FIPS Product: YES
FIPS Kernel: NO
FIPS Mode: NO
NSS DB directory: sql:/etc/ipsec.d
Initializing NSS
Opening NSS database "sql:/etc/ipsec.d" read-only
NSS initialized
NSS crypto library initialized
FIPS HMAC integrity support [enabled]
FIPS mode disabled for pluto daemon
FIPS HMAC integrity verification self-test FAILED
libcap-ng support [enabled]
Linux audit support [enabled]
Linux audit activated
Starting Pluto (Libreswan Version v3.28-685-gbfd5aef521-master-s2 XFRM(netkey) esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) DNSSEC FIPS_CHECK LABELED_IPSEC SECCOMP LIBCAP_NG LINUX_AUDIT XAUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:26945
core dump dir: /var/tmp
secrets file: /etc/ipsec.secrets
leak-detective enabled
NSS crypto [enabled]
XAUTH PAM support [enabled]
| libevent is using pluto's memory allocator
Initializing libevent in pthreads mode: headers: 2.1.8-stable (2010800); library: 2.1.8-stable (2010800)
| libevent_malloc: new ptr-libevent@0x559e01bd7988 size 40
| libevent_malloc: new ptr-libevent@0x559e01bd7cd8 size 40
| libevent_malloc: new ptr-libevent@0x559e01bd7dd8 size 40
| creating event base
| libevent_malloc: new ptr-libevent@0x559e01c5cd68 size 56
| libevent_malloc: new ptr-libevent@0x559e01c00718 size 664
| libevent_malloc: new ptr-libevent@0x559e01c5cdd8 size 24
| libevent_malloc: new ptr-libevent@0x559e01c5ce28 size 384
| libevent_malloc: new ptr-libevent@0x559e01c5cd28 size 16
| libevent_malloc: new ptr-libevent@0x559e01bd7908 size 40
| libevent_malloc: new ptr-libevent@0x559e01bd7d38 size 48
| libevent_realloc: new ptr-libevent@0x559e01c003a8 size 256
| libevent_malloc: new ptr-libevent@0x559e01c5cfd8 size 16
| libevent_free: release ptr-libevent@0x559e01c5cd68
| libevent initialized
| libevent_realloc: new ptr-libevent@0x559e01c5cd68 size 64
| global periodic timer EVENT_RESET_LOG_RATE_LIMIT enabled with interval of 3600 seconds
| init_nat_traversal() initialized with keep_alive=0s
NAT-Traversal support  [enabled]
| global one-shot timer EVENT_NAT_T_KEEPALIVE initialized
| global one-shot timer EVENT_FREE_ROOT_CERTS initialized
| global periodic timer EVENT_REINIT_SECRET enabled with interval of 3600 seconds
| global one-shot timer EVENT_REVIVE_CONNS initialized
| global periodic timer EVENT_PENDING_DDNS enabled with interval of 60 seconds
| global periodic timer EVENT_PENDING_PHASE2 enabled with interval of 120 seconds
Encryption algorithms:
  AES_CCM_16              IKEv1:     ESP     IKEv2:     ESP     FIPS  {256,192,*128}  aes_ccm, aes_ccm_c
  AES_CCM_12              IKEv1:     ESP     IKEv2:     ESP     FIPS  {256,192,*128}  aes_ccm_b
  AES_CCM_8               IKEv1:     ESP     IKEv2:     ESP     FIPS  {256,192,*128}  aes_ccm_a
  3DES_CBC                IKEv1: IKE ESP     IKEv2: IKE ESP     FIPS  [*192]  3des
  CAMELLIA_CTR            IKEv1:     ESP     IKEv2:     ESP           {256,192,*128}
  CAMELLIA_CBC            IKEv1: IKE ESP     IKEv2: IKE ESP           {256,192,*128}  camellia
  AES_GCM_16              IKEv1:     ESP     IKEv2: IKE ESP     FIPS  {256,192,*128}  aes_gcm, aes_gcm_c
  AES_GCM_12              IKEv1:     ESP     IKEv2: IKE ESP     FIPS  {256,192,*128}  aes_gcm_b
  AES_GCM_8               IKEv1:     ESP     IKEv2: IKE ESP     FIPS  {256,192,*128}  aes_gcm_a
  AES_CTR                 IKEv1: IKE ESP     IKEv2: IKE ESP     FIPS  {256,192,*128}  aesctr
  AES_CBC                 IKEv1: IKE ESP     IKEv2: IKE ESP     FIPS  {256,192,*128}  aes
  SERPENT_CBC             IKEv1: IKE ESP     IKEv2: IKE ESP           {256,192,*128}  serpent
