature into IKEv2 Authentication Payload
|   #1 spent 7.86 milliseconds in ikev2_calculate_rsa_hash()
| emitting length of IKEv2 Authentication Payload: 392
| getting first pending from state #1
| netlink_get_spi: allocated 0xac2a2f4b for esp.0@192.1.3.209
| constructing ESP/AH proposals with all DH removed  for private-or-clear#192.1.2.0/24 (IKE SA initiator emitting ESP/AH proposals)
| converting proposal AES_GCM_16_256-NONE to ikev2 ...
| ...  ikev2_proposal: 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;DH=NONE;ESN=DISABLED
| converting proposal AES_GCM_16_128-NONE to ikev2 ...
| ...  ikev2_proposal: 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;DH=NONE;ESN=DISABLED
| converting proposal AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128 to ikev2 ...
| ...  ikev2_proposal: 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED
| converting proposal AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128 to ikev2 ...
| ...  ikev2_proposal: 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED
"private-or-clear#192.1.2.0/24"[1] ...192.1.2.23: constructed local ESP/AH proposals for private-or-clear#192.1.2.0/24 (IKE SA initiator emitting ESP/AH proposals): 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;DH=NONE;ESN=DISABLED 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;DH=NONE;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED
| Emitting ikev2_proposals ...
| ****emit IKEv2 Security Association Payload:
|    next payload type: ISAKMP_NEXT_v2NONE (0x0)
|    flags: none (0x0)
| next payload chain: setting previous 'IKEv2 Authentication Payload'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA)
| next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet'
| discarding INTEG=NONE
| discarding DH=NONE
| *****emit IKEv2 Proposal Substructure Payload:
|    last proposal: v2_PROPOSAL_NON_LAST (0x2)
|    prop #: 1 (0x1)
|    proto ID: IKEv2_SEC_PROTO_ESP (0x3)
|    spi size: 4 (0x4)
|    # transforms: 2 (0x2)
| last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal'
| emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload
| our spi  ac 2a 2f 4b
| ******emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_ENCR (0x1)
|    IKEv2 transform ID: AES_GCM_C (0x14)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| *******emit IKEv2 Attribute Substructure Payload:
|    af+type: AF+IKEv2_KEY_LENGTH (0x800e)
|    length/value: 256 (0x100)
| emitting length of IKEv2 Transform Substructure Payload: 12
| discarding INTEG=NONE
| discarding DH=NONE
| ******emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_LAST (0x0)
|    IKEv2 transform type: TRANS_TYPE_ESN (0x5)
|    IKEv2 transform ID: ESN_DISABLED (0x0)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| emitting length of IKEv2 Proposal Substructure Payload: 32
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0
| discarding INTEG=NONE
| discarding DH=NONE
| *****emit IKEv2 Proposal Substructure Payload:
|    last proposal: v2_PROPOSAL_NON_LAST (0x2)
|    prop #: 2 (0x2)
|    proto ID: IKEv2_SEC_PROTO_ESP (0x3)
|    spi size: 4 (0x4)
|    # transforms: 2 (0x2)
| last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is v2_PROPOSAL_NON_LAST (0x2)
| last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal'
| emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload
| our spi  ac 2a 2f 4b
| ******emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_ENCR (0x1)
|    IKEv2 transform ID: AES_GCM_C (0x14)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| *******emit IKEv2 Attribute Substructure Payload:
|    af+type: AF+IKEv2_KEY_LENGTH (0x800e)
|    length/value: 128 (0x80)
| emitting length of IKEv2 Transform Substructure Payload: 12
| discarding INTEG=NONE
| discarding DH=NONE
| ******emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_LAST (0x0)
|    IKEv2 transform type: TRANS_TYPE_ESN (0x5)
|    IKEv2 transform ID: ESN_DISABLED (0x0)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| emitting length of IKEv2 Proposal Substructure Payload: 32
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0
| discarding DH=NONE
| *****emit IKEv2 Proposal Substructure Payload:
|    last proposal: v2_PROPOSAL_NON_LAST (0x2)
|    prop #: 3 (0x3)
|    proto ID: IKEv2_SEC_PROTO_ESP (0x3)
|    spi size: 4 (0x4)
|    # transforms: 4 (0x4)
| last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is v2_PROPOSAL_NON_LAST (0x2)
| last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal'
| emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload
| our spi  ac 2a 2f 4b
| ******emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_ENCR (0x1)
|    IKEv2 transform ID: AES_CBC (0xc)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| *******emit IKEv2 Attribute Substructure Payload:
|    af+type: AF+IKEv2_KEY_LENGTH (0x800e)
|    length/value: 256 (0x100)
| emitting length of IKEv2 Transform Substructure Payload: 12
| ******emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_INTEG (0x3)
|    IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| ******emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_INTEG (0x3)
|    IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| discarding DH=NONE
| ******emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_LAST (0x0)
|    IKEv2 transform type: TRANS_TYPE_ESN (0x5)
|    IKEv2 transform ID: ESN_DISABLED (0x0)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| emitting length of IKEv2 Proposal Substructure Payload: 48
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0
| discarding DH=NONE
| *****emit IKEv2 Proposal Substructure Payload:
|    last proposal: v2_PROPOSAL_LAST (0x0)
|    prop #: 4 (0x4)
|    proto ID: IKEv2_SEC_PROTO_ESP (0x3)
|    spi size: 4 (0x4)
|    # transforms: 4 (0x4)
| last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is v2_PROPOSAL_NON_LAST (0x2)
| last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal'
| emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload
| our spi  ac 2a 2f 4b
| ******emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_ENCR (0x1)
|    IKEv2 transform ID: AES_CBC (0xc)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| *******emit IKEv2 Attribute Substructure Payload:
|    af+type: AF+IKEv2_KEY_LENGTH (0x800e)
|    length/value: 128 (0x80)
| emitting length of IKEv2 Transform Substructure Payload: 12
| ******emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_INTEG (0x3)
|    IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| ******emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_INTEG (0x3)
|    IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| discarding DH=NONE
| ******emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_LAST (0x0)
|    IKEv2 transform type: TRANS_TYPE_ESN (0x5)
|    IKEv2 transform ID: ESN_DISABLED (0x0)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| emitting length of IKEv2 Proposal Substructure Payload: 48
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0
| emitting length of IKEv2 Security Association Payload: 164
| last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0
| ****emit IKEv2 Traffic Selector - Initiator - Payload:
|    next payload type: ISAKMP_NEXT_v2NONE (0x0)
|    flags: none (0x0)
|    number of TS: 1 (0x1)
| next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Traffic Selector - Initiator - Payload (44:ISAKMP_NEXT_v2TSi)
| next payload chain: saving location 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' in 'reply packet'
| *****emit IKEv2 Traffic Selector:
|    TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7)
|    IP Protocol ID: 0 (0x0)
|    start port: 0 (0x0)
|    end port: 65535 (0xffff)
| emitting 4 raw bytes of ipv4 start into IKEv2 Traffic Selector
| ipv4 start  c0 01 03 d1
| emitting 4 raw bytes of ipv4 end into IKEv2 Traffic Selector
| ipv4 end  c0 01 03 d1
| emitting length of IKEv2 Traffic Selector: 16
| emitting length of IKEv2 Traffic Selector - Initiator - Payload: 24
| ****emit IKEv2 Traffic Selector - Responder - Payload:
|    next payload type: ISAKMP_NEXT_v2NONE (0x0)
|    flags: none (0x0)
|    number of TS: 1 (0x1)
| next payload chain: setting previous 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' to current IKEv2 Traffic Selector - Responder - Payload (45:ISAKMP_NEXT_v2TSr)
| next payload chain: saving location 'IKEv2 Traffic Selector - Responder - Payload'.'next payload type' in 'reply packet'
| *****emit IKEv2 Traffic Selector:
|    TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7)
|    IP Protocol ID: 0 (0x0)
|    start port: 0 (0x0)
|    end port: 65535 (0xffff)
| emitting 4 raw bytes of ipv4 start into IKEv2 Traffic Selector
| ipv4 start  c0 01 02 17
| emitting 4 raw bytes of ipv4 end into IKEv2 Traffic Selector
| ipv4 end  c0 01 02 17
| emitting length of IKEv2 Traffic Selector: 16
| emitting length of IKEv2 Traffic Selector - Responder - Payload: 24
| Initiator child policy is tunnel mode, NOT sending v2N_USE_TRANSPORT_MODE
| Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED
| adding 1 bytes of padding (including 1 byte padding-length)
| emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload
| emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload
| emitting length of IKEv2 Encryption Payload: 2061
| emitting length of ISAKMP Message: 2089
| **parse ISAKMP Message:
|    initiator cookie:
|   45 de 21 c6  8e 76 c2 02
|    responder cookie:
|   56 b8 4c 3f  69 6a 43 06
|    next payload type: ISAKMP_NEXT_v2SK (0x2e)
|    ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
|    exchange type: ISAKMP_v2_IKE_AUTH (0x23)
|    flags: ISAKMP_FLAG_v2_IKE_INIT (0x8)
|    Message ID: 1 (0x1)
|    length: 2089 (0x829)
| **parse IKEv2 Encryption Payload:
|    next payload type: ISAKMP_NEXT_v2IDi (0x23)
|    flags: none (0x0)
|    length: 2061 (0x80d)
| **emit ISAKMP Message:
|    initiator cookie:
|   45 de 21 c6  8e 76 c2 02
|    responder cookie:
|   56 b8 4c 3f  69 6a 43 06
|    next payload type: ISAKMP_NEXT_NONE (0x0)
|    ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
|    exchange type: ISAKMP_v2_IKE_AUTH (0x23)
|    flags: ISAKMP_FLAG_v2_IKE_INIT (0x8)
|    Message ID: 1 (0x1)
| next payload chain: saving message location 'ISAKMP Message'.'next payload type'
| ***emit IKEv2 Encrypted Fragment:
|    next payload type: ISAKMP_NEXT_v2IDi (0x23)
|    flags: none (0x0)
|    fragment number: 1 (0x1)
|    total fragments: 5 (0x5)
| next payload chain: using supplied v2SKF 'IKEv2 Encrypted Fragment'.'next payload type' value 35:ISAKMP_NEXT_v2IDi
| next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encrypted Fragment (53:ISAKMP_NEXT_v2SKF)
| next payload chain: saving location 'IKEv2 Encrypted Fragment'.'next payload type' in 'reply frag packet'
| emitting 8 zero bytes of IV into IKEv2 Encrypted Fragment
| emitting 478 raw bytes of cleartext fragment into IKEv2 Encrypted Fragment
| adding 1 bytes of padding (including 1 byte padding-length)
| emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encrypted Fragment
| emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encrypted Fragment
| emitting length of IKEv2 Encrypted Fragment: 511
| emitting length of ISAKMP Message: 539
| **emit ISAKMP Message:
|    initiator cookie:
|   45 de 21 c6  8e 76 c2 02
|    responder cookie:
|   56 b8 4c 3f  69 6a 43 06
|    next payload type: ISAKMP_NEXT_NONE (0x0)
|    ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
|    exchange type: ISAKMP_v2_IKE_AUTH (0x23)
|    flags: ISAKMP_FLAG_v2_IKE_INIT (0x8)
|    Message ID: 1 (0x1)
| next payload chain: saving message location 'ISAKMP Message'.'next payload type'
| ***emit IKEv2 Encrypted Fragment:
|    next payload type: ISAKMP_NEXT_v2NONE (0x0)
|    flags: none (0x0)
|    fragment number: 2 (0x2)
|    total fragments: 5 (0x5)
| next payload chain: using supplied v2SKF 'IKEv2 Encrypted Fragment'.'next payload type' value 0:ISAKMP_NEXT_v2NONE
