FIPS Product: YES FIPS Kernel: NO FIPS Mode: NO NSS DB directory: sql:/etc/ipsec.d Initializing NSS Opening NSS database "sql:/etc/ipsec.d" read-only NSS initialized NSS crypto library initialized FIPS HMAC integrity support [enabled] FIPS mode disabled for pluto daemon FIPS HMAC integrity verification self-test FAILED libcap-ng support [enabled] Linux audit support [enabled] Linux audit activated Starting Pluto (Libreswan Version v3.28-685-gbfd5aef521-master-s2 XFRM(netkey) esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) DNSSEC FIPS_CHECK LABELED_IPSEC SECCOMP LIBCAP_NG LINUX_AUDIT XAUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:2365 core dump dir: /run/pluto secrets file: /etc/ipsec.secrets leak-detective enabled NSS crypto [enabled] XAUTH PAM support [enabled] | libevent is using pluto's memory allocator Initializing libevent in pthreads mode: headers: 2.1.8-stable (2010800); library: 2.1.8-stable (2010800) | libevent_malloc: new ptr-libevent@0x55c3e15956b8 size 40 | libevent_malloc: new ptr-libevent@0x55c3e1595638 size 40 | libevent_malloc: new ptr-libevent@0x55c3e15955b8 size 40 | creating event base | libevent_malloc: new ptr-libevent@0x55c3e1595938 size 56 | libevent_malloc: new ptr-libevent@0x55c3e15083a8 size 664 | libevent_malloc: new ptr-libevent@0x55c3e15cfcd8 size 24 | libevent_malloc: new ptr-libevent@0x55c3e15cfd28 size 384 | libevent_malloc: new ptr-libevent@0x55c3e15cfc98 size 16 | libevent_malloc: new ptr-libevent@0x55c3e1595538 size 40 | libevent_malloc: new ptr-libevent@0x55c3e15954b8 size 48 | libevent_realloc: new ptr-libevent@0x55c3e1508038 size 256 | libevent_malloc: new ptr-libevent@0x55c3e15cfed8 size 16 | libevent_free: release ptr-libevent@0x55c3e1595938 | libevent initialized | libevent_realloc: new ptr-libevent@0x55c3e1595938 size 64 | global periodic timer EVENT_RESET_LOG_RATE_LIMIT enabled with interval of 3600 seconds | init_nat_traversal() initialized with keep_alive=0s NAT-Traversal support [enabled] | global one-shot 
timer EVENT_NAT_T_KEEPALIVE initialized | global one-shot timer EVENT_FREE_ROOT_CERTS initialized | global periodic timer EVENT_REINIT_SECRET enabled with interval of 3600 seconds | global one-shot timer EVENT_REVIVE_CONNS initialized | global periodic timer EVENT_PENDING_DDNS enabled with interval of 60 seconds | global periodic timer EVENT_PENDING_PHASE2 enabled with interval of 120 seconds Encryption algorithms: AES_CCM_16 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm, aes_ccm_c AES_CCM_12 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_b AES_CCM_8 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_a 3DES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS [*192] 3des CAMELLIA_CTR IKEv1: ESP IKEv2: ESP {256,192,*128} CAMELLIA_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} camellia AES_GCM_16 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm, aes_gcm_c AES_GCM_12 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_b AES_GCM_8 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_a AES_CTR IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aesctr AES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aes SERPENT_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} serpent TWOFISH_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} twofish TWOFISH_SSH IKEv1: IKE IKEv2: IKE ESP {256,192,*128} twofish_cbc_ssh NULL_AUTH_AES_GMAC IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_gmac NULL IKEv1: ESP IKEv2: ESP [] CHACHA20_POLY1305 IKEv1: IKEv2: IKE ESP [*256] chacha20poly1305 Hash algorithms: MD5 IKEv1: IKE IKEv2: SHA1 IKEv1: IKE IKEv2: FIPS sha SHA2_256 IKEv1: IKE IKEv2: FIPS sha2, sha256 SHA2_384 IKEv1: IKE IKEv2: FIPS sha384 SHA2_512 IKEv1: IKE IKEv2: FIPS sha512 PRF algorithms: HMAC_MD5 IKEv1: IKE IKEv2: IKE md5 HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS sha, sha1 HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS sha2, sha256, sha2_256 HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS sha384, sha2_384 HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS sha512, sha2_512 AES_XCBC IKEv1: IKEv2: IKE aes128_xcbc 
Integrity algorithms: HMAC_MD5_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH md5, hmac_md5 HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha, sha1, sha1_96, hmac_sha1 HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha512, sha2_512, sha2_512_256, hmac_sha2_512 HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha384, sha2_384, sha2_384_192, hmac_sha2_384 HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256 HMAC_SHA2_256_TRUNCBUG IKEv1: ESP AH IKEv2: AH AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP AH aes_xcbc, aes128_xcbc, aes128_xcbc_96 AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS aes_cmac NONE IKEv1: ESP IKEv2: IKE ESP FIPS null DH algorithms: NONE IKEv1: IKEv2: IKE ESP AH FIPS null, dh0 MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH dh5 MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh14 MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh15 MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh16 MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh17 MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh18 DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_256, ecp256 DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_384, ecp384 DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_521, ecp521 DH31 IKEv1: IKE IKEv2: IKE ESP AH curve25519 testing CAMELLIA_CBC: Camellia: 16 bytes with 128-bit key Camellia: 16 bytes with 128-bit key Camellia: 16 bytes with 256-bit key Camellia: 16 bytes with 256-bit key testing AES_GCM_16: empty string one block two blocks two blocks with associated data testing AES_CTR: Encrypting 16 octets using AES-CTR with 128-bit key Encrypting 32 octets using AES-CTR with 128-bit key Encrypting 36 octets using AES-CTR with 128-bit key Encrypting 16 octets using AES-CTR with 192-bit key Encrypting 32 octets using AES-CTR with 192-bit key Encrypting 36 octets using AES-CTR with 192-bit key Encrypting 16 octets using AES-CTR with 256-bit key Encrypting 32 octets using AES-CTR with 256-bit key 
Encrypting 36 octets using AES-CTR with 256-bit key testing AES_CBC: Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key testing AES_XCBC: RFC 3566 Test Case #1: AES-XCBC-MAC-96 with 0-byte input RFC 3566 Test Case #2: AES-XCBC-MAC-96 with 3-byte input RFC 3566 Test Case #3: AES-XCBC-MAC-96 with 16-byte input RFC 3566 Test Case #4: AES-XCBC-MAC-96 with 20-byte input RFC 3566 Test Case #5: AES-XCBC-MAC-96 with 32-byte input RFC 3566 Test Case #6: AES-XCBC-MAC-96 with 34-byte input RFC 3566 Test Case #7: AES-XCBC-MAC-96 with 1000-byte input RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 16) RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10) RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18) testing HMAC_MD5: RFC 2104: MD5_HMAC test 1 RFC 2104: MD5_HMAC test 2 RFC 2104: MD5_HMAC test 3 8 CPU cores online starting up 7 crypto helpers started thread for crypto helper 0 | starting up helper thread 0 started thread for crypto helper 1 | status value returned by setting the priority of this thread (crypto helper 0) 22 | crypto helper 0 waiting (nothing to do) | starting up helper thread 1 | status value returned by setting the priority of this thread (crypto helper 1) 22 | crypto helper 1 waiting (nothing to do) started thread for crypto helper 2 | starting up helper thread 2 | status value returned by setting the priority of this thread (crypto helper 2) 22 | crypto helper 2 waiting (nothing to do) started thread for crypto helper 3 | starting up helper thread 3 | status value returned by setting the priority of this thread (crypto helper 3) 22 | crypto helper 3 waiting (nothing to do) started thread for crypto helper 4 | starting up helper thread 4 | status value returned by setting the priority of this thread (crypto 
helper 4) 22 | crypto helper 4 waiting (nothing to do) started thread for crypto helper 5 | starting up helper thread 5 | status value returned by setting the priority of this thread (crypto helper 5) 22 | crypto helper 5 waiting (nothing to do) started thread for crypto helper 6 | checking IKEv1 state table | starting up helper thread 6 | status value returned by setting the priority of this thread (crypto helper 6) 22 | MAIN_R0: category: half-open IKE SA flags: 0: | -> MAIN_R1 EVENT_SO_DISCARD | MAIN_I1: category: half-open IKE SA flags: 0: | -> MAIN_I2 EVENT_RETRANSMIT | MAIN_R1: category: open IKE SA flags: 200: | -> MAIN_R2 EVENT_RETRANSMIT | -> UNDEFINED EVENT_RETRANSMIT | crypto helper 6 waiting (nothing to do) | -> UNDEFINED EVENT_RETRANSMIT | MAIN_I2: category: open IKE SA flags: 0: | -> MAIN_I3 EVENT_RETRANSMIT | -> UNDEFINED EVENT_RETRANSMIT | -> UNDEFINED EVENT_RETRANSMIT | MAIN_R2: category: open IKE SA flags: 0: | -> MAIN_R3 EVENT_SA_REPLACE | -> MAIN_R3 EVENT_SA_REPLACE | -> UNDEFINED EVENT_SA_REPLACE | MAIN_I3: category: open IKE SA flags: 0: | -> MAIN_I4 EVENT_SA_REPLACE | -> MAIN_I4 EVENT_SA_REPLACE | -> UNDEFINED EVENT_SA_REPLACE | MAIN_R3: category: established IKE SA flags: 200: | -> UNDEFINED EVENT_NULL | MAIN_I4: category: established IKE SA flags: 0: | -> UNDEFINED EVENT_NULL | AGGR_R0: category: half-open IKE SA flags: 0: | -> AGGR_R1 EVENT_SO_DISCARD | AGGR_I1: category: half-open IKE SA flags: 0: | -> AGGR_I2 EVENT_SA_REPLACE | -> AGGR_I2 EVENT_SA_REPLACE | AGGR_R1: category: open IKE SA flags: 200: | -> AGGR_R2 EVENT_SA_REPLACE | -> AGGR_R2 EVENT_SA_REPLACE | AGGR_I2: category: established IKE SA flags: 200: | -> UNDEFINED EVENT_NULL | AGGR_R2: category: established IKE SA flags: 0: | -> UNDEFINED EVENT_NULL | QUICK_R0: category: established CHILD SA flags: 0: | -> QUICK_R1 EVENT_RETRANSMIT | QUICK_I1: category: established CHILD SA flags: 0: | -> QUICK_I2 EVENT_SA_REPLACE | QUICK_R1: category: established CHILD SA flags: 0: | -> 
QUICK_R2 EVENT_SA_REPLACE | QUICK_I2: category: established CHILD SA flags: 200: | -> UNDEFINED EVENT_NULL | QUICK_R2: category: established CHILD SA flags: 0: | -> UNDEFINED EVENT_NULL | INFO: category: informational flags: 0: | -> UNDEFINED EVENT_NULL | INFO_PROTECTED: category: informational flags: 0: | -> UNDEFINED EVENT_NULL | XAUTH_R0: category: established IKE SA flags: 0: | -> XAUTH_R1 EVENT_NULL | XAUTH_R1: category: established IKE SA flags: 0: | -> MAIN_R3 EVENT_SA_REPLACE | MODE_CFG_R0: category: informational flags: 0: | -> MODE_CFG_R1 EVENT_SA_REPLACE | MODE_CFG_R1: category: established IKE SA flags: 0: | -> MODE_CFG_R2 EVENT_SA_REPLACE | MODE_CFG_R2: category: established IKE SA flags: 0: | -> UNDEFINED EVENT_NULL | MODE_CFG_I1: category: established IKE SA flags: 0: | -> MAIN_I4 EVENT_SA_REPLACE | XAUTH_I0: category: established IKE SA flags: 0: | -> XAUTH_I1 EVENT_RETRANSMIT | XAUTH_I1: category: established IKE SA flags: 0: | -> MAIN_I4 EVENT_RETRANSMIT | checking IKEv2 state table | PARENT_I0: category: ignore flags: 0: | -> PARENT_I1 EVENT_RETRANSMIT send-request (initiate IKE_SA_INIT) | PARENT_I1: category: half-open IKE SA flags: 0: | -> PARENT_I1 EVENT_RETAIN send-request (Initiator: process SA_INIT reply notification) | -> PARENT_I2 EVENT_RETRANSMIT send-request (Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH) | PARENT_I2: category: open IKE SA flags: 0: | -> PARENT_I2 EVENT_NULL (Initiator: process INVALID_SYNTAX AUTH notification) | -> PARENT_I2 EVENT_NULL (Initiator: process AUTHENTICATION_FAILED AUTH notification) | -> PARENT_I2 EVENT_NULL (Initiator: process UNSUPPORTED_CRITICAL_PAYLOAD AUTH notification) | -> V2_IPSEC_I EVENT_SA_REPLACE (Initiator: process IKE_AUTH response) | -> PARENT_I2 EVENT_NULL (IKE SA: process IKE_AUTH response containing unknown notification) | PARENT_I3: category: established IKE SA flags: 0: | -> PARENT_I3 EVENT_RETAIN (I3: Informational Request) | -> PARENT_I3 EVENT_RETAIN (I3: Informational 
Response) | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Request) | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Response) | PARENT_R0: category: half-open IKE SA flags: 0: | -> PARENT_R1 EVENT_SO_DISCARD send-request (Respond to IKE_SA_INIT) | PARENT_R1: category: half-open IKE SA flags: 0: | -> PARENT_R1 EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request (no SKEYSEED)) | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request) | PARENT_R2: category: established IKE SA flags: 0: | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Request) | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Response) | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Request) | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Response) | V2_CREATE_I0: category: established IKE SA flags: 0: | -> V2_CREATE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec SA) | V2_CREATE_I: category: established IKE SA flags: 0: | -> V2_IPSEC_I EVENT_SA_REPLACE (Process CREATE_CHILD_SA IPsec SA Response) | V2_REKEY_IKE_I0: category: established IKE SA flags: 0: | -> V2_REKEY_IKE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IKE Rekey) | V2_REKEY_IKE_I: category: established IKE SA flags: 0: | -> PARENT_I3 EVENT_SA_REPLACE (Process CREATE_CHILD_SA IKE Rekey Response) | V2_REKEY_CHILD_I0: category: established IKE SA flags: 0: | -> V2_REKEY_CHILD_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec Rekey SA) | V2_REKEY_CHILD_I: category: established IKE SA flags: 0: | V2_CREATE_R: category: established IKE SA flags: 0: | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IPsec SA Request) | V2_REKEY_IKE_R: category: established IKE SA flags: 0: | -> PARENT_R2 EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IKE Rekey) | V2_REKEY_CHILD_R: category: established IKE SA flags: 0: | V2_IPSEC_I: category: established CHILD SA flags: 0: | V2_IPSEC_R: category: established CHILD SA flags: 
0: | IKESA_DEL: category: established IKE SA flags: 0: | -> IKESA_DEL EVENT_RETAIN (IKE_SA_DEL: process INFORMATIONAL) | CHILDSA_DEL: category: informational flags: 0: Using Linux XFRM/NETKEY IPsec interface code on 5.1.18-200.fc29.x86_64 | Hard-wiring algorithms | adding AES_CCM_16 to kernel algorithm db | adding AES_CCM_12 to kernel algorithm db | adding AES_CCM_8 to kernel algorithm db | adding 3DES_CBC to kernel algorithm db | adding CAMELLIA_CBC to kernel algorithm db | adding AES_GCM_16 to kernel algorithm db | adding AES_GCM_12 to kernel algorithm db | adding AES_GCM_8 to kernel algorithm db | adding AES_CTR to kernel algorithm db | adding AES_CBC to kernel algorithm db | adding SERPENT_CBC to kernel algorithm db | adding TWOFISH_CBC to kernel algorithm db | adding NULL_AUTH_AES_GMAC to kernel algorithm db | adding NULL to kernel algorithm db | adding CHACHA20_POLY1305 to kernel algorithm db | adding HMAC_MD5_96 to kernel algorithm db | adding HMAC_SHA1_96 to kernel algorithm db | adding HMAC_SHA2_512_256 to kernel algorithm db | adding HMAC_SHA2_384_192 to kernel algorithm db | adding HMAC_SHA2_256_128 to kernel algorithm db | adding HMAC_SHA2_256_TRUNCBUG to kernel algorithm db | adding AES_XCBC_96 to kernel algorithm db | adding AES_CMAC_96 to kernel algorithm db | adding NONE to kernel algorithm db | net.ipv6.conf.all.disable_ipv6=1 ignore ipv6 holes | global periodic timer EVENT_SHUNT_SCAN enabled with interval of 20 seconds | setup kernel fd callback | add_fd_read_event_handler: new KERNEL_XRM_FD-pe@0x55c3e158f3e8 | libevent_malloc: new ptr-libevent@0x55c3e15ce468 size 128 | libevent_malloc: new ptr-libevent@0x55c3e15d54d8 size 16 | add_fd_read_event_handler: new KERNEL_ROUTE_FD-pe@0x55c3e15d5468 | libevent_malloc: new ptr-libevent@0x55c3e1587c88 size 128 | libevent_malloc: new ptr-libevent@0x55c3e15d5138 size 16 | global one-shot timer EVENT_CHECK_CRLS initialized selinux support is enabled. 
| unbound context created - setting debug level to 5 | /etc/hosts lookups activated | /etc/resolv.conf usage activated | outgoing-port-avoid set 0-65535 | outgoing-port-permit set 32768-60999 | Loading dnssec root key from:/var/lib/unbound/root.key | No additional dnssec trust anchors defined via dnssec-trusted= option | Setting up events, loop start | add_fd_read_event_handler: new PLUTO_CTL_FD-pe@0x55c3e15d5908 | libevent_malloc: new ptr-libevent@0x55c3e15e1768 size 128 | libevent_malloc: new ptr-libevent@0x55c3e15eca58 size 16 | libevent_realloc: new ptr-libevent@0x55c3e15eca98 size 256 | libevent_malloc: new ptr-libevent@0x55c3e15ecbc8 size 8 | libevent_realloc: new ptr-libevent@0x55c3e15ecc08 size 144 | libevent_malloc: new ptr-libevent@0x55c3e15939a8 size 152 | libevent_malloc: new ptr-libevent@0x55c3e15eccc8 size 16 | signal event handler PLUTO_SIGCHLD installed | libevent_malloc: new ptr-libevent@0x55c3e15ecd08 size 8 | libevent_malloc: new ptr-libevent@0x55c3e1508f08 size 152 | signal event handler PLUTO_SIGTERM installed | libevent_malloc: new ptr-libevent@0x55c3e15ecd48 size 8 | libevent_malloc: new ptr-libevent@0x55c3e1501618 size 152 | signal event handler PLUTO_SIGHUP installed | libevent_malloc: new ptr-libevent@0x55c3e15ecd88 size 8 | libevent_realloc: release ptr-libevent@0x55c3e15ecc08 | libevent_realloc: new ptr-libevent@0x55c3e15ecdc8 size 256 | libevent_malloc: new ptr-libevent@0x55c3e15016e8 size 152 | signal event handler PLUTO_SIGSYS installed | created addconn helper (pid:2434) using fork+execve | forked child 2434 | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) listening for IKE messages | Inspecting interface lo | found lo with address 127.0.0.1 | Inspecting interface eth0 | found eth0 with address 192.0.2.254 | Inspecting interface eth0:1 | found eth0:1 with address 192.0.2.244 | Inspecting interface eth0:2 | found eth0:2 with address 192.0.2.234 | Inspecting interface 
eth1 | found eth1 with address 192.1.2.23 Kernel supports NIC esp-hw-offload adding interface eth1/eth1 (esp-hw-offload not supported by kernel) 192.1.2.23:500 | NAT-Traversal: Trying sockopt style NAT-T | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 adding interface eth1/eth1 192.1.2.23:4500 adding interface eth0:2/eth0:2 (esp-hw-offload not supported by kernel) 192.0.2.234:500 | NAT-Traversal: Trying sockopt style NAT-T | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 adding interface eth0:2/eth0:2 192.0.2.234:4500 adding interface eth0:1/eth0:1 (esp-hw-offload not supported by kernel) 192.0.2.244:500 | NAT-Traversal: Trying sockopt style NAT-T | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 adding interface eth0:1/eth0:1 192.0.2.244:4500 adding interface eth0/eth0 (esp-hw-offload not supported by kernel) 192.0.2.254:500 | NAT-Traversal: Trying sockopt style NAT-T | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 adding interface eth0/eth0 192.0.2.254:4500 adding interface lo/lo (esp-hw-offload not supported by kernel) 127.0.0.1:500 | NAT-Traversal: Trying sockopt style NAT-T | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 adding interface lo/lo 127.0.0.1:4500 | no interfaces to sort | FOR_EACH_UNORIENTED_CONNECTION_... 
in check_orientations | add_fd_read_event_handler: new ethX-pe@0x55c3e15ed648 | libevent_malloc: new ptr-libevent@0x55c3e15e16b8 size 128 | libevent_malloc: new ptr-libevent@0x55c3e15ed6b8 size 16 | setup callback for interface lo 127.0.0.1:4500 fd 26 | add_fd_read_event_handler: new ethX-pe@0x55c3e15ed6f8 | libevent_malloc: new ptr-libevent@0x55c3e1587d38 size 128 | libevent_malloc: new ptr-libevent@0x55c3e15ed768 size 16 | setup callback for interface lo 127.0.0.1:500 fd 25 | add_fd_read_event_handler: new ethX-pe@0x55c3e15ed7a8 | libevent_malloc: new ptr-libevent@0x55c3e1587688 size 128 | libevent_malloc: new ptr-libevent@0x55c3e15ed818 size 16 | setup callback for interface eth0 192.0.2.254:4500 fd 24 | add_fd_read_event_handler: new ethX-pe@0x55c3e15ed858 | libevent_malloc: new ptr-libevent@0x55c3e1586f58 size 128 | libevent_malloc: new ptr-libevent@0x55c3e15ed8c8 size 16 | setup callback for interface eth0 192.0.2.254:500 fd 23 | add_fd_read_event_handler: new ethX-pe@0x55c3e15ed908 | libevent_malloc: new ptr-libevent@0x55c3e1587058 size 128 | libevent_malloc: new ptr-libevent@0x55c3e15edf38 size 16 | setup callback for interface eth0:1 192.0.2.244:4500 fd 22 | add_fd_read_event_handler: new ethX-pe@0x55c3e15edf78 | libevent_malloc: new ptr-libevent@0x55c3e1587108 size 128 | libevent_malloc: new ptr-libevent@0x55c3e15edfe8 size 16 | setup callback for interface eth0:1 192.0.2.244:500 fd 21 | add_fd_read_event_handler: new ethX-pe@0x55c3e15ee028 | libevent_malloc: new ptr-libevent@0x55c3e15ee098 size 128 | libevent_malloc: new ptr-libevent@0x55c3e15ee148 size 16 | setup callback for interface eth0:2 192.0.2.234:4500 fd 20 | add_fd_read_event_handler: new ethX-pe@0x55c3e15ee188 | libevent_malloc: new ptr-libevent@0x55c3e15ee1f8 size 128 | libevent_malloc: new ptr-libevent@0x55c3e15ee2a8 size 16 | setup callback for interface eth0:2 192.0.2.234:500 fd 19 | add_fd_read_event_handler: new ethX-pe@0x55c3e15ee2e8 | libevent_malloc: new ptr-libevent@0x55c3e15ee358 
size 128 | libevent_malloc: new ptr-libevent@0x55c3e15ee408 size 16 | setup callback for interface eth1 192.1.2.23:4500 fd 18 | add_fd_read_event_handler: new ethX-pe@0x55c3e15ee448 | libevent_malloc: new ptr-libevent@0x55c3e15ee4b8 size 128 | libevent_malloc: new ptr-libevent@0x55c3e15ee568 size 16 | setup callback for interface eth1 192.1.2.23:500 fd 17 | certs and keys locked by 'free_preshared_secrets' | certs and keys unlocked by 'free_preshared_secrets' loading secrets from "/etc/ipsec.secrets" | saving Modulus | saving PublicExponent | ignoring PrivateExponent | ignoring Prime1 | ignoring Prime2 | ignoring Exponent1 | ignoring Exponent2 | ignoring Coefficient | ignoring CKAIDNSS | computed rsa CKAID 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1 | computed rsa CKAID 8a 82 25 f1 loaded private key for keyid: PKK_RSA:AQO9bJbr3 | certs and keys locked by 'process_secret' | certs and keys unlocked by 'process_secret' | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 1.78 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) listening for IKE messages | Inspecting interface lo | found lo with address 127.0.0.1 | Inspecting interface eth0 | found eth0 with address 192.0.2.254 | Inspecting interface eth0:1 | found eth0:1 with address 192.0.2.244 | Inspecting interface eth0:2 | found eth0:2 with address 192.0.2.234 | Inspecting interface eth1 | found eth1 with address 192.1.2.23 | no interfaces to sort | libevent_free: release ptr-libevent@0x55c3e15e16b8 | free_event_entry: release EVENT_NULL-pe@0x55c3e15ed648 | add_fd_read_event_handler: new ethX-pe@0x55c3e15ed648 | libevent_malloc: new ptr-libevent@0x55c3e15e16b8 size 128 | setup callback for interface lo 127.0.0.1:4500 fd 26 | libevent_free: release ptr-libevent@0x55c3e1587d38 | free_event_entry: release EVENT_NULL-pe@0x55c3e15ed6f8 | add_fd_read_event_handler: new ethX-pe@0x55c3e15ed6f8 | libevent_malloc: new 
ptr-libevent@0x55c3e1587d38 size 128 | setup callback for interface lo 127.0.0.1:500 fd 25 | libevent_free: release ptr-libevent@0x55c3e1587688 | free_event_entry: release EVENT_NULL-pe@0x55c3e15ed7a8 | add_fd_read_event_handler: new ethX-pe@0x55c3e15ed7a8 | libevent_malloc: new ptr-libevent@0x55c3e1587688 size 128 | setup callback for interface eth0 192.0.2.254:4500 fd 24 | libevent_free: release ptr-libevent@0x55c3e1586f58 | free_event_entry: release EVENT_NULL-pe@0x55c3e15ed858 | add_fd_read_event_handler: new ethX-pe@0x55c3e15ed858 | libevent_malloc: new ptr-libevent@0x55c3e1586f58 size 128 | setup callback for interface eth0 192.0.2.254:500 fd 23 | libevent_free: release ptr-libevent@0x55c3e1587058 | free_event_entry: release EVENT_NULL-pe@0x55c3e15ed908 | add_fd_read_event_handler: new ethX-pe@0x55c3e15ed908 | libevent_malloc: new ptr-libevent@0x55c3e1587058 size 128 | setup callback for interface eth0:1 192.0.2.244:4500 fd 22 | libevent_free: release ptr-libevent@0x55c3e1587108 | free_event_entry: release EVENT_NULL-pe@0x55c3e15edf78 | add_fd_read_event_handler: new ethX-pe@0x55c3e15edf78 | libevent_malloc: new ptr-libevent@0x55c3e1587108 size 128 | setup callback for interface eth0:1 192.0.2.244:500 fd 21 | libevent_free: release ptr-libevent@0x55c3e15ee098 | free_event_entry: release EVENT_NULL-pe@0x55c3e15ee028 | add_fd_read_event_handler: new ethX-pe@0x55c3e15ee028 | libevent_malloc: new ptr-libevent@0x55c3e15ee098 size 128 | setup callback for interface eth0:2 192.0.2.234:4500 fd 20 | libevent_free: release ptr-libevent@0x55c3e15ee1f8 | free_event_entry: release EVENT_NULL-pe@0x55c3e15ee188 | add_fd_read_event_handler: new ethX-pe@0x55c3e15ee188 | libevent_malloc: new ptr-libevent@0x55c3e15ee1f8 size 128 | setup callback for interface eth0:2 192.0.2.234:500 fd 19 | libevent_free: release ptr-libevent@0x55c3e15ee358 | free_event_entry: release EVENT_NULL-pe@0x55c3e15ee2e8 | add_fd_read_event_handler: new ethX-pe@0x55c3e15ee2e8 | libevent_malloc: new 
ptr-libevent@0x55c3e15ee358 size 128 | setup callback for interface eth1 192.1.2.23:4500 fd 18 | libevent_free: release ptr-libevent@0x55c3e15ee4b8 | free_event_entry: release EVENT_NULL-pe@0x55c3e15ee448 | add_fd_read_event_handler: new ethX-pe@0x55c3e15ee448 | libevent_malloc: new ptr-libevent@0x55c3e15ee4b8 size 128 | setup callback for interface eth1 192.1.2.23:500 fd 17 | certs and keys locked by 'free_preshared_secrets' forgetting secrets | certs and keys unlocked by 'free_preshared_secrets' loading secrets from "/etc/ipsec.secrets" | saving Modulus | saving PublicExponent | ignoring PrivateExponent | ignoring Prime1 | ignoring Prime2 | ignoring Exponent1 | ignoring Exponent2 | ignoring Coefficient | ignoring CKAIDNSS | computed rsa CKAID 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1 | computed rsa CKAID 8a 82 25 f1 loaded private key for keyid: PKK_RSA:AQO9bJbr3 | certs and keys locked by 'process_secret' | certs and keys unlocked by 'process_secret' | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.293 milliseconds in whack | processing signal PLUTO_SIGCHLD | waitpid returned pid 2434 (exited with status 0) | reaped addconn helper child (status 0) | waitpid returned ECHILD (no child processes left) | spent 0.0125 milliseconds in signal handler PLUTO_SIGCHLD | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) | FOR_EACH_CONNECTION_... in conn_by_name | FOR_EACH_CONNECTION_... in foreach_connection_by_alias | FOR_EACH_CONNECTION_... in conn_by_name | FOR_EACH_CONNECTION_... in foreach_connection_by_alias | FOR_EACH_CONNECTION_... 
in conn_by_name | Added new connection TUNNEL-A with policy ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO | No AUTH policy was set - defaulting to RSASIG | ASCII to DN <= "C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org" | counting wild cards for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org is 0 | setting ID to ID_DER_ASN1_DN: 'E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA' | loading right certificate 'east' pubkey | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55c3e15f3118 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55c3e15f30c8 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55c3e15f2f88 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55c3e15f24c8 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55c3e15f2478 | unreference key: 0x55c3e15f3168 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org cnt 1-- | certs and keys locked by 'lsw_add_rsa_secret' | certs and keys unlocked by
'lsw_add_rsa_secret' | counting wild cards for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org is 0 | connect_to_host_pair: 192.1.2.23:500 192.1.2.45:500 -> hp@(nil): none | new hp@0x55c3e15f3428 added connection description "TUNNEL-A" | ike_life: 60s; ipsec_life: 28800s; rekey_margin: 2s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO | 192.0.2.254/32===192.1.2.23<192.1.2.23>[C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org]...192.1.2.45<192.1.2.45>[C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org]===192.0.1.254/32 | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.918 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) | FOR_EACH_CONNECTION_... in conn_by_name | FOR_EACH_CONNECTION_... in foreach_connection_by_alias | FOR_EACH_CONNECTION_... in conn_by_name | FOR_EACH_CONNECTION_... in foreach_connection_by_alias | FOR_EACH_CONNECTION_... 
in conn_by_name | Added new connection TUNNEL-B with policy ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO | No AUTH policy was set - defaulting to RSASIG | ASCII to DN <= "C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org" | counting wild cards for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org is 0 | setting ID to ID_DER_ASN1_DN: 'E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA' | loading right certificate 'east' pubkey | unreference key: 0x55c3e15f5b68 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org cnt 1-- | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55c3e15f5408 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55c3e15f58b8 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55c3e15f5398 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55c3e15f4e08 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55c3e15f3578 | unreference key: 0x55c3e15f3828 192.1.2.23 cnt 1-- | unreference key:
0x55c3e15f4bf8 east@testing.libreswan.org cnt 1-- | unreference key: 0x55c3e15f5188 @east.testing.libreswan.org cnt 1-- | unreference key: 0x55c3e15f56a8 user-east@testing.libreswan.org cnt 1-- | unreference key: 0x55c3e15f61e8 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org cnt 1-- | secrets entry for east already exists | counting wild cards for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org is 0 | find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500 but ignoring ports | connect_to_host_pair: 192.1.2.23:500 192.1.2.45:500 -> hp@0x55c3e15f3428: TUNNEL-A added connection description "TUNNEL-B" | ike_life: 60s; ipsec_life: 28800s; rekey_margin: 2s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO | 192.0.2.244/32===192.1.2.23<192.1.2.23>[C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org]...192.1.2.45<192.1.2.45>[C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org]===192.0.1.254/32 | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.769 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) | FOR_EACH_CONNECTION_... in conn_by_name | FOR_EACH_CONNECTION_... in foreach_connection_by_alias | FOR_EACH_CONNECTION_... in conn_by_name | FOR_EACH_CONNECTION_... in foreach_connection_by_alias | FOR_EACH_CONNECTION_... 