  TWOFISH_CBC             IKEv1: IKE ESP     IKEv2: IKE ESP           {256,192,*128}  twofish
  TWOFISH_SSH             IKEv1: IKE         IKEv2: IKE ESP           {256,192,*128}  twofish_cbc_ssh
  NULL_AUTH_AES_GMAC      IKEv1:     ESP     IKEv2:     ESP     FIPS  {256,192,*128}  aes_gmac
  NULL                    IKEv1:     ESP     IKEv2:     ESP           []
  CHACHA20_POLY1305       IKEv1:             IKEv2: IKE ESP           [*256]  chacha20poly1305
Hash algorithms:
  MD5                     IKEv1: IKE         IKEv2:                 
  SHA1                    IKEv1: IKE         IKEv2:             FIPS  sha
  SHA2_256                IKEv1: IKE         IKEv2:             FIPS  sha2, sha256
  SHA2_384                IKEv1: IKE         IKEv2:             FIPS  sha384
  SHA2_512                IKEv1: IKE         IKEv2:             FIPS  sha512
PRF algorithms:
  HMAC_MD5                IKEv1: IKE         IKEv2: IKE               md5
  HMAC_SHA1               IKEv1: IKE         IKEv2: IKE         FIPS  sha, sha1
  HMAC_SHA2_256           IKEv1: IKE         IKEv2: IKE         FIPS  sha2, sha256, sha2_256
  HMAC_SHA2_384           IKEv1: IKE         IKEv2: IKE         FIPS  sha384, sha2_384
  HMAC_SHA2_512           IKEv1: IKE         IKEv2: IKE         FIPS  sha512, sha2_512
  AES_XCBC                IKEv1:             IKEv2: IKE               aes128_xcbc
Integrity algorithms:
  HMAC_MD5_96             IKEv1: IKE ESP AH  IKEv2: IKE ESP AH        md5, hmac_md5
  HMAC_SHA1_96            IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  sha, sha1, sha1_96, hmac_sha1
  HMAC_SHA2_512_256       IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  sha512, sha2_512, sha2_512_256, hmac_sha2_512
  HMAC_SHA2_384_192       IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  sha384, sha2_384, sha2_384_192, hmac_sha2_384
  HMAC_SHA2_256_128       IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256
  HMAC_SHA2_256_TRUNCBUG  IKEv1:     ESP AH  IKEv2:         AH      
  AES_XCBC_96             IKEv1:     ESP AH  IKEv2: IKE ESP AH        aes_xcbc, aes128_xcbc, aes128_xcbc_96
  AES_CMAC_96             IKEv1:     ESP AH  IKEv2:     ESP AH  FIPS  aes_cmac
  NONE                    IKEv1:     ESP     IKEv2: IKE ESP     FIPS  null
DH algorithms:
  NONE                    IKEv1:             IKEv2: IKE ESP AH  FIPS  null, dh0
  MODP1536                IKEv1: IKE ESP AH  IKEv2: IKE ESP AH        dh5
  MODP2048                IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  dh14
  MODP3072                IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  dh15
  MODP4096                IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  dh16
  MODP6144                IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  dh17
  MODP8192                IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  dh18
  DH19                    IKEv1: IKE         IKEv2: IKE ESP AH  FIPS  ecp_256, ecp256
  DH20                    IKEv1: IKE         IKEv2: IKE ESP AH  FIPS  ecp_384, ecp384
  DH21                    IKEv1: IKE         IKEv2: IKE ESP AH  FIPS  ecp_521, ecp521
  DH31                    IKEv1: IKE         IKEv2: IKE ESP AH        curve25519
testing CAMELLIA_CBC:
  Camellia: 16 bytes with 128-bit key
  Camellia: 16 bytes with 128-bit key
  Camellia: 16 bytes with 256-bit key
  Camellia: 16 bytes with 256-bit key
testing AES_GCM_16:
  empty string
  one block
  two blocks
  two blocks with associated data
testing AES_CTR:
  Encrypting 16 octets using AES-CTR with 128-bit key