| next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encrypted Fragment (53:ISAKMP_NEXT_v2SKF)
| next payload chain: saving location 'IKEv2 Encrypted Fragment'.'next payload type' in 'reply frag packet'
| emitting 8 zero bytes of IV into IKEv2 Encrypted Fragment
| emitting 478 raw bytes of cleartext fragment into IKEv2 Encrypted Fragment
| adding 1 bytes of padding (including 1 byte padding-length)
| emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encrypted Fragment
| emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encrypted Fragment
| emitting length of IKEv2 Encrypted Fragment: 511
| emitting length of ISAKMP Message: 539
| **emit ISAKMP Message:
|    initiator cookie:
|   45 de 21 c6  8e 76 c2 02
|    responder cookie:
|   56 b8 4c 3f  69 6a 43 06
|    next payload type: ISAKMP_NEXT_NONE (0x0)
|    ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
|    exchange type: ISAKMP_v2_IKE_AUTH (0x23)
|    flags: ISAKMP_FLAG_v2_IKE_INIT (0x8)
|    Message ID: 1 (0x1)
| next payload chain: saving message location 'ISAKMP Message'.'next payload type'
| ***emit IKEv2 Encrypted Fragment:
|    next payload type: ISAKMP_NEXT_v2NONE (0x0)
|    flags: none (0x0)
|    fragment number: 3 (0x3)
|    total fragments: 5 (0x5)
| next payload chain: using supplied v2SKF 'IKEv2 Encrypted Fragment'.'next payload type' value 0:ISAKMP_NEXT_v2NONE
| next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encrypted Fragment (53:ISAKMP_NEXT_v2SKF)
| next payload chain: saving location 'IKEv2 Encrypted Fragment'.'next payload type' in 'reply frag packet'
| emitting 8 zero bytes of IV into IKEv2 Encrypted Fragment
| emitting 478 raw bytes of cleartext fragment into IKEv2 Encrypted Fragment
| adding 1 bytes of padding (including 1 byte padding-length)
| emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encrypted Fragment
| emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encrypted Fragment
| emitting length of IKEv2 Encrypted Fragment: 511
| emitting length of ISAKMP Message: 539
| **emit ISAKMP Message:
|    initiator cookie:
|   45 de 21 c6  8e 76 c2 02
|    responder cookie:
|   56 b8 4c 3f  69 6a 43 06
|    next payload type: ISAKMP_NEXT_NONE (0x0)
|    ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
|    exchange type: ISAKMP_v2_IKE_AUTH (0x23)
|    flags: ISAKMP_FLAG_v2_IKE_INIT (0x8)
|    Message ID: 1 (0x1)
| next payload chain: saving message location 'ISAKMP Message'.'next payload type'
| ***emit IKEv2 Encrypted Fragment:
|    next payload type: ISAKMP_NEXT_v2NONE (0x0)
|    flags: none (0x0)
|    fragment number: 4 (0x4)
|    total fragments: 5 (0x5)
| next payload chain: using supplied v2SKF 'IKEv2 Encrypted Fragment'.'next payload type' value 0:ISAKMP_NEXT_v2NONE
| next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encrypted Fragment (53:ISAKMP_NEXT_v2SKF)
| next payload chain: saving location 'IKEv2 Encrypted Fragment'.'next payload type' in 'reply frag packet'
| emitting 8 zero bytes of IV into IKEv2 Encrypted Fragment
| emitting 478 raw bytes of cleartext fragment into IKEv2 Encrypted Fragment
| adding 1 bytes of padding (including 1 byte padding-length)
| emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encrypted Fragment
| emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encrypted Fragment
| emitting length of IKEv2 Encrypted Fragment: 511
| emitting length of ISAKMP Message: 539
| **emit ISAKMP Message:
|    initiator cookie:
|   45 de 21 c6  8e 76 c2 02
|    responder cookie:
|   56 b8 4c 3f  69 6a 43 06
|    next payload type: ISAKMP_NEXT_NONE (0x0)
|    ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
|    exchange type: ISAKMP_v2_IKE_AUTH (0x23)
|    flags: ISAKMP_FLAG_v2_IKE_INIT (0x8)
|    Message ID: 1 (0x1)
| next payload chain: saving message location 'ISAKMP Message'.'next payload type'
| ***emit IKEv2 Encrypted Fragment:
|    next payload type: ISAKMP_NEXT_v2NONE (0x0)
|    flags: none (0x0)
|    fragment number: 5 (0x5)
|    total fragments: 5 (0x5)
| next payload chain: using supplied v2SKF 'IKEv2 Encrypted Fragment'.'next payload type' value 0:ISAKMP_NEXT_v2NONE
| next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encrypted Fragment (53:ISAKMP_NEXT_v2SKF)
| next payload chain: saving location 'IKEv2 Encrypted Fragment'.'next payload type' in 'reply frag packet'
| emitting 8 zero bytes of IV into IKEv2 Encrypted Fragment
| emitting 120 raw bytes of cleartext fragment into IKEv2 Encrypted Fragment
| adding 1 bytes of padding (including 1 byte padding-length)
| emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encrypted Fragment
| emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encrypted Fragment
| emitting length of IKEv2 Encrypted Fragment: 153
| emitting length of ISAKMP Message: 181
| suspend processing: state #1 connection "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 from 192.1.2.23 (in complete_v2_state_transition() at ikev2.c:3379)
| start processing: state #2 connection "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 from 192.1.2.23 (in complete_v2_state_transition() at ikev2.c:3379)
| #2 complete_v2_state_transition() md.from_state=PARENT_I1 md.svm.state[from]=PARENT_I1 UNDEFINED->PARENT_I2 with status STF_OK
| IKEv2: transition from state STATE_PARENT_I1 to state STATE_PARENT_I2
| child state #2: UNDEFINED(ignore) => PARENT_I2(open IKE SA)
| Message ID: updating counters for #2 to 0 after switching state
| Message ID: recv #1.#2 response 0; ike: initiator.sent=0 initiator.recv=-1->0 responder.sent=-1 responder.recv=-1; child: wip.initiator=0->-1 wip.responder=-1
| Message ID: sent #1.#2 request 1; ike: initiator.sent=0->1 initiator.recv=0 responder.sent=-1 responder.recv=-1; child: wip.initiator=-1->1 wip.responder=-1
| STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
| sending V2 reply packet to 192.1.2.23:500 (from 192.1.3.209:500)
| sending fragments ...