in conn_by_name | Added new connection TUNNEL-C with policy ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO | No AUTH policy was set - defaulting to RSASIG | ASCII to DN <= "C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org" | counting wild cards for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org is 0 | setting ID to ID_DER_ASN1_DN: 'E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA' | loading right certificate 'east' pubkey | unreference key: 0x55c3e15f56a8 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org cnt 1-- | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55c3e15f4e98 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55c3e15f6478 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55c3e15f6428 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55c3e15f63d8 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55c3e15f6388 | unreference key: 0x55c3e15f3168 192.1.2.23 cnt 1-- | unreference key:
0x55c3e15f3828 east@testing.libreswan.org cnt 1-- | unreference key: 0x55c3e15f4bf8 @east.testing.libreswan.org cnt 1-- | unreference key: 0x55c3e15f5188 user-east@testing.libreswan.org cnt 1-- | unreference key: 0x55c3e15f69b8 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org cnt 1-- | secrets entry for east already exists | counting wild cards for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org is 0 | find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500 but ignoring ports | connect_to_host_pair: 192.1.2.23:500 192.1.2.45:500 -> hp@0x55c3e15f3428: TUNNEL-B added connection description "TUNNEL-C" | ike_life: 60s; ipsec_life: 28800s; rekey_margin: 2s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO | 192.0.2.234/32===192.1.2.23<192.1.2.23>[C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org]...192.1.2.45<192.1.2.45>[C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org]===192.0.1.254/32 | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 1.04 milliseconds in whack | spent 0.00353 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 792 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500)
| start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 50 48 d3 e7 c5 a5 6d 29 | responder cookie: | 00 00 00 00 00 00 00 00 | next payload type: ISAKMP_NEXT_SA (0x1) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_IDPROT (0x2) | flags: none (0x0) | Message ID: 0 (0x0) | length: 792 (0x318) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_IDPROT (2) | State DB: IKEv1 state not found (find_state_ikev1_init) | #null state always idle | got payload 0x2 (ISAKMP_NEXT_SA) needed: 0x2 opt: 0x2080 | ***parse ISAKMP Security Association Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 644 (0x284) | DOI: ISAKMP_DOI_IPSEC (0x1) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 20 (0x14) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 20 (0x14) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 20 (0x14) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 20 (0x14) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 20 (0x14) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 20 (0x14) | message 'main_inI1_outR1' HASH payload not checked early | received Vendor ID payload [FRAGMENTATION] | received Vendor ID payload [Dead Peer Detection] | quirks.qnat_traversal_vid set to=117 [RFC 3947] | received Vendor ID payload [RFC 3947] |
Ignoring older NAT-T Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] | ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] | Ignoring older NAT-T Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] | ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] | Ignoring older NAT-T Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] | ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] | in statetime_start() with no state | find_host_connection local=192.1.2.23:500 remote=192.1.2.45:500 policy=IKEV1_ALLOW but ignoring ports | find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500 but ignoring ports | find_next_host_connection policy=IKEV1_ALLOW | found policy = RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (TUNNEL-C) | find_next_host_connection returns TUNNEL-C | find_next_host_connection policy=IKEV1_ALLOW | found policy = RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (TUNNEL-B) | find_next_host_connection returns TUNNEL-B | find_next_host_connection policy=IKEV1_ALLOW | found policy = RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (TUNNEL-A) | find_next_host_connection returns TUNNEL-A | find_next_host_connection policy=IKEV1_ALLOW | find_next_host_connection returns empty | creating state object #1 at 0x55c3e15f84c8 | State DB: adding IKEv1 state #1 in UNDEFINED | pstats #1 ikev1.isakmp started | #1 updating local interface from to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2669) | start processing: state #1 connection "TUNNEL-C" from 192.1.2.45:500 (in main_inI1_outR1() at ikev1_main.c:667) | parent state #1: UNDEFINED(ignore) => MAIN_R0(half-open IKE SA) | sender checking NAT-T: enabled; VID 117 | returning NAT-T method NAT_TRAVERSAL_METHOD_IETF_RFC | enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal) "TUNNEL-C" #1: responding to Main Mode | **emit ISAKMP Message: | initiator cookie: | 50 48 d3 e7 c5 a5 6d 29 | responder 
cookie: | ba db bc b1 d4 d2 34 51 | next payload type: ISAKMP_NEXT_SA (0x1) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_IDPROT (0x2) | flags: none (0x0) | Message ID: 0 (0x0) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | next payload chain: ignoring supplied 'ISAKMP Message'.'next payload type' value 1:ISAKMP_NEXT_SA | ***emit ISAKMP Security Association Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | DOI: ISAKMP_DOI_IPSEC (0x1) | next payload chain: ignoring supplied 'ISAKMP Security Association Payload'.'next payload type' value 13:ISAKMP_NEXT_VID | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Security Association Payload (1:ISAKMP_NEXT_SA) | next payload chain: saving location 'ISAKMP Security Association Payload'.'next payload type' in 'reply packet' | ****parse IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ****parse ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 632 (0x278) | proposal number: 0 (0x0) | protocol ID: PROTO_ISAKMP (0x1) | SPI size: 0 (0x0) | number of transforms: 18 (0x12) | *****parse ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | length: 36 (0x24) | ISAKMP transform number: 0 (0x0) | ISAKMP transform ID: KEY_IKE (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 60 (0x3c) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 7 (0x7) | [7 is OAKLEY_AES_CBC] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 4 (0x4) | [4 is OAKLEY_SHA2_256] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 
3 (0x3) | [3 is OAKLEY_RSA_SIG] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 14 (0xe) | [14 is OAKLEY_GROUP_MODP2048] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | OAKLEY proposal verified unconditionally; no alg_info to check against | Oakley Transform 0 accepted | ****emit IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ****emit ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | proposal number: 0 (0x0) | protocol ID: PROTO_ISAKMP (0x1) | SPI size: 0 (0x0) | number of transforms: 1 (0x1) | last substructure: saving location 'ISAKMP Security Association Payload'.'ISAKMP Proposal Payload'.'next payload type' | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP transform number: 0 (0x0) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | emitting 28 raw bytes of attributes into ISAKMP Transform Payload (ISAKMP) | attributes 80 0b 00 01 80 0c 00 3c 80 01 00 07 80 02 00 04 | attributes 80 03 00 03 80 04 00 0e 80 0e 01 00 | emitting length of ISAKMP Transform Payload (ISAKMP): 36 | emitting length of ISAKMP Proposal Payload: 44 | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is 0 | emitting length of ISAKMP Security Association Payload: 56 | last substructure: checking 'ISAKMP Security Association Payload'.'ISAKMP Proposal Payload'.'next payload type' is 0 | out_vid(): sending [FRAGMENTATION] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | next payload chain: ignoring supplied 'ISAKMP Vendor ID Payload'.'next payload type' value 13:ISAKMP_NEXT_VID | next payload chain: setting previous 'ISAKMP Security Association Payload'.'next payload type' to current ISAKMP Vendor ID 
Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID 40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3 | emitting length of ISAKMP Vendor ID Payload: 20 | out_vid(): sending [Dead Peer Detection] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Vendor ID Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00 | emitting length of ISAKMP Vendor ID Payload: 20 | out_vid(): sending [RFC 3947] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Vendor ID Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID 4a 13 1c 81 07 03 58 45 5c 57 28 f2 0e 95 45 2f | emitting length of ISAKMP Vendor ID Payload: 20 | no IKEv1 message padding required | emitting length of ISAKMP Message: 144 | complete v1 state transition with STF_OK | [RE]START processing: state #1 connection "TUNNEL-C" from 192.1.2.45:500 (in complete_v1_state_transition() at ikev1.c:2673) | #1 is idle | doing_xauth:no, t_xauth_client_done:no | peer supports fragmentation | peer supports DPD | IKEv1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1 | parent state #1: MAIN_R0(half-open IKE SA) => MAIN_R1(open IKE SA) | event_already_set, deleting event | sending reply packet to 192.1.2.45:500 (from 192.1.2.23:500) | sending 144 bytes for STATE_MAIN_R0 through eth1 
from 192.1.2.23:500 to 192.1.2.45:500 (using #1) | !event_already_set at reschedule | event_schedule: new EVENT_SO_DISCARD-pe@0x55c3e15f5948 | inserting event EVENT_SO_DISCARD, timeout in 60 seconds for #1 | libevent_malloc: new ptr-libevent@0x55c3e15f23c8 size 128 "TUNNEL-C" #1: STATE_MAIN_R1: sent MR1, expecting MI2 | modecfg pull: noquirk policy:push not-client | phase 1 is done, looking for phase 2 to unpend | stop processing: from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:380) | stop processing: state #1 connection "TUNNEL-C" from 192.1.2.45:500 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.86 milliseconds in comm_handle_cb() reading and processing packet | spent 0.00251 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 396 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500)
| start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 50 48 d3 e7 c5 a5 6d 29 | responder cookie: | ba db bc b1 d4 d2 34 51 | next payload type: ISAKMP_NEXT_KE (0x4) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_IDPROT (0x2) | flags: none (0x0) | Message ID: 0 (0x0) | length: 396 (0x18c) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_IDPROT (2) | State DB: found IKEv1 state #1 in MAIN_R1 (find_state_ikev1) | start processing: state #1 connection "TUNNEL-C" from 192.1.2.45:500 (in process_v1_packet() at ikev1.c:1459) | #1 is idle | #1 idle | got payload 0x10 (ISAKMP_NEXT_KE) needed: 0x410 opt: 0x102080 | ***parse ISAKMP Key Exchange Payload: | next payload type: ISAKMP_NEXT_NONCE (0xa) | length: 260 (0x104) | got payload 0x400 (ISAKMP_NEXT_NONCE) needed: 0x400 opt: 0x102080 | ***parse ISAKMP Nonce Payload: | next payload type: ISAKMP_NEXT_NATD_RFC (0x14) | length: 36 (0x24) | got payload 0x100000 (ISAKMP_NEXT_NATD_RFC) needed: 0x0 opt: 0x102080 | ***parse ISAKMP NAT-D Payload: | next payload type: ISAKMP_NEXT_NATD_RFC (0x14) | length: 36 (0x24) | got payload 0x100000 (ISAKMP_NEXT_NATD_RFC) needed: 0x0 opt: 0x102080 | ***parse ISAKMP NAT-D Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 36 (0x24) | message 'main_inI2_outR2' HASH payload not checked early
| init checking NAT-T: enabled; RFC 3947 (NAT-Traversal) | natd_hash: hasher=0x55c3e0873ca0(32) | natd_hash: icookie= 50 48 d3 e7 c5 a5 6d 29 | natd_hash: rcookie= ba db bc b1 d4 d2 34 51 | natd_hash: ip= c0 01 02 17 | natd_hash: port=500 | natd_hash: hash= a2 f9 64 8b 22 67 cd d3 8e 59 05 76 42 d2 1d 89 | natd_hash: hash= 4d 4e 04 bb bf 7f b9 89 6f 84 5f 3c e6 3e 12 d8 | natd_hash: hasher=0x55c3e0873ca0(32) | natd_hash: icookie= 50 48 d3 e7 c5 a5 6d 29 | natd_hash: rcookie= ba db bc b1 d4 d2 34 51 | natd_hash: ip= c0 01 02 2d | natd_hash: port=500 | natd_hash: hash= 0a da e0 b8 c0 72 21 90 26 25 eb af 7e 52 1e 76 | natd_hash: hash= 1e ee df b9 83 e1 f8 5d 5b f6 34 a1 f9 36 bc b3 | expected NAT-D(me): a2 f9 64 8b 22 67 cd d3 8e 59 05 76 42 d2 1d 89 | expected NAT-D(me): 4d 4e 04 bb bf 7f b9 89 6f 84 5f 3c e6 3e 12 d8 | expected NAT-D(him): | 0a da e0 b8 c0 72 21 90 26 25 eb af 7e 52 1e 76 | 1e ee df b9 83 e1 f8 5d 5b f6 34 a1 f9 36 bc b3 | received NAT-D: a2 f9 64 8b 22 67 cd d3 8e 59 05 76 42 d2 1d 89 | received NAT-D: 4d 4e 04 bb bf 7f b9 89 6f 84 5f 3c e6 3e 12 d8 | received NAT-D: 0a da e0 b8 c0 72 21 90 26 25 eb af 7e 52 1e 76 | received NAT-D: 1e ee df b9 83 e1 f8 5d 5b f6 34 a1 f9 36 bc b3 | NAT_TRAVERSAL encaps using auto-detect | NAT_TRAVERSAL this end is NOT behind NAT | NAT_TRAVERSAL that end is NOT behind NAT | NAT_TRAVERSAL nat-keepalive enabled 192.1.2.45 | NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: no NAT detected | NAT_T_WITH_KA detected | global one-shot timer EVENT_NAT_T_KEEPALIVE scheduled in 20 seconds | adding inI2_outR2 KE work-order 1 for state #1 | state #1 requesting EVENT_SO_DISCARD to be deleted | libevent_free: release ptr-libevent@0x55c3e15f23c8 | free_event_entry: release EVENT_SO_DISCARD-pe@0x55c3e15f5948 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55c3e15f5948 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 | libevent_malloc: new ptr-libevent@0x55c3e15f82e8 size 128 | complete v1 
state transition with STF_SUSPEND | [RE]START processing: state #1 connection "TUNNEL-C" from 192.1.2.45:500 (in complete_v1_state_transition() at ikev1.c:2648) | suspending state #1 and saving MD | #1 is busy; has a suspended MD | crypto helper 0 resuming | #1 spent 0.0837 milliseconds in process_packet_tail() | crypto helper 0 starting work-order 1 for state #1 | stop processing: from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:380) | stop processing: state #1 connection "TUNNEL-C" from 192.1.2.45:500 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | crypto helper 0 doing build KE and nonce (inI2_outR2 KE); request ID 1 | spent 0.188 milliseconds in comm_handle_cb() reading and processing packet | crypto helper 0 finished build KE and nonce (inI2_outR2 KE); request ID 1 time elapsed 0.00059 seconds | (#1) spent 0.584 milliseconds in crypto helper computing work-order 1: inI2_outR2 KE (pcr) | crypto helper 0 sending results from work-order 1 for state #1 to event queue | scheduling resume sending helper answer for #1 | libevent_malloc: new ptr-libevent@0x7f0814002888 size 128 | crypto helper 0 waiting (nothing to do) | processing resume sending helper answer for #1 | start processing: state #1 connection "TUNNEL-C" from 192.1.2.45:500 (in resume_handler() at server.c:797) | crypto helper 0 replies to request ID 1 | calling continuation function 0x55c3e079eb50 | main_inI2_outR2_continue for #1: calculated ke+nonce, sending R2 | **emit ISAKMP Message: | initiator cookie: | 50 48 d3 e7 c5 a5 6d 29 | responder cookie: | ba db bc b1 d4 d2 34 51 | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_IDPROT (0x2) | flags: none (0x0) | Message ID: 0 (0x0) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit ISAKMP Key Exchange Payload: | next payload type: ISAKMP_NEXT_NONCE (0xa) | next payload 
chain: ignoring supplied 'ISAKMP Key Exchange Payload'.'next payload type' value 10:ISAKMP_NEXT_NONCE | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Key Exchange Payload (4:ISAKMP_NEXT_KE) | next payload chain: saving location 'ISAKMP Key Exchange Payload'.'next payload type' in 'reply packet' | emitting 256 raw bytes of keyex value into ISAKMP Key Exchange Payload | emitting length of ISAKMP Key Exchange Payload: 260 | ***emit ISAKMP Nonce Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Key Exchange Payload'.'next payload type' to current ISAKMP Nonce Payload (10:ISAKMP_NEXT_NONCE) | next payload chain: saving location 'ISAKMP Nonce Payload'.'next payload type' in 'reply packet' | emitting 32 raw bytes of Nr into ISAKMP Nonce Payload | Nr 41 a9 cc 1c a6 32 e2 77 a7 c1 61 0e d7 5a 2f 63 | Nr 95 74 03 78 fb 14 24 d1 f6 64 a8 17 cc e6 ee 96 | emitting length of ISAKMP Nonce Payload: 36 | sending
NAT-D payloads | natd_hash: hasher=0x55c3e0873ca0(32) | natd_hash: icookie= 50 48 d3 e7 c5 a5 6d 29 | natd_hash: rcookie= ba db bc b1 d4 d2 34 51 | natd_hash: ip= c0 01 02 2d | natd_hash: port=500 | natd_hash: hash= 0a da e0 b8 c0 72 21 90 26 25 eb af 7e 52 1e 76 | natd_hash: hash= 1e ee df b9 83 e1 f8 5d 5b f6 34 a1 f9 36 bc b3 | ***emit ISAKMP NAT-D Payload: | next payload type: ISAKMP_NEXT_NATD_RFC (0x14) | next payload chain: ignoring supplied 'ISAKMP NAT-D Payload'.'next payload type' value 20:ISAKMP_NEXT_NATD_RFC | next payload chain: setting previous 'ISAKMP Nonce Payload'.'next payload type' to current ISAKMP NAT-D Payload (20:ISAKMP_NEXT_NATD_RFC) | next payload chain: saving location 'ISAKMP NAT-D Payload'.'next payload type' in 'reply packet' | emitting 32 raw bytes of NAT-D into ISAKMP NAT-D Payload | NAT-D 0a da e0 b8 c0 72 21 90 26 25 eb af 7e 52 1e 76 | NAT-D 1e ee df b9 83 e1 f8 5d 5b f6 34 a1 f9 36 bc b3 | emitting length of ISAKMP NAT-D Payload: 36 | natd_hash: hasher=0x55c3e0873ca0(32) | natd_hash: icookie= 50 48 d3 e7 c5 a5 6d 29 | natd_hash: rcookie= ba db bc b1 d4 d2 34 51 | natd_hash: ip= c0 01 02 17 | natd_hash: port=500 | natd_hash: hash= a2 f9 64 8b 22 67 cd d3 8e 59 05 76 42 d2 1d 89 | natd_hash: hash= 4d 4e 04 bb bf 7f b9 89 6f 84 5f 3c e6 3e 12 d8 | ***emit ISAKMP NAT-D Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP NAT-D Payload'.'next payload type' to current ISAKMP NAT-D Payload (20:ISAKMP_NEXT_NATD_RFC) | next payload chain: saving location 'ISAKMP NAT-D Payload'.'next payload type' in 'reply packet' | emitting 32 raw bytes of NAT-D into ISAKMP NAT-D Payload | NAT-D a2 f9 64 8b 22 67 cd d3 8e 59 05 76 42 d2 1d 89 | NAT-D 4d 4e 04 bb bf 7f b9 89 6f 84 5f 3c e6 3e 12 d8 | emitting length of ISAKMP NAT-D Payload: 36 | no IKEv1 message padding required | emitting length of ISAKMP Message: 396 | main inI2_outR2: starting async DH calculation (group=14) | started looking for secret for 
C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org->C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org of kind PKK_PSK | actually looking for secret for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org->C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org of kind PKK_PSK | line 0: key type PKK_PSK(C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org) to type PKK_RSA | line 1: key type PKK_PSK(C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org) to type PKK_RSA | concluding with best_match=000 best=(nil) (lineno=-1) | no PreShared Key Found | adding main_inI2_outR2_tail work-order 2 for state #1 | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted | libevent_free: release ptr-libevent@0x55c3e15f82e8 | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55c3e15f5948 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55c3e15f5948 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 | libevent_malloc: new ptr-libevent@0x55c3e15f95c8 size 128 | #1 main_inI2_outR2_continue1_tail:1165 st->st_calculating = FALSE; | complete v1 state transition with STF_OK | crypto helper 1 resuming | crypto helper 1 starting work-order 2 for state #1 | [RE]START processing: state #1 connection "TUNNEL-C" from 192.1.2.45:500 (in complete_v1_state_transition() at ikev1.c:2673) | crypto helper 1 doing compute dh+iv (V1 Phase 1) (main_inI2_outR2_tail); request ID 2 | #1 is idle; has background offloaded task | doing_xauth:no, t_xauth_client_done:no | IKEv1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2 | parent state 
#1: MAIN_R1(open IKE SA) => MAIN_R2(open IKE SA) | event_already_set, deleting event | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted | libevent_free: release ptr-libevent@0x55c3e15f95c8 | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55c3e15f5948 | sending reply packet to 192.1.2.45:500 (from 192.1.2.23:500) | sending 396 bytes for STATE_MAIN_R1 through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #1) | !event_already_set at reschedule | event_schedule: new EVENT_RETRANSMIT-pe@0x55c3e15f5948 | inserting event EVENT_RETRANSMIT, timeout in 0.5 seconds for #1 | libevent_malloc: new ptr-libevent@0x55c3e15f95c8 size 128 | #1 STATE_MAIN_R2: retransmits: first event in 0.5 seconds; timeout in 60 seconds; limit of 12 retransmits; current
time is 29783.003408 "TUNNEL-C" #1: STATE_MAIN_R2: sent MR2, expecting MI3 | modecfg pull: noquirk policy:push not-client | phase 1 is done, looking for phase 2 to unpend | resume sending helper answer for #1 suppresed complete_v1_state_transition() | #1 spent 0.311 milliseconds in resume sending helper answer | stop processing: state #1 connection "TUNNEL-C" from 192.1.2.45:500 (in resume_handler() at server.c:833) | libevent_free: release ptr-libevent@0x7f0814002888 | crypto helper 1 finished compute dh+iv (V1 Phase 1) (main_inI2_outR2_tail); request ID 2 time elapsed 0.000981 seconds | (#1) spent 0.981 milliseconds in crypto helper computing work-order 2: main_inI2_outR2_tail (pcr) | crypto helper 1 sending results from work-order 2 for state #1 to event queue | scheduling resume sending helper answer for #1 | libevent_malloc: new ptr-libevent@0x7f080c000f48 size 128 | crypto helper 1 waiting (nothing to do) | processing resume sending helper answer for #1 | start processing: state #1 connection "TUNNEL-C" from 192.1.2.45:500 (in resume_handler() at server.c:797) | crypto helper 1 replies to request ID 2 | calling continuation function 0x55c3e079eb50 | main_inI2_outR2_calcdone for #1: calculate DH finished | [RE]START processing: state #1 connection "TUNNEL-C" from 192.1.2.45:500 (in main_inI2_outR2_continue2() at ikev1_main.c:1015) | stop processing: state #1 connection "TUNNEL-C" from 192.1.2.45:500 (in main_inI2_outR2_continue2() at ikev1_main.c:1028) | resume sending helper answer for #1 suppresed complete_v1_state_transition() | #1 spent 0.0127 milliseconds in resume sending helper answer | processing: STOP state #0 (in resume_handler() at server.c:833) | libevent_free: release ptr-libevent@0x7f080c000f48 | spent 0.00243 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 1884 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500) | start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 50 48 d3 e7 c5 a5 6d 29 | responder cookie: | ba db bc b1 d4 d2 34 51 | next payload type:
ISAKMP_NEXT_ID (0x5) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_IDPROT (0x2) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 0 (0x0) | length: 1884 (0x75c) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_IDPROT (2) | State DB: found IKEv1 state #1 in MAIN_R2 (find_state_ikev1) | start processing: state #1 connection "TUNNEL-C" from 192.1.2.45:500 (in process_v1_packet() at ikev1.c:1459) | #1 is idle | #1 idle | received encrypted packet from 192.1.2.45:500 | got payload 0x20 (ISAKMP_NEXT_ID) needed: 0x220 opt: 0x20c0 | ***parse ISAKMP Identification Payload: | next payload type: ISAKMP_NEXT_CERT (0x6) | length: 191 (0xbf) | ID type: ID_DER_ASN1_DN (0x9) | DOI specific A: 0 (0x0) | DOI specific B: 0 (0x0) | got payload 0x40 (ISAKMP_NEXT_CERT) needed: 0x200 opt: 0x20c0 | ***parse ISAKMP Certificate Payload: | next payload type: ISAKMP_NEXT_CR (0x7) | length: 1265 (0x4f1) | cert encoding: CERT_X509_SIGNATURE (0x4) | got payload 0x80 (ISAKMP_NEXT_CR) needed: 0x200 opt: 0x20c0 | ***parse ISAKMP Certificate RequestPayload: | next payload type: ISAKMP_NEXT_SIG (0x9) | length: 5 (0x5) | cert type: CERT_X509_SIGNATURE (0x4) | got payload 0x200 (ISAKMP_NEXT_SIG) needed: 0x200 opt: 0x20c0 | ***parse ISAKMP Signature Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 388 (0x184) |
removing 7 bytes of padding | message 'main_inI3_outR3' HASH payload not checked early "TUNNEL-C" #1: Peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' | global one-shot timer EVENT_FREE_ROOT_CERTS scheduled in 300 seconds loading root certificate cache | spent 2.67 milliseconds in get_root_certs() calling PK11_ListCertsInSlot() | spent 0.0148 milliseconds in get_root_certs() filtering CAs | #1 spent 2.71 milliseconds in find_and_verify_certs() calling get_root_certs() | checking for known CERT payloads | saving certificate of type 'X509_SIGNATURE' | decoded cert: E=user-west@testing.libreswan.org,CN=west.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA | #1 spent 0.426 milliseconds in find_and_verify_certs() calling decode_cert_payloads() | cert_issuer_has_current_crl: looking for a CRL issued by E=testing@libreswan.org,CN=Libreswan test CA for mainca,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA | #1 spent 0.0287 milliseconds in find_and_verify_certs() calling crl_update_check() | missing or expired CRL | crl_strict: 0, ocsp: 0, ocsp_strict: 0, ocsp_post: 0 | verify_end_cert trying profile IPsec |
certificate is valid (profile IPsec) | #1 spent 0.0867 milliseconds in find_and_verify_certs() calling verify_end_cert() "TUNNEL-C" #1: certificate verified OK: E=user-west@testing.libreswan.org,CN=west.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55c3e160c018 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55c3e160b658 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55c3e160b4a8 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55c3e160a318 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55c3e1612698 | unreference key: 0x55c3e1612728 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org cnt 1-- | #1 spent 0.221 milliseconds in decode_certs() calling add_pubkey_from_nss_cert() | #1 spent 3.5 milliseconds in decode_certs() | ID_DER_ASN1_DN 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' needs further ID comparison against 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' | ID_DER_ASN1_DN 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' matched our ID | SAN ID matched, updating that.cert | X509: CERT and ID matches current connection | CR | requested CA: '%any' | refine_host_connection for IKEv1: starting with "TUNNEL-C" | trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | match_id a=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org | b=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org | results matched | 
trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | refine_host_connection: checking "TUNNEL-C" against "TUNNEL-C", best=(none) with match=1(id=1(0)/ca=1(7)/reqca=1(0)) | Warning: not switching back to template of current instance | No IDr payload received from peer | refine_host_connection: checked TUNNEL-C against TUNNEL-C, now for see if best | started looking for secret for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org->C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org of kind PKK_RSA | searching for certificate PKK_RSA:AwEAAbEef vs PKK_RSA:AwEAAbEef | refine_host_connection: picking new best "TUNNEL-C" (wild=0, peer_pathlen=7/our=0) | match_id a=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org | b=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org | results matched | trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | refine_host_connection: checking "TUNNEL-C" against "TUNNEL-B", best=TUNNEL-C with match=1(id=1(0)/ca=1(7)/reqca=1(0)) | Warning: not switching back to template of current instance | No IDr payload received from peer | refine_host_connection: checked TUNNEL-C against TUNNEL-B, now for see if best | started looking for secret for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org->C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org of kind PKK_RSA | searching for certificate PKK_RSA:AwEAAbEef vs 
PKK_RSA:AwEAAbEef | match_id a=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org | b=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org | results matched | trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | refine_host_connection: checking "TUNNEL-C" against "TUNNEL-A", best=TUNNEL-C with match=1(id=1(0)/ca=1(7)/reqca=1(0)) | Warning: not switching back to template of current instance | No IDr payload received from peer | refine_host_connection: checked TUNNEL-C against TUNNEL-A, now for see if best | started looking for secret for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org->C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org of kind PKK_RSA | searching for certificate PKK_RSA:AwEAAbEef vs PKK_RSA:AwEAAbEef | refine going into 2nd loop allowing instantiated conns as well | returning since no better match than original best_found | offered CA: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | required RSA CA is '%any' | checking RSA keyid 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' for match with 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' | trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | key issuer CA is 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, 
E=testing@libreswan.org' | an RSA Sig check passed with *AwEAAZd0v [remote certificates] | #1 spent 0.103 milliseconds in try_all_RSA_keys() trying a pubkey "TUNNEL-C" #1: Authenticated using RSA | thinking about whether to send my certificate: | I have RSA key: OAKLEY_RSA_SIG cert.type: CERT_X509_SIGNATURE | sendcert: CERT_ALWAYSSEND and I did not get a certificate request | so send cert. | **emit ISAKMP Message: | initiator cookie: | 50 48 d3 e7 c5 a5 6d 29 | responder cookie: | ba db bc b1 d4 d2 34 51 | next payload type: ISAKMP_NEXT_ID (0x5) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_IDPROT (0x2) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 0 (0x0) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | next payload chain: ignoring supplied 'ISAKMP Message'.'next payload type' value 5:ISAKMP_NEXT_ID | ***emit ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_CERT (0x6) | ID type: ID_DER_ASN1_DN (0x9) | Protocol ID: 0 (0x0) | port: 0 (0x0) | next payload chain: ignoring supplied 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' value 6:ISAKMP_NEXT_CERT | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Identification Payload (IPsec DOI) (5:ISAKMP_NEXT_ID) | next payload chain: saving location 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' in 'reply packet' | emitting 183 raw bytes of my identity into ISAKMP Identification Payload (IPsec DOI) | emitting length of ISAKMP Identification Payload (IPsec DOI): 191 "TUNNEL-C" #1: I am sending my cert | ***emit ISAKMP Certificate Payload: | next payload type: ISAKMP_NEXT_SIG (0x9) | cert encoding: CERT_X509_SIGNATURE (0x4) | next payload chain: ignoring supplied 'ISAKMP Certificate Payload'.'next payload type' value 9:ISAKMP_NEXT_SIG | next payload chain: setting previous 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' to current ISAKMP Certificate Payload (6:ISAKMP_NEXT_CERT) | next payload chain: saving location 'ISAKMP Certificate Payload'.'next payload type' in 'reply packet' | emitting 1260 raw bytes of CERT into ISAKMP Certificate Payload | emitting length of ISAKMP Certificate Payload: 1265 | started looking for secret for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org->C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org of kind PKK_RSA | searching for certificate PKK_RSA:AwEAAbEef vs PKK_RSA:AwEAAbEef | ***emit ISAKMP Signature Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Certificate Payload'.'next payload type' to current ISAKMP Signature Payload (9:ISAKMP_NEXT_SIG) | next payload chain: saving location 'ISAKMP Signature Payload'.'next payload type' in 'reply packet' | emitting 384 raw bytes of SIG_R into ISAKMP Signature Payload | emitting length of ISAKMP Signature Payload: 388 | emitting 12 zero bytes of encryption padding into ISAKMP Message | no IKEv1 message padding required | emitting length of ISAKMP Message: 1884 | FOR_EACH_CONNECTION_...