  Encrypting 32 octets using AES-CTR with 128-bit key
  Encrypting 36 octets using AES-CTR with 128-bit key
  Encrypting 16 octets using AES-CTR with 192-bit key
  Encrypting 32 octets using AES-CTR with 192-bit key
  Encrypting 36 octets using AES-CTR with 192-bit key
  Encrypting 16 octets using AES-CTR with 256-bit key
  Encrypting 32 octets using AES-CTR with 256-bit key
  Encrypting 36 octets using AES-CTR with 256-bit key
testing AES_CBC:
  Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key
  Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key
  Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key
  Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key
testing AES_XCBC:
  RFC 3566 Test Case #1: AES-XCBC-MAC-96 with 0-byte input
  RFC 3566 Test Case #2: AES-XCBC-MAC-96 with 3-byte input
  RFC 3566 Test Case #3: AES-XCBC-MAC-96 with 16-byte input
  RFC 3566 Test Case #4: AES-XCBC-MAC-96 with 20-byte input
  RFC 3566 Test Case #5: AES-XCBC-MAC-96 with 32-byte input
  RFC 3566 Test Case #6: AES-XCBC-MAC-96 with 34-byte input
  RFC 3566 Test Case #7: AES-XCBC-MAC-96 with 1000-byte input
  RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 16)
  RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10)
  RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18)
testing HMAC_MD5:
  RFC 2104: MD5_HMAC test 1
  RFC 2104: MD5_HMAC test 2
  RFC 2104: MD5_HMAC test 3
8 CPU cores online
starting up 7 crypto helpers
started thread for crypto helper 0
| starting up helper thread 0
| status value returned by setting the priority of this thread (crypto helper 0) 22
| crypto helper 0 waiting (nothing to do)
started thread for crypto helper 1
started thread for crypto helper 2
started thread for crypto helper 3
| starting up helper thread 3
| status value returned by setting the priority of this thread (crypto helper 3) 22
| crypto helper 3 waiting (nothing to do)
started thread for crypto helper 4
| starting up helper thread 4
| status value returned by setting the priority of this thread (crypto helper 4) 22
| crypto helper 4 waiting (nothing to do)
| starting up helper thread 2
| status value returned by setting the priority of this thread (crypto helper 2) 22
started thread for crypto helper 5
| crypto helper 2 waiting (nothing to do)
| starting up helper thread 5
| status value returned by setting the priority of this thread (crypto helper 5) 22
| crypto helper 5 waiting (nothing to do)
| starting up helper thread 6
| status value returned by setting the priority of this thread (crypto helper 6) 22
| starting up helper thread 1
started thread for crypto helper 6
| crypto helper 6 waiting (nothing to do)
| status value returned by setting the priority of this thread (crypto helper 1) 22
| crypto helper 1 waiting (nothing to do)
| checking IKEv1 state table
|   MAIN_R0: category: half-open IKE SA flags: 0:
|     -> MAIN_R1 EVENT_SO_DISCARD
|   MAIN_I1: category: half-open IKE SA flags: 0:
|     -> MAIN_I2 EVENT_RETRANSMIT
|   MAIN_R1: category: open IKE SA flags: 200:
|     -> MAIN_R2 EVENT_RETRANSMIT
|     -> UNDEFINED EVENT_RETRANSMIT
|     -> UNDEFINED EVENT_RETRANSMIT
|   MAIN_I2: category: open IKE SA flags: 0:
|     -> MAIN_I3 EVENT_RETRANSMIT
|     -> UNDEFINED EVENT_RETRANSMIT
|     -> UNDEFINED EVENT_RETRANSMIT
|   MAIN_R2: category: open IKE SA flags: 0:
|     -> MAIN_R3 EVENT_SA_REPLACE
|     -> MAIN_R3 EVENT_SA_REPLACE
|     -> UNDEFINED EVENT_SA_REPLACE
|   MAIN_I3: category: open IKE SA flags: 0:
|     -> MAIN_I4 EVENT_SA_REPLACE