| sending 539 bytes for STATE_PARENT_I1 through eth0 from 192.1.3.209:500 to 192.1.2.23:500 (using #1)
| sending 539 bytes for STATE_PARENT_I1 through eth0 from 192.1.3.209:500 to 192.1.2.23:500 (using #1)
| sending 539 bytes for STATE_PARENT_I1 through eth0 from 192.1.3.209:500 to 192.1.2.23:500 (using #1)
| sending 539 bytes for STATE_PARENT_I1 through eth0 from 192.1.3.209:500 to 192.1.2.23:500 (using #1)
| sending 181 bytes for STATE_PARENT_I1 through eth0 from 192.1.3.209:500 to 192.1.2.23:500 (using #1)
| sent 5 fragments
| success_v2_state_transition scheduling EVENT_RETRANSMIT of c->r_interval=15000ms
"private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 #2: IMPAIR: suppressing retransmits; scheduling timeout in 60 seconds
| event_schedule: new EVENT_RETRANSMIT-pe@0x563e9cc29598
| inserting event EVENT_RETRANSMIT, timeout in 60 seconds for #2
| libevent_malloc: new ptr-libevent@0x563e9cc25c08 size 128
| #2 STATE_PARENT_I2: retransmits: first event in 60 seconds; timeout in 60 seconds; limit of 12 retransmits; current time is 29578.346536
| resume sending helper answer for #1 suppresed complete_v2_state_transition()
|   #1 spent 1.25 milliseconds
| #1 spent 9.45 milliseconds in resume sending helper answer
| stop processing: state #2 connection "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 from 192.1.2.23 (in resume_handler() at server.c:833)
| libevent_free: release ptr-libevent@0x7f3ee4000f48
| spent 0.00288 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue()
| *received 65 bytes from 192.1.2.23:500 on eth0 (192.1.3.209:500)
|   45 de 21 c6  8e 76 c2 02  56 b8 4c 3f  69 6a 43 06
|   2e 20 23 20  00 00 00 01  00 00 00 41  29 00 00 25
|   cd c8 c3 32  96 b4 29 d6  08 28 35 68  aa 88 19 7f
|   b5 3a fa a2  fc 1f 20 38  34 6e 51 2a  7c d9 9c ba
|   a4
| start processing: from 192.1.2.23:500 (in process_md() at demux.c:378)
| **parse ISAKMP Message:
|    initiator cookie:
|   45 de 21 c6  8e 76 c2 02
|    responder cookie:
|   56 b8 4c 3f  69 6a 43 06
|    next payload type: ISAKMP_NEXT_v2SK (0x2e)
|    ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
|    exchange type: ISAKMP_v2_IKE_AUTH (0x23)
|    flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20)
|    Message ID: 1 (0x1)
|    length: 65 (0x41)
|  processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35)
| I am the IKE SA Original Initiator receiving an IKEv2 IKE_AUTH response 
| State DB: found IKEv2 state #1 in PARENT_I2 (find_v2_ike_sa)
| start processing: state #1 connection "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 from 192.1.2.23 (in ikev2_process_packet() at ikev2.c:2016)
| State DB: found IKEv2 state #2 in PARENT_I2 (find_v2_sa_by_initiator_wip)
| suspend processing: state #1 connection "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 from 192.1.2.23 (in ike_process_packet() at ikev2.c:2062)
| start processing: state #2 connection "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 from 192.1.2.23 (in ike_process_packet() at ikev2.c:2062)
| #2 is idle
| #2 idle
| unpacking clear payload
| Now let's proceed with payload (ISAKMP_NEXT_v2SK)
| ***parse IKEv2 Encryption Payload:
|    next payload type: ISAKMP_NEXT_v2N (0x29)
|    flags: none (0x0)
|    length: 37 (0x25)
| processing payload: ISAKMP_NEXT_v2SK (len=33)
| #2 in state PARENT_I2: sent v2I2, expected v2R2
| #2 ikev2 ISAKMP_v2_IKE_AUTH decrypt success
| Now let's proceed with payload (ISAKMP_NEXT_v2N)
| **parse IKEv2 Notify Payload:
|    next payload type: ISAKMP_NEXT_v2NONE (0x0)
|    flags: none (0x0)
|    length: 8 (0x8)
|    Protocol ID: PROTO_v2_RESERVED (0x0)
|    SPI size: 0 (0x0)
|    Notify Message Type: v2N_AUTHENTICATION_FAILED (0x18)
| processing payload: ISAKMP_NEXT_v2N (len=0)
| selected state microcode Initiator: process AUTHENTICATION_FAILED AUTH notification
| Now let's proceed with state specific processing
| calling processor Initiator: process AUTHENTICATION_FAILED AUTH notification
"private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 #2: IKE SA authentication request rejected by peer: AUTHENTICATION_FAILED
| pstats #1 ikev2.ike failed auth-failed
"private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 #2: scheduling retry attempt 1 of an unlimited number
| release_pending_whacks: state #2 has no whack fd
| release_pending_whacks: IKE SA #1 fd@-1 has pending CHILD SA with socket fd@-1
| libevent_free: release ptr-libevent@0x563e9cc25c08
| free_event_entry: release EVENT_RETRANSMIT-pe@0x563e9cc29598
| event_schedule: new EVENT_RETRANSMIT-pe@0x563e9cc29598
| inserting event EVENT_RETRANSMIT, timeout in 59.993546 seconds for #2
| libevent_malloc: new ptr-libevent@0x7f3ee4000f48 size 128
"private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 #2: STATE_PARENT_I2: suppressing retransmits; will wait 59.993546 seconds for retry
| #2 spent 0.0321 milliseconds in processing: Initiator: process AUTHENTICATION_FAILED AUTH notification in ikev2_process_state_packet()
| [RE]START processing: state #2 connection "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 from 192.1.2.23 (in complete_v2_state_transition() at ikev2.c:3379)
| #2 complete_v2_state_transition() PARENT_I2->PARENT_I2 with status STF_IGNORE
| stop processing: state #2 connection "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 from 192.1.2.23 (in ikev2_process_packet() at ikev2.c:2018)
| #1 spent 0.168 milliseconds in ikev2_process_packet()
| stop processing: from 192.1.2.23:500 (in process_md() at demux.c:380)
| processing: STOP state #0 (in process_md() at demux.c:382)
| processing: STOP connection NULL (in process_md() at demux.c:383)
| spent 0.179 milliseconds in comm_handle_cb() reading and processing packet
| processing global timer EVENT_SHUNT_SCAN
| expiring aged bare shunts from shunt table
| spent 0.00464 milliseconds in global timer EVENT_SHUNT_SCAN
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
| FOR_EACH_STATE_... in show_traffic_status (sort_states)
| FOR_EACH_STATE_... in sort_states
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.105 milliseconds in whack
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.0361 milliseconds in whack
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
| FOR_EACH_STATE_... in show_traffic_status (sort_states)
| FOR_EACH_STATE_... in sort_states
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.0596 milliseconds in whack
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
| FOR_EACH_CONNECTION_... in show_connections_status
| FOR_EACH_CONNECTION_... in show_connections_status
| FOR_EACH_STATE_... in show_states_status (sort_states)
| FOR_EACH_STATE_... in sort_states
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.914 milliseconds in whack
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
shutting down
| processing: RESET whack log_fd (was fd@16) (in exit_pluto() at plutomain.c:1825)
| certs and keys locked by 'free_preshared_secrets'
forgetting secrets
| certs and keys unlocked by 'free_preshared_secrets'
| unreference key: 0x563e9cc1c0a8 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org cnt 1--
| unreference key: 0x563e9cc1dfe8 user-road@testing.libreswan.org cnt 1--
| unreference key: 0x563e9cc205f8 @road.testing.libreswan.org cnt 1--
| start processing: connection "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 (in delete_connection() at connections.c:189)
| removing pending policy for no connection {0x563e9cafd898}
| Deleting states for connection - including all other IPsec SA's of this IKE SA
| pass 0
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| state #2
| suspend processing: connection "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 (in foreach_state_by_connection_func_delete() at state.c:1310)
| start processing: state #2 connection "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 from 192.1.2.23 (in foreach_state_by_connection_func_delete() at state.c:1310)
| pstats #2 ikev2.child deleted other
| #2 spent 0.0321 milliseconds in total
| [RE]START processing: state #2 connection "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 from 192.1.2.23 (in delete_state() at state.c:879)
"private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 #2: deleting state (STATE_PARENT_I2) aged 29.418s and NOT sending notification
| child state #2: PARENT_I2(open IKE SA) => delete
| child state #2: PARENT_I2(open IKE SA) => CHILDSA_DEL(informational)
| state #2 requesting EVENT_RETRANSMIT to be deleted
| #2 STATE_CHILDSA_DEL: retransmits: cleared
| libevent_free: release ptr-libevent@0x7f3ee4000f48
| free_event_entry: release EVENT_RETRANSMIT-pe@0x563e9cc29598