in ISAKMP_SA_established | complete v1 state transition with STF_OK | [RE]START processing: state #1 connection "TUNNEL-C" from 192.1.2.45:500 (in complete_v1_state_transition() at ikev1.c:2673) | #1 is idle | doing_xauth:no, t_xauth_client_done:no | IKEv1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3 | parent state #1: MAIN_R2(open IKE SA) => MAIN_R3(established IKE SA) | event_already_set, deleting event | state #1 requesting EVENT_RETRANSMIT to be deleted | #1 STATE_MAIN_R3: retransmits: cleared | libevent_free: release ptr-libevent@0x55c3e15f95c8 | free_event_entry: release EVENT_RETRANSMIT-pe@0x55c3e15f5948 | sending reply packet to 192.1.2.45:500 (from 192.1.2.23:500) | sending 1884 bytes for STATE_MAIN_R2 through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #1) | !event_already_set at reschedule | event_schedule: new EVENT_SA_REPLACE-pe@0x55c3e15f5948 | inserting event EVENT_SA_REPLACE, timeout in 59 seconds for #1 | libevent_malloc: new ptr-libevent@0x55c3e16130d8 size 128 | pstats #1 ikev1.isakmp established "TUNNEL-C" #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=RSA_SIG cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048} | DPD: dpd_init() called on ISAKMP SA | DPD: Peer supports Dead Peer Detection | DPD: not initializing DPD because DPD is disabled locally | modecfg pull: noquirk policy:push not-client | phase 1 is done, looking for phase 2 to unpend | unpending state #1 | #1 spent 6.14 milliseconds | #1 spent 10 milliseconds in process_packet_tail() | stop processing: from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:380) | stop processing: state #1 connection "TUNNEL-C" from 192.1.2.45:500 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 10.2 milliseconds in comm_handle_cb() reading and processing packet | spent 0.00268 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 476 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500) | 50 48 d3 e7 c5 a5 6d 29 ba db bc b1 d4 d2 34 51 | 08 10 20 01 4c 11 ae 0f 00 00 01 dc ee b0 c0 ae | b7
a9 e4 ce a2 28 4b fe e3 af d4 b9 94 5a 46 2f | 23 bf e9 1c 99 8d 0b 0d e2 32 82 bd 3b 12 87 bb | 08 06 a0 06 9d 7d 41 82 ed 58 a0 2f d5 90 38 4c | 81 ba b2 2b ba 21 58 1f 22 22 03 56 2a 7c 3c c9 | 77 2a d3 7b 19 23 d5 c0 4c a5 ec 7b b1 18 2c c9 | c6 27 64 a1 8d 4d 2f b9 d5 e2 4a c9 fb 15 ff f4 | f5 dc 54 54 1b 80 5a d2 35 fe 34 53 0f 6c b8 54 | 32 39 80 6a 21 72 07 ed 89 4f 77 95 e0 cd 3c cd | 20 68 13 5c c0 21 6b 5b a7 4e dd d1 78 5d d7 65 | d2 05 1c 03 8e 42 f9 da 6e c3 b7 a3 c2 df 29 e8 | d4 4d 01 01 99 06 75 08 58 26 5d 4c fc 6a 7d 1e | 43 3d a0 5b d3 ae 19 60 d1 23 6f 03 5e 2e 6c 11 | 46 ed 4b 0b 1a 6e 82 cf be 85 57 d1 65 8e 30 2b | 82 c4 96 88 af 0d b5 10 cf a7 3f 0c 78 61 a9 d1 | 23 87 7c 4b ec 81 21 9f c9 a0 f8 b6 e7 c2 e3 ca | be d4 0a 81 4e 0a aa 68 97 9c 17 2a 0a af 6b d0 | 7b fe 28 5b 8c c7 d2 e2 e5 82 0a 74 d7 8a d2 17 | cb 09 b2 39 c5 57 d3 81 7b ee 77 d3 ef 9c 03 9f | cb 48 39 a8 b1 ab 82 35 67 28 86 aa db e0 6d a6 | 3c e4 d8 13 b8 6a 70 40 d3 42 eb 29 82 be 72 19 | 21 82 c9 70 07 5e b5 74 fd a0 61 c5 f0 1d 4f 7d | c9 af 52 5d 35 d3 ef e0 61 e0 da 3d eb 5a 82 ee | 1a 84 0d 6c 32 95 d3 99 c4 56 47 42 ba 7f 37 8b | 45 bc 09 89 ee 48 74 31 a7 b9 d9 34 d4 6f 9a ae | a0 3e 81 fb f0 ed f7 25 92 6c 14 0b 15 3b bb 9a | d6 fc 00 eb 09 e9 52 ba f3 5f 90 75 cd 6c 6e d3 | 20 b8 89 68 7d 0b 50 e7 25 b4 e6 c6 86 32 10 41 | be 7b 51 45 d3 d3 88 70 42 8d 8a 51 | start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 50 48 d3 e7 c5 a5 6d 29 | responder cookie: | ba db bc b1 d4 d2 34 51 | next payload type: ISAKMP_NEXT_HASH (0x8) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_QUICK (0x20) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 1276227087 (0x4c11ae0f) | length: 476 (0x1dc) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_QUICK (32) | State DB: IKEv1 state not found (find_state_ikev1) | State DB: found IKEv1 state #1 in MAIN_R3 
(find_state_ikev1) | start processing: state #1 connection "TUNNEL-C" from 192.1.2.45:500 (in process_v1_packet() at ikev1.c:1607) | #1 is idle | #1 idle | received encrypted packet from 192.1.2.45:500 | got payload 0x100 (ISAKMP_NEXT_HASH) needed: 0x502 opt: 0x200030 | ***parse ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_SA (0x1) | length: 36 (0x24) | got payload 0x2 (ISAKMP_NEXT_SA) needed: 0x402 opt: 0x200030 | ***parse ISAKMP Security Association Payload: | next payload type: ISAKMP_NEXT_NONCE (0xa) | length: 84 (0x54) | DOI: ISAKMP_DOI_IPSEC (0x1) | got payload 0x400 (ISAKMP_NEXT_NONCE) needed: 0x400 opt: 0x200030 | ***parse ISAKMP Nonce Payload: | next payload type: ISAKMP_NEXT_KE (0x4) | length: 36 (0x24) | got payload 0x10 (ISAKMP_NEXT_KE) needed: 0x0 opt: 0x200030 | ***parse ISAKMP Key Exchange Payload: | next payload type: ISAKMP_NEXT_ID (0x5) | length: 260 (0x104) | got payload 0x20 (ISAKMP_NEXT_ID) needed: 0x0 opt: 0x200030 | ***parse ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_ID (0x5) | length: 12 (0xc) | ID type: ID_IPV4_ADDR (0x1) | Protocol ID: 0 (0x0) | port: 0 (0x0) | obj: c0 00 01 fe | got payload 0x20 (ISAKMP_NEXT_ID) needed: 0x0 opt: 0x200030 | ***parse ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 12 (0xc) | ID type: ID_IPV4_ADDR (0x1) | Protocol ID: 0 (0x0) | port: 0 (0x0) | obj: c0 00 02 fe | removing 8 bytes of padding | quick_inI1_outR1 HASH(1): | d3 e6 54 c0 29 45 69 a6 df 13 0d 88 60 71 e1 30 | a9 09 a4 bc c6 65 21 8c ea 6b b6 1f 01 9f 9c 8d | received 'quick_inI1_outR1' message HASH(1) data ok | parsing 4 raw bytes of ISAKMP Identification Payload (IPsec DOI) into ID address | ID address c0 00 01 fe | peer client is 192.0.1.254/32 | peer client protocol/port is 0/0 | parsing 4 raw bytes of ISAKMP Identification Payload (IPsec DOI) into ID address | ID address c0 00 02 fe | our client is 192.0.2.254/32 | our client protocol/port is 0/0 
"TUNNEL-C" #1: the peer proposed: 192.0.2.254/32:0/0 -> 192.0.1.254/32:0/0 | find_client_connection starting with TUNNEL-C | looking for 192.0.2.254/32:0/0 -> 192.0.1.254/32:0/0 | concrete checking against sr#0 192.0.2.234/32 -> 192.0.1.254/32 | match_id a=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org | b=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org | results matched | fc_try trying TUNNEL-C:192.0.2.254/32:0/0 -> 192.0.1.254/32:0/0 vs TUNNEL-C:192.0.2.234/32:0/0 -> 192.0.1.254/32:0/0 | our client (192.0.2.234/32) not in our_net (192.0.2.254/32) | match_id a=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org | b=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org | results matched | fc_try trying TUNNEL-C:192.0.2.254/32:0/0 -> 192.0.1.254/32:0/0 vs TUNNEL-B:192.0.2.244/32:0/0 -> 192.0.1.254/32:0/0 | our client (192.0.2.244/32) not in our_net (192.0.2.254/32) | match_id a=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org | b=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org | results matched | fc_try trying TUNNEL-C:192.0.2.254/32:0/0 -> 192.0.1.254/32:0/0 vs TUNNEL-A:192.0.2.254/32:0/0 -> 192.0.1.254/32:0/0 | fc_try concluding with TUNNEL-A [128] | fc_try TUNNEL-C gives TUNNEL-A | concluding with d = TUNNEL-A | using connection "TUNNEL-A" | client wildcard: no port wildcard: no virtual: no | creating state object #2 at 0x55c3e16114c8 | State DB: adding IKEv1 state #2 in UNDEFINED | pstats #2 ikev1.ipsec started | duplicating state object #1 "TUNNEL-C" as #2 for IPSEC SA | #2 setting local endpoint to 
192.1.2.23:500 from #1.st_localport (in duplicate_state() at state.c:1484) | in connection_discard for connection TUNNEL-C | start processing: connection "TUNNEL-A" (BACKGROUND) (in quick_inI1_outR1_tail() at ikev1_quick.c:1286) | suspend processing: state #1 connection "TUNNEL-C" from 192.1.2.45:500 (in quick_inI1_outR1_tail() at ikev1_quick.c:1295) | start processing: state #2 connection "TUNNEL-A" from 192.1.2.45:500 (in quick_inI1_outR1_tail() at ikev1_quick.c:1295) | child state #2: UNDEFINED(ignore) => QUICK_R0(established CHILD SA) | ****parse IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ****parse ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 72 (0x48) | proposal number: 0 (0x0) | protocol ID: PROTO_IPSEC_ESP (0x3) | SPI size: 4 (0x4) | number of transforms: 2 (0x2) | parsing 4 raw bytes of ISAKMP Proposal Payload into SPI | SPI 63 25 f2 23 | *****parse ISAKMP Transform Payload (ESP): | next payload type: ISAKMP_NEXT_T (0x3) | length: 32 (0x20) | ESP transform number: 0 (0x0) | ESP transform ID: ESP_AES (0xc) | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+GROUP_DESCRIPTION (0x8003) | length/value: 14 (0xe) | [14 is OAKLEY_GROUP_MODP2048] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+ENCAPSULATION_MODE (0x8004) | length/value: 1 (0x1) | [1 is ENCAPSULATION_MODE_TUNNEL] | NAT-T non-encap: Installing IPsec SA without ENCAP, st->hidden_variables.st_nat_traversal is none | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+SA_LIFE_TYPE (0x8001) | length/value: 1 (0x1) | [1 is SA_LIFE_TYPE_SECONDS] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+SA_LIFE_DURATION (variable length) (0x8002) | length/value: 28800 (0x7080) | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+AUTH_ALGORITHM (0x8005) | length/value: 2 (0x2) | [2 is AUTH_ALGORITHM_HMAC_SHA1] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+KEY_LENGTH (0x8006) | length/value: 128 (0x80) | ESP IPsec Transform verified 
unconditionally; no alg_info to check against | adding quick_outI1 KE work-order 3 for state #2 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55c3e15faed8 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #2 | libevent_malloc: new ptr-libevent@0x55c3e15c9bf8 size 128 | libevent_realloc: release ptr-libevent@0x55c3e1595938 | libevent_realloc: new ptr-libevent@0x55c3e15eeef8 size 128 | complete v1 state transition with STF_SUSPEND | [RE]START processing: state #2 connection "TUNNEL-A" from 192.1.2.45:500 (in complete_v1_state_transition() at ikev1.c:2648) | suspending state #2 and saving MD | #2 is busy; has a suspended MD | #1 spent 0.167 milliseconds in process_packet_tail() | stop processing: from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:380) | stop processing: state #2 connection "TUNNEL-A" from 192.1.2.45:500 (in process_md() at demux.c:382) | resume processing: connection "TUNNEL-A" (in process_md() at demux.c:382) | stop processing: connection "TUNNEL-A" (in process_md() at demux.c:383) | spent 0.332 milliseconds in comm_handle_cb() reading and processing packet | crypto helper 2 resuming | crypto helper 2 starting work-order 3 for state #2 | crypto helper 2 doing build KE and nonce (quick_outI1 KE); request ID 3 | crypto helper 2 finished build KE and nonce (quick_outI1 KE); request ID 3 time elapsed 0.000542 seconds | (#2) spent 0.545 milliseconds in crypto helper computing work-order 3: quick_outI1 KE (pcr) | crypto helper 2 sending results from work-order 3 for state #2 to event queue | scheduling resume sending helper answer for #2 | libevent_malloc: new ptr-libevent@0x7f0810003f28 size 128 | crypto helper 2 waiting (nothing to do) | processing resume sending helper answer for #2 | start processing: state #2 connection "TUNNEL-A" from 192.1.2.45:500 (in resume_handler() at server.c:797) | crypto helper 2 replies to request ID 3 | calling continuation function 0x55c3e079eb50 | quick_inI1_outR1_cryptocontinue1 for #2: 
calculated ke+nonce, calculating DH | started looking for secret for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org->C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org of kind PKK_PSK | actually looking for secret for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org->C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org of kind PKK_PSK | line 0: key type PKK_PSK(C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org) to type PKK_RSA | line 1: key type PKK_PSK(C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org) to type PKK_RSA | concluding with best_match=000 best=(nil) (lineno=-1) | no PreShared Key Found | adding quick outR1 DH work-order 4 for state #2 | state #2 requesting EVENT_CRYPTO_TIMEOUT to be deleted | libevent_free: release ptr-libevent@0x55c3e15c9bf8 | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55c3e15faed8 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55c3e15faed8 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #2 | libevent_malloc: new ptr-libevent@0x55c3e15c9bf8 size 128 | suspending state #2 and saving MD | #2 is busy; has a suspended MD | resume sending helper answer for #2 suppresed complete_v1_state_transition() and stole MD | #2 spent 0.0516 milliseconds in resume sending helper answer | stop processing: state #2 connection "TUNNEL-A" from 192.1.2.45:500 (in resume_handler() at server.c:833) | libevent_free: release ptr-libevent@0x7f0810003f28 | crypto helper 3 resuming | crypto helper 3 starting work-order 4 for state #2 | crypto helper 3 doing compute dh (V1 Phase 2 
PFS) (quick outR1 DH); request ID 4 | crypto helper 3 finished compute dh (V1 Phase 2 PFS) (quick outR1 DH); request ID 4 time elapsed 0.000529 seconds | (#2) spent 0.532 milliseconds in crypto helper computing work-order 4: quick outR1 DH (pcr) | crypto helper 3 sending results from work-order 4 for state #2 to event queue | scheduling resume sending helper answer for #2 | libevent_malloc: new ptr-libevent@0x7f0804003618 size 128 | crypto helper 3 waiting (nothing to do) | processing resume sending helper answer for #2 | start processing: state #2 connection "TUNNEL-A" from 192.1.2.45:500 (in resume_handler() at server.c:797) | crypto helper 3 replies to request ID 4 | calling continuation function 0x55c3e079eb50 | quick_inI1_outR1_cryptocontinue2 for #2: calculated DH, sending R1 | **emit ISAKMP Message: | initiator cookie: | 50 48 d3 e7 c5 a5 6d 29 | responder cookie: | ba db bc b1 d4 d2 34 51 | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_QUICK (0x20) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 1276227087 (0x4c11ae0f) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Hash Payload (8:ISAKMP_NEXT_HASH) | next payload chain: saving location 'ISAKMP Hash Payload'.'next payload type' in 'reply packet' | emitting 32 zero bytes of HASH DATA into ISAKMP Hash Payload | emitting length of ISAKMP Hash Payload: 36 | ***emit ISAKMP Security Association Payload: | next payload type: ISAKMP_NEXT_NONCE (0xa) | DOI: ISAKMP_DOI_IPSEC (0x1) | next payload chain: ignoring supplied 'ISAKMP Security Association Payload'.'next payload type' value 10:ISAKMP_NEXT_NONCE | next payload chain: setting previous 'ISAKMP Hash Payload'.'next payload type' to current ISAKMP Security Association Payload 
(1:ISAKMP_NEXT_SA) | next payload chain: saving location 'ISAKMP Security Association Payload'.'next payload type' in 'reply packet' | ****parse IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ****parse ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 72 (0x48) | proposal number: 0 (0x0) | protocol ID: PROTO_IPSEC_ESP (0x3) | SPI size: 4 (0x4) | number of transforms: 2 (0x2) | parsing 4 raw bytes of ISAKMP Proposal Payload into SPI | SPI 63 25 f2 23 | *****parse ISAKMP Transform Payload (ESP): | next payload type: ISAKMP_NEXT_T (0x3) | length: 32 (0x20) | ESP transform number: 0 (0x0) | ESP transform ID: ESP_AES (0xc) | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+GROUP_DESCRIPTION (0x8003) | length/value: 14 (0xe) | [14 is OAKLEY_GROUP_MODP2048] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+ENCAPSULATION_MODE (0x8004) | length/value: 1 (0x1) | [1 is ENCAPSULATION_MODE_TUNNEL] | NAT-T non-encap: Installing IPsec SA without ENCAP, st->hidden_variables.st_nat_traversal is none | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+SA_LIFE_TYPE (0x8001) | length/value: 1 (0x1) | [1 is SA_LIFE_TYPE_SECONDS] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+SA_LIFE_DURATION (variable length) (0x8002) | length/value: 28800 (0x7080) | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+AUTH_ALGORITHM (0x8005) | length/value: 2 (0x2) | [2 is AUTH_ALGORITHM_HMAC_SHA1] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+KEY_LENGTH (0x8006) | length/value: 128 (0x80) | ESP IPsec Transform verified unconditionally; no alg_info to check against | ****emit IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ****emit ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | proposal number: 0 (0x0) | protocol ID: PROTO_IPSEC_ESP (0x3) | SPI size: 4 (0x4) | number of transforms: 1 (0x1) | last substructure: saving location 'ISAKMP Security Association Payload'.'ISAKMP Proposal Payload'.'next 
payload type' | netlink_get_spi: allocated 0xf581f61c for esp.0@192.1.2.23 | emitting 4 raw bytes of SPI into ISAKMP Proposal Payload | SPI f5 81 f6 1c | *****emit ISAKMP Transform Payload (ESP): | next payload type: ISAKMP_NEXT_NONE (0x0) | ESP transform number: 0 (0x0) | ESP transform ID: ESP_AES (0xc) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ESP)'.'next payload type' | emitting 24 raw bytes of attributes into ISAKMP Transform Payload (ESP) | attributes 80 03 00 0e 80 04 00 01 80 01 00 01 80 02 70 80 | attributes 80 05 00 02 80 06 00 80 | emitting length of ISAKMP Transform Payload (ESP): 32 | emitting length of ISAKMP Proposal Payload: 44 | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ESP)'.'next payload type' is 0 | emitting length of ISAKMP Security Association Payload: 56 | last substructure: checking 'ISAKMP Security Association Payload'.'ISAKMP Proposal Payload'.'next payload type' is 0 "TUNNEL-A" #2: responding to Quick Mode proposal {msgid:4c11ae0f} "TUNNEL-A" #2: us: 192.0.2.254/32===192.1.2.23<192.1.2.23>[C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org] "TUNNEL-A" #2: them: 192.1.2.45<192.1.2.45>[C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org]===192.0.1.254/32 | ***emit ISAKMP Nonce Payload: | next payload type: ISAKMP_NEXT_KE (0x4) | next payload chain: ignoring supplied 'ISAKMP Nonce Payload'.'next payload type' value 4:ISAKMP_NEXT_KE | next payload chain: setting previous 'ISAKMP Security Association Payload'.'next payload type' to current ISAKMP Nonce Payload (10:ISAKMP_NEXT_NONCE) | next payload chain: saving location 'ISAKMP Nonce Payload'.'next payload type' in 'reply packet' | emitting 32 raw bytes of Nr into ISAKMP Nonce Payload | Nr ea 3d eb 93 2a 38 11 64 d1 30 4d 8e b3 ad f7 7d | Nr a5 d8 13 c3 c4 e2 
ed 73 d9 e1 93 78 a3 36 86 4e | emitting length of ISAKMP Nonce Payload: 36 | ***emit ISAKMP Key Exchange Payload: | next payload type: ISAKMP_NEXT_ID (0x5) | next payload chain: ignoring supplied 'ISAKMP Key Exchange Payload'.'next payload type' value 5:ISAKMP_NEXT_ID | next payload chain: setting previous 'ISAKMP Nonce Payload'.'next payload type' to current ISAKMP Key Exchange Payload (4:ISAKMP_NEXT_KE) | next payload chain: saving location 'ISAKMP Key Exchange Payload'.'next payload type' in 'reply packet' | emitting 256 raw bytes of keyex value into ISAKMP Key Exchange Payload | emitting length of ISAKMP Key Exchange Payload: 260 | ***emit ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_ID (0x5) | ID type: ID_IPV4_ADDR (0x1) | Protocol ID: 0 (0x0) | port: 0 (0x0) | next payload chain: ignoring supplied 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' value 5:ISAKMP_NEXT_ID | next payload chain: setting previous 'ISAKMP Key Exchange
Payload'.'next payload type' to current ISAKMP Identification Payload (IPsec DOI) (5:ISAKMP_NEXT_ID) | next payload chain: saving location 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' in 'reply packet' | emitting 4 raw bytes of ID body into ISAKMP Identification Payload (IPsec DOI) | ID body c0 00 01 fe | emitting length of ISAKMP Identification Payload (IPsec DOI): 12 | ***emit ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_NONE (0x0) | ID type: ID_IPV4_ADDR (0x1) | Protocol ID: 0 (0x0) | port: 0 (0x0) | next payload chain: setting previous 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' to current ISAKMP Identification Payload (IPsec DOI) (5:ISAKMP_NEXT_ID) | next payload chain: saving location 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' in 'reply packet' | emitting 4 raw bytes of ID body into ISAKMP Identification Payload (IPsec DOI) | ID body c0 00 02 fe | emitting length of ISAKMP Identification Payload (IPsec DOI): 12 | quick inR1 outI2 HASH(2): | ab 93 67 62 23 a7 59 47 d4 a6 6b 4a 0e b3 eb fc | 34 2d 4c f8 ab 9c a0 ab 97 66 89 ef 1c 02 7b 1e | compute_proto_keymat: needed_len (after ESP enc)=16 | compute_proto_keymat: needed_len (after ESP auth)=36 | FOR_EACH_CONNECTION_... in route_owner | conn TUNNEL-A mark 0/00000000, 0/00000000 vs | conn TUNNEL-C mark 0/00000000, 0/00000000 | conn TUNNEL-A mark 0/00000000, 0/00000000 vs | conn TUNNEL-B mark 0/00000000, 0/00000000 | conn TUNNEL-A mark 0/00000000, 0/00000000 vs | conn TUNNEL-A mark 0/00000000, 0/00000000 | route owner of "TUNNEL-A" unrouted: NULL | install_inbound_ipsec_sa() checking if we can route | could_route called for TUNNEL-A (kind=CK_PERMANENT) | FOR_EACH_CONNECTION_... 
in route_owner | conn TUNNEL-A mark 0/00000000, 0/00000000 vs | conn TUNNEL-C mark 0/00000000, 0/00000000 | conn TUNNEL-A mark 0/00000000, 0/00000000 vs | conn TUNNEL-B mark 0/00000000, 0/00000000 | conn TUNNEL-A mark 0/00000000, 0/00000000 vs | conn TUNNEL-A mark 0/00000000, 0/00000000 | route owner of "TUNNEL-A" unrouted: NULL; eroute owner: NULL | routing is easy, or has resolvable near-conflict | checking if this is a replacement state | st=0x55c3e16114c8 ost=(nil) st->serialno=#2 ost->serialno=#0 | installing outgoing SA now as refhim=0 | looking for alg with encrypt: AES_CBC keylen: 128 integ: HMAC_SHA1_96 | encrypt AES_CBC keylen=128 transid=12, key_size=16, encryptalg=12 | st->st_esp.keymat_len=36 is encrypt_keymat_size=16 + integ_keymat_size=20 | setting IPsec SA replay-window to 32 | NIC esp-hw-offload not for connection 'TUNNEL-A' not available on interface eth1 | netlink: enabling tunnel mode | netlink: setting IPsec SA replay-window to 32 using old-style req | netlink: esp-hw-offload not set for IPsec SA | netlink response for Add SA esp.6325f223@192.1.2.45 included non-error error | outgoing SA has refhim=0 | looking for alg with encrypt: AES_CBC keylen: 128 integ: HMAC_SHA1_96 | encrypt AES_CBC keylen=128 transid=12, key_size=16, encryptalg=12 | st->st_esp.keymat_len=36 is encrypt_keymat_size=16 + integ_keymat_size=20 | setting IPsec SA replay-window to 32 | NIC esp-hw-offload not for connection 'TUNNEL-A' not available on interface eth1 | netlink: enabling tunnel mode | netlink: setting IPsec SA replay-window to 32 using old-style req | netlink: esp-hw-offload not set for IPsec SA | netlink response for Add SA esp.f581f61c@192.1.2.23 included non-error error | priority calculation of connection "TUNNEL-A" is 0xfdfdf | add inbound eroute 192.0.1.254/32:0 --0-> 192.0.2.254/32:0 => tun.10000@192.1.2.23 (raw_eroute) | IPsec Sa SPD priority set to 1040351 | raw_eroute result=success | emitting 4 zero bytes of encryption padding into ISAKMP Message | no 
IKEv1 message padding required | emitting length of ISAKMP Message: 444 | finished processing quick inI1 | complete v1 state transition with STF_OK | [RE]START processing: state #2 connection "TUNNEL-A" from 192.1.2.45:500 (in complete_v1_state_transition() at ikev1.c:2673) | #2 is idle | doing_xauth:no, t_xauth_client_done:no | IKEv1: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1 | child state #2: QUICK_R0(established CHILD SA) => QUICK_R1(established CHILD SA) | event_already_set, deleting event | state #2 requesting EVENT_CRYPTO_TIMEOUT to be deleted | libevent_free: release ptr-libevent@0x55c3e15c9bf8 | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55c3e15faed8 | sending reply packet to 192.1.2.45:500 (from 192.1.2.23:500) | sending 444 bytes for STATE_QUICK_R0 through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #2)
| !event_already_set at reschedule | event_schedule: new EVENT_RETRANSMIT-pe@0x55c3e15faed8 | inserting event EVENT_RETRANSMIT, timeout in 0.5 seconds for #2 | libevent_malloc: new ptr-libevent@0x55c3e15ff1e8 size 128 | #2 STATE_QUICK_R1: retransmits: first event in 0.5 seconds; timeout in 60 seconds; limit of 12 retransmits; current time is 29783.030034 | pstats #2 ikev1.ipsec established | NAT-T: encaps is 'auto' "TUNNEL-A" #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 tunnel mode {ESP=>0x6325f223 <0xf581f61c xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=none NATD=none DPD=passive} | modecfg pull: noquirk policy:push not-client | phase 1 is done, looking for phase 2 to unpend | resume sending helper answer for #2 suppresed complete_v1_state_transition() | #2 spent 0.606 milliseconds in resume sending helper answer | stop processing: state #2 connection "TUNNEL-A" from 192.1.2.45:500 (in resume_handler() at server.c:833) | libevent_free: release ptr-libevent@0x7f0804003618 | spent 0.00281 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 76 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500) | 50 48 d3 e7 c5 a5 6d 29 ba db bc b1 d4 d2 34 51 | 08 10 20 01 4c 11 ae 0f 00 00 00 4c 19 28 d8 d3 | 9e e7 9c a8 ac 59 bd fb 7d 8a b0 bc 52 a7 1f 4d | cc 1e bd 84 a9 f3 56 3c 14 f7 0a 2d 64 72 c9 68 | 10 29 62 79 fc d1 17 64 bb b1 21 67 | start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 50 48 d3 e7 c5 a5 6d 29 | responder cookie: | ba db bc b1 d4 d2 34 51 | next payload type: ISAKMP_NEXT_HASH (0x8) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_QUICK (0x20) | flags:
ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 1276227087 (0x4c11ae0f) | length: 76 (0x4c) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_QUICK (32) | State DB: found IKEv1 state #2 in QUICK_R1 (find_state_ikev1) | start processing: state #2 connection "TUNNEL-A" from 192.1.2.45:500 (in process_v1_packet() at ikev1.c:1633) | #2 is idle | #2 idle | received encrypted packet from 192.1.2.45:500 | got payload 0x100 (ISAKMP_NEXT_HASH) needed: 0x100 opt: 0x0 | ***parse ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 36 (0x24) | removing 12 bytes of padding | quick_inI2 HASH(3): | c3 15 68 47 26 66 2d be 02 85 07 d6 5d 3d da 64 | 2a 8c 0a d5 f7 ec 79 62 3c a8 7a 2e 7a 3b c1 a7 | received 'quick_inI2' message HASH(3) data ok | install_ipsec_sa() for #2: outbound only | could_route called for TUNNEL-A (kind=CK_PERMANENT) | FOR_EACH_CONNECTION_... in route_owner | conn TUNNEL-A mark 0/00000000, 0/00000000 vs | conn TUNNEL-C mark 0/00000000, 0/00000000 | conn TUNNEL-A mark 0/00000000, 0/00000000 vs | conn TUNNEL-B mark 0/00000000, 0/00000000 | conn TUNNEL-A mark 0/00000000, 0/00000000 vs | conn TUNNEL-A mark 0/00000000, 0/00000000 | route owner of "TUNNEL-A" unrouted: NULL; eroute owner: NULL | sr for #2: unrouted | route_and_eroute() for proto 0, and source port 0 dest port 0 | FOR_EACH_CONNECTION_... 
in route_owner | conn TUNNEL-A mark 0/00000000, 0/00000000 vs | conn TUNNEL-C mark 0/00000000, 0/00000000 | conn TUNNEL-A mark 0/00000000, 0/00000000 vs | conn TUNNEL-B mark 0/00000000, 0/00000000 | conn TUNNEL-A mark 0/00000000, 0/00000000 vs | conn TUNNEL-A mark 0/00000000, 0/00000000 | route owner of "TUNNEL-A" unrouted: NULL; eroute owner: NULL | route_and_eroute with c: TUNNEL-A (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: #2 | priority calculation of connection "TUNNEL-A" is 0xfdfdf | eroute_connection add eroute 192.0.2.254/32:0 --0-> 192.0.1.254/32:0 => tun.0@192.1.2.45 (raw_eroute) | IPsec Sa SPD priority set to 1040351 | raw_eroute result=success | running updown command "ipsec _updown" for verb up | command executing up-client | executing up-client: PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='TUNNEL-A' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' PLUTO_MY_CLIENT='192.0.2.254/32' PLUTO_MY_CLIENT_NET='192.0.2.254' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' PLUTO_PEER_CLIENT='192.0.1.254/32' PLUTO_PEER_CLIENT_NET='192.0.1.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMIL | popen cmd is 1313 chars long | cmd( 0):PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='TUNNEL-A' PLUTO_INT: | cmd( 80):ERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' 
PLUTO_MY_ID='C=C: | cmd( 160):A, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libre: | cmd( 240):swan.org, E=user-east@testing.libreswan.org' PLUTO_MY_CLIENT='192.0.2.254/32' PL: | cmd( 320):UTO_MY_CLIENT_NET='192.0.2.254' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_: | cmd( 400):PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_: | cmd( 480):PEER='192.1.2.45' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Te: | cmd( 560):st Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org': | cmd( 640): PLUTO_PEER_CLIENT='192.0.1.254/32' PLUTO_PEER_CLIENT_NET='192.0.1.254' PLUTO_PE: | cmd( 720):ER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLU: | cmd( 800):TO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+E: | cmd( 880):NCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND: | cmd( 960):='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_MY_SOURCEIP='1: | cmd(1040):92.0.2.254' PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INF: | cmd(1120):O='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CON: | cmd(1200):FIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x6325f223 SPI_: | cmd(1280):OUT=0xf581f61c ipsec _updown 2>&1: | route_and_eroute: firewall_notified: true | running updown command "ipsec _updown" for verb prepare | command executing prepare-client | executing prepare-client: PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='TUNNEL-A' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' PLUTO_MY_CLIENT='192.0.2.254/32' PLUTO_MY_CLIENT_NET='192.0.2.254' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' 
PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' PLUTO_PEER_CLIENT='192.0.1.254/32' PLUTO_PEER_CLIENT_NET='192.0.1.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN | popen cmd is 1318 chars long | cmd( 0):PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='TUNNEL-A' PLUT: | cmd( 80):O_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID: | cmd( 160):='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.: | cmd( 240):libreswan.org, E=user-east@testing.libreswan.org' PLUTO_MY_CLIENT='192.0.2.254/3: | cmd( 320):2' PLUTO_MY_CLIENT_NET='192.0.2.254' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUT: | cmd( 400):O_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' P: | cmd( 480):LUTO_PEER='192.1.2.45' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, : | cmd( 560):OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan: | cmd( 640):.org' PLUTO_PEER_CLIENT='192.0.1.254/32' PLUTO_PEER_CLIENT_NET='192.0.1.254' PLU: | cmd( 720):TO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0: | cmd( 800):' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSA: | cmd( 880):SIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN: | cmd( 960):_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_MY_SOURCE: | cmd(1040):IP='192.0.2.254' PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAI: | cmd(1120):N_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_N: | 
cmd(1200):M_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x6325f223: | cmd(1280): SPI_OUT=0xf581f61c ipsec _updown 2>&1: | running updown command "ipsec _updown" for verb route | command executing route-client | executing route-client: PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='TUNNEL-A' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' PLUTO_MY_CLIENT='192.0.2.254/32' PLUTO_MY_CLIENT_NET='192.0.2.254' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' PLUTO_PEER_CLIENT='192.0.1.254/32' PLUTO_PEER_CLIENT_NET='192.0.1.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADD | popen cmd is 1316 chars long | cmd( 0):PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='TUNNEL-A' PLUTO_: | cmd( 80):INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID=': | cmd( 160):C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.li: | cmd( 240):breswan.org, E=user-east@testing.libreswan.org' PLUTO_MY_CLIENT='192.0.2.254/32': | cmd( 320): PLUTO_MY_CLIENT_NET='192.0.2.254' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_: | cmd( 400):MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLU: | cmd( 480):TO_PEER='192.1.2.45' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU: | cmd( 560):=Test Department, CN=west.testing.libreswan.org, 
E=user-west@testing.libreswan.o: | cmd( 640):rg' PLUTO_PEER_CLIENT='192.0.1.254/32' PLUTO_PEER_CLIENT_NET='192.0.1.254' PLUTO: | cmd( 720):_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' : | cmd( 800):PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASI: | cmd( 880):G+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_K: | cmd( 960):IND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_MY_SOURCEIP: | cmd(1040):='192.0.2.254' PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_: | cmd(1120):INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_: | cmd(1200):CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x6325f223 S: | cmd(1280):PI_OUT=0xf581f61c ipsec _updown 2>&1: "TUNNEL-A" #2: route-client output: Error: Peer netns reference is invalid. "TUNNEL-A" #2: route-client output: Error: Peer netns reference is invalid. "TUNNEL-A" #2: route-client output: Error: Peer netns reference is invalid. "TUNNEL-A" #2: route-client output: Error: Peer netns reference is invalid. "TUNNEL-A" #2: route-client output: Error: Peer netns reference is invalid. "TUNNEL-A" #2: route-client output: Error: Peer netns reference is invalid. "TUNNEL-A" #2: route-client output: Error: Peer netns reference is invalid. "TUNNEL-A" #2: route-client output: Error: Peer netns reference is invalid. "TUNNEL-A" #2: route-client output: Error: Peer netns reference is invalid. "TUNNEL-A" #2: route-client output: Error: Peer netns reference is invalid. "TUNNEL-A" #2: route-client output: Error: Peer netns reference is invalid. "TUNNEL-A" #2: route-client output: Error: Peer netns reference is invalid. "TUNNEL-A" #2: route-client output: Error: Peer netns reference is invalid. "TUNNEL-A" #2: route-client output: Error: Peer netns reference is invalid. 