|     -> MAIN_I4 EVENT_SA_REPLACE
|     -> UNDEFINED EVENT_SA_REPLACE
|   MAIN_R3: category: established IKE SA flags: 200:
|     -> UNDEFINED EVENT_NULL
|   MAIN_I4: category: established IKE SA flags: 0:
|     -> UNDEFINED EVENT_NULL
|   AGGR_R0: category: half-open IKE SA flags: 0:
|     -> AGGR_R1 EVENT_SO_DISCARD
|   AGGR_I1: category: half-open IKE SA flags: 0:
|     -> AGGR_I2 EVENT_SA_REPLACE
|     -> AGGR_I2 EVENT_SA_REPLACE
|   AGGR_R1: category: open IKE SA flags: 200:
|     -> AGGR_R2 EVENT_SA_REPLACE
|     -> AGGR_R2 EVENT_SA_REPLACE
|   AGGR_I2: category: established IKE SA flags: 200:
|     -> UNDEFINED EVENT_NULL
|   AGGR_R2: category: established IKE SA flags: 0:
|     -> UNDEFINED EVENT_NULL
|   QUICK_R0: category: established CHILD SA flags: 0:
|     -> QUICK_R1 EVENT_RETRANSMIT
|   QUICK_I1: category: established CHILD SA flags: 0:
|     -> QUICK_I2 EVENT_SA_REPLACE
|   QUICK_R1: category: established CHILD SA flags: 0:
|     -> QUICK_R2 EVENT_SA_REPLACE
|   QUICK_I2: category: established CHILD SA flags: 200:
|     -> UNDEFINED EVENT_NULL
|   QUICK_R2: category: established CHILD SA flags: 0:
|     -> UNDEFINED EVENT_NULL
|   INFO: category: informational flags: 0:
|     -> UNDEFINED EVENT_NULL
|   INFO_PROTECTED: category: informational flags: 0:
|     -> UNDEFINED EVENT_NULL
|   XAUTH_R0: category: established IKE SA flags: 0:
|     -> XAUTH_R1 EVENT_NULL
|   XAUTH_R1: category: established IKE SA flags: 0:
|     -> MAIN_R3 EVENT_SA_REPLACE
|   MODE_CFG_R0: category: informational flags: 0:
|     -> MODE_CFG_R1 EVENT_SA_REPLACE
|   MODE_CFG_R1: category: established IKE SA flags: 0:
|     -> MODE_CFG_R2 EVENT_SA_REPLACE
|   MODE_CFG_R2: category: established IKE SA flags: 0:
|     -> UNDEFINED EVENT_NULL
|   MODE_CFG_I1: category: established IKE SA flags: 0:
|     -> MAIN_I4 EVENT_SA_REPLACE
|   XAUTH_I0: category: established IKE SA flags: 0:
|     -> XAUTH_I1 EVENT_RETRANSMIT
|   XAUTH_I1: category: established IKE SA flags: 0:
|     -> MAIN_I4 EVENT_RETRANSMIT
| checking IKEv2 state table
|   PARENT_I0: category: ignore flags: 0:
|     -> PARENT_I1 EVENT_RETRANSMIT send-request (initiate IKE_SA_INIT)
|   PARENT_I1: category: half-open IKE SA flags: 0:
|     -> PARENT_I1 EVENT_RETAIN send-request (Initiator: process SA_INIT reply notification)
|     -> PARENT_I2 EVENT_RETRANSMIT send-request (Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH)
|   PARENT_I2: category: open IKE SA flags: 0:
|     -> PARENT_I2 EVENT_NULL (Initiator: process INVALID_SYNTAX AUTH notification)
|     -> PARENT_I2 EVENT_NULL (Initiator: process AUTHENTICATION_FAILED AUTH notification)
|     -> PARENT_I2 EVENT_NULL (Initiator: process UNSUPPORTED_CRITICAL_PAYLOAD AUTH notification)
|     -> V2_IPSEC_I EVENT_SA_REPLACE (Initiator: process IKE_AUTH response)
|     -> PARENT_I2 EVENT_NULL (IKE SA: process IKE_AUTH response containing unknown notification)
|   PARENT_I3: category: established IKE SA flags: 0:
|     -> PARENT_I3 EVENT_RETAIN (I3: Informational Request)
|     -> PARENT_I3 EVENT_RETAIN (I3: Informational Response)
|     -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Request)
|     -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Response)
|   PARENT_R0: category: half-open IKE SA flags: 0:
|     -> PARENT_R1 EVENT_SO_DISCARD send-request (Respond to IKE_SA_INIT)
|   PARENT_R1: category: half-open IKE SA flags: 0:
|     -> PARENT_R1 EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request (no SKEYSEED))
|     -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request)