| priority calculation of connection "private-or-clear#192.1.2.0/24" is 0x17dfdf
| delete inbound eroute 192.1.2.23/32:0 --0-> 192.1.3.209/32:0 => unk255.10000@192.1.3.209 (raw_eroute)
| raw_eroute result=success
| stop processing: connection "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 (BACKGROUND) (in update_state_connection() at connections.c:4076)
| start processing: connection NULL (in update_state_connection() at connections.c:4077)
| in connection_discard for connection private-or-clear#192.1.2.0/24
| State DB: deleting IKEv2 state #2 in CHILDSA_DEL
| child state #2: CHILDSA_DEL(informational) => UNDEFINED(ignore)
| stop processing: state #2 from 192.1.2.23 (in delete_state() at state.c:1143)
| processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312)
| state #1
| start processing: state #1 connection "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 from 192.1.2.23 (in foreach_state_by_connection_func_delete() at state.c:1310)
| pstats #1 ikev2.ike deleted auth-failed
| #1 spent 13.5 milliseconds in total
| [RE]START processing: state #1 connection "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 from 192.1.2.23 (in delete_state() at state.c:879)
"private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 #1: deleting state (STATE_PARENT_I2) aged 29.425s and NOT sending notification
| parent state #1: PARENT_I2(open IKE SA) => delete
| state #1 requesting EVENT_SA_REPLACE to be deleted
| libevent_free: release ptr-libevent@0x7f3eec002888
| free_event_entry: release EVENT_SA_REPLACE-pe@0x563e9cc25a88
| State DB: IKEv2 state not found (flush_incomplete_children)
| in connection_discard for connection private-or-clear#192.1.2.0/24
| State DB: deleting IKEv2 state #1 in PARENT_I2
| parent state #1: PARENT_I2(open IKE SA) => UNDEFINED(ignore)
| stop processing: state #1 from 192.1.2.23 (in delete_state() at state.c:1143)
| processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312)
| pass 1
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| shunt_eroute() called for connection 'private-or-clear#192.1.2.0/24' to 'delete' for rt_kind 'unrouted' using protoports 0--0->-0
| netlink_shunt_eroute for proto 0, and source port 0 dest port 0
| priority calculation of connection "private-or-clear#192.1.2.0/24" is 0x17dfdf
| netlink_raw_eroute: SPI_PASS
| priority calculation of connection "private-or-clear#192.1.2.0/24" is 0x17dfdf
| netlink_raw_eroute: SPI_PASS
| free hp@0x563e9cc23238
| flush revival: connection 'private-or-clear#192.1.2.0/24' wasn't on the list
| processing: STOP connection NULL (in discard_connection() at connections.c:249)
| start processing: connection "private-or-clear-all" (in delete_connection() at connections.c:189)
| Deleting states for connection - including all other IPsec SA's of this IKE SA
| pass 0
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| pass 1
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| flush revival: connection 'private-or-clear-all' wasn't on the list
| stop processing: connection "private-or-clear-all" (in discard_connection() at connections.c:249)
| start processing: connection "block" (in delete_connection() at connections.c:189)
| Deleting states for connection - including all other IPsec SA's of this IKE SA
| pass 0
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| pass 1
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| flush revival: connection 'block' wasn't on the list
| stop processing: connection "block" (in discard_connection() at connections.c:249)
| start processing: connection "private" (in delete_connection() at connections.c:189)
| Deleting states for connection - including all other IPsec SA's of this IKE SA
| pass 0
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| pass 1
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| flush revival: connection 'private' wasn't on the list
| stop processing: connection "private" (in discard_connection() at connections.c:249)
| start processing: connection "private-or-clear#192.1.2.0/24" (in delete_connection() at connections.c:189)
| Deleting states for connection - including all other IPsec SA's of this IKE SA
| pass 0
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| pass 1
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| shunt_eroute() called for connection 'private-or-clear#192.1.2.0/24' to 'delete' for rt_kind 'unrouted' using protoports 0--0->-0
| netlink_shunt_eroute for proto 0, and source port 0 dest port 0
| priority calculation of connection "private-or-clear#192.1.2.0/24" is 0x17dfe7
| netlink_raw_eroute: SPI_PASS
| priority calculation of connection "private-or-clear#192.1.2.0/24" is 0x17dfe7
| netlink_raw_eroute: SPI_PASS
| FOR_EACH_CONNECTION_... in route_owner
|  conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000 vs
|  conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000
|  conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000 vs
|  conn private-or-clear mark 0/00000000, 0/00000000
|  conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000
|  conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000
|  conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000
|  conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000
|  conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000 vs
|  conn clear mark 0/00000000, 0/00000000
|  conn private-or-clear#192.1.2.0/24 mark 0/00000000, 0/00000000 vs
|  conn clear-or-private mark 0/00000000, 0/00000000
| route owner of "private-or-clear#192.1.2.0/24" unrouted: NULL
| running updown command "ipsec _updown" for verb unroute 
| command executing unroute-host
| executing unroute-host: PLUTO_VERB='unroute-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='private-or-clear#192.1.2.0/24' PLUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='192.1.3.254' PLUTO_ME='192.1.3.209' PLUTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org' PLUTO_MY_CLIENT='192.1.3.209/32' PLUTO_MY_CLIENT_NET='192.1.3.209' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16432' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='ID_NULL' PLUTO_PEER_CLIENT='192.1.2.0/24' PLUTO_PEER_CLIENT_NET='192.1.2.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+NEGO_PASS+OPPORTUNISTIC+GROUPINSTANCE+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failurePASS' PLUTO_CONN_KIND='CK_TEMPLATE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' P
| popen cmd is 1215 chars long
| cmd(   0):PLUTO_VERB='unroute-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='private-or-clear:
| cmd(  80):#192.1.2.0/24' PLUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='192.1.3.254' PLUTO_ME='192:
| cmd( 160):.1.3.209' PLUTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Departm:
| cmd( 240):ent, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org' PLUTO_MY_:
| cmd( 320):CLIENT='192.1.3.209/32' PLUTO_MY_CLIENT_NET='192.1.3.209' PLUTO_MY_CLIENT_MASK=':
| cmd( 400):255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16432' :
| cmd( 480):PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='ID_NULL' PLUTO_PEER_CLI:
| cmd( 560):ENT='192.1.2.0/24' PLUTO_PEER_CLIENT_NET='192.1.2.0' PLUTO_PEER_CLIENT_MASK='255:
| cmd( 640):.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_S:
| cmd( 720):TACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+NEG:
| cmd( 800):O_PASS+OPPORTUNISTIC+GROUPINSTANCE+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO:
| cmd( 880):+failurePASS' PLUTO_CONN_KIND='CK_TEMPLATE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_F:
| cmd( 960):AILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='':
| cmd(1040): PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGU:
| cmd(1120):RED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ips:
| cmd(1200):ec _updown 2>&1:
"private-or-clear#192.1.2.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.2.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.2.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.2.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.2.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.2.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.2.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.2.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.2.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.2.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.2.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.2.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.2.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.2.0/24": unroute-host output: Error: Peer netns reference is invalid.