| route_and_eroute: instance "TUNNEL-A", setting eroute_owner {spd=0x55c3e15ee738,sr=0x55c3e15ee738} to #2 (was #0) (newest_ipsec_sa=#0) | #1 spent 1.47 milliseconds in install_ipsec_sa() | inI2: instance TUNNEL-A[0], setting IKEv1 newest_ipsec_sa to #2 (was #0) (spd.eroute=#2) cloned from #1 | DPD: dpd_init() called on IPsec SA | DPD: Peer does not support Dead Peer Detection | complete v1 state transition with STF_OK | [RE]START processing: state #2 connection "TUNNEL-A" from 192.1.2.45:500 (in complete_v1_state_transition() at ikev1.c:2673) | #2 is idle | doing_xauth:no, t_xauth_client_done:no | IKEv1: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2 | child state #2: QUICK_R1(established CHILD SA) => QUICK_R2(established CHILD SA) | event_already_set, deleting event | state #2 requesting EVENT_RETRANSMIT to be deleted | #2 STATE_QUICK_R2: retransmits: cleared | libevent_free: release ptr-libevent@0x55c3e15ff1e8 | free_event_entry: release EVENT_RETRANSMIT-pe@0x55c3e15faed8 | !event_already_set at reschedule | event_schedule: new EVENT_SA_REPLACE-pe@0x55c3e15faed8 | inserting event EVENT_SA_REPLACE, timeout in 28799 seconds for #2 | libevent_malloc: new ptr-libevent@0x7f0804003618 size 128 | pstats #2 ikev1.ipsec established | NAT-T: encaps is 'auto' "TUNNEL-A" #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x6325f223 <0xf581f61c xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=none NATD=none DPD=passive} | modecfg pull: noquirk policy:push not-client | phase 1 is done, looking for phase 2 to unpend | #2 spent 1.55 milliseconds in process_packet_tail() | stop processing: from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:380) | stop processing: state #2 connection "TUNNEL-A" from 192.1.2.45:500 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 1.68 milliseconds in comm_handle_cb() reading and processing packet | kernel_process_msg_cb process netlink message | netlink_get: 
XFRM_MSG_EXPIRE message | spent 0.251 milliseconds in kernel message | processing signal PLUTO_SIGCHLD | waitpid returned ECHILD (no child processes left) | spent 0.00308 milliseconds in signal handler PLUTO_SIGCHLD | processing signal PLUTO_SIGCHLD | waitpid returned ECHILD (no child processes left) | spent 0.00197 milliseconds in signal handler PLUTO_SIGCHLD | processing signal PLUTO_SIGCHLD | waitpid returned ECHILD (no child processes left) | spent 0.00194 milliseconds in signal handler PLUTO_SIGCHLD | spent 0.00277 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 476 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500)
| start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 50 48 d3 e7 c5 a5 6d 29 | responder cookie: | ba db bc b1 d4 d2 34 51 | next payload type: ISAKMP_NEXT_HASH (0x8) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_QUICK (0x20) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 3637092545 (0xd8c9a0c1) | length: 476 (0x1dc) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_QUICK (32) | State DB: IKEv1 state not found (find_state_ikev1) | State DB: found IKEv1 state #1 in MAIN_R3 (find_state_ikev1) | start processing: state #1 connection "TUNNEL-C" from 192.1.2.45:500 (in process_v1_packet() at ikev1.c:1607) | #1 is idle | #1 idle | received encrypted packet from 192.1.2.45:500 | got payload 0x100 (ISAKMP_NEXT_HASH) needed: 0x502 opt: 0x200030 | ***parse ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_SA (0x1) | length: 36 (0x24) | got payload 0x2 (ISAKMP_NEXT_SA) needed: 0x402 opt: 0x200030 | ***parse ISAKMP Security Association Payload: | next payload type: ISAKMP_NEXT_NONCE (0xa) | length: 84 (0x54) | DOI: ISAKMP_DOI_IPSEC (0x1) | got payload 0x400 (ISAKMP_NEXT_NONCE) needed: 0x400 opt: 0x200030 | ***parse ISAKMP Nonce Payload: | next payload type: ISAKMP_NEXT_KE (0x4) | length: 36 (0x24) | got payload 0x10 (ISAKMP_NEXT_KE) needed: 0x0 opt: 0x200030 | ***parse ISAKMP Key Exchange Payload: | next payload type: ISAKMP_NEXT_ID (0x5) | length: 260 (0x104) | got payload 0x20 (ISAKMP_NEXT_ID) needed: 0x0 opt: 0x200030 | ***parse ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_ID (0x5) | length: 12 (0xc) | ID type: ID_IPV4_ADDR (0x1) | Protocol ID: 0 (0x0) | port: 0 (0x0) | obj: c0 00 01 fe | got payload 0x20 (ISAKMP_NEXT_ID) needed: 0x0 opt: 0x200030 | ***parse ISAKMP 
Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 12 (0xc) | ID type: ID_IPV4_ADDR (0x1) | Protocol ID: 0 (0x0) | port: 0 (0x0) | obj: c0 00 02 f4 | removing 8 bytes of padding | quick_inI1_outR1 HASH(1): | d7 65 62 ba 63 2f da 1f b3 8a 7a a0 47 15 03 be | 77 6f 44 e7 e3 c8 a3 45 f6 36 3a 95 58 06 94 47 | received 'quick_inI1_outR1' message HASH(1) data ok | parsing 4 raw bytes of ISAKMP Identification Payload (IPsec DOI) into ID address | ID address c0 00 01 fe | peer client is 192.0.1.254/32 | peer client protocol/port is 0/0 | parsing 4 raw bytes of ISAKMP Identification Payload (IPsec DOI) into ID address | ID address c0 00 02 f4 | our client is 192.0.2.244/32 | our client protocol/port is 0/0 "TUNNEL-C" #1: the peer proposed: 192.0.2.244/32:0/0 -> 192.0.1.254/32:0/0 | find_client_connection starting with TUNNEL-C | looking for 192.0.2.244/32:0/0 -> 192.0.1.254/32:0/0 | concrete checking against sr#0 192.0.2.234/32 -> 192.0.1.254/32 | match_id a=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org | b=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org | results matched | fc_try trying TUNNEL-C:192.0.2.244/32:0/0 -> 192.0.1.254/32:0/0 vs TUNNEL-C:192.0.2.234/32:0/0 -> 192.0.1.254/32:0/0 | our client (192.0.2.234/32) not in our_net (192.0.2.244/32) | match_id a=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org | b=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org | results matched | fc_try trying TUNNEL-C:192.0.2.244/32:0/0 -> 192.0.1.254/32:0/0 vs TUNNEL-B:192.0.2.244/32:0/0 -> 192.0.1.254/32:0/0 | match_id a=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, 
E=user-west@testing.libreswan.org | b=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org | results matched | fc_try trying TUNNEL-C:192.0.2.244/32:0/0 -> 192.0.1.254/32:0/0 vs TUNNEL-A:192.0.2.254/32:0/0 -> 192.0.1.254/32:0/0 | our client (192.0.2.254/32) not in our_net (192.0.2.244/32) | fc_try concluding with TUNNEL-B [128] | fc_try TUNNEL-C gives TUNNEL-B | concluding with d = TUNNEL-B | using connection "TUNNEL-B" | client wildcard: no port wildcard: no virtual: no | creating state object #3 at 0x55c3e16000f8 | State DB: adding IKEv1 state #3 in UNDEFINED | pstats #3 ikev1.ipsec started | duplicating state object #1 "TUNNEL-C" as #3 for IPSEC SA | #3 setting local endpoint to 192.1.2.23:500 from #1.st_localport (in duplicate_state() at state.c:1484) | in connection_discard for connection TUNNEL-C | start processing: connection "TUNNEL-B" (BACKGROUND) (in quick_inI1_outR1_tail() at ikev1_quick.c:1286) | suspend processing: state #1 connection "TUNNEL-C" from 192.1.2.45:500 (in quick_inI1_outR1_tail() at ikev1_quick.c:1295) | start processing: state #3 connection "TUNNEL-B" from 192.1.2.45:500 (in quick_inI1_outR1_tail() at ikev1_quick.c:1295) | child state #3: UNDEFINED(ignore) => QUICK_R0(established CHILD SA) | ****parse IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ****parse ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 72 (0x48) | proposal number: 0 (0x0) | protocol ID: PROTO_IPSEC_ESP (0x3) | SPI size: 4 (0x4) | number of transforms: 2 (0x2) | parsing 4 raw bytes of ISAKMP Proposal Payload into SPI | SPI 37 2c 7d b6 | *****parse ISAKMP Transform Payload (ESP): | next payload type: ISAKMP_NEXT_T (0x3) | length: 32 (0x20) | ESP transform number: 0 (0x0) | ESP transform ID: ESP_AES (0xc) | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+GROUP_DESCRIPTION (0x8003) | length/value: 14 (0xe) | [14 is OAKLEY_GROUP_MODP2048] | ******parse 
ISAKMP IPsec DOI attribute: | af+type: AF+ENCAPSULATION_MODE (0x8004) | length/value: 1 (0x1) | [1 is ENCAPSULATION_MODE_TUNNEL] | NAT-T non-encap: Installing IPsec SA without ENCAP, st->hidden_variables.st_nat_traversal is none | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+SA_LIFE_TYPE (0x8001) | length/value: 1 (0x1) | [1 is SA_LIFE_TYPE_SECONDS] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+SA_LIFE_DURATION (variable length) (0x8002) | length/value: 28800 (0x7080) | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+AUTH_ALGORITHM (0x8005) | length/value: 2 (0x2) | [2 is AUTH_ALGORITHM_HMAC_SHA1] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+KEY_LENGTH (0x8006) | length/value: 128 (0x80) | ESP IPsec Transform verified unconditionally; no alg_info to check against | adding quick_outI1 KE work-order 5 for state #3 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x7f0810004218 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #3 | libevent_malloc: new ptr-libevent@0x55c3e15c9bf8 size 128 | complete v1 state transition with STF_SUSPEND | [RE]START processing: state #3 connection "TUNNEL-B" from 192.1.2.45:500 (in complete_v1_state_transition() at ikev1.c:2648) | suspending state #3 and saving MD | #3 is busy; has a suspended MD | #1 spent 0.194 milliseconds in process_packet_tail() | crypto helper 4 resuming | crypto helper 4 starting work-order 5 for state #3 | stop processing: from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:380) | crypto helper 4 doing build KE and nonce (quick_outI1 KE); request ID 5 | stop processing: state #3 connection "TUNNEL-B" from 192.1.2.45:500 (in process_md() at demux.c:382) | resume processing: connection "TUNNEL-B" (in process_md() at demux.c:382) | stop processing: connection "TUNNEL-B" (in process_md() at demux.c:383) | spent 0.451 milliseconds in comm_handle_cb() reading and processing packet | crypto helper 4 finished build KE and nonce (quick_outI1 KE); request ID 5 time 
elapsed 0.000822 seconds | (#3) spent 0.828 milliseconds in crypto helper computing work-order 5: quick_outI1 KE (pcr) | crypto helper 4 sending results from work-order 5 for state #3 to event queue | scheduling resume sending helper answer for #3 | libevent_malloc: new ptr-libevent@0x7f0808002888 size 128 | crypto helper 4 waiting (nothing to do) | processing resume sending helper answer for #3 | start processing: state #3 connection "TUNNEL-B" from 192.1.2.45:500 (in resume_handler() at server.c:797) | crypto helper 4 replies to request ID 5 | calling continuation function 0x55c3e079eb50 | quick_inI1_outR1_cryptocontinue1 for #3: calculated ke+nonce, calculating DH | started looking for secret for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org->C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org of kind PKK_PSK | actually looking for secret for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org->C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org of kind PKK_PSK | line 0: key type PKK_PSK(C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org) to type PKK_RSA | line 1: key type PKK_PSK(C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org) to type PKK_RSA | concluding with best_match=000 best=(nil) (lineno=-1) | no PreShared Key Found | adding quick outR1 DH work-order 6 for state #3 | state #3 requesting EVENT_CRYPTO_TIMEOUT to be deleted | libevent_free: release ptr-libevent@0x55c3e15c9bf8 | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x7f0810004218 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x7f0810004218 | 
inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #3 | libevent_malloc: new ptr-libevent@0x55c3e15c9bf8 size 128 | suspending state #3 and saving MD | #3 is busy; has a suspended MD | resume sending helper answer for #3 suppresed complete_v1_state_transition() and stole MD | #3 spent 0.0506 milliseconds in resume sending helper answer | crypto helper 5 resuming | crypto helper 5 starting work-order 6 for state #3 | stop processing: state #3 connection "TUNNEL-B" from 192.1.2.45:500 (in resume_handler() at server.c:833) | crypto helper 5 doing compute dh (V1 Phase 2 PFS) (quick outR1 DH); request ID 6 | libevent_free: release ptr-libevent@0x7f0808002888 | crypto helper 5 finished compute dh (V1 Phase 2 PFS) (quick outR1 DH); request ID 6 time elapsed 0.000597 seconds | (#3) spent 0.598 milliseconds in crypto helper computing work-order 6: quick outR1 DH (pcr) | crypto helper 5 sending results from work-order 6 for state #3 to event queue | scheduling resume sending helper answer for #3 | libevent_malloc: new ptr-libevent@0x7f07fc001f78 size 128 | crypto helper 5 waiting (nothing to do) | processing resume sending helper answer for #3 | start processing: state #3 connection "TUNNEL-B" from 192.1.2.45:500 (in resume_handler() at server.c:797) | crypto helper 5 replies to request ID 6 | calling continuation function 0x55c3e079eb50 | quick_inI1_outR1_cryptocontinue2 for #3: calculated DH, sending R1 | **emit ISAKMP Message: | initiator cookie: | 50 48 d3 e7 c5 a5 6d 29 | responder cookie: | ba db bc b1 d4 d2 34 51 | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_QUICK (0x20) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 3637092545 (0xd8c9a0c1) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload 
type' to current ISAKMP Hash Payload (8:ISAKMP_NEXT_HASH) | next payload chain: saving location 'ISAKMP Hash Payload'.'next payload type' in 'reply packet' | emitting 32 zero bytes of HASH DATA into ISAKMP Hash Payload | emitting length of ISAKMP Hash Payload: 36 | ***emit ISAKMP Security Association Payload: | next payload type: ISAKMP_NEXT_NONCE (0xa) | DOI: ISAKMP_DOI_IPSEC (0x1) | next payload chain: ignoring supplied 'ISAKMP Security Association Payload'.'next payload type' value 10:ISAKMP_NEXT_NONCE | next payload chain: setting previous 'ISAKMP Hash Payload'.'next payload type' to current ISAKMP Security Association Payload (1:ISAKMP_NEXT_SA) | next payload chain: saving location 'ISAKMP Security Association Payload'.'next payload type' in 'reply packet' | ****parse IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ****parse ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 72 (0x48) | proposal number: 0 (0x0) | protocol ID: PROTO_IPSEC_ESP (0x3) | SPI size: 4 (0x4) | number of transforms: 2 (0x2) | parsing 4 raw bytes of ISAKMP Proposal Payload into SPI | SPI 37 2c 7d b6 | *****parse ISAKMP Transform Payload (ESP): | next payload type: ISAKMP_NEXT_T (0x3) | length: 32 (0x20) | ESP transform number: 0 (0x0) | ESP transform ID: ESP_AES (0xc) | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+GROUP_DESCRIPTION (0x8003) | length/value: 14 (0xe) | [14 is OAKLEY_GROUP_MODP2048] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+ENCAPSULATION_MODE (0x8004) | length/value: 1 (0x1) | [1 is ENCAPSULATION_MODE_TUNNEL] | NAT-T non-encap: Installing IPsec SA without ENCAP, st->hidden_variables.st_nat_traversal is none | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+SA_LIFE_TYPE (0x8001) | length/value: 1 (0x1) | [1 is SA_LIFE_TYPE_SECONDS] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+SA_LIFE_DURATION (variable length) (0x8002) | length/value: 28800 (0x7080) | ******parse ISAKMP IPsec DOI attribute: | 
af+type: AF+AUTH_ALGORITHM (0x8005) | length/value: 2 (0x2) | [2 is AUTH_ALGORITHM_HMAC_SHA1] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+KEY_LENGTH (0x8006) | length/value: 128 (0x80) | ESP IPsec Transform verified unconditionally; no alg_info to check against | ****emit IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ****emit ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | proposal number: 0 (0x0) | protocol ID: PROTO_IPSEC_ESP (0x3) | SPI size: 4 (0x4) | number of transforms: 1 (0x1) | last substructure: saving location 'ISAKMP Security Association Payload'.'ISAKMP Proposal Payload'.'next payload type' | netlink_get_spi: allocated 0x4cadbfb4 for esp.0@192.1.2.23 | emitting 4 raw bytes of SPI into ISAKMP Proposal Payload | SPI 4c ad bf b4 | *****emit ISAKMP Transform Payload (ESP): | next payload type: ISAKMP_NEXT_NONE (0x0) | ESP transform number: 0 (0x0) | ESP transform ID: ESP_AES (0xc) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ESP)'.'next payload type' | emitting 24 raw bytes of attributes into ISAKMP Transform Payload (ESP) | attributes 80 03 00 0e 80 04 00 01 80 01 00 01 80 02 70 80 | attributes 80 05 00 02 80 06 00 80 | emitting length of ISAKMP Transform Payload (ESP): 32 | emitting length of ISAKMP Proposal Payload: 44 | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ESP)'.'next payload type' is 0 | emitting length of ISAKMP Security Association Payload: 56 | last substructure: checking 'ISAKMP Security Association Payload'.'ISAKMP Proposal Payload'.'next payload type' is 0 "TUNNEL-B" #3: responding to Quick Mode proposal {msgid:d8c9a0c1} "TUNNEL-B" #3: us: 192.0.2.244/32===192.1.2.23<192.1.2.23>[C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org] "TUNNEL-B" #3: them: 192.1.2.45<192.1.2.45>[C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, 
CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org]===192.0.1.254/32 | ***emit ISAKMP Nonce Payload: | next payload type: ISAKMP_NEXT_KE (0x4) | next payload chain: ignoring supplied 'ISAKMP Nonce Payload'.'next payload type' value 4:ISAKMP_NEXT_KE | next payload chain: setting previous 'ISAKMP Security Association Payload'.'next payload type' to current ISAKMP Nonce Payload (10:ISAKMP_NEXT_NONCE) | next payload chain: saving location 'ISAKMP Nonce Payload'.'next payload type' in 'reply packet' | emitting 32 raw bytes of Nr into ISAKMP Nonce Payload | Nr b6 75 40 a3 5e c8 1d cd 7f 22 c7 90 0f d1 b9 2f | Nr 9b 6b 93 b7 64 86 4c c5 f5 db 5f 4f d2 3e 0c fe | emitting length of ISAKMP Nonce Payload: 36 | ***emit ISAKMP Key Exchange Payload: | next payload type: ISAKMP_NEXT_ID (0x5) | next payload chain: ignoring supplied 'ISAKMP Key Exchange Payload'.'next payload type' value 5:ISAKMP_NEXT_ID | next payload chain: setting previous 'ISAKMP Nonce Payload'.'next payload type' to current ISAKMP Key Exchange Payload (4:ISAKMP_NEXT_KE) | next payload chain: saving location 'ISAKMP Key Exchange Payload'.'next payload type' in 'reply packet' | emitting 256 raw bytes of keyex value into ISAKMP Key Exchange Payload
| emitting length of ISAKMP Key Exchange Payload: 260 | ***emit ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_ID (0x5) | ID type: ID_IPV4_ADDR (0x1) | Protocol ID: 0 (0x0) | port: 0 (0x0) | next payload chain: ignoring supplied 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' value 5:ISAKMP_NEXT_ID | next payload chain: setting previous 'ISAKMP Key Exchange Payload'.'next payload type' to current ISAKMP Identification Payload (IPsec DOI) (5:ISAKMP_NEXT_ID) | next payload chain: saving location 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' in 'reply packet' | emitting 4 raw bytes of ID body into ISAKMP Identification Payload (IPsec DOI) | ID body c0 00 01 fe | emitting length of ISAKMP Identification Payload (IPsec DOI): 12 | ***emit ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_NONE (0x0) | ID type: ID_IPV4_ADDR (0x1) | Protocol ID: 0 (0x0) | port: 0 (0x0) | next payload chain: setting previous 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' to current ISAKMP Identification Payload (IPsec DOI) (5:ISAKMP_NEXT_ID) | next payload chain: saving location 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' in 'reply packet' | emitting 4 raw bytes of ID body into ISAKMP Identification Payload (IPsec DOI) | ID body c0 00 02 f4 | emitting length of ISAKMP Identification Payload (IPsec DOI): 12 | quick inR1 outI2 HASH(2): | 52 05 0f 4a 2f 3e 88 2a b2 d1 38 5b c8 99 e6 5b | de 35 d1 c8 a4 b7 3b 4d 13 57 52 db 59 5c 68 1a | compute_proto_keymat: needed_len (after ESP enc)=16 | compute_proto_keymat: needed_len (after ESP auth)=36 | FOR_EACH_CONNECTION_... 
in route_owner | conn TUNNEL-B mark 0/00000000, 0/00000000 vs | conn TUNNEL-C mark 0/00000000, 0/00000000 | conn TUNNEL-B mark 0/00000000, 0/00000000 vs | conn TUNNEL-B mark 0/00000000, 0/00000000 | conn TUNNEL-B mark 0/00000000, 0/00000000 vs | conn TUNNEL-A mark 0/00000000, 0/00000000 | route owner of "TUNNEL-B" unrouted: "TUNNEL-A" erouted | install_inbound_ipsec_sa() checking if we can route | could_route called for TUNNEL-B (kind=CK_PERMANENT) | FOR_EACH_CONNECTION_... in route_owner | conn TUNNEL-B mark 0/00000000, 0/00000000 vs | conn TUNNEL-C mark 0/00000000, 0/00000000 | conn TUNNEL-B mark 0/00000000, 0/00000000 vs | conn TUNNEL-B mark 0/00000000, 0/00000000 | conn TUNNEL-B mark 0/00000000, 0/00000000 vs | conn TUNNEL-A mark 0/00000000, 0/00000000 | route owner of "TUNNEL-B" unrouted: "TUNNEL-A" erouted; eroute owner: NULL | routing is easy, or has resolvable near-conflict | checking if this is a replacement state | st=0x55c3e16000f8 ost=(nil) st->serialno=#3 ost->serialno=#0 | installing outgoing SA now as refhim=0 | looking for alg with encrypt: AES_CBC keylen: 128 integ: HMAC_SHA1_96 | encrypt AES_CBC keylen=128 transid=12, key_size=16, encryptalg=12 | st->st_esp.keymat_len=36 is encrypt_keymat_size=16 + integ_keymat_size=20 | setting IPsec SA replay-window to 32 | NIC esp-hw-offload not for connection 'TUNNEL-B' not available on interface eth1 | netlink: enabling tunnel mode | netlink: setting IPsec SA replay-window to 32 using old-style req | netlink: esp-hw-offload not set for IPsec SA | netlink response for Add SA esp.372c7db6@192.1.2.45 included non-error error | outgoing SA has refhim=0 | looking for alg with encrypt: AES_CBC keylen: 128 integ: HMAC_SHA1_96 | encrypt AES_CBC keylen=128 transid=12, key_size=16, encryptalg=12 | st->st_esp.keymat_len=36 is encrypt_keymat_size=16 + integ_keymat_size=20 | setting IPsec SA replay-window to 32 | NIC esp-hw-offload not for connection 'TUNNEL-B' not available on interface eth1 | netlink: enabling tunnel 
mode | netlink: setting IPsec SA replay-window to 32 using old-style req | netlink: esp-hw-offload not set for IPsec SA | netlink response for Add SA esp.4cadbfb4@192.1.2.23 included non-error error | priority calculation of connection "TUNNEL-B" is 0xfdfdf | add inbound eroute 192.0.1.254/32:0 --0-> 192.0.2.244/32:0 => tun.10000@192.1.2.23 (raw_eroute) | IPsec Sa SPD priority set to 1040351 | raw_eroute result=success | emitting 4 zero bytes of encryption padding into ISAKMP Message | no IKEv1 message padding required | emitting length of ISAKMP Message: 444 | finished processing quick inI1 | complete v1 state transition with STF_OK | [RE]START processing: state #3 connection "TUNNEL-B" from 192.1.2.45:500 (in complete_v1_state_transition() at ikev1.c:2673) | #3 is idle | doing_xauth:no, t_xauth_client_done:no | IKEv1: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1 | child state #3: QUICK_R0(established CHILD SA) => QUICK_R1(established CHILD SA) | event_already_set, deleting event | state #3 requesting EVENT_CRYPTO_TIMEOUT to be deleted | libevent_free: release ptr-libevent@0x55c3e15c9bf8 | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x7f0810004218 | sending reply packet to 192.1.2.45:500 (from 192.1.2.23:500) | sending 444 bytes for STATE_QUICK_R0 through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #3)
| !event_already_set at reschedule | event_schedule: new EVENT_RETRANSMIT-pe@0x7f0810004218 | inserting event EVENT_RETRANSMIT, timeout in 0.5 seconds for #3 | libevent_malloc: new ptr-libevent@0x7f0808002888 size 128 | #3 STATE_QUICK_R1: retransmits: first event in 0.5 seconds; timeout in 60 seconds; limit of 12 retransmits; current time is 29783.120481 | pstats #3 ikev1.ipsec established | NAT-T: encaps is 'auto' "TUNNEL-B" #3: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 tunnel mode {ESP=>0x372c7db6 <0x4cadbfb4 xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=none NATD=none DPD=passive} | modecfg pull: noquirk policy:push not-client | phase 1 is done, looking for phase 2 to unpend | resume sending helper answer for #3 suppresed complete_v1_state_transition() | #3 spent 0.65 milliseconds in resume sending helper answer | stop processing: state #3 connection "TUNNEL-B" from 192.1.2.45:500 (in resume_handler() at server.c:833) | libevent_free: release ptr-libevent@0x7f07fc001f78 | spent 0.00273 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 76 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500) | 50 48 d3 e7 c5 a5 6d 29 ba db bc b1 d4 d2 34 51 | 08 10 20 01 d8 c9 a0 c1 00 00 00 4c 07 23 87 fb |
9a 70 a9 1c 1d 11 d0 80 40 6b 85 77 31 d4 83 6c | 8d 90 f2 e6 92 f0 25 b9 0a c7 d2 5e 8a e8 62 68 | 85 12 ad 7d 2b 74 74 f8 20 e2 57 83 | start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 50 48 d3 e7 c5 a5 6d 29 | responder cookie: | ba db bc b1 d4 d2 34 51 | next payload type: ISAKMP_NEXT_HASH (0x8) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_QUICK (0x20) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 3637092545 (0xd8c9a0c1) | length: 76 (0x4c) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_QUICK (32) | State DB: found IKEv1 state #3 in QUICK_R1 (find_state_ikev1) | start processing: state #3 connection "TUNNEL-B" from 192.1.2.45:500 (in process_v1_packet() at ikev1.c:1633) | #3 is idle | #3 idle | received encrypted packet from 192.1.2.45:500 | got payload 0x100 (ISAKMP_NEXT_HASH) needed: 0x100 opt: 0x0 | ***parse ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 36 (0x24) | removing 12 bytes of padding | quick_inI2 HASH(3): | 28 ad 0c 96 ad 61 75 00 8c 70 d8 86 b7 11 b9 d8 | 4e cc c1 5a 0c e0 76 2c 55 4b bf e8 92 a1 dc 9f | received 'quick_inI2' message HASH(3) data ok | install_ipsec_sa() for #3: outbound only | could_route called for TUNNEL-B (kind=CK_PERMANENT) | FOR_EACH_CONNECTION_... in route_owner | conn TUNNEL-B mark 0/00000000, 0/00000000 vs | conn TUNNEL-C mark 0/00000000, 0/00000000 | conn TUNNEL-B mark 0/00000000, 0/00000000 vs | conn TUNNEL-B mark 0/00000000, 0/00000000 | conn TUNNEL-B mark 0/00000000, 0/00000000 vs | conn TUNNEL-A mark 0/00000000, 0/00000000 | route owner of "TUNNEL-B" unrouted: "TUNNEL-A" erouted; eroute owner: NULL | sr for #3: unrouted | route_and_eroute() for proto 0, and source port 0 dest port 0 | FOR_EACH_CONNECTION_... 