|   PARENT_R2: category: established IKE SA flags: 0:
|     -> PARENT_R2 EVENT_RETAIN (R2: process Informational Request)
|     -> PARENT_R2 EVENT_RETAIN (R2: process Informational Response)
|     -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Request)
|     -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Response)
|   V2_CREATE_I0: category: established IKE SA flags: 0:
|     -> V2_CREATE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec SA)
|   V2_CREATE_I: category: established IKE SA flags: 0:
|     -> V2_IPSEC_I EVENT_SA_REPLACE (Process CREATE_CHILD_SA IPsec SA Response)
|   V2_REKEY_IKE_I0: category: established IKE SA flags: 0:
|     -> V2_REKEY_IKE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IKE Rekey)
|   V2_REKEY_IKE_I: category: established IKE SA flags: 0:
|     -> PARENT_I3 EVENT_SA_REPLACE (Process CREATE_CHILD_SA IKE Rekey Response)
|   V2_REKEY_CHILD_I0: category: established IKE SA flags: 0:
|     -> V2_REKEY_CHILD_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec Rekey SA)
|   V2_REKEY_CHILD_I: category: established IKE SA flags: 0: <none>
|   V2_CREATE_R: category: established IKE SA flags: 0:
|     -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IPsec SA Request)
|   V2_REKEY_IKE_R: category: established IKE SA flags: 0:
|     -> PARENT_R2 EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IKE Rekey)
|   V2_REKEY_CHILD_R: category: established IKE SA flags: 0: <none>
|   V2_IPSEC_I: category: established CHILD SA flags: 0: <none>
|   V2_IPSEC_R: category: established CHILD SA flags: 0: <none>
|   IKESA_DEL: category: established IKE SA flags: 0:
|     -> IKESA_DEL EVENT_RETAIN (IKE_SA_DEL: process INFORMATIONAL)
|   CHILDSA_DEL: category: informational flags: 0: <none>
Using Linux XFRM/NETKEY IPsec interface code on 5.1.18-200.fc29.x86_64
| Hard-wiring algorithms
| adding AES_CCM_16 to kernel algorithm db
| adding AES_CCM_12 to kernel algorithm db
| adding AES_CCM_8 to kernel algorithm db
| adding 3DES_CBC to kernel algorithm db
| adding CAMELLIA_CBC to kernel algorithm db
| adding AES_GCM_16 to kernel algorithm db
| adding AES_GCM_12 to kernel algorithm db
| adding AES_GCM_8 to kernel algorithm db
| adding AES_CTR to kernel algorithm db
| adding AES_CBC to kernel algorithm db
| adding SERPENT_CBC to kernel algorithm db
| adding TWOFISH_CBC to kernel algorithm db
| adding NULL_AUTH_AES_GMAC to kernel algorithm db
| adding NULL to kernel algorithm db
| adding CHACHA20_POLY1305 to kernel algorithm db
| adding HMAC_MD5_96 to kernel algorithm db
| adding HMAC_SHA1_96 to kernel algorithm db
| adding HMAC_SHA2_512_256 to kernel algorithm db
| adding HMAC_SHA2_384_192 to kernel algorithm db
| adding HMAC_SHA2_256_128 to kernel algorithm db
| adding HMAC_SHA2_256_TRUNCBUG to kernel algorithm db
| adding AES_XCBC_96 to kernel algorithm db
| adding AES_CMAC_96 to kernel algorithm db
| adding NONE to kernel algorithm db
| net.ipv6.conf.all.disable_ipv6=1 ignore ipv6 holes
| global periodic timer EVENT_SHUNT_SCAN enabled with interval of 20 seconds
| setup kernel fd callback
| add_fd_read_event_handler: new KERNEL_XRM_FD-pe@0x559e01c61ae8
| libevent_malloc: new ptr-libevent@0x559e01c01ed8 size 128
| libevent_malloc: new ptr-libevent@0x559e01c61bf8 size 16
| add_fd_read_event_handler: new KERNEL_ROUTE_FD-pe@0x559e01c62608
| libevent_malloc: new ptr-libevent@0x559e01c03918 size 128
| libevent_malloc: new ptr-libevent@0x559e01c625c8 size 16
| global one-shot timer EVENT_CHECK_CRLS initialized
selinux support is enabled.