"private-or-clear#192.1.2.0/24": unroute-host output: Error: Peer netns reference is invalid.
| flush revival: connection 'private-or-clear#192.1.2.0/24' wasn't on the list
| stop processing: connection "private-or-clear#192.1.2.0/24" (in discard_connection() at connections.c:249)
| start processing: connection "private-or-clear" (in delete_connection() at connections.c:189)
| Deleting states for connection - including all other IPsec SA's of this IKE SA
| pass 0
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| pass 1
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in foreach_connection_by_alias
| flush revival: connection 'private-or-clear' wasn't on the list
| stop processing: connection "private-or-clear" (in discard_connection() at connections.c:249)
| start processing: connection "clear#192.1.2.253/32" 0.0.0.0 (in delete_connection() at connections.c:189)
"clear#192.1.2.253/32" 0.0.0.0: deleting connection "clear#192.1.2.253/32" 0.0.0.0 instance with peer 0.0.0.0 {isakmp=#0/ipsec=#0}
| Deleting states for connection - including all other IPsec SA's of this IKE SA
| pass 0
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| pass 1
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| shunt_eroute() called for connection 'clear#192.1.2.253/32' to 'delete' for rt_kind 'unrouted' using protoports 0--0->-0
| netlink_shunt_eroute for proto 0, and source port 0 dest port 0
| priority calculation of connection "clear#192.1.2.253/32" is 0x17dfdf
| priority calculation of connection "clear#192.1.2.253/32" is 0x17dfdf
| FOR_EACH_CONNECTION_... in route_owner
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear mark 0/00000000, 0/00000000
|  conn clear#192.1.2.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear-or-private mark 0/00000000, 0/00000000
| route owner of "clear#192.1.2.253/32" unrouted: NULL
| running updown command "ipsec _updown" for verb unroute 
| command executing unroute-host
| executing unroute-host: PLUTO_VERB='unroute-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.2.253/32' PLUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='192.1.3.254' PLUTO_ME='192.1.3.209' PLUTO_MY_ID='192.1.3.209' PLUTO_MY_CLIENT='192.1.3.209/32' PLUTO_MY_CLIENT_NET='192.1.3.209' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16428' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.2.253/32' PLUTO_PEER_CLIENT_NET='192.1.2.253' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 S
| popen cmd is 1022 chars long
| cmd(   0):PLUTO_VERB='unroute-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.2.25:
| cmd(  80):3/32' PLUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='192.1.3.254' PLUTO_ME='192.1.3.209':
| cmd( 160): PLUTO_MY_ID='192.1.3.209' PLUTO_MY_CLIENT='192.1.3.209/32' PLUTO_MY_CLIENT_NET=:
| cmd( 240):'192.1.3.209' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_:
| cmd( 320):PROTOCOL='0' PLUTO_SA_REQID='16428' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PL:
| cmd( 400):UTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.2.253/32' PLUTO_PEER_CLIENT_NET='1:
| cmd( 480):92.1.2.253' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_P:
| cmd( 560):EER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_C:
| cmd( 640):ONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_G:
| cmd( 720):OING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' P:
| cmd( 800):LUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_S:
| cmd( 880):ERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING=:
| cmd( 960):'no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec _updown 2>&1:
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
| flush revival: connection 'clear#192.1.2.253/32' wasn't on the list
| stop processing: connection "clear#192.1.2.253/32" 0.0.0.0 (in discard_connection() at connections.c:249)
| start processing: connection "clear#192.1.3.253/32" 0.0.0.0 (in delete_connection() at connections.c:189)
"clear#192.1.3.253/32" 0.0.0.0: deleting connection "clear#192.1.3.253/32" 0.0.0.0 instance with peer 0.0.0.0 {isakmp=#0/ipsec=#0}
| Deleting states for connection - including all other IPsec SA's of this IKE SA
| pass 0
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| pass 1
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| shunt_eroute() called for connection 'clear#192.1.3.253/32' to 'delete' for rt_kind 'unrouted' using protoports 0--0->-0
| netlink_shunt_eroute for proto 0, and source port 0 dest port 0
| priority calculation of connection "clear#192.1.3.253/32" is 0x17dfdf
| priority calculation of connection "clear#192.1.3.253/32" is 0x17dfdf
| FOR_EACH_CONNECTION_... in route_owner
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear mark 0/00000000, 0/00000000
|  conn clear#192.1.3.253/32 mark 0/00000000, 0/00000000 vs
|  conn clear-or-private mark 0/00000000, 0/00000000
| route owner of "clear#192.1.3.253/32" unrouted: NULL
| running updown command "ipsec _updown" for verb unroute 
| command executing unroute-host
| executing unroute-host: PLUTO_VERB='unroute-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.3.253/32' PLUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='192.1.3.254' PLUTO_ME='192.1.3.209' PLUTO_MY_ID='192.1.3.209' PLUTO_MY_CLIENT='192.1.3.209/32' PLUTO_MY_CLIENT_NET='192.1.3.209' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16424' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.253/32' PLUTO_PEER_CLIENT_NET='192.1.3.253' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 S
| popen cmd is 1022 chars long
| cmd(   0):PLUTO_VERB='unroute-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.3.25:
| cmd(  80):3/32' PLUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='192.1.3.254' PLUTO_ME='192.1.3.209':
| cmd( 160): PLUTO_MY_ID='192.1.3.209' PLUTO_MY_CLIENT='192.1.3.209/32' PLUTO_MY_CLIENT_NET=:
| cmd( 240):'192.1.3.209' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_:
| cmd( 320):PROTOCOL='0' PLUTO_SA_REQID='16424' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PL:
| cmd( 400):UTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.253/32' PLUTO_PEER_CLIENT_NET='1:
| cmd( 480):92.1.3.253' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_P:
| cmd( 560):EER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_C:
| cmd( 640):ONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_G:
| cmd( 720):OING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' P:
| cmd( 800):LUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_S:
| cmd( 880):ERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING=:
| cmd( 960):'no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec _updown 2>&1:
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.253/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
| flush revival: connection 'clear#192.1.3.253/32' wasn't on the list
| stop processing: connection "clear#192.1.3.253/32" 0.0.0.0 (in discard_connection() at connections.c:249)
| start processing: connection "clear#192.1.3.254/32" 0.0.0.0 (in delete_connection() at connections.c:189)
"clear#192.1.3.254/32" 0.0.0.0: deleting connection "clear#192.1.3.254/32" 0.0.0.0 instance with peer 0.0.0.0 {isakmp=#0/ipsec=#0}
| Deleting states for connection - including all other IPsec SA's of this IKE SA
| pass 0
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| pass 1
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| shunt_eroute() called for connection 'clear#192.1.3.254/32' to 'delete' for rt_kind 'unrouted' using protoports 0--0->-0
| netlink_shunt_eroute for proto 0, and source port 0 dest port 0
| priority calculation of connection "clear#192.1.3.254/32" is 0x17dfdf
| priority calculation of connection "clear#192.1.3.254/32" is 0x17dfdf
| FOR_EACH_CONNECTION_... in route_owner
|  conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
|  conn clear mark 0/00000000, 0/00000000
|  conn clear#192.1.3.254/32 mark 0/00000000, 0/00000000 vs
|  conn clear-or-private mark 0/00000000, 0/00000000
| route owner of "clear#192.1.3.254/32" unrouted: NULL
| running updown command "ipsec _updown" for verb unroute 
| command executing unroute-host
| executing unroute-host: PLUTO_VERB='unroute-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.3.254/32' PLUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='192.1.3.254' PLUTO_ME='192.1.3.209' PLUTO_MY_ID='192.1.3.209' PLUTO_MY_CLIENT='192.1.3.209/32' PLUTO_MY_CLIENT_NET='192.1.3.209' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16420' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.254/32' PLUTO_PEER_CLIENT_NET='192.1.3.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 S
| popen cmd is 1022 chars long
| cmd(   0):PLUTO_VERB='unroute-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.3.25:
| cmd(  80):4/32' PLUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='192.1.3.254' PLUTO_ME='192.1.3.209':
| cmd( 160): PLUTO_MY_ID='192.1.3.209' PLUTO_MY_CLIENT='192.1.3.209/32' PLUTO_MY_CLIENT_NET=:
| cmd( 240):'192.1.3.209' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_:
| cmd( 320):PROTOCOL='0' PLUTO_SA_REQID='16420' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PL:
| cmd( 400):UTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.3.254/32' PLUTO_PEER_CLIENT_NET='1:
| cmd( 480):92.1.3.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_P:
| cmd( 560):EER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_C:
| cmd( 640):ONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_G:
| cmd( 720):OING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' P:
| cmd( 800):LUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_S:
| cmd( 880):ERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING=:
| cmd( 960):'no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec _updown 2>&1:
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.3.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
| flush revival: connection 'clear#192.1.3.254/32' wasn't on the list
| stop processing: connection "clear#192.1.3.254/32" 0.0.0.0 (in discard_connection() at connections.c:249)
| start processing: connection "clear#192.1.2.254/32" 0.0.0.0 (in delete_connection() at connections.c:189)
"clear#192.1.2.254/32" 0.0.0.0: deleting connection "clear#192.1.2.254/32" 0.0.0.0 instance with peer 0.0.0.0 {isakmp=#0/ipsec=#0}
| Deleting states for connection - including all other IPsec SA's of this IKE SA
| pass 0
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| pass 1
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| shunt_eroute() called for connection 'clear#192.1.2.254/32' to 'delete' for rt_kind 'unrouted' using protoports 0--0->-0
| netlink_shunt_eroute for proto 0, and source port 0 dest port 0
| priority calculation of connection "clear#192.1.2.254/32" is 0x17dfdf
| priority calculation of connection "clear#192.1.2.254/32" is 0x17dfdf
| FOR_EACH_CONNECTION_... in route_owner
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
|  conn clear mark 0/00000000, 0/00000000
|  conn clear#192.1.2.254/32 mark 0/00000000, 0/00000000 vs
|  conn clear-or-private mark 0/00000000, 0/00000000
| route owner of "clear#192.1.2.254/32" unrouted: NULL
| running updown command "ipsec _updown" for verb unroute 
| command executing unroute-host
| executing unroute-host: PLUTO_VERB='unroute-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.2.254/32' PLUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='192.1.3.254' PLUTO_ME='192.1.3.209' PLUTO_MY_ID='192.1.3.209' PLUTO_MY_CLIENT='192.1.3.209/32' PLUTO_MY_CLIENT_NET='192.1.3.209' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16416' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PLUTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.2.254/32' PLUTO_PEER_CLIENT_NET='192.1.2.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 S
| popen cmd is 1022 chars long
| cmd(   0):PLUTO_VERB='unroute-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='clear#192.1.2.25:
| cmd(  80):4/32' PLUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='192.1.3.254' PLUTO_ME='192.1.3.209':
| cmd( 160): PLUTO_MY_ID='192.1.3.209' PLUTO_MY_CLIENT='192.1.3.209/32' PLUTO_MY_CLIENT_NET=:
| cmd( 240):'192.1.3.209' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_:
| cmd( 320):PROTOCOL='0' PLUTO_SA_REQID='16416' PLUTO_SA_TYPE='none' PLUTO_PEER='0.0.0.0' PL:
| cmd( 400):UTO_PEER_ID='(none)' PLUTO_PEER_CLIENT='192.1.2.254/32' PLUTO_PEER_CLIENT_NET='1:
| cmd( 480):92.1.2.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_P:
| cmd( 560):EER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_C:
| cmd( 640):ONN_POLICY='AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE' PLUTO_CONN_KIND='CK_G:
| cmd( 720):OING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' P:
| cmd( 800):LUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_S:
| cmd( 880):ERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING=:
| cmd( 960):'no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec _updown 2>&1:
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
"clear#192.1.2.254/32" 0.0.0.0: unroute-host output: Error: Peer netns reference is invalid.