in route_owner | conn TUNNEL-B mark 0/00000000, 0/00000000 vs | conn TUNNEL-C mark 0/00000000, 0/00000000 | conn TUNNEL-B mark 0/00000000, 0/00000000 vs | conn TUNNEL-B mark 0/00000000, 0/00000000 | conn TUNNEL-B mark 0/00000000, 0/00000000 vs | conn TUNNEL-A mark 0/00000000, 0/00000000 | route owner of "TUNNEL-B" unrouted: "TUNNEL-A" erouted; eroute owner: NULL | route_and_eroute with c: TUNNEL-B (next: none) ero:null esr:{(nil)} ro:TUNNEL-A rosr:{0x55c3e15ee738} and state: #3 | priority calculation of connection "TUNNEL-B" is 0xfdfdf | eroute_connection add eroute 192.0.2.244/32:0 --0-> 192.0.1.254/32:0 => tun.0@192.1.2.45 (raw_eroute) | IPsec Sa SPD priority set to 1040351 | raw_eroute result=success | running updown command "ipsec _updown" for verb up | command executing up-client | executing up-client: PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='TUNNEL-B' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' PLUTO_MY_CLIENT='192.0.2.244/32' PLUTO_MY_CLIENT_NET='192.0.2.244' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' PLUTO_PEER_CLIENT='192.0.1.254/32' PLUTO_PEER_CLIENT_NET='192.0.1.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMIL | popen cmd is 1313 chars long | cmd( 0):PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='TUNNEL-B' PLUTO_INT: | cmd( 80):ERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' 
PLUTO_ME='192.1.2.23' PLUTO_MY_ID='C=C: | cmd( 160):A, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libre: | cmd( 240):swan.org, E=user-east@testing.libreswan.org' PLUTO_MY_CLIENT='192.0.2.244/32' PL: | cmd( 320):UTO_MY_CLIENT_NET='192.0.2.244' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_: | cmd( 400):PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_: | cmd( 480):PEER='192.1.2.45' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Te: | cmd( 560):st Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org': | cmd( 640): PLUTO_PEER_CLIENT='192.0.1.254/32' PLUTO_PEER_CLIENT_NET='192.0.1.254' PLUTO_PE: | cmd( 720):ER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLU: | cmd( 800):TO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+E: | cmd( 880):NCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND: | cmd( 960):='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_MY_SOURCEIP='1: | cmd(1040):92.0.2.244' PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INF: | cmd(1120):O='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CON: | cmd(1200):FIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x372c7db6 SPI_: | cmd(1280):OUT=0x4cadbfb4 ipsec _updown 2>&1: | route_and_eroute: firewall_notified: true | route_and_eroute: instance "TUNNEL-B", setting eroute_owner {spd=0x55c3e15f3d28,sr=0x55c3e15f3d28} to #3 (was #0) (newest_ipsec_sa=#0) | #1 spent 0.574 milliseconds in install_ipsec_sa() | inI2: instance TUNNEL-B[0], setting IKEv1 newest_ipsec_sa to #3 (was #0) (spd.eroute=#3) cloned from #1 | DPD: dpd_init() called on IPsec SA | DPD: Peer does not support Dead Peer Detection | complete v1 state transition with STF_OK | [RE]START processing: state #3 connection "TUNNEL-B" from 192.1.2.45:500 (in complete_v1_state_transition() at ikev1.c:2673) | 
#3 is idle | doing_xauth:no, t_xauth_client_done:no | IKEv1: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2 | child state #3: QUICK_R1(established CHILD SA) => QUICK_R2(established CHILD SA) | event_already_set, deleting event | state #3 requesting EVENT_RETRANSMIT to be deleted | #3 STATE_QUICK_R2: retransmits: cleared | libevent_free: release ptr-libevent@0x7f0808002888 | free_event_entry: release EVENT_RETRANSMIT-pe@0x7f0810004218 | !event_already_set at reschedule | event_schedule: new EVENT_SA_REPLACE-pe@0x7f0810004218 | inserting event EVENT_SA_REPLACE, timeout in 28799 seconds for #3 | libevent_malloc: new ptr-libevent@0x7f07fc001f78 size 128 | pstats #3 ikev1.ipsec established | NAT-T: encaps is 'auto' "TUNNEL-B" #3: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x372c7db6 <0x4cadbfb4 xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=none NATD=none DPD=passive} | modecfg pull: noquirk policy:push not-client | phase 1 is done, looking for phase 2 to unpend | #3 spent 0.666 milliseconds in process_packet_tail() | stop processing: from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:380) | stop processing: state #3 connection "TUNNEL-B" from 192.1.2.45:500 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.791 milliseconds in comm_handle_cb() reading and processing packet | processing signal PLUTO_SIGCHLD | waitpid returned ECHILD (no child processes left) | spent 0.00375 milliseconds in signal handler PLUTO_SIGCHLD | spent 0.00301 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 476 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500)
| start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 50 48 d3 e7 c5 a5 6d 29 | responder cookie: | ba db bc b1 d4 d2 34 51 | next payload type: ISAKMP_NEXT_HASH (0x8) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_QUICK (0x20) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 2070008894 (0x7b61d43e) | length: 476 (0x1dc) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_QUICK (32) | State DB: IKEv1 state not found (find_state_ikev1) | State DB: found IKEv1 state #1 in MAIN_R3 (find_state_ikev1) | start processing: state #1 connection "TUNNEL-C" from 192.1.2.45:500 (in process_v1_packet() at ikev1.c:1607) | #1 is idle | #1 idle | received encrypted packet from 192.1.2.45:500 | got payload 0x100
(ISAKMP_NEXT_HASH) needed: 0x502 opt: 0x200030 | ***parse ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_SA (0x1) | length: 36 (0x24) | got payload 0x2 (ISAKMP_NEXT_SA) needed: 0x402 opt: 0x200030 | ***parse ISAKMP Security Association Payload: | next payload type: ISAKMP_NEXT_NONCE (0xa) | length: 84 (0x54) | DOI: ISAKMP_DOI_IPSEC (0x1) | got payload 0x400 (ISAKMP_NEXT_NONCE) needed: 0x400 opt: 0x200030 | ***parse ISAKMP Nonce Payload: | next payload type: ISAKMP_NEXT_KE (0x4) | length: 36 (0x24) | got payload 0x10 (ISAKMP_NEXT_KE) needed: 0x0 opt: 0x200030 | ***parse ISAKMP Key Exchange Payload: | next payload type: ISAKMP_NEXT_ID (0x5) | length: 260 (0x104) | got payload 0x20 (ISAKMP_NEXT_ID) needed: 0x0 opt: 0x200030 | ***parse ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_ID (0x5) | length: 12 (0xc) | ID type: ID_IPV4_ADDR (0x1) | Protocol ID: 0 (0x0) | port: 0 (0x0) | obj: c0 00 01 fe | got payload 0x20 (ISAKMP_NEXT_ID) needed: 0x0 opt: 0x200030 | ***parse ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 12 (0xc) | ID type: ID_IPV4_ADDR (0x1) | Protocol ID: 0 (0x0) | port: 0 (0x0) | obj: c0 00 02 ea | removing 8 bytes of padding | quick_inI1_outR1 HASH(1): | 8e 99 b9 d1 bc 72 e2 f3 b0 77 7b 9c 7b d7 46 84 | 34 c7 5d f4 0a 96 3f 2e 32 ce 4e 39 ec a7 7c 4b | received 'quick_inI1_outR1' message HASH(1) data ok | parsing 4 raw bytes of ISAKMP Identification Payload (IPsec DOI) into ID address | ID address c0 00 01 fe | peer client is 192.0.1.254/32 | peer client protocol/port is 0/0 | parsing 4 raw bytes of ISAKMP Identification Payload (IPsec DOI) into ID address | ID address c0 00 02 ea | our client is 192.0.2.234/32 | our client protocol/port is 0/0 "TUNNEL-C" #1: the peer proposed: 192.0.2.234/32:0/0 -> 192.0.1.254/32:0/0 | find_client_connection starting with TUNNEL-C | looking for 192.0.2.234/32:0/0 -> 192.0.1.254/32:0/0 | concrete checking against sr#0 192.0.2.234/32 -> 
192.0.1.254/32 | match_id a=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org | b=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org | results matched | fc_try trying TUNNEL-C:192.0.2.234/32:0/0 -> 192.0.1.254/32:0/0 vs TUNNEL-C:192.0.2.234/32:0/0 -> 192.0.1.254/32:0/0 | match_id a=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org | b=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org | results matched | fc_try trying TUNNEL-C:192.0.2.234/32:0/0 -> 192.0.1.254/32:0/0 vs TUNNEL-B:192.0.2.244/32:0/0 -> 192.0.1.254/32:0/0 | our client (192.0.2.244/32) not in our_net (192.0.2.234/32) | match_id a=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org | b=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org | results matched | fc_try trying TUNNEL-C:192.0.2.234/32:0/0 -> 192.0.1.254/32:0/0 vs TUNNEL-A:192.0.2.254/32:0/0 -> 192.0.1.254/32:0/0 | our client (192.0.2.254/32) not in our_net (192.0.2.234/32) | fc_try concluding with TUNNEL-C [129] | fc_try TUNNEL-C gives TUNNEL-C | concluding with d = TUNNEL-C | client wildcard: no port wildcard: no virtual: no | creating state object #4 at 0x55c3e1613188 | State DB: adding IKEv1 state #4 in UNDEFINED | pstats #4 ikev1.ipsec started | duplicating state object #1 "TUNNEL-C" as #4 for IPSEC SA | #4 setting local endpoint to 192.1.2.23:500 from #1.st_localport (in duplicate_state() at state.c:1484) | suspend processing: state #1 connection "TUNNEL-C" from 192.1.2.45:500 (in quick_inI1_outR1_tail() at ikev1_quick.c:1295) | start processing: state #4 connection "TUNNEL-C" from 
192.1.2.45:500 (in quick_inI1_outR1_tail() at ikev1_quick.c:1295) | child state #4: UNDEFINED(ignore) => QUICK_R0(established CHILD SA) | ****parse IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ****parse ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 72 (0x48) | proposal number: 0 (0x0) | protocol ID: PROTO_IPSEC_ESP (0x3) | SPI size: 4 (0x4) | number of transforms: 2 (0x2) | parsing 4 raw bytes of ISAKMP Proposal Payload into SPI | SPI ed 20 53 2c | *****parse ISAKMP Transform Payload (ESP): | next payload type: ISAKMP_NEXT_T (0x3) | length: 32 (0x20) | ESP transform number: 0 (0x0) | ESP transform ID: ESP_AES (0xc) | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+GROUP_DESCRIPTION (0x8003) | length/value: 14 (0xe) | [14 is OAKLEY_GROUP_MODP2048] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+ENCAPSULATION_MODE (0x8004) | length/value: 1 (0x1) | [1 is ENCAPSULATION_MODE_TUNNEL] | NAT-T non-encap: Installing IPsec SA without ENCAP, st->hidden_variables.st_nat_traversal is none | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+SA_LIFE_TYPE (0x8001) | length/value: 1 (0x1) | [1 is SA_LIFE_TYPE_SECONDS] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+SA_LIFE_DURATION (variable length) (0x8002) | length/value: 28800 (0x7080) | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+AUTH_ALGORITHM (0x8005) | length/value: 2 (0x2) | [2 is AUTH_ALGORITHM_HMAC_SHA1] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+KEY_LENGTH (0x8006) | length/value: 128 (0x80) | ESP IPsec Transform verified unconditionally; no alg_info to check against | adding quick_outI1 KE work-order 7 for state #4 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x7f0808002b78 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #4 | libevent_malloc: new ptr-libevent@0x55c3e15c9bf8 size 128 | complete v1 state transition with STF_SUSPEND | [RE]START processing: state #4 connection "TUNNEL-C" from 192.1.2.45:500 (in 
complete_v1_state_transition() at ikev1.c:2648) | suspending state #4 and saving MD | #4 is busy; has a suspended MD | #1 spent 0.17 milliseconds in process_packet_tail() | stop processing: from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:380) | stop processing: state #4 connection "TUNNEL-C" from 192.1.2.45:500 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.366 milliseconds in comm_handle_cb() reading and processing packet | crypto helper 6 resuming | crypto helper 6 starting work-order 7 for state #4 | crypto helper 6 doing build KE and nonce (quick_outI1 KE); request ID 7 | crypto helper 6 finished build KE and nonce (quick_outI1 KE); request ID 7 time elapsed 0.00058 seconds | (#4) spent 0.56 milliseconds in crypto helper computing work-order 7: quick_outI1 KE (pcr) | crypto helper 6 sending results from work-order 7 for state #4 to event queue | scheduling resume sending helper answer for #4 | libevent_malloc: new ptr-libevent@0x7f0800002888 size 128 | crypto helper 6 waiting (nothing to do) | processing resume sending helper answer for #4 | start processing: state #4 connection "TUNNEL-C" from 192.1.2.45:500 (in resume_handler() at server.c:797) | crypto helper 6 replies to request ID 7 | calling continuation function 0x55c3e079eb50 | quick_inI1_outR1_cryptocontinue1 for #4: calculated ke+nonce, calculating DH | started looking for secret for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org->C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org of kind PKK_PSK | actually looking for secret for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org->C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, 
E=user-west@testing.libreswan.org of kind PKK_PSK | line 0: key type PKK_PSK(C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org) to type PKK_RSA | line 1: key type PKK_PSK(C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org) to type PKK_RSA | concluding with best_match=000 best=(nil) (lineno=-1) | no PreShared Key Found | adding quick outR1 DH work-order 8 for state #4 | state #4 requesting EVENT_CRYPTO_TIMEOUT to be deleted | libevent_free: release ptr-libevent@0x55c3e15c9bf8 | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x7f0808002b78 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x7f0808002b78 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #4 | libevent_malloc: new ptr-libevent@0x55c3e15c9bf8 size 128 | suspending state #4 and saving MD | #4 is busy; has a suspended MD | resume sending helper answer for #4 suppresed complete_v1_state_transition() and stole MD | #4 spent 0.0514 milliseconds in resume sending helper answer | stop processing: state #4 connection "TUNNEL-C" from 192.1.2.45:500 (in resume_handler() at server.c:833) | libevent_free: release ptr-libevent@0x7f0800002888 | crypto helper 0 resuming | crypto helper 0 starting work-order 8 for state #4 | crypto helper 0 doing compute dh (V1 Phase 2 PFS) (quick outR1 DH); request ID 8 | crypto helper 0 finished compute dh (V1 Phase 2 PFS) (quick outR1 DH); request ID 8 time elapsed 0.00051 seconds | (#4) spent 0.512 milliseconds in crypto helper computing work-order 8: quick outR1 DH (pcr) | crypto helper 0 sending results from work-order 8 for state #4 to event queue | scheduling resume sending helper answer for #4 | libevent_malloc: new ptr-libevent@0x7f08140027d8 size 128 | crypto helper 0 waiting (nothing to do) | processing resume sending helper answer for #4 | start processing: state #4 connection "TUNNEL-C" from 192.1.2.45:500 
(in resume_handler() at server.c:797) | crypto helper 0 replies to request ID 8 | calling continuation function 0x55c3e079eb50 | quick_inI1_outR1_cryptocontinue2 for #4: calculated DH, sending R1 | **emit ISAKMP Message: | initiator cookie: | 50 48 d3 e7 c5 a5 6d 29 | responder cookie: | ba db bc b1 d4 d2 34 51 | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_QUICK (0x20) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 2070008894 (0x7b61d43e) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Hash Payload (8:ISAKMP_NEXT_HASH) | next payload chain: saving location 'ISAKMP Hash Payload'.'next payload type' in 'reply packet' | emitting 32 zero bytes of HASH DATA into ISAKMP Hash Payload | emitting length of ISAKMP Hash Payload: 36 | ***emit ISAKMP Security Association Payload: | next payload type: ISAKMP_NEXT_NONCE (0xa) | DOI: ISAKMP_DOI_IPSEC (0x1) | next payload chain: ignoring supplied 'ISAKMP Security Association Payload'.'next payload type' value 10:ISAKMP_NEXT_NONCE | next payload chain: setting previous 'ISAKMP Hash Payload'.'next payload type' to current ISAKMP Security Association Payload (1:ISAKMP_NEXT_SA) | next payload chain: saving location 'ISAKMP Security Association Payload'.'next payload type' in 'reply packet' | ****parse IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ****parse ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 72 (0x48) | proposal number: 0 (0x0) | protocol ID: PROTO_IPSEC_ESP (0x3) | SPI size: 4 (0x4) | number of transforms: 2 (0x2) | parsing 4 raw bytes of ISAKMP Proposal Payload into SPI | SPI ed 20 53 2c | *****parse ISAKMP Transform Payload (ESP): | next payload type: ISAKMP_NEXT_T (0x3) | length: 32 (0x20) 
| ESP transform number: 0 (0x0) | ESP transform ID: ESP_AES (0xc) | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+GROUP_DESCRIPTION (0x8003) | length/value: 14 (0xe) | [14 is OAKLEY_GROUP_MODP2048] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+ENCAPSULATION_MODE (0x8004) | length/value: 1 (0x1) | [1 is ENCAPSULATION_MODE_TUNNEL] | NAT-T non-encap: Installing IPsec SA without ENCAP, st->hidden_variables.st_nat_traversal is none | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+SA_LIFE_TYPE (0x8001) | length/value: 1 (0x1) | [1 is SA_LIFE_TYPE_SECONDS] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+SA_LIFE_DURATION (variable length) (0x8002) | length/value: 28800 (0x7080) | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+AUTH_ALGORITHM (0x8005) | length/value: 2 (0x2) | [2 is AUTH_ALGORITHM_HMAC_SHA1] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+KEY_LENGTH (0x8006) | length/value: 128 (0x80) | ESP IPsec Transform verified unconditionally; no alg_info to check against | ****emit IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ****emit ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | proposal number: 0 (0x0) | protocol ID: PROTO_IPSEC_ESP (0x3) | SPI size: 4 (0x4) | number of transforms: 1 (0x1) | last substructure: saving location 'ISAKMP Security Association Payload'.'ISAKMP Proposal Payload'.'next payload type' | netlink_get_spi: allocated 0x4dd21397 for esp.0@192.1.2.23 | emitting 4 raw bytes of SPI into ISAKMP Proposal Payload | SPI 4d d2 13 97 | *****emit ISAKMP Transform Payload (ESP): | next payload type: ISAKMP_NEXT_NONE (0x0) | ESP transform number: 0 (0x0) | ESP transform ID: ESP_AES (0xc) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ESP)'.'next payload type' | emitting 24 raw bytes of attributes into ISAKMP Transform Payload (ESP) | attributes 80 03 00 0e 80 04 00 01 80 01 00 01 80 02 70 80 | attributes 80 05 00 02 80 06 00 80 | 
emitting length of ISAKMP Transform Payload (ESP): 32 | emitting length of ISAKMP Proposal Payload: 44 | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ESP)'.'next payload type' is 0 | emitting length of ISAKMP Security Association Payload: 56 | last substructure: checking 'ISAKMP Security Association Payload'.'ISAKMP Proposal Payload'.'next payload type' is 0 "TUNNEL-C" #4: responding to Quick Mode proposal {msgid:7b61d43e} "TUNNEL-C" #4: us: 192.0.2.234/32===192.1.2.23<192.1.2.23>[C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org] "TUNNEL-C" #4: them: 192.1.2.45<192.1.2.45>[C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org]===192.0.1.254/32 | ***emit ISAKMP Nonce Payload: | next payload type: ISAKMP_NEXT_KE (0x4) | next payload chain: ignoring supplied 'ISAKMP Nonce Payload'.'next payload type' value 4:ISAKMP_NEXT_KE | next payload chain: setting previous 'ISAKMP Security Association Payload'.'next payload type' to current ISAKMP Nonce Payload (10:ISAKMP_NEXT_NONCE) | next payload chain: saving location 'ISAKMP Nonce Payload'.'next payload type' in 'reply packet' | emitting 32 raw bytes of Nr into ISAKMP Nonce Payload | Nr 49 14 e3 bd 4c 03 54 84 a0 4d cb 58 44 8d a4 98 | Nr 50 ef 90 c1 5d cf 72 8c be 32 ea 04 d2 f1 69 4c | emitting length of ISAKMP Nonce Payload: 36 | ***emit ISAKMP Key Exchange Payload: | next payload type: ISAKMP_NEXT_ID (0x5) | next payload chain: ignoring supplied 'ISAKMP Key Exchange Payload'.'next payload type' value 5:ISAKMP_NEXT_ID | next payload chain: setting previous 'ISAKMP Nonce Payload'.'next payload type' to current ISAKMP Key Exchange Payload (4:ISAKMP_NEXT_KE) | next payload chain: saving location 'ISAKMP Key Exchange Payload'.'next payload type' in 'reply packet' | emitting 256 raw bytes of keyex value into ISAKMP Key Exchange Payload
| emitting length of ISAKMP Key Exchange Payload: 260 | ***emit ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_ID (0x5) | ID type: ID_IPV4_ADDR (0x1) | Protocol ID: 0 (0x0) | port: 0 (0x0) | next payload chain: ignoring supplied 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' value 5:ISAKMP_NEXT_ID | next payload chain: setting previous 'ISAKMP Key Exchange Payload'.'next payload type' to current ISAKMP Identification Payload (IPsec DOI) (5:ISAKMP_NEXT_ID) | next payload chain: saving location 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' in 'reply packet' | emitting 4 raw bytes of ID body into ISAKMP Identification Payload (IPsec DOI) | ID body c0 00 01 fe | emitting length of ISAKMP Identification Payload (IPsec DOI): 12 | ***emit ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_NONE (0x0) | ID type: ID_IPV4_ADDR (0x1) | Protocol ID: 0 (0x0) | port: 0 (0x0) | next payload chain: setting previous 'ISAKMP
Identification Payload (IPsec DOI)'.'next payload type' to current ISAKMP Identification Payload (IPsec DOI) (5:ISAKMP_NEXT_ID) | next payload chain: saving location 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' in 'reply packet' | emitting 4 raw bytes of ID body into ISAKMP Identification Payload (IPsec DOI) | ID body c0 00 02 ea | emitting length of ISAKMP Identification Payload (IPsec DOI): 12 | quick inR1 outI2 HASH(2): | e7 cc 94 9b 9f bf bc 78 c6 2e 7d e7 6e b1 8f b6 | 3f ed 32 ce c5 bf 0d 95 47 f5 a2 a5 09 26 06 95 | compute_proto_keymat: needed_len (after ESP enc)=16 | compute_proto_keymat: needed_len (after ESP auth)=36 | FOR_EACH_CONNECTION_... in route_owner | conn TUNNEL-C mark 0/00000000, 0/00000000 vs | conn TUNNEL-C mark 0/00000000, 0/00000000 | conn TUNNEL-C mark 0/00000000, 0/00000000 vs | conn TUNNEL-B mark 0/00000000, 0/00000000 | conn TUNNEL-C mark 0/00000000, 0/00000000 vs | conn TUNNEL-A mark 0/00000000, 0/00000000 | route owner of "TUNNEL-C" unrouted: "TUNNEL-B" erouted | install_inbound_ipsec_sa() checking if we can route | could_route called for TUNNEL-C (kind=CK_PERMANENT) | FOR_EACH_CONNECTION_... 
in route_owner | conn TUNNEL-C mark 0/00000000, 0/00000000 vs | conn TUNNEL-C mark 0/00000000, 0/00000000 | conn TUNNEL-C mark 0/00000000, 0/00000000 vs | conn TUNNEL-B mark 0/00000000, 0/00000000 | conn TUNNEL-C mark 0/00000000, 0/00000000 vs | conn TUNNEL-A mark 0/00000000, 0/00000000 | route owner of "TUNNEL-C" unrouted: "TUNNEL-B" erouted; eroute owner: NULL | routing is easy, or has resolvable near-conflict | checking if this is a replacement state | st=0x55c3e1613188 ost=(nil) st->serialno=#4 ost->serialno=#0 | installing outgoing SA now as refhim=0 | looking for alg with encrypt: AES_CBC keylen: 128 integ: HMAC_SHA1_96 | encrypt AES_CBC keylen=128 transid=12, key_size=16, encryptalg=12 | st->st_esp.keymat_len=36 is encrypt_keymat_size=16 + integ_keymat_size=20 | setting IPsec SA replay-window to 32 | NIC esp-hw-offload not for connection 'TUNNEL-C' not available on interface eth1 | netlink: enabling tunnel mode | netlink: setting IPsec SA replay-window to 32 using old-style req | netlink: esp-hw-offload not set for IPsec SA | netlink response for Add SA esp.ed20532c@192.1.2.45 included non-error error | outgoing SA has refhim=0 | looking for alg with encrypt: AES_CBC keylen: 128 integ: HMAC_SHA1_96 | encrypt AES_CBC keylen=128 transid=12, key_size=16, encryptalg=12 | st->st_esp.keymat_len=36 is encrypt_keymat_size=16 + integ_keymat_size=20 | setting IPsec SA replay-window to 32 | NIC esp-hw-offload not for connection 'TUNNEL-C' not available on interface eth1 | netlink: enabling tunnel mode | netlink: setting IPsec SA replay-window to 32 using old-style req | netlink: esp-hw-offload not set for IPsec SA | netlink response for Add SA esp.4dd21397@192.1.2.23 included non-error error | priority calculation of connection "TUNNEL-C" is 0xfdfdf | add inbound eroute 192.0.1.254/32:0 --0-> 192.0.2.234/32:0 => tun.10000@192.1.2.23 (raw_eroute) | IPsec Sa SPD priority set to 1040351 | raw_eroute result=success | emitting 4 zero bytes of encryption padding into ISAKMP 
Message | no IKEv1 message padding required | emitting length of ISAKMP Message: 444 | finished processing quick inI1 | complete v1 state transition with STF_OK | [RE]START processing: state #4 connection "TUNNEL-C" from 192.1.2.45:500 (in complete_v1_state_transition() at ikev1.c:2673) | #4 is idle | doing_xauth:no, t_xauth_client_done:no | IKEv1: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1 | child state #4: QUICK_R0(established CHILD SA) => QUICK_R1(established CHILD SA) | event_already_set, deleting event | state #4 requesting EVENT_CRYPTO_TIMEOUT to be deleted | libevent_free: release ptr-libevent@0x55c3e15c9bf8 | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x7f0808002b78 | sending reply packet to 192.1.2.45:500 (from 192.1.2.23:500) | sending 444 bytes for STATE_QUICK_R0 through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #4) 
| !event_already_set at reschedule | event_schedule: new EVENT_RETRANSMIT-pe@0x7f0808002b78 | inserting event EVENT_RETRANSMIT, timeout in 0.5 seconds for #4 | libevent_malloc: new ptr-libevent@0x7f0800002888 size 128 | #4 STATE_QUICK_R1: retransmits: first event in 0.5 seconds; timeout in 60 seconds; limit of 12 retransmits; current time is 29783.213512 | pstats #4 ikev1.ipsec established | NAT-T: encaps is 'auto' "TUNNEL-C" #4: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 tunnel mode {ESP=>0xed20532c <0x4dd21397 xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=none NATD=none DPD=passive} | modecfg pull: noquirk policy:push not-client | phase 1 is done, looking for phase 2 to unpend | resume sending helper answer for #4 suppresed complete_v1_state_transition() | #4 spent 0.748 milliseconds in resume sending helper answer | stop processing: state #4 connection "TUNNEL-C" from 192.1.2.45:500 (in resume_handler() at server.c:833) | libevent_free: release ptr-libevent@0x7f08140027d8 | spent 0.00302 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 76 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500) | 50 48 d3 e7 c5 a5 6d 29 ba db bc b1 d4 d2 34 51 | 08 10 20 01 7b 61 d4 3e 00 00 00 4c a1 ae 10 a0 | 27 0e b0 16 2a 9e b1 f2 58 66 48 ec cc 38 1a d4 | f1 c7 43 ce 81 f4 02 11 21 dc d7 b0 08 f0 0d cb | 68 b9 65 38 38 9d b0 ec 63 a2 6e b9 | start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 50 48 d3 e7 c5 a5 6d 29 | responder cookie: | ba db bc b1 d4 d2 34 51 | next payload type: ISAKMP_NEXT_HASH (0x8) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_QUICK (0x20) | flags: 
ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 2070008894 (0x7b61d43e) | length: 76 (0x4c) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_QUICK (32) | State DB: found IKEv1 state #4 in QUICK_R1 (find_state_ikev1) | start processing: state #4 connection "TUNNEL-C" from 192.1.2.45:500 (in process_v1_packet() at ikev1.c:1633) | #4 is idle | #4 idle | received encrypted packet from 192.1.2.45:500 | got payload 0x100 (ISAKMP_NEXT_HASH) needed: 0x100 opt: 0x0 | ***parse ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 36 (0x24) | removing 12 bytes of padding | quick_inI2 HASH(3): | d3 82 f9 9a 04 bd 2e d3 d5 f1 ea 3b 43 98 7c 12 | fb ee 6f 55 67 b0 1d 60 f3 ea 1d 25 98 49 9d 53 | received 'quick_inI2' message HASH(3) data ok | install_ipsec_sa() for #4: outbound only | could_route called for TUNNEL-C (kind=CK_PERMANENT) | FOR_EACH_CONNECTION_... in route_owner | conn TUNNEL-C mark 0/00000000, 0/00000000 vs | conn TUNNEL-C mark 0/00000000, 0/00000000 | conn TUNNEL-C mark 0/00000000, 0/00000000 vs | conn TUNNEL-B mark 0/00000000, 0/00000000 | conn TUNNEL-C mark 0/00000000, 0/00000000 vs | conn TUNNEL-A mark 0/00000000, 0/00000000 | route owner of "TUNNEL-C" unrouted: "TUNNEL-B" erouted; eroute owner: NULL | sr for #4: unrouted | route_and_eroute() for proto 0, and source port 0 dest port 0 | FOR_EACH_CONNECTION_... 
in route_owner | conn TUNNEL-C mark 0/00000000, 0/00000000 vs | conn TUNNEL-C mark 0/00000000, 0/00000000 | conn TUNNEL-C mark 0/00000000, 0/00000000 vs | conn TUNNEL-B mark 0/00000000, 0/00000000 | conn TUNNEL-C mark 0/00000000, 0/00000000 vs | conn TUNNEL-A mark 0/00000000, 0/00000000 | route owner of "TUNNEL-C" unrouted: "TUNNEL-B" erouted; eroute owner: NULL | route_and_eroute with c: TUNNEL-C (next: none) ero:null esr:{(nil)} ro:TUNNEL-B rosr:{0x55c3e15f3d28} and state: #4 | priority calculation of connection "TUNNEL-C" is 0xfdfdf | eroute_connection add eroute 192.0.2.234/32:0 --0-> 192.0.1.254/32:0 => tun.0@192.1.2.45 (raw_eroute) | IPsec Sa SPD priority set to 1040351 | raw_eroute result=success | running updown command "ipsec _updown" for verb up | command executing up-client | executing up-client: PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='TUNNEL-C' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' PLUTO_MY_CLIENT='192.0.2.234/32' PLUTO_MY_CLIENT_NET='192.0.2.234' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16396' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' PLUTO_PEER_CLIENT='192.0.1.254/32' PLUTO_PEER_CLIENT_NET='192.0.1.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMIL | popen cmd is 1313 chars long | cmd( 0):PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='TUNNEL-C' PLUTO_INT: | cmd( 80):ERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' 
PLUTO_ME='192.1.2.23' PLUTO_MY_ID='C=C: | cmd( 160):A, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libre: | cmd( 240):swan.org, E=user-east@testing.libreswan.org' PLUTO_MY_CLIENT='192.0.2.234/32' PL: | cmd( 320):UTO_MY_CLIENT_NET='192.0.2.234' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_: | cmd( 400):PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16396' PLUTO_SA_TYPE='ESP' PLUTO_: | cmd( 480):PEER='192.1.2.45' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Te: | cmd( 560):st Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org': | cmd( 640): PLUTO_PEER_CLIENT='192.0.1.254/32' PLUTO_PEER_CLIENT_NET='192.0.1.254' PLUTO_PE: | cmd( 720):ER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLU: | cmd( 800):TO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+E: | cmd( 880):NCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND: | cmd( 960):='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_MY_SOURCEIP='1: | cmd(1040):92.0.2.234' PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INF: | cmd(1120):O='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CON: | cmd(1200):FIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0xed20532c SPI_: | cmd(1280):OUT=0x4dd21397 ipsec _updown 2>&1: | route_and_eroute: firewall_notified: true | route_and_eroute: instance "TUNNEL-C", setting eroute_owner {spd=0x55c3e15f4318,sr=0x55c3e15f4318} to #4 (was #0) (newest_ipsec_sa=#0) | #1 spent 0.543 milliseconds in install_ipsec_sa() | inI2: instance TUNNEL-C[0], setting IKEv1 newest_ipsec_sa to #4 (was #0) (spd.eroute=#4) cloned from #1 | DPD: dpd_init() called on IPsec SA | DPD: Peer does not support Dead Peer Detection | complete v1 state transition with STF_OK | [RE]START processing: state #4 connection "TUNNEL-C" from 192.1.2.45:500 (in complete_v1_state_transition() at ikev1.c:2673) | 
#4 is idle | doing_xauth:no, t_xauth_client_done:no | IKEv1: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2 | child state #4: QUICK_R1(established CHILD SA) => QUICK_R2(established CHILD SA) | event_already_set, deleting event | state #4 requesting EVENT_RETRANSMIT to be deleted | #4 STATE_QUICK_R2: retransmits: cleared | libevent_free: release ptr-libevent@0x7f0800002888 | free_event_entry: release EVENT_RETRANSMIT-pe@0x7f0808002b78 | !event_already_set at reschedule | event_schedule: new EVENT_SA_REPLACE-pe@0x7f0808002b78 | inserting event EVENT_SA_REPLACE, timeout in 28799 seconds for #4 | libevent_malloc: new ptr-libevent@0x7f08140027d8 size 128 | pstats #4 ikev1.ipsec established | NAT-T: encaps is 'auto' "TUNNEL-C" #4: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0xed20532c <0x4dd21397 xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=none NATD=none DPD=passive} | modecfg pull: noquirk policy:push not-client | phase 1 is done, looking for phase 2 to unpend | #4 spent 0.645 milliseconds in process_packet_tail() | stop processing: from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:380) | stop processing: state #4 connection "TUNNEL-C" from 192.1.2.45:500 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.787 milliseconds in comm_handle_cb() reading and processing packet | processing signal PLUTO_SIGCHLD | waitpid returned ECHILD (no child processes left) | spent 0.00424 milliseconds in signal handler PLUTO_SIGCHLD | processing global timer EVENT_SHUNT_SCAN | expiring aged bare shunts from shunt table | spent 0.00505 milliseconds in global timer EVENT_SHUNT_SCAN | processing global timer EVENT_NAT_T_KEEPALIVE | FOR_EACH_STATE_... 