| unbound context created - setting debug level to 5
| /etc/hosts lookups activated
| /etc/resolv.conf usage activated
| outgoing-port-avoid set 0-65535
| outgoing-port-permit set 32768-60999
| Loading dnssec root key from:/var/lib/unbound/root.key
| No additional dnssec trust anchors defined via dnssec-trusted= option
| Setting up events, loop start
| add_fd_read_event_handler: new PLUTO_CTL_FD-pe@0x559e01c62678
| libevent_malloc: new ptr-libevent@0x559e01c6e808 size 128
| libevent_malloc: new ptr-libevent@0x559e01c79a58 size 16
| libevent_realloc: new ptr-libevent@0x559e01c79a98 size 256
| libevent_malloc: new ptr-libevent@0x559e01c79bc8 size 8
| libevent_realloc: new ptr-libevent@0x559e01c01288 size 144
| libevent_malloc: new ptr-libevent@0x559e01c0d288 size 152
| libevent_malloc: new ptr-libevent@0x559e01c79c08 size 16
| signal event handler PLUTO_SIGCHLD installed
| libevent_malloc: new ptr-libevent@0x559e01c79c48 size 8
| libevent_malloc: new ptr-libevent@0x559e01c04e98 size 152
| signal event handler PLUTO_SIGTERM installed
| libevent_malloc: new ptr-libevent@0x559e01c79c88 size 8
| libevent_malloc: new ptr-libevent@0x559e01c79cc8 size 152
| signal event handler PLUTO_SIGHUP installed
| libevent_malloc: new ptr-libevent@0x559e01c79d98 size 8
| libevent_realloc: release ptr-libevent@0x559e01c01288
| libevent_realloc: new ptr-libevent@0x559e01c79dd8 size 256
| libevent_malloc: new ptr-libevent@0x559e01c79f08 size 152
| signal event handler PLUTO_SIGSYS installed
| created addconn helper (pid:27043) using fork+execve
| forked child 27043
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
listening for IKE messages
| Inspecting interface lo 
| found lo with address 127.0.0.1
| Inspecting interface eth0 
| found eth0 with address 192.0.2.254
| Inspecting interface eth1 
| found eth1 with address 192.1.2.23
Kernel supports NIC esp-hw-offload
adding interface eth1/eth1 (esp-hw-offload not supported by kernel) 192.1.2.23:500
| NAT-Traversal: Trying sockopt style NAT-T
| NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4
adding interface eth1/eth1 192.1.2.23:4500
adding interface eth0/eth0 (esp-hw-offload not supported by kernel) 192.0.2.254:500
| NAT-Traversal: Trying sockopt style NAT-T
| NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4
adding interface eth0/eth0 192.0.2.254:4500
adding interface lo/lo (esp-hw-offload not supported by kernel) 127.0.0.1:500
| NAT-Traversal: Trying sockopt style NAT-T
| NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4
adding interface lo/lo 127.0.0.1:4500
| no interfaces to sort
| FOR_EACH_UNORIENTED_CONNECTION_... in check_orientations
| add_fd_read_event_handler: new ethX-pe@0x559e01c7a468
| libevent_malloc: new ptr-libevent@0x559e01c6e758 size 128
| libevent_malloc: new ptr-libevent@0x559e01c7a4d8 size 16
| setup callback for interface lo 127.0.0.1:4500 fd 22
| add_fd_read_event_handler: new ethX-pe@0x559e01c7a518
| libevent_malloc: new ptr-libevent@0x559e01c00bb8 size 128
| libevent_malloc: new ptr-libevent@0x559e01c7a588 size 16
| setup callback for interface lo 127.0.0.1:500 fd 21
| add_fd_read_event_handler: new ethX-pe@0x559e01c7a5c8
| libevent_malloc: new ptr-libevent@0x559e01c00b08 size 128