| flush revival: connection 'clear#192.1.2.254/32' wasn't on the list
| stop processing: connection "clear#192.1.2.254/32" 0.0.0.0 (in discard_connection() at connections.c:249)
| start processing: connection "clear" (in delete_connection() at connections.c:189)
| Deleting states for connection - including all other IPsec SA's of this IKE SA
| pass 0
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| pass 1
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in foreach_connection_by_alias
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in foreach_connection_by_alias
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in foreach_connection_by_alias
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in foreach_connection_by_alias
| flush revival: connection 'clear' wasn't on the list
| stop processing: connection "clear" (in discard_connection() at connections.c:249)
| start processing: connection "clear-or-private" (in delete_connection() at connections.c:189)
| Deleting states for connection - including all other IPsec SA's of this IKE SA
| pass 0
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| pass 1
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| free hp@0x563e9cc12ac8
| flush revival: connection 'clear-or-private' wasn't on the list
| stop processing: connection "clear-or-private" (in discard_connection() at connections.c:249)
| crl fetch request list locked by 'free_crl_fetch'
| crl fetch request list unlocked by 'free_crl_fetch'
shutting down interface lo/lo 127.0.0.1:4500
shutting down interface lo/lo 127.0.0.1:500
shutting down interface eth0/eth0 192.1.3.209:4500
shutting down interface eth0/eth0 192.1.3.209:500
| FOR_EACH_STATE_... in delete_states_dead_interfaces
| libevent_free: release ptr-libevent@0x563e9cc152a8
| free_event_entry: release EVENT_NULL-pe@0x563e9cc118d8
| libevent_free: release ptr-libevent@0x563e9cbac568
| free_event_entry: release EVENT_NULL-pe@0x563e9cc11988
| libevent_free: release ptr-libevent@0x563e9cbac618
| free_event_entry: release EVENT_NULL-pe@0x563e9cc11a38
| libevent_free: release ptr-libevent@0x563e9cbab548
| free_event_entry: release EVENT_NULL-pe@0x563e9cc11ae8
| FOR_EACH_UNORIENTED_CONNECTION_... in check_orientations
| libevent_free: release ptr-libevent@0x563e9cc05d48
| free_event_entry: release EVENT_NULL-pe@0x563e9cbf9ee8
| libevent_free: release ptr-libevent@0x563e9cbf29e8
| free_event_entry: release EVENT_NULL-pe@0x563e9cbf9a48
| libevent_free: release ptr-libevent@0x563e9cbf2938
| free_event_entry: release EVENT_NULL-pe@0x563e9cbb3a18
| global timer EVENT_REINIT_SECRET uninitialized
| global timer EVENT_SHUNT_SCAN uninitialized
| global timer EVENT_PENDING_DDNS uninitialized
| global timer EVENT_PENDING_PHASE2 uninitialized
| global timer EVENT_CHECK_CRLS uninitialized
| global timer EVENT_REVIVE_CONNS uninitialized
| global timer EVENT_FREE_ROOT_CERTS uninitialized
| global timer EVENT_RESET_LOG_RATE_LIMIT uninitialized
| global timer EVENT_NAT_T_KEEPALIVE uninitialized
| libevent_free: release ptr-libevent@0x563e9cbb7fe8
| signal event handler PLUTO_SIGCHLD uninstalled
| libevent_free: release ptr-libevent@0x563e9cb256b8
| signal event handler PLUTO_SIGTERM uninstalled
| libevent_free: release ptr-libevent@0x563e9cb3aa88
| signal event handler PLUTO_SIGHUP uninstalled
| libevent_free: release ptr-libevent@0x563e9cc114d8
| signal event handler PLUTO_SIGSYS uninstalled
| releasing event base
| libevent_free: release ptr-libevent@0x563e9cc113a8
| libevent_free: release ptr-libevent@0x563e9cbf4308
| libevent_free: release ptr-libevent@0x563e9cbf42b8
| libevent_free: release ptr-libevent@0x563e9cbab828
| libevent_free: release ptr-libevent@0x563e9cbf4278
| libevent_free: release ptr-libevent@0x563e9cc11038
| libevent_free: release ptr-libevent@0x563e9cc112a8
| libevent_free: release ptr-libevent@0x563e9cbf44b8
| libevent_free: release ptr-libevent@0x563e9cbf9ab8
| libevent_free: release ptr-libevent@0x563e9cbf9718
| libevent_free: release ptr-libevent@0x563e9cc11b58
| libevent_free: release ptr-libevent@0x563e9cc11aa8
| libevent_free: release ptr-libevent@0x563e9cc119f8
| libevent_free: release ptr-libevent@0x563e9cc11948
| libevent_free: release ptr-libevent@0x563e9cb41818
| libevent_free: release ptr-libevent@0x563e9cc11328
| libevent_free: release ptr-libevent@0x563e9cc112e8
| libevent_free: release ptr-libevent@0x563e9cc111a8
| libevent_free: release ptr-libevent@0x563e9cc11368
| libevent_free: release ptr-libevent@0x563e9cc11078
| libevent_free: release ptr-libevent@0x563e9cbb9b78
| libevent_free: release ptr-libevent@0x563e9cbb9af8
| libevent_free: release ptr-libevent@0x563e9cb352f8
| releasing global libevent data
| libevent_free: release ptr-libevent@0x563e9cbb9cf8
| libevent_free: release ptr-libevent@0x563e9cbb9c78
| libevent_free: release ptr-libevent@0x563e9cbb9bf8
leak: group instance name, item size: 30
leak: cloned from groupname, item size: 17
leak: group instance name, item size: 21
leak: cloned from groupname, item size: 6
leak: group instance name, item size: 21
leak: cloned from groupname, item size: 6
leak: group instance name, item size: 21
leak: cloned from groupname, item size: 6
leak: group instance name, item size: 21
leak: cloned from groupname, item size: 6
leak: policy group path, item size: 54
leak detective found 11 leaks, total size 209