in nat_traversal_ka_event (for_each_state) | start processing: state #4 connection "TUNNEL-C" from 192.1.2.45:500 (in for_each_state() at state.c:1575) | not behind NAT: no NAT-T KEEP-ALIVE required for conn TUNNEL-C | [RE]START processing: state #4 connection "TUNNEL-C" from 192.1.2.45:500 (in nat_traversal_send_ka() at nat_traversal.c:774) | ka_event: send NAT-KA to 192.1.2.45:500 (state=#4) | sending NAT-T Keep Alive | sending 1 bytes for NAT-T Keep Alive through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #4) | ff | stop processing: state #4 connection "TUNNEL-C" from 192.1.2.45:500 (in nat_traversal_send_ka() at nat_traversal.c:786) | processing: STOP state #0 (in for_each_state() at state.c:1577) | start processing: state #3 connection "TUNNEL-B" from 192.1.2.45:500 (in for_each_state() at state.c:1575) | not behind NAT: no NAT-T KEEP-ALIVE required for conn TUNNEL-B | [RE]START processing: state #3 connection "TUNNEL-B" from 192.1.2.45:500 (in nat_traversal_send_ka() at nat_traversal.c:774) | ka_event: send NAT-KA to 192.1.2.45:500 (state=#3) | sending NAT-T Keep Alive | sending 1 bytes for NAT-T Keep Alive through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #3) | ff | stop processing: state #3 connection "TUNNEL-B" from 192.1.2.45:500 (in nat_traversal_send_ka() at nat_traversal.c:786) | processing: STOP state #0 (in for_each_state() at state.c:1577) | start processing: state #2 connection "TUNNEL-A" from 192.1.2.45:500 (in for_each_state() at state.c:1575) | not behind NAT: no NAT-T KEEP-ALIVE required for conn TUNNEL-A | [RE]START processing: state #2 connection "TUNNEL-A" from 192.1.2.45:500 (in nat_traversal_send_ka() at nat_traversal.c:774) | ka_event: send NAT-KA to 192.1.2.45:500 (state=#2) | sending NAT-T Keep Alive | sending 1 bytes for NAT-T Keep Alive through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #2) | ff | stop processing: state #2 connection "TUNNEL-A" from 192.1.2.45:500 (in nat_traversal_send_ka() at 
nat_traversal.c:786) | processing: STOP state #0 (in for_each_state() at state.c:1577) | start processing: state #1 connection "TUNNEL-C" from 192.1.2.45:500 (in for_each_state() at state.c:1575) | not behind NAT: no NAT-T KEEP-ALIVE required for conn TUNNEL-C | stop processing: state #1 connection "TUNNEL-C" from 192.1.2.45:500 (in for_each_state() at state.c:1577) | global one-shot timer EVENT_NAT_T_KEEPALIVE scheduled in 20 seconds | spent 0.18 milliseconds in global timer EVENT_NAT_T_KEEPALIVE | spent 0.0026 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | NAT-T keep-alive (bogus ?) should not reach this point. Ignored. Sender: 192.1.2.45:500 | spent 0.00922 milliseconds in comm_handle_cb() reading and processing packet | spent 0.00173 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | NAT-T keep-alive (bogus ?) should not reach this point. Ignored. Sender: 192.1.2.45:500 | spent 0.00608 milliseconds in comm_handle_cb() reading and processing packet | spent 0.00238 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | NAT-T keep-alive (bogus ?) should not reach this point. Ignored. Sender: 192.1.2.45:500 | spent 0.00947 milliseconds in comm_handle_cb() reading and processing packet | processing global timer EVENT_SHUNT_SCAN | expiring aged bare shunts from shunt table | spent 0.00449 milliseconds in global timer EVENT_SHUNT_SCAN | spent 0.00309 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | NAT-T keep-alive (bogus ?) should not reach this point. Ignored. Sender: 192.1.2.45:500 | spent 0.00907 milliseconds in comm_handle_cb() reading and processing packet | processing global timer EVENT_NAT_T_KEEPALIVE | FOR_EACH_STATE_... 
in nat_traversal_ka_event (for_each_state) | start processing: state #4 connection "TUNNEL-C" from 192.1.2.45:500 (in for_each_state() at state.c:1575) | not behind NAT: no NAT-T KEEP-ALIVE required for conn TUNNEL-C | [RE]START processing: state #4 connection "TUNNEL-C" from 192.1.2.45:500 (in nat_traversal_send_ka() at nat_traversal.c:774) | ka_event: send NAT-KA to 192.1.2.45:500 (state=#4) | sending NAT-T Keep Alive | sending 1 bytes for NAT-T Keep Alive through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #4) | ff | stop processing: state #4 connection "TUNNEL-C" from 192.1.2.45:500 (in nat_traversal_send_ka() at nat_traversal.c:786) | processing: STOP state #0 (in for_each_state() at state.c:1577) | start processing: state #3 connection "TUNNEL-B" from 192.1.2.45:500 (in for_each_state() at state.c:1575) | not behind NAT: no NAT-T KEEP-ALIVE required for conn TUNNEL-B | [RE]START processing: state #3 connection "TUNNEL-B" from 192.1.2.45:500 (in nat_traversal_send_ka() at nat_traversal.c:774) | ka_event: send NAT-KA to 192.1.2.45:500 (state=#3) | sending NAT-T Keep Alive | sending 1 bytes for NAT-T Keep Alive through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #3) | ff | stop processing: state #3 connection "TUNNEL-B" from 192.1.2.45:500 (in nat_traversal_send_ka() at nat_traversal.c:786) | processing: STOP state #0 (in for_each_state() at state.c:1577) | start processing: state #2 connection "TUNNEL-A" from 192.1.2.45:500 (in for_each_state() at state.c:1575) | not behind NAT: no NAT-T KEEP-ALIVE required for conn TUNNEL-A | [RE]START processing: state #2 connection "TUNNEL-A" from 192.1.2.45:500 (in nat_traversal_send_ka() at nat_traversal.c:774) | ka_event: send NAT-KA to 192.1.2.45:500 (state=#2) | sending NAT-T Keep Alive | sending 1 bytes for NAT-T Keep Alive through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #2) | ff | stop processing: state #2 connection "TUNNEL-A" from 192.1.2.45:500 (in nat_traversal_send_ka() at 
nat_traversal.c:786) | processing: STOP state #0 (in for_each_state() at state.c:1577) | start processing: state #1 connection "TUNNEL-C" from 192.1.2.45:500 (in for_each_state() at state.c:1575) | not behind NAT: no NAT-T KEEP-ALIVE required for conn TUNNEL-C | stop processing: state #1 connection "TUNNEL-C" from 192.1.2.45:500 (in for_each_state() at state.c:1577) | global one-shot timer EVENT_NAT_T_KEEPALIVE scheduled in 20 seconds | spent 0.0847 milliseconds in global timer EVENT_NAT_T_KEEPALIVE | spent 0.0011 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | NAT-T keep-alive (bogus ?) should not reach this point. Ignored. Sender: 192.1.2.45:500 | spent 0.00476 milliseconds in comm_handle_cb() reading and processing packet | spent 0.00102 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | NAT-T keep-alive (bogus ?) should not reach this point. Ignored. Sender: 192.1.2.45:500 | spent 0.0039 milliseconds in comm_handle_cb() reading and processing packet | processing global timer EVENT_PENDING_DDNS | FOR_EACH_CONNECTION_... in connection_check_ddns | FOR_EACH_UNORIENTED_CONNECTION_... 
in check_orientations | elapsed time in connection_check_ddns for hostname lookup 0.000006 | spent 0.0111 milliseconds in global timer EVENT_PENDING_DDNS | processing global timer EVENT_SHUNT_SCAN | expiring aged bare shunts from shunt table | spent 0.0035 milliseconds in global timer EVENT_SHUNT_SCAN | timer_event_cb: processing event@0x55c3e15f5948 | handling event EVENT_SA_REPLACE for parent state #1 | start processing: state #1 connection "TUNNEL-C" from 192.1.2.45:500 (in timer_event_cb() at timer.c:250) | picked newest_isakmp_sa #1 for #1 | replacing stale ISAKMP SA | dup_any(fd@-1) -> fd@-1 (in ipsecdoi_replace() at ipsec_doi.c:310) | creating state object #5 at 0x55c3e1617d18 | State DB: adding IKEv1 state #5 in UNDEFINED | pstats #5 ikev1.isakmp started | suspend processing: state #1 connection "TUNNEL-C" from 192.1.2.45:500 (in main_outI1() at ikev1_main.c:118) | start processing: state #5 connection "TUNNEL-C" from 192.1.2.45 (in main_outI1() at ikev1_main.c:118) | parent state #5: UNDEFINED(ignore) => MAIN_I1(half-open IKE SA) "TUNNEL-C" #5: initiating Main Mode to replace #1 | **emit ISAKMP Message: | initiator cookie: | b4 bc 8a 9d ef a6 cf 19 | responder cookie: | 00 00 00 00 00 00 00 00 | next payload type: ISAKMP_NEXT_SA (0x1) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_IDPROT (0x2) | flags: none (0x0) | Message ID: 0 (0x0) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | next payload chain: ignoring supplied 'ISAKMP Message'.'next payload type' value 1:ISAKMP_NEXT_SA | no specific IKE algorithms specified - using defaults | oakley_alg_makedb() processing ealg=aes=7 halg=sha2_256=4 modp=MODP2048=14 eklen=0 | oakley_alg_makedb() processing ealg=aes=7 halg=sha2_512=6 modp=MODP2048=14 eklen=0 | oakley_alg_makedb() processing ealg=aes=7 halg=sha=2 modp=MODP2048=14 eklen=0 | oakley_alg_makedb() processing ealg=aes=7 halg=sha2_256=4 modp=MODP1536=5 eklen=0 | oakley_alg_makedb() 
processing ealg=aes=7 halg=sha2_512=6 modp=MODP1536=5 eklen=0 | oakley_alg_makedb() processing ealg=aes=7 halg=sha=2 modp=MODP1536=5 eklen=0 | oakley_alg_makedb() processing ealg=3des_cbc=5 halg=sha2_256=4 modp=MODP2048=14 eklen=0 | oakley_alg_makedb() processing ealg=3des_cbc=5 halg=sha2_512=6 modp=MODP2048=14 eklen=0 | oakley_alg_makedb() processing ealg=3des_cbc=5 halg=sha=2 modp=MODP2048=14 eklen=0 | oakley_alg_makedb() processing ealg=3des_cbc=5 halg=sha2_256=4 modp=MODP1536=5 eklen=0 | oakley_alg_makedb() processing ealg=3des_cbc=5 halg=sha2_512=6 modp=MODP1536=5 eklen=0 | oakley_alg_makedb() processing ealg=3des_cbc=5 halg=sha=2 modp=MODP1536=5 eklen=0 | oakley_alg_makedb() returning 0x55c3e161d1c8 | ***emit ISAKMP Security Association Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | DOI: ISAKMP_DOI_IPSEC (0x1) | next payload chain: ignoring supplied 'ISAKMP Security Association Payload'.'next payload type' value 13:ISAKMP_NEXT_VID | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Security Association Payload (1:ISAKMP_NEXT_SA) | next payload chain: saving location 'ISAKMP Security Association Payload'.'next payload type' in 'reply packet' | ****emit IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ikev1_out_sa pcn: 0 has 1 valid proposals | ikev1_out_sa pcn: 0 pn: 0<1 valid_count: 1 trans_cnt: 18 | ****emit ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | proposal number: 0 (0x0) | protocol ID: PROTO_ISAKMP (0x1) | SPI size: 0 (0x0) | number of transforms: 18 (0x12) | last substructure: saving location 'ISAKMP Security Association Payload'.'ISAKMP Proposal Payload'.'next payload type' | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | ISAKMP transform number: 0 (0x0) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | ******emit ISAKMP 
Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 60 (0x3c) | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 7 (0x7) | [7 is OAKLEY_AES_CBC] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 4 (0x4) | [4 is OAKLEY_SHA2_256] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 3 (0x3) | [3 is OAKLEY_RSA_SIG] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 14 (0xe) | [14 is OAKLEY_GROUP_MODP2048] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | emitting length of ISAKMP Transform Payload (ISAKMP): 36 | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | ISAKMP transform number: 1 (0x1) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is ISAKMP_NEXT_T (0x3) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 60 (0x3c) | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 7 (0x7) | [7 is OAKLEY_AES_CBC] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 4 (0x4) | [4 is OAKLEY_SHA2_256] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 
3 (0x3) | [3 is OAKLEY_RSA_SIG] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 14 (0xe) | [14 is OAKLEY_GROUP_MODP2048] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_KEY_LENGTH (0x800e) | length/value: 128 (0x80) | emitting length of ISAKMP Transform Payload (ISAKMP): 36 | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | ISAKMP transform number: 2 (0x2) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is ISAKMP_NEXT_T (0x3) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 60 (0x3c) | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 7 (0x7) | [7 is OAKLEY_AES_CBC] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 6 (0x6) | [6 is OAKLEY_SHA2_512] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 3 (0x3) | [3 is OAKLEY_RSA_SIG] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 14 (0xe) | [14 is OAKLEY_GROUP_MODP2048] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | emitting length of ISAKMP Transform Payload (ISAKMP): 36 | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | ISAKMP transform number: 3 (0x3) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' 
is ISAKMP_NEXT_T (0x3) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 60 (0x3c) | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 7 (0x7) | [7 is OAKLEY_AES_CBC] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 6 (0x6) | [6 is OAKLEY_SHA2_512] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 3 (0x3) | [3 is OAKLEY_RSA_SIG] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 14 (0xe) | [14 is OAKLEY_GROUP_MODP2048] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_KEY_LENGTH (0x800e) | length/value: 128 (0x80) | emitting length of ISAKMP Transform Payload (ISAKMP): 36 | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | ISAKMP transform number: 4 (0x4) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is ISAKMP_NEXT_T (0x3) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 60 (0x3c) | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 7 (0x7) | [7 is OAKLEY_AES_CBC] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM 
(0x8002) | length/value: 2 (0x2) | [2 is OAKLEY_SHA1] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 3 (0x3) | [3 is OAKLEY_RSA_SIG] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 14 (0xe) | [14 is OAKLEY_GROUP_MODP2048] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | emitting length of ISAKMP Transform Payload (ISAKMP): 36 | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | ISAKMP transform number: 5 (0x5) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is ISAKMP_NEXT_T (0x3) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 60 (0x3c) | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 7 (0x7) | [7 is OAKLEY_AES_CBC] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 2 (0x2) | [2 is OAKLEY_SHA1] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 3 (0x3) | [3 is OAKLEY_RSA_SIG] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 14 (0xe) | [14 is OAKLEY_GROUP_MODP2048] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_KEY_LENGTH (0x800e) | length/value: 128 (0x80) | emitting length of ISAKMP Transform Payload (ISAKMP): 36 | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | ISAKMP transform number: 6 
(0x6) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is ISAKMP_NEXT_T (0x3) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 60 (0x3c) | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 7 (0x7) | [7 is OAKLEY_AES_CBC] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 4 (0x4) | [4 is OAKLEY_SHA2_256] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 3 (0x3) | [3 is OAKLEY_RSA_SIG] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 5 (0x5) | [5 is OAKLEY_GROUP_MODP1536] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | emitting length of ISAKMP Transform Payload (ISAKMP): 36 | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | ISAKMP transform number: 7 (0x7) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is ISAKMP_NEXT_T (0x3) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 60 (0x3c) | ******emit ISAKMP Oakley attribute: | af+type: 
AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 7 (0x7) | [7 is OAKLEY_AES_CBC] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 4 (0x4) | [4 is OAKLEY_SHA2_256] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 3 (0x3) | [3 is OAKLEY_RSA_SIG] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 5 (0x5) | [5 is OAKLEY_GROUP_MODP1536] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_KEY_LENGTH (0x800e) | length/value: 128 (0x80) | emitting length of ISAKMP Transform Payload (ISAKMP): 36 | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | ISAKMP transform number: 8 (0x8) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is ISAKMP_NEXT_T (0x3) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 60 (0x3c) | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 7 (0x7) | [7 is OAKLEY_AES_CBC] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 6 (0x6) | [6 is OAKLEY_SHA2_512] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 3 (0x3) | [3 is OAKLEY_RSA_SIG] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 5 (0x5) | [5 is OAKLEY_GROUP_MODP1536] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | 
emitting length of ISAKMP Transform Payload (ISAKMP): 36 | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | ISAKMP transform number: 9 (0x9) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is ISAKMP_NEXT_T (0x3) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 60 (0x3c) | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 7 (0x7) | [7 is OAKLEY_AES_CBC] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 6 (0x6) | [6 is OAKLEY_SHA2_512] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 3 (0x3) | [3 is OAKLEY_RSA_SIG] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 5 (0x5) | [5 is OAKLEY_GROUP_MODP1536] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_KEY_LENGTH (0x800e) | length/value: 128 (0x80) | emitting length of ISAKMP Transform Payload (ISAKMP): 36 | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | ISAKMP transform number: 10 (0xa) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is ISAKMP_NEXT_T (0x3) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******emit 
ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 60 (0x3c) | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 7 (0x7) | [7 is OAKLEY_AES_CBC] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 2 (0x2) | [2 is OAKLEY_SHA1] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 3 (0x3) | [3 is OAKLEY_RSA_SIG] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 5 (0x5) | [5 is OAKLEY_GROUP_MODP1536] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | emitting length of ISAKMP Transform Payload (ISAKMP): 36 | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | ISAKMP transform number: 11 (0xb) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is ISAKMP_NEXT_T (0x3) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 60 (0x3c) | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 7 (0x7) | [7 is OAKLEY_AES_CBC] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 2 (0x2) | [2 is OAKLEY_SHA1] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 3 (0x3) | [3 is OAKLEY_RSA_SIG] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 
5 (0x5) | [5 is OAKLEY_GROUP_MODP1536] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_KEY_LENGTH (0x800e) | length/value: 128 (0x80) | emitting length of ISAKMP Transform Payload (ISAKMP): 36 | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | ISAKMP transform number: 12 (0xc) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is ISAKMP_NEXT_T (0x3) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 60 (0x3c) | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 5 (0x5) | [5 is OAKLEY_3DES_CBC] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 4 (0x4) | [4 is OAKLEY_SHA2_256] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 3 (0x3) | [3 is OAKLEY_RSA_SIG] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 14 (0xe) | [14 is OAKLEY_GROUP_MODP2048] | emitting length of ISAKMP Transform Payload (ISAKMP): 32 | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | ISAKMP transform number: 13 (0xd) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is ISAKMP_NEXT_T (0x3) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 
(0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 60 (0x3c) | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 5 (0x5) | [5 is OAKLEY_3DES_CBC] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 6 (0x6) | [6 is OAKLEY_SHA2_512] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 3 (0x3) | [3 is OAKLEY_RSA_SIG] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 14 (0xe) | [14 is OAKLEY_GROUP_MODP2048] | emitting length of ISAKMP Transform Payload (ISAKMP): 32 | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | ISAKMP transform number: 14 (0xe) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is ISAKMP_NEXT_T (0x3) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 60 (0x3c) | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 5 (0x5) | [5 is OAKLEY_3DES_CBC] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 2 (0x2) | [2 is OAKLEY_SHA1] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 3 (0x3) | [3 is OAKLEY_RSA_SIG] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 14 (0xe) | [14 is OAKLEY_GROUP_MODP2048] | 
emitting length of ISAKMP Transform Payload (ISAKMP): 32 | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | ISAKMP transform number: 15 (0xf) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is ISAKMP_NEXT_T (0x3) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 60 (0x3c) | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 5 (0x5) | [5 is OAKLEY_3DES_CBC] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 4 (0x4) | [4 is OAKLEY_SHA2_256] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 3 (0x3) | [3 is OAKLEY_RSA_SIG] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 5 (0x5) | [5 is OAKLEY_GROUP_MODP1536] | emitting length of ISAKMP Transform Payload (ISAKMP): 32 | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | ISAKMP transform number: 16 (0x10) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is ISAKMP_NEXT_T (0x3) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 
60 (0x3c) | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 5 (0x5) | [5 is OAKLEY_3DES_CBC] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 6 (0x6) | [6 is OAKLEY_SHA2_512] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 3 (0x3) | [3 is OAKLEY_RSA_SIG] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 5 (0x5) | [5 is OAKLEY_GROUP_MODP1536] | emitting length of ISAKMP Transform Payload (ISAKMP): 32 | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP transform number: 17 (0x11) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is ISAKMP_NEXT_T (0x3) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 60 (0x3c) | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 5 (0x5) | [5 is OAKLEY_3DES_CBC] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 2 (0x2) | [2 is OAKLEY_SHA1] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 3 (0x3) | [3 is OAKLEY_RSA_SIG] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 5 (0x5) | [5 is OAKLEY_GROUP_MODP1536] | emitting length of ISAKMP Transform Payload (ISAKMP): 32 | emitting length of ISAKMP Proposal Payload: 632 | last substructure: checking 'ISAKMP Proposal 
Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is 0 | emitting length of ISAKMP Security Association Payload: 644 | last substructure: checking 'ISAKMP Security Association Payload'.'ISAKMP Proposal Payload'.'next payload type' is 0 | out_vid(): sending [FRAGMENTATION] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | next payload chain: ignoring supplied 'ISAKMP Vendor ID Payload'.'next payload type' value 13:ISAKMP_NEXT_VID | next payload chain: setting previous 'ISAKMP Security Association Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID 40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3 | emitting length of ISAKMP Vendor ID Payload: 20 | out_vid(): sending [Dead Peer Detection] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Vendor ID Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00 | emitting length of ISAKMP Vendor ID Payload: 20 | nat add vid | sending draft and RFC NATT VIDs | out_vid(): sending [RFC 3947] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | next payload chain: ignoring supplied 'ISAKMP Vendor ID Payload'.'next payload type' value 13:ISAKMP_NEXT_VID | next payload chain: setting previous 'ISAKMP Vendor ID Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 16 raw bytes of V_ID into ISAKMP 
Vendor ID Payload | V_ID 4a 13 1c 81 07 03 58 45 5c 57 28 f2 0e 95 45 2f | emitting length of ISAKMP Vendor ID Payload: 20 | skipping VID_NATT_RFC | out_vid(): sending [draft-ietf-ipsec-nat-t-ike-03] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | next payload chain: ignoring supplied 'ISAKMP Vendor ID Payload'.'next payload type' value 13:ISAKMP_NEXT_VID | next payload chain: setting previous 'ISAKMP Vendor ID Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID 7d 94 19 a6 53 10 ca 6f 2c 17 9d 92 15 52 9d 56 | emitting length of ISAKMP Vendor ID Payload: 20 | out_vid(): sending [draft-ietf-ipsec-nat-t-ike-02_n] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | next payload chain: ignoring supplied 'ISAKMP Vendor ID Payload'.'next payload type' value 13:ISAKMP_NEXT_VID | next payload chain: setting previous 'ISAKMP Vendor ID Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID 90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f | emitting length of ISAKMP Vendor ID Payload: 20 | out_vid(): sending [draft-ietf-ipsec-nat-t-ike-02] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Vendor ID Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID cd 60 46 43 35 df 21 f8 7c fd b2 fc 68 b6 a4 48 | emitting length of ISAKMP Vendor ID 
Payload: 20 | no IKEv1 message padding required | emitting length of ISAKMP Message: 792 | sending 792 bytes for reply packet for main_outI1 through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #5)
| event_schedule: new EVENT_RETRANSMIT-pe@0x7f0800002b78 | inserting event EVENT_RETRANSMIT, timeout in 0.5 seconds for #5 | libevent_malloc: new ptr-libevent@0x7f0810003f28 size 128 | #5 STATE_MAIN_I1: retransmits: first event in 0.5 seconds; timeout in 60 seconds; limit of 12 retransmits; current time is 29842.013931 | #5 spent 1.12 milliseconds in main_outI1() | stop processing: state #5 connection "TUNNEL-C" from 192.1.2.45 (in main_outI1() at ikev1_main.c:228) | event_schedule: new EVENT_SA_EXPIRE-pe@0x55c3e1595938 | inserting event EVENT_SA_EXPIRE, timeout in 1 seconds for #1 | libevent_malloc: new ptr-libevent@0x55c3e15eede8 size 128 | libevent_free: release ptr-libevent@0x55c3e16130d8 | free_event_entry: release EVENT_SA_REPLACE-pe@0x55c3e15f5948 | #1 spent 1.16 milliseconds in timer_event_cb() EVENT_SA_REPLACE | processing: STOP state #0 (in timer_event_cb() at timer.c:557) | spent 0.00217 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 144 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500)
| start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | b4 bc 8a 9d ef a6 cf 19 | responder cookie: | 01 5d ef c2 6b 98 30 d0 | next payload type: ISAKMP_NEXT_SA (0x1) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_IDPROT (0x2) | flags: none (0x0) | Message ID: 0 (0x0) | length: 144 (0x90) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_IDPROT (2) | State DB: IKEv1 state not found (find_state_ikev1) | State DB: found IKEv1 state #5 in MAIN_I1 (find_state_ikev1_init) | start processing: state #5 connection "TUNNEL-C" from 192.1.2.45 (in process_v1_packet() at ikev1.c:1459) | #5 is idle | #5 idle | got payload 0x2 (ISAKMP_NEXT_SA) needed: 0x2 opt: 0x2080 | ***parse ISAKMP Security Association Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 56 (0x38) | DOI: ISAKMP_DOI_IPSEC (0x1) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 20 (0x14) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 20 (0x14) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 20 (0x14) | message 'main_inR1_outI2' HASH payload not checked early | received Vendor ID payload [FRAGMENTATION] | received Vendor ID payload [Dead Peer Detection] | quirks.qnat_traversal_vid set to=117 [RFC 3947] | received Vendor ID payload [RFC 3947] | ****parse IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ****parse ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 44
(0x2c) | proposal number: 0 (0x0) | protocol ID: PROTO_ISAKMP (0x1) | SPI size: 0 (0x0) | number of transforms: 1 (0x1) | *****parse ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 36 (0x24) | ISAKMP transform number: 0 (0x0) | ISAKMP transform ID: KEY_IKE (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 60 (0x3c) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 7 (0x7) | [7 is OAKLEY_AES_CBC] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 4 (0x4) | [4 is OAKLEY_SHA2_256] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 3 (0x3) | [3 is OAKLEY_RSA_SIG] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 14 (0xe) | [14 is OAKLEY_GROUP_MODP2048] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | OAKLEY proposal verified unconditionally; no alg_info to check against | Oakley Transform 0 accepted | sender checking NAT-T: enabled; VID 117 | returning NAT-T method NAT_TRAVERSAL_METHOD_IETF_RFC | enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal) | adding outI2 KE work-order 9 for state #5 | state #5 requesting EVENT_RETRANSMIT to be deleted | #5 STATE_MAIN_I1: retransmits: cleared | libevent_free: release ptr-libevent@0x7f0810003f28 | free_event_entry: release EVENT_RETRANSMIT-pe@0x7f0800002b78 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x7f0800002b78 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #5 | libevent_malloc: new ptr-libevent@0x7f0810003f28 size 128 | complete v1 state transition with STF_SUSPEND | [RE]START 
processing: state #5 connection "TUNNEL-C" from 192.1.2.45 (in complete_v1_state_transition() at ikev1.c:2648) | suspending state #5 and saving MD | #5 is busy; has a suspended MD | #5 spent 0.0896 milliseconds in process_packet_tail() | crypto helper 1 resuming | stop processing: from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:380) | crypto helper 1 starting work-order 9 for state #5 | stop processing: state #5 connection "TUNNEL-C" from 192.1.2.45 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | crypto helper 1 doing build KE and nonce (outI2 KE); request ID 9 | spent 0.185 milliseconds in comm_handle_cb() reading and processing packet | crypto helper 1 finished build KE and nonce (outI2 KE); request ID 9 time elapsed 0.000921 seconds | (#5) spent 0.926 milliseconds in crypto helper computing work-order 9: outI2 KE (pcr) | crypto helper 1 sending results from work-order 9 for state #5 to event queue | scheduling resume sending helper answer for #5 | libevent_malloc: new ptr-libevent@0x7f080c004fd8 size 128 | crypto helper 1 waiting (nothing to do) | processing resume sending helper answer for #5 | start processing: state #5 connection "TUNNEL-C" from 192.1.2.45 (in resume_handler() at server.c:797) | crypto helper 1 replies to request ID 9 | calling continuation function 0x55c3e079eb50 | main_inR1_outI2_continue for #5: calculated ke+nonce, sending I2 | **emit ISAKMP Message: | initiator cookie: | b4 bc 8a 9d ef a6 cf 19 | responder cookie: | 01 5d ef c2 6b 98 30 d0 | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_IDPROT (0x2) | flags: none (0x0) | Message ID: 0 (0x0) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit ISAKMP Key Exchange Payload: | next payload type: ISAKMP_NEXT_NONCE (0xa) | next payload chain: ignoring supplied 'ISAKMP Key Exchange Payload'.'next payload type' 
value 10:ISAKMP_NEXT_NONCE | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Key Exchange Payload (4:ISAKMP_NEXT_KE) | next payload chain: saving location 'ISAKMP Key Exchange Payload'.'next payload type' in 'reply packet' | emitting 256 raw bytes of keyex value into ISAKMP Key Exchange Payload | emitting length of ISAKMP Key Exchange Payload: 260 | ***emit ISAKMP Nonce Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Key Exchange Payload'.'next payload type' to current ISAKMP Nonce Payload (10:ISAKMP_NEXT_NONCE) | next payload chain: saving location 'ISAKMP Nonce Payload'.'next payload type' in 'reply packet' | emitting 32 raw bytes of Ni into ISAKMP Nonce Payload | Ni a6 1f 85 d1 30 15 af c6 dc 55 32 a0 22 41 42 da | Ni 4d e8 5d 6a 89 48 f7 64 6a cf f0 53 ba 29 cc 04 | emitting length of ISAKMP Nonce Payload: 36 | NAT-T checking st_nat_traversal | NAT-T found (implies NAT_T_WITH_NATD) | sending
NAT-D payloads | natd_hash: hasher=0x55c3e0873ca0(32) | natd_hash: icookie= b4 bc 8a 9d ef a6 cf 19 | natd_hash: rcookie= 01 5d ef c2 6b 98 30 d0 | natd_hash: ip= c0 01 02 2d | natd_hash: port=500 | natd_hash: hash= e8 17 33 03 4d f9 80 50 1f 26 67 0f 44 00 db 21 | natd_hash: hash= 3e 9a 59 5f 63 83 84 9e 14 92 5a 85 a8 15 a0 67 | ***emit ISAKMP NAT-D Payload: | next payload type: ISAKMP_NEXT_NATD_RFC (0x14) | next payload chain: ignoring supplied 'ISAKMP NAT-D Payload'.'next payload type' value 20:ISAKMP_NEXT_NATD_RFC | next payload chain: setting previous 'ISAKMP Nonce Payload'.'next payload type' to current ISAKMP NAT-D Payload (20:ISAKMP_NEXT_NATD_RFC) | next payload chain: saving location 'ISAKMP NAT-D Payload'.'next payload type' in 'reply packet' | emitting 32 raw bytes of NAT-D into ISAKMP NAT-D Payload | NAT-D e8 17 33 03 4d f9 80 50 1f 26 67 0f 44 00 db 21 | NAT-D 3e 9a 59 5f 63 83 84 9e 14 92 5a 85 a8 15 a0 67 | emitting length of ISAKMP NAT-D Payload: 36 | natd_hash: hasher=0x55c3e0873ca0(32) | natd_hash: icookie= b4 bc 8a 9d ef a6 cf 19 | natd_hash: rcookie= 01 5d ef c2 6b 98 30 d0 | natd_hash: ip= c0 01 02 17 | natd_hash: port=500 | natd_hash: hash= 0e b2 54 d4 fe 28 bb 1a e6 3a 9b f9 08 93 9d e4 | natd_hash: hash= 35 00 b5 04 ed 3b 77 76 4c d1 51 6d 74 58 cf 37 | ***emit ISAKMP NAT-D Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP NAT-D Payload'.'next payload type' to current ISAKMP NAT-D Payload (20:ISAKMP_NEXT_NATD_RFC) | next payload chain: saving location 'ISAKMP NAT-D Payload'.'next payload type' in 'reply packet' | emitting 32 raw bytes of NAT-D into ISAKMP NAT-D Payload | NAT-D 0e b2 54 d4 fe 28 bb 1a e6 3a 9b f9 08 93 9d e4 | NAT-D 35 00 b5 04 ed 3b 77 76 4c d1 51 6d 74 58 cf 37 | emitting length of ISAKMP NAT-D Payload: 36 | no IKEv1 message padding required | emitting length of ISAKMP Message: 396 | State DB: re-hashing IKEv1 state #5 IKE SPIi and SPI[ir] | complete v1 state transition 
with STF_OK | [RE]START processing: state #5 connection "TUNNEL-C" from 192.1.2.45 (in complete_v1_state_transition() at ikev1.c:2673) | #5 is idle | doing_xauth:no, t_xauth_client_done:no | peer supports fragmentation | peer supports DPD | IKEv1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2 | parent state #5: MAIN_I1(half-open IKE SA) => MAIN_I2(open IKE SA) | event_already_set, deleting event | state #5 requesting EVENT_CRYPTO_TIMEOUT to be deleted | libevent_free: release ptr-libevent@0x7f0810003f28 | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x7f0800002b78 | sending reply packet to 192.1.2.45:500 (from 192.1.2.23:500) | sending 396 bytes for STATE_MAIN_I1 through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #5) |
!event_already_set at reschedule | event_schedule: new EVENT_RETRANSMIT-pe@0x7f0800002b78 | inserting event EVENT_RETRANSMIT, timeout in 0.5 seconds for #5 | libevent_malloc: new ptr-libevent@0x55c3e1618808 size 128 | #5 STATE_MAIN_I2: retransmits: first event in 0.5 seconds; timeout in 60 seconds; limit of 12 retransmits; current time is 29842.015956 "TUNNEL-C" #5: STATE_MAIN_I2: sent MI2, expecting MR2 | modecfg pull: noquirk policy:push not-client | phase 1 is done, looking for phase 2 to unpend | resume sending helper answer for #5 suppresed complete_v1_state_transition() | #5 spent 0.334 milliseconds in resume sending helper answer | stop processing: state #5 connection "TUNNEL-C" from 192.1.2.45 (in resume_handler() at server.c:833) | libevent_free: release ptr-libevent@0x7f080c004fd8 | spent 0.00221 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 396 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500)
| start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | b4 bc 8a 9d ef a6 cf 19 | responder cookie: | 01 5d ef c2 6b 98 30 d0 | next payload type: ISAKMP_NEXT_KE (0x4) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_IDPROT (0x2) | flags: none (0x0) | Message ID: 0 (0x0) | length: 396 (0x18c) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_IDPROT (2) | State DB: found IKEv1 state #5 in MAIN_I2 (find_state_ikev1) | start processing: state #5 connection "TUNNEL-C" from 192.1.2.45 (in process_v1_packet() at ikev1.c:1459) | #5 is idle | #5 idle | got payload 0x10 (ISAKMP_NEXT_KE) needed: 0x410 opt: 0x102080 | ***parse ISAKMP Key Exchange Payload: | next payload type: ISAKMP_NEXT_NONCE (0xa) | length: 260 (0x104) | got payload 0x400 (ISAKMP_NEXT_NONCE) needed: 0x400 opt: 0x102080 | ***parse ISAKMP Nonce Payload: | next payload type: ISAKMP_NEXT_NATD_RFC (0x14) | length: 36 (0x24) | got payload 0x100000 (ISAKMP_NEXT_NATD_RFC) needed: 0x0 opt: 0x102080 | ***parse ISAKMP NAT-D Payload: | next payload type: ISAKMP_NEXT_NATD_RFC (0x14) | length: 36 (0x24) | got payload 0x100000 (ISAKMP_NEXT_NATD_RFC) needed: 0x0 opt: 0x102080 | ***parse ISAKMP NAT-D Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 36 (0x24) | message 'main_inR2_outI3' HASH payload not checked early | started looking for secret for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org->C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org of kind PKK_PSK | actually looking for secret for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, 
CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org->C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org of kind PKK_PSK | line 0: key type PKK_PSK(C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org) to type PKK_RSA | line 1: key type PKK_PSK(C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org) to type PKK_RSA | concluding with best_match=000 best=(nil) (lineno=-1) | no PreShared Key Found | adding aggr outR1 DH work-order 10 for state #5 | state #5 requesting EVENT_RETRANSMIT to be deleted | #5 STATE_MAIN_I2: retransmits: cleared | libevent_free: release ptr-libevent@0x55c3e1618808 | free_event_entry: release EVENT_RETRANSMIT-pe@0x7f0800002b78 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x7f0800002b78 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #5 | libevent_malloc: new ptr-libevent@0x7f080c004fd8 size 128 | complete v1 state transition with STF_SUSPEND | [RE]START processing: state #5 connection "TUNNEL-C" from 192.1.2.45 (in complete_v1_state_transition() at ikev1.c:2648) | suspending state #5 and saving MD | crypto helper 2 resuming | #5 is busy; has a suspended MD | crypto helper 2 starting work-order 10 for state #5 | #5 spent 0.0793 milliseconds in process_packet_tail() | crypto helper 2 doing compute dh+iv (V1 Phase 1) (aggr outR1 DH); request ID 10 | stop processing: from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:380) | stop processing: state #5 connection "TUNNEL-C" from 192.1.2.45 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.227 milliseconds in comm_handle_cb() reading and processing packet | crypto helper 2 finished compute dh+iv (V1 Phase 1) (aggr outR1 DH); request ID 10 time elapsed 0.001169 seconds | (#5) spent 
1.18 milliseconds in crypto helper computing work-order 10: aggr outR1 DH (pcr) | crypto helper 2 sending results from work-order 10 for state #5 to event queue | scheduling resume sending helper answer for #5 | libevent_malloc: new ptr-libevent@0x7f081000bcf8 size 128 | crypto helper 2 waiting (nothing to do) | processing resume sending helper answer for #5 | start processing: state #5 connection "TUNNEL-C" from 192.1.2.45 (in resume_handler() at server.c:797) | crypto helper 2 replies to request ID 10 | calling continuation function 0x55c3e079eb50 | main_inR2_outI3_cryptotail for #5: calculated DH, sending R1 | **emit ISAKMP Message: | initiator cookie: | b4 bc 8a 9d ef a6 cf 19 | responder cookie: | 01 5d ef c2 6b 98 30 d0 | next payload type: ISAKMP_NEXT_ID (0x5) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_IDPROT (0x2) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 0 (0x0) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | next payload chain: ignoring supplied 'ISAKMP Message'.'next payload type' value 5:ISAKMP_NEXT_ID | thinking about whether to send my certificate: | I have RSA key: OAKLEY_RSA_SIG cert.type: CERT_X509_SIGNATURE | sendcert: CERT_ALWAYSSEND and I did not get a certificate request | so send cert. 