| libevent_malloc: new ptr-libevent@0x559e01c7a638 size 16
| setup callback for interface eth0 192.0.2.254:4500 fd 20
| add_fd_read_event_handler: new ethX-pe@0x559e01c7a678
| libevent_malloc: new ptr-libevent@0x559e01c04dc8 size 128
| libevent_malloc: new ptr-libevent@0x559e01c7a6e8 size 16
| setup callback for interface eth0 192.0.2.254:500 fd 19
| add_fd_read_event_handler: new ethX-pe@0x559e01c7a728
| libevent_malloc: new ptr-libevent@0x559e01bddba8 size 128
| libevent_malloc: new ptr-libevent@0x559e01c7a798 size 16
| setup callback for interface eth1 192.1.2.23:4500 fd 18
| add_fd_read_event_handler: new ethX-pe@0x559e01c7a7d8
| libevent_malloc: new ptr-libevent@0x559e01bd81d8 size 128
| libevent_malloc: new ptr-libevent@0x559e01c7a848 size 16
| setup callback for interface eth1 192.1.2.23:500 fd 17
| certs and keys locked by 'free_preshared_secrets'
| certs and keys unlocked by 'free_preshared_secrets'
loading secrets from "/etc/ipsec.secrets"
| saving Modulus
| saving PublicExponent
| ignoring PrivateExponent
| ignoring Prime1
| ignoring Prime2
| ignoring Exponent1
| ignoring Exponent2
| ignoring Coefficient
| ignoring CKAIDNSS
| computed rsa CKAID  61 55 99 73  d3 ac ef 7d  3a 37 0e 3e  82 ad 92 c1
| computed rsa CKAID  8a 82 25 f1
loaded private key for keyid: PKK_RSA:AQO9bJbr3
| certs and keys locked by 'process_secret'
| certs and keys unlocked by 'process_secret'
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.757 milliseconds in whack
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
listening for IKE messages
| Inspecting interface lo 
| found lo with address 127.0.0.1
| Inspecting interface eth0 
| found eth0 with address 192.0.2.254
| Inspecting interface eth1 
| found eth1 with address 192.1.2.23
| no interfaces to sort
| libevent_free: release ptr-libevent@0x559e01c6e758
| free_event_entry: release EVENT_NULL-pe@0x559e01c7a468
| add_fd_read_event_handler: new ethX-pe@0x559e01c7a468
| libevent_malloc: new ptr-libevent@0x559e01c6e758 size 128
| setup callback for interface lo 127.0.0.1:4500 fd 22
| libevent_free: release ptr-libevent@0x559e01c00bb8
| free_event_entry: release EVENT_NULL-pe@0x559e01c7a518
| add_fd_read_event_handler: new ethX-pe@0x559e01c7a518
| libevent_malloc: new ptr-libevent@0x559e01c00bb8 size 128
| setup callback for interface lo 127.0.0.1:500 fd 21
| libevent_free: release ptr-libevent@0x559e01c00b08
| free_event_entry: release EVENT_NULL-pe@0x559e01c7a5c8
| add_fd_read_event_handler: new ethX-pe@0x559e01c7a5c8
| libevent_malloc: new ptr-libevent@0x559e01c00b08 size 128
| setup callback for interface eth0 192.0.2.254:4500 fd 20
| libevent_free: release ptr-libevent@0x559e01c04dc8
| free_event_entry: release EVENT_NULL-pe@0x559e01c7a678
| add_fd_read_event_handler: new ethX-pe@0x559e01c7a678
| libevent_malloc: new ptr-libevent@0x559e01c04dc8 size 128
| setup callback for interface eth0 192.0.2.254:500 fd 19
| libevent_free: release ptr-libevent@0x559e01bddba8
| free_event_entry: release EVENT_NULL-pe@0x559e01c7a728
| add_fd_read_event_handler: new ethX-pe@0x559e01c7a728
| libevent_malloc: new ptr-libevent@0x559e01bddba8 size 128
| setup callback for interface eth1 192.1.2.23:4500 fd 18
| libevent_free: release ptr-libevent@0x559e01bd81d8