| I am sending a certificate request | I will NOT send an initial contact payload | init checking NAT-T: enabled; RFC 3947 (NAT-Traversal) | natd_hash: hasher=0x55c3e0873ca0(32) | natd_hash: icookie= b4 bc 8a 9d ef a6 cf 19 | natd_hash: rcookie= 01 5d ef c2 6b 98 30 d0 | natd_hash: ip= c0 01 02 17 | natd_hash: port=500 | natd_hash: hash= 0e b2 54 d4 fe 28 bb 1a e6 3a 9b f9 08 93 9d e4 | natd_hash: hash= 35 00 b5 04 ed 3b 77 76 4c d1 51 6d 74 58 cf 37 | natd_hash: hasher=0x55c3e0873ca0(32) | natd_hash: icookie= b4 bc 8a 9d ef a6 cf 19 | natd_hash: rcookie= 01 5d ef c2 6b 98 30 d0 | natd_hash: ip= c0 01 02 2d | natd_hash: port=500 | natd_hash: hash= e8 17 33 03 4d f9 80 50 1f 26 67 0f 44 00 db 21 | natd_hash: hash= 3e 9a 59 5f 63 83 84 9e 14 92 5a 85 a8 15 a0 67 | expected NAT-D(me): 0e b2 54 d4 fe 28 bb 1a e6 3a 9b f9 08 93 9d e4 | expected NAT-D(me): 35 00 b5 04 ed 3b 77 76 4c d1 51 6d 74 58 cf 37 | expected NAT-D(him): | e8 17 33 03 4d f9 80 50 1f 26 67 0f 44 00 db 21 | 3e 9a 59 5f 63 83 84 9e 14 92 5a 85 a8 15 a0 67 | received NAT-D: 0e b2 54 d4 fe 28 bb 1a e6 3a 9b f9 08 93 9d e4 | received NAT-D: 35 00 b5 04 ed 3b 77 76 4c d1 51 6d 74 58 cf 37 | received NAT-D: e8 17 33 03 4d f9 80 50 1f 26 67 0f 44 00 db 21 | received NAT-D: 3e 9a 59 5f 63 83 84 9e 14 92 5a 85 a8 15 a0 67 | NAT_TRAVERSAL encaps using auto-detect | NAT_TRAVERSAL this end is NOT behind NAT | NAT_TRAVERSAL that end is NOT behind NAT | NAT_TRAVERSAL nat-keepalive enabled 192.1.2.45 | NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: no NAT detected | NAT_T_WITH_KA detected | ***emit ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_CERT (0x6) | ID type: ID_DER_ASN1_DN (0x9) | Protocol ID: 0 (0x0) | port: 0 (0x0) | next payload chain: ignoring supplied 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' value 6:ISAKMP_NEXT_CERT | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Identification 
Payload (IPsec DOI) (5:ISAKMP_NEXT_ID) | next payload chain: saving location 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' in 'reply packet' | emitting 183 raw bytes of my identity into ISAKMP Identification Payload (IPsec DOI) | emitting length of ISAKMP Identification Payload (IPsec DOI): 191 "TUNNEL-C" #5: I am sending my cert | ***emit ISAKMP Certificate Payload: | next payload type: ISAKMP_NEXT_CR (0x7) | cert encoding: CERT_X509_SIGNATURE (0x4) | next payload chain: ignoring supplied 'ISAKMP Certificate Payload'.'next payload type' value 7:ISAKMP_NEXT_CR | next payload chain: setting previous 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' to current ISAKMP Certificate Payload (6:ISAKMP_NEXT_CERT) | next payload chain: saving location 'ISAKMP Certificate Payload'.'next payload type' in 'reply packet' | emitting 1260 raw bytes of CERT into ISAKMP Certificate Payload | emitting length of ISAKMP Certificate Payload: 1265 "TUNNEL-C" #5: I am sending a certificate request | ***emit ISAKMP Certificate RequestPayload: | next payload type: ISAKMP_NEXT_SIG (0x9) | cert type: CERT_X509_SIGNATURE (0x4) | next payload chain: ignoring supplied 'ISAKMP Certificate RequestPayload'.'next payload type' value 9:ISAKMP_NEXT_SIG | next payload chain: setting previous 'ISAKMP Certificate Payload'.'next payload type' to current ISAKMP Certificate RequestPayload (7:ISAKMP_NEXT_CR) | next payload chain: saving location 'ISAKMP Certificate RequestPayload'.'next payload type' in 'reply packet' | emitting length of ISAKMP Certificate RequestPayload: 5 | started looking for secret for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org->C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org of kind PKK_RSA | searching for certificate PKK_RSA:AwEAAbEef vs PKK_RSA:AwEAAbEef | ***emit ISAKMP Signature Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Certificate RequestPayload'.'next payload type' to current ISAKMP Signature Payload (9:ISAKMP_NEXT_SIG) | next payload chain: saving location 'ISAKMP Signature Payload'.'next payload type' in 'reply packet' | emitting 384 raw bytes of SIG_I into ISAKMP Signature Payload | emitting length of ISAKMP Signature Payload: 388 | Not sending INITIAL_CONTACT | emitting 7 zero bytes of encryption padding into ISAKMP Message | no IKEv1 message padding required | emitting length of ISAKMP Message: 1884 | complete v1 state transition with STF_OK | [RE]START processing: state #5 connection "TUNNEL-C" from 192.1.2.45 (in complete_v1_state_transition() at ikev1.c:2673) | #5 is idle | doing_xauth:no, t_xauth_client_done:no | IKEv1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3 | parent state #5: MAIN_I2(open IKE SA) => MAIN_I3(open IKE SA) | event_already_set, deleting event | state #5 requesting EVENT_CRYPTO_TIMEOUT to be deleted | libevent_free: release ptr-libevent@0x7f080c004fd8 | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x7f0800002b78 | sending reply packet to 192.1.2.45:500 (from 192.1.2.23:500) | sending 1884 bytes for STATE_MAIN_I2 through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #5) | !event_already_set at reschedule | event_schedule: new EVENT_RETRANSMIT-pe@0x7f0800002b78 | inserting event EVENT_RETRANSMIT, timeout in 0.5 seconds for #5 | libevent_malloc: new ptr-libevent@0x55c3e1618808 size 128 | #5 STATE_MAIN_I3: retransmits: first event in 0.5 seconds; timeout in 60 seconds; limit of 12 retransmits; current time is 29842.028717 "TUNNEL-C" #5: STATE_MAIN_I3: sent MI3, 
expecting MR3 | modecfg pull: noquirk policy:push not-client | phase 1 is done, looking for phase 2 to unpend | resume sending helper answer for #5 suppresed complete_v1_state_transition() | #5 spent 9.24 milliseconds in resume sending helper answer | stop processing: state #5 connection "TUNNEL-C" from 192.1.2.45 (in resume_handler() at server.c:833) | libevent_free: release ptr-libevent@0x7f081000bcf8 | spent 0.00262 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 1884 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500) | start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | b4 bc 8a 9d ef a6 cf 19 | responder cookie: | 01 5d ef c2 6b 98 30 d0 | next payload type: ISAKMP_NEXT_ID (0x5) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_IDPROT (0x2) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 0 (0x0) | length: 1884 (0x75c) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_IDPROT (2) | State DB: found IKEv1 state #5 in MAIN_I3 (find_state_ikev1) | start processing: state #5 connection "TUNNEL-C" from 192.1.2.45 (in process_v1_packet() at ikev1.c:1459) | #5 is idle | #5 idle | received encrypted packet from 192.1.2.45:500 | got payload 0x20 (ISAKMP_NEXT_ID) needed: 0x220 opt: 0x20c0 | ***parse ISAKMP Identification Payload: | next payload type: ISAKMP_NEXT_CERT (0x6) | length: 191 (0xbf) | ID type: ID_DER_ASN1_DN (0x9) | DOI specific A: 0 (0x0) | DOI specific B: 0 (0x0) | got payload 0x40 (ISAKMP_NEXT_CERT) needed: 0x200 opt: 0x20c0 | ***parse ISAKMP Certificate Payload: | next payload type: ISAKMP_NEXT_SIG (0x9) | length: 1265 (0x4f1) | cert encoding: CERT_X509_SIGNATURE (0x4) | got payload 0x200 (ISAKMP_NEXT_SIG) needed: 0x200 opt: 0x20c0 | ***parse ISAKMP Signature Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 388 (0x184) | removing 12 bytes of padding | message 'main_inR3' HASH payload not checked early "TUNNEL-C" #5: Peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' | global one-shot timer EVENT_FREE_ROOT_CERTS scheduled in 300 seconds | #5 spent 0.00477 milliseconds in find_and_verify_certs() calling get_root_certs() | checking for known CERT payloads | saving certificate of type 'X509_SIGNATURE' | decoded cert: E=user-west@testing.libreswan.org,CN=west.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA | #5 spent 0.0613 milliseconds in find_and_verify_certs() calling decode_cert_payloads() | cert_issuer_has_current_crl: looking for a CRL issued by E=testing@libreswan.org,CN=Libreswan test CA for 
mainca,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA | #5 spent 0.103 milliseconds in find_and_verify_certs() calling crl_update_check() | missing or expired CRL | crl_strict: 0, ocsp: 0, ocsp_strict: 0, ocsp_post: 0 | verify_end_cert trying profile IPsec | certificate is valid (profile IPsec) | #5 spent 0.114 milliseconds in find_and_verify_certs() calling verify_end_cert() "TUNNEL-C" #5: certificate verified OK: E=user-west@testing.libreswan.org,CN=west.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55c3e161d088 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55c3e15fecc8 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55c3e160c168 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55c3e15fd0f8 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55c3e1601ab8 | unreference key: 0x55c3e160a368 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org cnt 1-- | #5 spent 0.28 milliseconds in decode_certs() calling add_pubkey_from_nss_cert() | #5 spent 0.591 milliseconds in decode_certs() | ID_DER_ASN1_DN 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' needs further ID comparison against 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' | ID_DER_ASN1_DN 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' matched our ID | SAN ID matched, updating that.cert | X509: CERT and ID matches current connection | required RSA CA is '%any' | checking RSA keyid 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' for match with 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, 
CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' | trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | key issuer CA is 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | an RSA Sig check passed with *AwEAAZd0v [remote certificates] | #5 spent 0.171 milliseconds in try_all_RSA_keys() trying a pubkey "TUNNEL-C" #5: Authenticated using RSA | FOR_EACH_CONNECTION_... in ISAKMP_SA_established | complete v1 state transition with STF_OK | [RE]START processing: state #5 connection "TUNNEL-C" from 192.1.2.45 (in complete_v1_state_transition() at ikev1.c:2673) | #5 is idle | doing_xauth:no, t_xauth_client_done:no | IKEv1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4 | parent state #5: MAIN_I3(open IKE SA) => MAIN_I4(established IKE SA) | event_already_set, deleting event | state #5 requesting EVENT_RETRANSMIT to be deleted | #5 STATE_MAIN_I4: retransmits: cleared | libevent_free: release ptr-libevent@0x55c3e1618808 | free_event_entry: release EVENT_RETRANSMIT-pe@0x7f0800002b78 | !event_already_set at reschedule | event_schedule: new EVENT_SA_REPLACE-pe@0x7f0800002b78 | inserting event EVENT_SA_REPLACE, timeout in 57 seconds for #5 | libevent_malloc: new ptr-libevent@0x7f081000bcf8 size 128 | pstats #5 ikev1.isakmp established "TUNNEL-C" #5: STATE_MAIN_I4: ISAKMP SA established {auth=RSA_SIG cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048} | DPD: dpd_init() called on ISAKMP SA | DPD: Peer supports Dead Peer Detection | DPD: not initializing DPD because DPD is disabled locally | modecfg pull: noquirk policy:push not-client | phase 1 is done, looking for phase 2 to unpend | unpending state #5 | #5 spent 1.01 milliseconds in process_packet_tail() | stop processing: from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:380) | stop processing: state #5 connection 
"TUNNEL-C" from 192.1.2.45 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 1.35 milliseconds in comm_handle_cb() reading and processing packet | spent 0.00287 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | NAT-T keep-alive (bogus ?) should not reach this point. Ignored. Sender: 192.1.2.45:500 | spent 0.0124 milliseconds in comm_handle_cb() reading and processing packet | processing global timer EVENT_NAT_T_KEEPALIVE | FOR_EACH_STATE_... in nat_traversal_ka_event (for_each_state) | start processing: state #5 connection "TUNNEL-C" from 192.1.2.45 (in for_each_state() at state.c:1575) | not behind NAT: no NAT-T KEEP-ALIVE required for conn TUNNEL-C | stop processing: state #5 connection "TUNNEL-C" from 192.1.2.45 (in for_each_state() at state.c:1577) | start processing: state #4 connection "TUNNEL-C" from 192.1.2.45:500 (in for_each_state() at state.c:1575) | not behind NAT: no NAT-T KEEP-ALIVE required for conn TUNNEL-C | [RE]START processing: state #4 connection "TUNNEL-C" from 192.1.2.45:500 (in nat_traversal_send_ka() at nat_traversal.c:774) | ka_event: send NAT-KA to 192.1.2.45:500 (state=#4) | sending NAT-T Keep Alive | sending 1 bytes for NAT-T Keep Alive through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #4) | ff | stop processing: state #4 connection "TUNNEL-C" from 192.1.2.45:500 (in nat_traversal_send_ka() at nat_traversal.c:786) | processing: STOP state #0 (in for_each_state() at state.c:1577) | start processing: state #3 connection "TUNNEL-B" from 192.1.2.45:500 (in for_each_state() at state.c:1575) | not behind NAT: no NAT-T KEEP-ALIVE required for conn TUNNEL-B | [RE]START processing: state #3 connection "TUNNEL-B" from 192.1.2.45:500 (in nat_traversal_send_ka() at nat_traversal.c:774) | ka_event: send NAT-KA to 192.1.2.45:500 (state=#3) | sending NAT-T Keep Alive | sending 1 bytes for NAT-T Keep Alive through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using 
#3) | ff | stop processing: state #3 connection "TUNNEL-B" from 192.1.2.45:500 (in nat_traversal_send_ka() at nat_traversal.c:786) | processing: STOP state #0 (in for_each_state() at state.c:1577) | start processing: state #2 connection "TUNNEL-A" from 192.1.2.45:500 (in for_each_state() at state.c:1575) | not behind NAT: no NAT-T KEEP-ALIVE required for conn TUNNEL-A | [RE]START processing: state #2 connection "TUNNEL-A" from 192.1.2.45:500 (in nat_traversal_send_ka() at nat_traversal.c:774) | ka_event: send NAT-KA to 192.1.2.45:500 (state=#2) | sending NAT-T Keep Alive | sending 1 bytes for NAT-T Keep Alive through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #2) | ff | stop processing: state #2 connection "TUNNEL-A" from 192.1.2.45:500 (in nat_traversal_send_ka() at nat_traversal.c:786) | processing: STOP state #0 (in for_each_state() at state.c:1577) | start processing: state #1 connection "TUNNEL-C" from 192.1.2.45:500 (in for_each_state() at state.c:1575) | not behind NAT: no NAT-T KEEP-ALIVE required for conn TUNNEL-C | stop processing: state #1 connection "TUNNEL-C" from 192.1.2.45:500 (in for_each_state() at state.c:1577) | global one-shot timer EVENT_NAT_T_KEEPALIVE scheduled in 20 seconds | spent 0.135 milliseconds in global timer EVENT_NAT_T_KEEPALIVE | spent 0.00128 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | NAT-T keep-alive (bogus ?) should not reach this point. Ignored. Sender: 192.1.2.45:500 | spent 0.0068 milliseconds in comm_handle_cb() reading and processing packet | spent 0.0014 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | NAT-T keep-alive (bogus ?) should not reach this point. Ignored. 
Sender: 192.1.2.45:500 | spent 0.0065 milliseconds in comm_handle_cb() reading and processing packet | timer_event_cb: processing event@0x55c3e1595938 | handling event EVENT_SA_EXPIRE for parent state #1 | start processing: state #1 connection "TUNNEL-C" from 192.1.2.45:500 (in timer_event_cb() at timer.c:250) | picked newest_isakmp_sa #5 for #1 | IKE SA expired (superseded by #5) | pstats #1 ikev1.isakmp deleted completed | [RE]START processing: state #1 connection "TUNNEL-C" from 192.1.2.45:500 (in delete_state() at state.c:879) "TUNNEL-C" #1: deleting state (STATE_MAIN_R3) aged 60.014s and sending notification | parent state #1: MAIN_R3(established IKE SA) => delete | #1 send IKEv1 delete notification for STATE_MAIN_R3 | **emit ISAKMP Message: | initiator cookie: | 50 48 d3 e7 c5 a5 6d 29 | responder cookie: | ba db bc b1 d4 d2 34 51 | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_INFO (0x5) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 3659582334 (0xda20cb7e) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Hash Payload (8:ISAKMP_NEXT_HASH) | next payload chain: saving location 'ISAKMP Hash Payload'.'next payload type' in 'delete msg' | emitting 32 zero bytes of HASH DATA into ISAKMP Hash Payload | emitting length of ISAKMP Hash Payload: 36 | ***emit ISAKMP Delete Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | DOI: ISAKMP_DOI_IPSEC (0x1) | protocol ID: 1 (0x1) | SPI size: 16 (0x10) | number of SPIs: 1 (0x1) | next payload chain: setting previous 'ISAKMP Hash Payload'.'next payload type' to current ISAKMP Delete Payload (12:ISAKMP_NEXT_D) | next payload chain: saving location 'ISAKMP Delete Payload'.'next payload type' in 'delete msg' | emitting 8 raw bytes of 
initiator SPI into ISAKMP Delete Payload | initiator SPI 50 48 d3 e7 c5 a5 6d 29 | emitting 8 raw bytes of responder SPI into ISAKMP Delete Payload | responder SPI ba db bc b1 d4 d2 34 51 | emitting length of ISAKMP Delete Payload: 28 | send delete HASH(1): | e3 b2 29 1d c0 84 ff 3f 22 7d e9 97 2b 71 5c c1 | 2c db d4 e7 04 b9 12 fb 2c 7e 16 66 b0 f8 0b 91 | no IKEv1 message padding required | emitting length of ISAKMP Message: 92 | sending 92 bytes for delete notify through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #1) | 50 48 d3 e7 c5 a5 6d 29 ba db bc b1 d4 d2 34 51 | 08 10 05 01 da 20 cb 7e 00 00 00 5c ab ea 17 19 | 2d da d8 f2 a2 b4 fe 3b c0 dd 44 9e 14 a8 77 1e | 02 0a d9 2b 00 57 69 ec 01 66 a8 cb 7d 41 0a 79 | c5 98 3f 17 49 86 5d 81 3c 30 7e c3 28 e6 51 21 | 1e 8a a1 b7 b0 ee 35 5a 0d 40 f0 64 | State DB: IKEv1 state not found (flush_incomplete_children) | in connection_discard for connection TUNNEL-C | State DB: deleting IKEv1 state #1 in MAIN_R3 | parent state #1: MAIN_R3(established IKE SA) => UNDEFINED(ignore) | unreference key: 0x55c3e15f56a8 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org cnt 2-- | stop processing: state #1 from 192.1.2.45:500 (in delete_state() at state.c:1143) | unreference key: 0x55c3e15f56a8 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org cnt 1-- | unreference key: 0x55c3e15fdd48 user-west@testing.libreswan.org cnt 1-- | unreference key: 0x55c3e160a8d8 @west.testing.libreswan.org cnt 1-- | unreference key: 0x55c3e15fdf98 west@testing.libreswan.org cnt 1-- | unreference key: 0x55c3e160b308 192.1.2.45 cnt 1-- | libevent_free: release ptr-libevent@0x55c3e15eede8 | free_event_entry: release EVENT_SA_EXPIRE-pe@0x55c3e1595938 | in statetime_stop() and could not find #1 | processing: STOP state #0 (in timer_event_cb() at timer.c:557) | spent 0.00186 milliseconds in 
comm_handle_cb() calling check_incoming_msg_errqueue() | *received 92 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500) | 50 48 d3 e7 c5 a5 6d 29 ba db bc b1 d4 d2 34 51 | 08 10 05 01 76 e0 9c b3 00 00 00 5c b3 d0 de 14 | 03 b8 c0 e8 78 85 8e d3 ea 88 52 f9 26 1b 39 c6 | d0 52 4b 9a b3 f4 09 07 9a f3 d1 42 93 0b c5 3b | 5b d1 50 c7 5d f7 ea 31 06 f5 67 bb d8 9c 42 b2 | 2d 18 aa 09 9c 8a eb af 24 1d 52 e7 | start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 50 48 d3 e7 c5 a5 6d 29 | responder cookie: | ba db bc b1 d4 d2 34 51 | next payload type: ISAKMP_NEXT_HASH (0x8) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_INFO (0x5) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 1994431667 (0x76e09cb3) | length: 92 (0x5c) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_INFO (5) | peer and cookies match on #4; msgid=00000000 st_msgid=7b61d43e st_msgid_phase15=00000000 | peer and cookies match on #3; msgid=00000000 st_msgid=d8c9a0c1 st_msgid_phase15=00000000 | peer and cookies match on #2; msgid=00000000 st_msgid=4c11ae0f st_msgid_phase15=00000000 | State DB: IKEv1 state not found (find_v1_info_state) | State DB: IKEv1 state not found (find_state_ikev1_init) | Informational Exchange is for an unknown (expired?) 
SA with MSGID:0x76e09cb3 | - unknown SA's md->hdr.isa_ike_initiator_spi.bytes: | 50 48 d3 e7 c5 a5 6d 29 | - unknown SA's md->hdr.isa_ike_responder_spi.bytes: | ba db bc b1 d4 d2 34 51 | stop processing: from 192.1.2.45:500 (in process_md() at demux.c:380) | processing: STOP state #0 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.0805 milliseconds in comm_handle_cb() reading and processing packet | spent 0.00317 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 92 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500) | b4 bc 8a 9d ef a6 cf 19 01 5d ef c2 6b 98 30 d0 | 08 10 05 01 a8 e1 98 9a 00 00 00 5c c7 15 94 1c | 5b 43 95 ed 5a 92 91 6a 97 a2 f0 cd 28 41 0c 58 | 82 c6 1f 95 16 df eb d0 2c 75 c7 e7 49 8b 7a 4c | c0 a7 4e 18 d6 1a b3 4a e6 fb df d4 66 c2 48 c7 | a5 37 88 10 a7 53 f6 5c 79 ef 4c 97 | start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | b4 bc 8a 9d ef a6 cf 19 | responder cookie: | 01 5d ef c2 6b 98 30 d0 | next payload type: ISAKMP_NEXT_HASH (0x8) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_INFO (0x5) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 2833356954 (0xa8e1989a) | length: 92 (0x5c) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_INFO (5) | peer and cookies match on #5; msgid=00000000 st_msgid=00000000 st_msgid_phase15=00000000 | p15 state object #5 found, in STATE_MAIN_I4 | State DB: found IKEv1 state #5 in MAIN_I4 (find_v1_info_state) | start processing: state #5 connection "TUNNEL-C" from 192.1.2.45 (in process_v1_packet() at ikev1.c:1479) | #5 is idle | #5 idle | received encrypted packet from 192.1.2.45:500 | got payload 0x100 (ISAKMP_NEXT_HASH) needed: 0x100 opt: 0x0 | ***parse ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_D (0xc) | length: 36 (0x24) | got payload 0x1000 (ISAKMP_NEXT_D) needed: 0x0 opt: 0x0 
| ***parse ISAKMP Delete Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 16 (0x10) | DOI: ISAKMP_DOI_IPSEC (0x1) | protocol ID: 3 (0x3) | SPI size: 4 (0x4) | number of SPIs: 1 (0x1) | removing 12 bytes of padding | informational HASH(1): | d3 69 53 e1 fa 0a 28 5d 96 14 59 3d 7c 86 bd 7c | 30 fb 0b 81 50 a3 98 4a 4e 36 07 dc 7e c6 b5 bb | received 'informational' message HASH(1) data ok | parsing 4 raw bytes of ISAKMP Delete Payload into SPI | SPI 37 2c 7d b6 | FOR_EACH_STATE_... in find_phase2_state_to_delete | start processing: connection "TUNNEL-B" (BACKGROUND) (in accept_delete() at ikev1_main.c:2515) "TUNNEL-C" #5: received Delete SA(0x372c7db6) payload: deleting IPsec State #3 | pstats #3 ikev1.ipsec deleted completed | suspend processing: state #5 connection "TUNNEL-C" from 192.1.2.45 (in delete_state() at state.c:879) | start processing: state #3 connection "TUNNEL-B" from 192.1.2.45:500 (in delete_state() at state.c:879) "TUNNEL-B" #3: deleting other state #3 connection (STATE_QUICK_R2) "TUNNEL-B" aged 69.923s and sending notification | child state #3: QUICK_R2(established CHILD SA) => delete | get_sa_info esp.372c7db6@192.1.2.45 | get_sa_info esp.4cadbfb4@192.1.2.23 "TUNNEL-B" #3: ESP traffic information: in=336B out=336B | #3 send IKEv1 delete notification for STATE_QUICK_R2 | FOR_EACH_STATE_... 
in find_phase1_state | **emit ISAKMP Message: | initiator cookie: | b4 bc 8a 9d ef a6 cf 19 | responder cookie: | 01 5d ef c2 6b 98 30 d0 | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_INFO (0x5) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 1972138514 (0x758c7212) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Hash Payload (8:ISAKMP_NEXT_HASH) | next payload chain: saving location 'ISAKMP Hash Payload'.'next payload type' in 'delete msg' | emitting 32 zero bytes of HASH DATA into ISAKMP Hash Payload | emitting length of ISAKMP Hash Payload: 36 | ***emit ISAKMP Delete Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | DOI: ISAKMP_DOI_IPSEC (0x1) | protocol ID: 3 (0x3) | SPI size: 4 (0x4) | number of SPIs: 1 (0x1) | next payload chain: setting previous 'ISAKMP Hash Payload'.'next payload type' to current ISAKMP Delete Payload (12:ISAKMP_NEXT_D) | next payload chain: saving location 'ISAKMP Delete Payload'.'next payload type' in 'delete msg' | emitting 4 raw bytes of delete payload into ISAKMP Delete Payload | delete payload 4c ad bf b4 | emitting length of ISAKMP Delete Payload: 16 | send delete HASH(1): | 0b 5c 47 14 68 89 12 4d 4d c4 8a b7 0d eb d3 d8 | 43 3c 8e 29 25 18 1b 98 ee 1c 12 2d 1c 55 6f 7c | emitting 12 zero bytes of encryption padding into ISAKMP Message | no IKEv1 message padding required | emitting length of ISAKMP Message: 92 | sending 92 bytes for delete notify through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #5) | b4 bc 8a 9d ef a6 cf 19 01 5d ef c2 6b 98 30 d0 | 08 10 05 01 75 8c 72 12 00 00 00 5c 7d 54 0d 9f | 94 8f 0d 3a e2 83 f9 12 96 57 b2 b3 ba 65 36 0c | 8f 31 d1 46 24 7a 66 6e c5 d5 cc 73 20 02 a6 0c | a3 08 fa 19 e2 b5 29 27 73 a1 a4 7d 
57 58 30 9c | 2e 17 06 be 18 39 25 31 24 66 71 1e | state #3 requesting EVENT_SA_REPLACE to be deleted | libevent_free: release ptr-libevent@0x7f07fc001f78 | free_event_entry: release EVENT_SA_REPLACE-pe@0x7f0810004218 | running updown command "ipsec _updown" for verb down | command executing down-client | executing down-client: PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='TUNNEL-B' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' PLUTO_MY_CLIENT='192.0.2.244/32' PLUTO_MY_CLIENT_NET='192.0.2.244' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' PLUTO_PEER_CLIENT='192.0.1.254/32' PLUTO_PEER_CLIENT_NET='192.0.1.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1566844497' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_C | popen cmd is 1324 chars long | cmd( 0):PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='TUNNEL-B' PLUTO_I: | cmd( 80):NTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='C: | cmd( 160):=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.lib: | cmd( 240):reswan.org, E=user-east@testing.libreswan.org' PLUTO_MY_CLIENT='192.0.2.244/32' : | cmd( 320):PLUTO_MY_CLIENT_NET='192.0.2.244' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_M: | cmd( 400):Y_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUT: | cmd( 480):O_PEER='192.1.2.45' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, 
O=Libreswan, OU=: | cmd( 560):Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.or: | cmd( 640):g' PLUTO_PEER_CLIENT='192.0.1.254/32' PLUTO_PEER_CLIENT_NET='192.0.1.254' PLUTO_: | cmd( 720):PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' P: | cmd( 800):LUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1566844497' PLUTO_CONN_POLIC: | cmd( 880):Y='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUT: | cmd( 960):O_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_MY_: | cmd(1040):SOURCEIP='192.0.2.244' PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER: | cmd(1120):_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' P: | cmd(1200):LUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x37: | cmd(1280):2c7db6 SPI_OUT=0x4cadbfb4 ipsec _updown 2>&1: | shunt_eroute() called for connection 'TUNNEL-B' to 'replace with shunt' for rt_kind 'prospective erouted' using protoports 0--0->-0 | netlink_shunt_eroute for proto 0, and source port 0 dest port 0 | priority calculation of connection "TUNNEL-B" is 0xfdfdf | IPsec Sa SPD priority set to 1040351 | delete esp.372c7db6@192.1.2.45 | netlink response for Del SA esp.372c7db6@192.1.2.45 included non-error error | priority calculation of connection "TUNNEL-B" is 0xfdfdf | delete inbound eroute 192.0.1.254/32:0 --0-> 192.0.2.244/32:0 => unk255.10000@192.1.2.23 (raw_eroute) | raw_eroute result=success | delete esp.4cadbfb4@192.1.2.23 | netlink response for Del SA esp.4cadbfb4@192.1.2.23 included non-error error | stop processing: connection "TUNNEL-B" (BACKGROUND) (in update_state_connection() at connections.c:4076) | start processing: connection NULL (in update_state_connection() at connections.c:4077) | in connection_discard for connection TUNNEL-B | State DB: deleting IKEv1 state #3 in QUICK_R2 | child state #3: QUICK_R2(established CHILD SA) => UNDEFINED(ignore) | 
stop processing: state #3 from 192.1.2.45:500 (in delete_state() at state.c:1143) | resume processing: state #5 connection "TUNNEL-C" from 192.1.2.45 (in delete_state() at state.c:1143) | connection 'TUNNEL-B' -POLICY_UP | Deleting states for connection - not including other IPsec SA's | pass 0 | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete | state #5 | state #4 | state #2 | pass 1 | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete | state #5 | state #4 | state #2 | processing: STOP connection NULL (in accept_delete() at ikev1_main.c:2556) | processing: STOP connection NULL (in accept_delete() at ikev1_main.c:2559) | del: | in statetime_start() with no state | complete v1 state transition with STF_IGNORE | stop processing: from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:380) | stop processing: state #5 connection "TUNNEL-C" from 192.1.2.45 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 1.14 milliseconds in comm_handle_cb() reading and processing packet | spent 0.00197 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 92 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500) | b4 bc 8a 9d ef a6 cf 19 01 5d ef c2 6b 98 30 d0 | 08 10 05 01 7c a3 7a 9c 00 00 00 5c d4 30 55 21 | eb 69 80 90 ed f8 60 78 f7 76 7f df 4c 32 58 56 | 1f ee 79 49 a7 4d fd 97 16 7f 90 71 c5 55 85 80 | 3f d9 0e 62 a6 3d 74 19 d0 79 a5 08 88 b5 ba 44 | da 03 a7 15 d8 b6 cf 6a 8f 6a 45 c8 | start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | b4 bc 8a 9d ef a6 cf 19 | responder cookie: | 01 5d ef c2 6b 98 30 d0 | next payload type: ISAKMP_NEXT_HASH (0x8) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_INFO (0x5) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 2091088540 (0x7ca37a9c) | length: 92 (0x5c) | processing version=1.0 packet with exchange 
type=ISAKMP_XCHG_INFO (5) | peer and cookies match on #5; msgid=00000000 st_msgid=00000000 st_msgid_phase15=00000000 | p15 state object #5 found, in STATE_MAIN_I4 | State DB: found IKEv1 state #5 in MAIN_I4 (find_v1_info_state) | start processing: state #5 connection "TUNNEL-C" from 192.1.2.45 (in process_v1_packet() at ikev1.c:1479) | #5 is idle | #5 idle | received encrypted packet from 192.1.2.45:500 | got payload 0x100 (ISAKMP_NEXT_HASH) needed: 0x100 opt: 0x0 | ***parse ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_D (0xc) | length: 36 (0x24) | got payload 0x1000 (ISAKMP_NEXT_D) needed: 0x0 opt: 0x0 | ***parse ISAKMP Delete Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 28 (0x1c) | DOI: ISAKMP_DOI_IPSEC (0x1) | protocol ID: 1 (0x1) | SPI size: 16 (0x10) | number of SPIs: 1 (0x1) | informational HASH(1): | 29 0c 7f a8 2c b9 2b 19 01 ee d0 83 f8 34 ab 08 | 05 25 99 92 29 28 19 a3 80 fd 91 e5 af 73 84 aa | received 'informational' message HASH(1) data ok | parsing 8 raw bytes of ISAKMP Delete Payload into iCookie | iCookie b4 bc 8a 9d ef a6 cf 19 | parsing 8 raw bytes of ISAKMP Delete Payload into rCookie | rCookie 01 5d ef c2 6b 98 30 d0 | State DB: found IKEv1 state #5 in MAIN_I4 (find_state_ikev1) | del: "TUNNEL-C" #5: received Delete SA payload: self-deleting ISAKMP State #5 | pstats #5 ikev1.isakmp deleted completed | [RE]START processing: state #5 connection "TUNNEL-C" from 192.1.2.45 (in delete_state() at state.c:879) "TUNNEL-C" #5: deleting state (STATE_MAIN_I4) aged 11.039s and sending notification | parent state #5: MAIN_I4(established IKE SA) => delete | #5 send IKEv1 delete notification for STATE_MAIN_I4 | **emit ISAKMP Message: | initiator cookie: | b4 bc 8a 9d ef a6 cf 19 | responder cookie: | 01 5d ef c2 6b 98 30 d0 | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_INFO (0x5) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 1228273002 
(0x4935f56a) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Hash Payload (8:ISAKMP_NEXT_HASH) | next payload chain: saving location 'ISAKMP Hash Payload'.'next payload type' in 'delete msg' | emitting 32 zero bytes of HASH DATA into ISAKMP Hash Payload | emitting length of ISAKMP Hash Payload: 36 | ***emit ISAKMP Delete Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | DOI: ISAKMP_DOI_IPSEC (0x1) | protocol ID: 1 (0x1) | SPI size: 16 (0x10) | number of SPIs: 1 (0x1) | next payload chain: setting previous 'ISAKMP Hash Payload'.'next payload type' to current ISAKMP Delete Payload (12:ISAKMP_NEXT_D) | next payload chain: saving location 'ISAKMP Delete Payload'.'next payload type' in 'delete msg' | emitting 8 raw bytes of initiator SPI into ISAKMP Delete Payload | initiator SPI b4 bc 8a 9d ef a6 cf 19 | emitting 8 raw bytes of responder SPI into ISAKMP Delete Payload | responder SPI 01 5d ef c2 6b 98 30 d0 | emitting length of ISAKMP Delete Payload: 28 | send delete HASH(1): | 3b d0 71 b4 12 24 fa 94 6b b8 50 ec 9c b3 eb 8c | a8 5c 66 81 89 fd d2 5c 75 22 81 bf 6d 3c 02 f9 | no IKEv1 message padding required | emitting length of ISAKMP Message: 92 | sending 92 bytes for delete notify through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #5) | b4 bc 8a 9d ef a6 cf 19 01 5d ef c2 6b 98 30 d0 | 08 10 05 01 49 35 f5 6a 00 00 00 5c 53 76 bb 84 | 28 16 08 66 87 2b e8 4d a1 35 37 4d 96 fa 53 87 | 78 45 98 0b 49 29 4e e6 6c a6 4a 37 69 db 41 98 | d0 ca 03 a4 91 20 db a7 a7 a1 6d 89 44 75 85 cc | d9 f8 47 75 5b b7 78 44 12 19 c1 84 | state #5 requesting EVENT_SA_REPLACE to be deleted | libevent_free: release ptr-libevent@0x7f081000bcf8 | free_event_entry: release EVENT_SA_REPLACE-pe@0x7f0800002b78 | State DB: IKEv1 state not found (flush_incomplete_children) | in 
connection_discard for connection TUNNEL-C | State DB: deleting IKEv1 state #5 in MAIN_I4 | parent state #5: MAIN_I4(established IKE SA) => UNDEFINED(ignore) | unreference key: 0x55c3e16014c8 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org cnt 2-- | stop processing: state #5 from 192.1.2.45 (in delete_state() at state.c:1143) | unreference key: 0x55c3e16014c8 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org cnt 1-- | unreference key: 0x55c3e161e268 user-west@testing.libreswan.org cnt 1-- | unreference key: 0x55c3e1601c38 @west.testing.libreswan.org cnt 1-- | unreference key: 0x55c3e16215a8 west@testing.libreswan.org cnt 1-- | unreference key: 0x55c3e1601f78 192.1.2.45 cnt 1-- | in statetime_start() with no state | complete v1 state transition with STF_IGNORE | stop processing: from 192.1.2.45:500 (in process_md() at demux.c:380) | processing: STOP state #0 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.482 milliseconds in comm_handle_cb() reading and processing packet | processing signal PLUTO_SIGCHLD | waitpid returned ECHILD (no child processes left) | spent 0.00447 milliseconds in signal handler PLUTO_SIGCHLD | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) | FOR_EACH_CONNECTION_... in show_connections_status | FOR_EACH_CONNECTION_... in show_connections_status | FOR_EACH_STATE_... in show_states_status (sort_states) | FOR_EACH_STATE_... 
in sort_states | get_sa_info esp.f581f61c@192.1.2.23 | get_sa_info esp.6325f223@192.1.2.45 | get_sa_info esp.4dd21397@192.1.2.23 | get_sa_info esp.ed20532c@192.1.2.45 | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.528 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722) shutting down | processing: RESET whack log_fd (was fd@16) (in exit_pluto() at plutomain.c:1825) destroying root certificate cache | certs and keys locked by 'free_preshared_secrets' forgetting secrets | certs and keys unlocked by 'free_preshared_secrets' | unreference key: 0x55c3e15f5188 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org cnt 1-- | unreference key: 0x55c3e15f4bf8 user-east@testing.libreswan.org cnt 1-- | unreference key: 0x55c3e15f3828 @east.testing.libreswan.org cnt 1-- | unreference key: 0x55c3e15f3168 east@testing.libreswan.org cnt 1-- | unreference key: 0x55c3e15f61e8 192.1.2.23 cnt 1-- | start processing: connection "TUNNEL-C" (in delete_connection() at connections.c:189) | Deleting states for connection - including all other IPsec SA's of this IKE SA | pass 0 | FOR_EACH_STATE_... 
in foreach_state_by_connection_func_delete | state #4 | suspend processing: connection "TUNNEL-C" (in foreach_state_by_connection_func_delete() at state.c:1310) | start processing: state #4 connection "TUNNEL-C" from 192.1.2.45:500 (in foreach_state_by_connection_func_delete() at state.c:1310) | pstats #4 ikev1.ipsec deleted completed | [RE]START processing: state #4 connection "TUNNEL-C" from 192.1.2.45:500 (in delete_state() at state.c:879) "TUNNEL-C" #4: deleting state (STATE_QUICK_R2) aged 71.389s and sending notification | child state #4: QUICK_R2(established CHILD SA) => delete | get_sa_info esp.ed20532c@192.1.2.45 | get_sa_info esp.4dd21397@192.1.2.23 "TUNNEL-C" #4: ESP traffic information: in=336B out=336B | #4 send IKEv1 delete notification for STATE_QUICK_R2 | FOR_EACH_STATE_... in find_phase1_state | no Phase 1 state for Delete | state #4 requesting EVENT_SA_REPLACE to be deleted | libevent_free: release ptr-libevent@0x7f08140027d8 | free_event_entry: release EVENT_SA_REPLACE-pe@0x7f0808002b78 | running updown command "ipsec _updown" for verb down | command executing down-client | executing down-client: PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='TUNNEL-C' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' PLUTO_MY_CLIENT='192.0.2.234/32' PLUTO_MY_CLIENT_NET='192.0.2.234' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16396' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' PLUTO_PEER_CLIENT='192.0.1.254/32' PLUTO_PEER_CLIENT_NET='192.0.1.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1566844497' 
PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_C | popen cmd is 1324 chars long | cmd( 0):PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='TUNNEL-C' PLUTO_I: | cmd( 80):NTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='C: | cmd( 160):=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.lib: | cmd( 240):reswan.org, E=user-east@testing.libreswan.org' PLUTO_MY_CLIENT='192.0.2.234/32' : | cmd( 320):PLUTO_MY_CLIENT_NET='192.0.2.234' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_M: | cmd( 400):Y_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16396' PLUTO_SA_TYPE='ESP' PLUT: | cmd( 480):O_PEER='192.1.2.45' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=: | cmd( 560):Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.or: | cmd( 640):g' PLUTO_PEER_CLIENT='192.0.1.254/32' PLUTO_PEER_CLIENT_NET='192.0.1.254' PLUTO_: | cmd( 720):PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' P: | cmd( 800):LUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1566844497' PLUTO_CONN_POLIC: | cmd( 880):Y='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUT: | cmd( 960):O_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_MY_: | cmd(1040):SOURCEIP='192.0.2.234' PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER: | cmd(1120):_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' P: | cmd(1200):LUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0xed: | cmd(1280):20532c SPI_OUT=0x4dd21397 ipsec _updown 2>&1: | shunt_eroute() called for connection 'TUNNEL-C' to 'replace with shunt' for rt_kind 'prospective erouted' using protoports 0--0->-0 | netlink_shunt_eroute for proto 0, and source port 0 dest port 0 | priority calculation of connection "TUNNEL-C" is 0xfdfdf | IPsec Sa SPD 
priority set to 1040351 | delete esp.ed20532c@192.1.2.45 | netlink response for Del SA esp.ed20532c@192.1.2.45 included non-error error | priority calculation of connection "TUNNEL-C" is 0xfdfdf | delete inbound eroute 192.0.1.254/32:0 --0-> 192.0.2.234/32:0 => unk255.10000@192.1.2.23 (raw_eroute) | raw_eroute result=success | delete esp.4dd21397@192.1.2.23 | netlink response for Del SA esp.4dd21397@192.1.2.23 included non-error error | stop processing: connection "TUNNEL-C" (BACKGROUND) (in update_state_connection() at connections.c:4076) | start processing: connection NULL (in update_state_connection() at connections.c:4077) | in connection_discard for connection TUNNEL-C | State DB: deleting IKEv1 state #4 in QUICK_R2 | child state #4: QUICK_R2(established CHILD SA) => UNDEFINED(ignore) | stop processing: state #4 from 192.1.2.45:500 (in delete_state() at state.c:1143) | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312) | state #2 | pass 1 | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete | state #2 | shunt_eroute() called for connection 'TUNNEL-C' to 'delete' for rt_kind 'unrouted' using protoports 0--0->-0 | netlink_shunt_eroute for proto 0, and source port 0 dest port 0 | priority calculation of connection "TUNNEL-C" is 0xfdfdf | priority calculation of connection "TUNNEL-C" is 0xfdfdf | FOR_EACH_CONNECTION_... 
in route_owner | conn TUNNEL-C mark 0/00000000, 0/00000000 vs | conn TUNNEL-C mark 0/00000000, 0/00000000 | conn TUNNEL-C mark 0/00000000, 0/00000000 vs | conn TUNNEL-B mark 0/00000000, 0/00000000 | conn TUNNEL-C mark 0/00000000, 0/00000000 vs | conn TUNNEL-A mark 0/00000000, 0/00000000 | route owner of "TUNNEL-C" unrouted: "TUNNEL-A" erouted | flush revival: connection 'TUNNEL-C' wasn't on the list | processing: STOP connection NULL (in discard_connection() at connections.c:249) | start processing: connection "TUNNEL-B" (in delete_connection() at connections.c:189) | Deleting states for connection - including all other IPsec SA's of this IKE SA | pass 0 | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete | state #2 | pass 1 | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete | state #2 | shunt_eroute() called for connection 'TUNNEL-B' to 'delete' for rt_kind 'unrouted' using protoports 0--0->-0 | netlink_shunt_eroute for proto 0, and source port 0 dest port 0 | priority calculation of connection "TUNNEL-B" is 0xfdfdf | priority calculation of connection "TUNNEL-B" is 0xfdfdf | FOR_EACH_CONNECTION_... in route_owner | conn TUNNEL-B mark 0/00000000, 0/00000000 vs | conn TUNNEL-B mark 0/00000000, 0/00000000 | conn TUNNEL-B mark 0/00000000, 0/00000000 vs | conn TUNNEL-A mark 0/00000000, 0/00000000 | route owner of "TUNNEL-B" unrouted: "TUNNEL-A" erouted | flush revival: connection 'TUNNEL-B' wasn't on the list | stop processing: connection "TUNNEL-B" (in discard_connection() at connections.c:249) | start processing: connection "TUNNEL-A" (in delete_connection() at connections.c:189) | Deleting states for connection - including all other IPsec SA's of this IKE SA | pass 0 | FOR_EACH_STATE_... 
in foreach_state_by_connection_func_delete | state #2 | suspend processing: connection "TUNNEL-A" (in foreach_state_by_connection_func_delete() at state.c:1310) | start processing: state #2 connection "TUNNEL-A" from 192.1.2.45:500 (in foreach_state_by_connection_func_delete() at state.c:1310) | pstats #2 ikev1.ipsec deleted completed | [RE]START processing: state #2 connection "TUNNEL-A" from 192.1.2.45:500 (in delete_state() at state.c:879) "TUNNEL-A" #2: deleting state (STATE_QUICK_R2) aged 71.582s and sending notification | child state #2: QUICK_R2(established CHILD SA) => delete | get_sa_info esp.6325f223@192.1.2.45 | get_sa_info esp.f581f61c@192.1.2.23 "TUNNEL-A" #2: ESP traffic information: in=336B out=336B | #2 send IKEv1 delete notification for STATE_QUICK_R2 | FOR_EACH_STATE_... in find_phase1_state | no Phase 1 state for Delete | state #2 requesting EVENT_SA_REPLACE to be deleted | libevent_free: release ptr-libevent@0x7f0804003618 | free_event_entry: release EVENT_SA_REPLACE-pe@0x55c3e15faed8 | running updown command "ipsec _updown" for verb down | command executing down-client | executing down-client: PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='TUNNEL-A' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' PLUTO_MY_CLIENT='192.0.2.254/32' PLUTO_MY_CLIENT_NET='192.0.2.254' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' PLUTO_PEER_CLIENT='192.0.1.254/32' PLUTO_PEER_CLIENT_NET='192.0.1.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1566844497' 
PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_C | popen cmd is 1324 chars long | cmd( 0):PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='TUNNEL-A' PLUTO_I: | cmd( 80):NTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='C: | cmd( 160):=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.lib: | cmd( 240):reswan.org, E=user-east@testing.libreswan.org' PLUTO_MY_CLIENT='192.0.2.254/32' : | cmd( 320):PLUTO_MY_CLIENT_NET='192.0.2.254' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_M: | cmd( 400):Y_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUT: | cmd( 480):O_PEER='192.1.2.45' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=: | cmd( 560):Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.or: | cmd( 640):g' PLUTO_PEER_CLIENT='192.0.1.254/32' PLUTO_PEER_CLIENT_NET='192.0.1.254' PLUTO_: | cmd( 720):PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' P: | cmd( 800):LUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1566844497' PLUTO_CONN_POLIC: | cmd( 880):Y='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUT: | cmd( 960):O_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_MY_: | cmd(1040):SOURCEIP='192.0.2.254' PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER: | cmd(1120):_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' P: | cmd(1200):LUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x63: | cmd(1280):25f223 SPI_OUT=0xf581f61c ipsec _updown 2>&1: | shunt_eroute() called for connection 'TUNNEL-A' to 'replace with shunt' for rt_kind 'prospective erouted' using protoports 0--0->-0 | netlink_shunt_eroute for proto 0, and source port 0 dest port 0 | priority calculation of connection "TUNNEL-A" is 0xfdfdf | IPsec Sa SPD 
priority set to 1040351 | delete esp.6325f223@192.1.2.45 | netlink response for Del SA esp.6325f223@192.1.2.45 included non-error error | priority calculation of connection "TUNNEL-A" is 0xfdfdf | delete inbound eroute 192.0.1.254/32:0 --0-> 192.0.2.254/32:0 => unk255.10000@192.1.2.23 (raw_eroute) | raw_eroute result=success | delete esp.f581f61c@192.1.2.23 | netlink response for Del SA esp.f581f61c@192.1.2.23 included non-error error | stop processing: connection "TUNNEL-A" (BACKGROUND) (in update_state_connection() at connections.c:4076) | start processing: connection NULL (in update_state_connection() at connections.c:4077) | in connection_discard for connection TUNNEL-A | State DB: deleting IKEv1 state #2 in QUICK_R2 | child state #2: QUICK_R2(established CHILD SA) => UNDEFINED(ignore) | stop processing: state #2 from 192.1.2.45:500 (in delete_state() at state.c:1143) | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312) | pass 1 | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete | shunt_eroute() called for connection 'TUNNEL-A' to 'delete' for rt_kind 'unrouted' using protoports 0--0->-0 | netlink_shunt_eroute for proto 0, and source port 0 dest port 0 | priority calculation of connection "TUNNEL-A" is 0xfdfdf | priority calculation of connection "TUNNEL-A" is 0xfdfdf | FOR_EACH_CONNECTION_... 
in route_owner | conn TUNNEL-A mark 0/00000000, 0/00000000 vs | conn TUNNEL-A mark 0/00000000, 0/00000000 | route owner of "TUNNEL-A" unrouted: NULL | running updown command "ipsec _updown" for verb unroute | command executing unroute-client | executing unroute-client: PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='TUNNEL-A' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' PLUTO_MY_CLIENT='192.0.2.254/32' PLUTO_MY_CLIENT_NET='192.0.2.254' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' PLUTO_PEER_CLIENT='192.0.1.254/32' PLUTO_PEER_CLIENT_NET='192.0.1.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CON | popen cmd is 1305 chars long | cmd( 0):PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='TUNNEL-A' PLUT: | cmd( 80):O_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID: | cmd( 160):='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.: | cmd( 240):libreswan.org, E=user-east@testing.libreswan.org' PLUTO_MY_CLIENT='192.0.2.254/3: | cmd( 320):2' PLUTO_MY_CLIENT_NET='192.0.2.254' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUT: | cmd( 400):O_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='none' : | cmd( 480):PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan,: | cmd( 560): OU=Test Department, 
CN=west.testing.libreswan.org, E=user-west@testing.libreswa: | cmd( 640):n.org' PLUTO_PEER_CLIENT='192.0.1.254/32' PLUTO_PEER_CLIENT_NET='192.0.1.254' PL: | cmd( 720):UTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL=': | cmd( 800):0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RS: | cmd( 880):ASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CON: | cmd( 960):N_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_MY_SOURC: | cmd(1040):EIP='192.0.2.254' PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMA: | cmd(1120):IN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_: | cmd(1200):NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_O: | cmd(1280):UT=0x0 ipsec _updown 2>&1: unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. 
| free hp@0x55c3e15f3428 | flush revival: connection 'TUNNEL-A' wasn't on the list | processing: STOP connection NULL (in discard_connection() at connections.c:249) | crl fetch request list locked by 'free_crl_fetch' | crl fetch request list unlocked by 'free_crl_fetch' shutting down interface lo/lo 127.0.0.1:4500 shutting down interface lo/lo 127.0.0.1:500 shutting down interface eth0/eth0 192.0.2.254:4500 shutting down interface eth0/eth0 192.0.2.254:500 shutting down interface eth0:1/eth0:1 192.0.2.244:4500 shutting down interface eth0:1/eth0:1 192.0.2.244:500 shutting down interface eth0:2/eth0:2 192.0.2.234:4500 shutting down interface eth0:2/eth0:2 192.0.2.234:500 shutting down interface eth1/eth1 192.1.2.23:4500 shutting down interface eth1/eth1 192.1.2.23:500 | FOR_EACH_STATE_... in delete_states_dead_interfaces | libevent_free: release ptr-libevent@0x55c3e15e16b8 | free_event_entry: release EVENT_NULL-pe@0x55c3e15ed648 | libevent_free: release ptr-libevent@0x55c3e1587d38 | free_event_entry: release EVENT_NULL-pe@0x55c3e15ed6f8 | libevent_free: release ptr-libevent@0x55c3e1587688 | free_event_entry: release EVENT_NULL-pe@0x55c3e15ed7a8 | libevent_free: release ptr-libevent@0x55c3e1586f58 | free_event_entry: release EVENT_NULL-pe@0x55c3e15ed858 | libevent_free: release ptr-libevent@0x55c3e1587058 | free_event_entry: release EVENT_NULL-pe@0x55c3e15ed908 | libevent_free: release ptr-libevent@0x55c3e1587108 | free_event_entry: release EVENT_NULL-pe@0x55c3e15edf78 | libevent_free: release ptr-libevent@0x55c3e15ee098 | free_event_entry: release EVENT_NULL-pe@0x55c3e15ee028 | libevent_free: release ptr-libevent@0x55c3e15ee1f8 | free_event_entry: release EVENT_NULL-pe@0x55c3e15ee188 | libevent_free: release ptr-libevent@0x55c3e15ee358 | free_event_entry: release EVENT_NULL-pe@0x55c3e15ee2e8 | libevent_free: release ptr-libevent@0x55c3e15ee4b8 | free_event_entry: release EVENT_NULL-pe@0x55c3e15ee448 | FOR_EACH_UNORIENTED_CONNECTION_... 
in check_orientations | libevent_free: release ptr-libevent@0x55c3e15e1768 | free_event_entry: release EVENT_NULL-pe@0x55c3e15d5908 | libevent_free: release ptr-libevent@0x55c3e1587c88 | free_event_entry: release EVENT_NULL-pe@0x55c3e15d5468 | libevent_free: release ptr-libevent@0x55c3e15ce468 | free_event_entry: release EVENT_NULL-pe@0x55c3e158f3e8 | global timer EVENT_REINIT_SECRET uninitialized | global timer EVENT_SHUNT_SCAN uninitialized | global timer EVENT_PENDING_DDNS uninitialized | global timer EVENT_PENDING_PHASE2 uninitialized | global timer EVENT_CHECK_CRLS uninitialized | global timer EVENT_REVIVE_CONNS uninitialized | global timer EVENT_FREE_ROOT_CERTS uninitialized | global timer EVENT_RESET_LOG_RATE_LIMIT uninitialized | global timer EVENT_NAT_T_KEEPALIVE uninitialized | libevent_free: release ptr-libevent@0x55c3e15939a8 | signal event handler PLUTO_SIGCHLD uninstalled | libevent_free: release ptr-libevent@0x55c3e1508f08 | signal event handler PLUTO_SIGTERM uninstalled | libevent_free: release ptr-libevent@0x55c3e1501618 | signal event handler PLUTO_SIGHUP uninstalled | libevent_free: release ptr-libevent@0x55c3e15016e8 | signal event handler PLUTO_SIGSYS uninstalled | releasing event base | libevent_free: release ptr-libevent@0x55c3e15ecdc8 | libevent_free: release ptr-libevent@0x55c3e15cfd28 | libevent_free: release ptr-libevent@0x55c3e15cfcd8 | libevent_free: release ptr-libevent@0x55c3e15eeef8 | libevent_free: release ptr-libevent@0x55c3e15cfc98 | libevent_free: release ptr-libevent@0x55c3e15eca58 | libevent_free: release ptr-libevent@0x55c3e15eccc8 | libevent_free: release ptr-libevent@0x55c3e15cfed8 | libevent_free: release ptr-libevent@0x55c3e15d54d8 | libevent_free: release ptr-libevent@0x55c3e15d5138 | libevent_free: release ptr-libevent@0x55c3e15ee568 | libevent_free: release ptr-libevent@0x55c3e15ee408 | libevent_free: release ptr-libevent@0x55c3e15ee2a8 | libevent_free: release ptr-libevent@0x55c3e15ee148 | libevent_free: release 
ptr-libevent@0x55c3e15edfe8 | libevent_free: release ptr-libevent@0x55c3e15edf38 | libevent_free: release ptr-libevent@0x55c3e15ed8c8 | libevent_free: release ptr-libevent@0x55c3e15ed818 | libevent_free: release ptr-libevent@0x55c3e15ed768 | libevent_free: release ptr-libevent@0x55c3e15ed6b8 | libevent_free: release ptr-libevent@0x55c3e1508038 | libevent_free: release ptr-libevent@0x55c3e15ecd48 | libevent_free: release ptr-libevent@0x55c3e15ecd08 | libevent_free: release ptr-libevent@0x55c3e15ecbc8 | libevent_free: release ptr-libevent@0x55c3e15ecd88 | libevent_free: release ptr-libevent@0x55c3e15eca98 | libevent_free: release ptr-libevent@0x55c3e1595538 | libevent_free: release ptr-libevent@0x55c3e15954b8 | libevent_free: release ptr-libevent@0x55c3e15083a8 | releasing global libevent data | libevent_free: release ptr-libevent@0x55c3e15956b8 | libevent_free: release ptr-libevent@0x55c3e1595638 | libevent_free: release ptr-libevent@0x55c3e15955b8 leak detective found no leaks