| free_event_entry: release EVENT_NULL-pe@0x559e01c7a7d8
| add_fd_read_event_handler: new ethX-pe@0x559e01c7a7d8
| libevent_malloc: new ptr-libevent@0x559e01bd81d8 size 128
| setup callback for interface eth1 192.1.2.23:500 fd 17
| certs and keys locked by 'free_preshared_secrets'
forgetting secrets
| certs and keys unlocked by 'free_preshared_secrets'
loading secrets from "/etc/ipsec.secrets"
| saving Modulus
| saving PublicExponent
| ignoring PrivateExponent
| ignoring Prime1
| ignoring Prime2
| ignoring Exponent1
| ignoring Exponent2
| ignoring Coefficient
| ignoring CKAIDNSS
| computed rsa CKAID  61 55 99 73  d3 ac ef 7d  3a 37 0e 3e  82 ad 92 c1
| computed rsa CKAID  8a 82 25 f1
loaded private key for keyid: PKK_RSA:AQO9bJbr3
| certs and keys locked by 'process_secret'
| certs and keys unlocked by 'process_secret'
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.248 milliseconds in whack
| processing signal PLUTO_SIGCHLD
| waitpid returned pid 27043 (exited with status 0)
| reaped addconn helper child (status 0)
| waitpid returned ECHILD (no child processes left)
| spent 0.0151 milliseconds in signal handler PLUTO_SIGCHLD
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in foreach_connection_by_alias
| FOR_EACH_CONNECTION_... in conn_by_name
| FOR_EACH_CONNECTION_... in foreach_connection_by_alias
| FOR_EACH_CONNECTION_... in conn_by_name
| Added new connection road-eastnet-nonat with policy ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO
| No AUTH policy was set - defaulting to RSASIG
| ike (phase1) algorithm values: AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31
| from whack: got --esp=
| ESP/AH string values: AES_GCM_16_256-NONE, AES_GCM_16_128-NONE, AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128, AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128
| counting wild cards for @road is 0
| counting wild cards for @east is 0
| based upon policy, the connection is a template.
| connect_to_host_pair: 192.1.2.23:500 0.0.0.0:500 -> hp@(nil): none
| new hp@0x559e01c7ce98
added connection description "road-eastnet-nonat"
| ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO
| 192.0.2.0/24===192.1.2.23<192.1.2.23>[@east]---192.1.2.254...%any[@road]===192.0.2.219/32
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.189 milliseconds in whack
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
add keyid @road
| add pubkey  01 03 c7 15  fa 72 27 70  a4 e1 f3 0a  70 21 f9 0c
| add pubkey  3f e2 65 12  87 d9 fd 12  cb af d4 e0  c2 e3 dd 77
| add pubkey  a0 ef aa c7  d6 a2 b2 30  f2 64 b0 c5  e6 c7 a7 27
| add pubkey  17 54 7a 8e  32 c9 ac fd  bf 8f b3 33  b9 74 74 73
| add pubkey  dd 23 83 11  53 d6 d4 91  0e 36 7e 67  fc 89 1e 48
| add pubkey  ac e9 da 2e  66 9d 6e 4f  e2 98 a7 dc  41 b3 a4 37
| add pubkey  f5 07 a9 9c  23 69 83 54  87 7b ea 00  a7 5b ab 2d
| add pubkey  41 34 d1 a3  17 1e a7 64  2d 7f ff 45  7a 5d 85 5c
| add pubkey  73 dd 63 e7  40 ad eb 71  e6 5f 21 43  80 f5 23 4c
| add pubkey  3d 4a 11 2c  ca 9a d6 79  c5 c2 51 6e  af c3 6e 99
| add pubkey  f5 26 1c 67  ee 8a 3e 30  4b c1 93 a7  92 34 36 8c
| add pubkey  bf e6 d0 d3  fe 78 0b 0a  64 04 44 ca  8c 83 fd f1
| add pubkey  2e b5 00 76  61 a6 de f1  59 67 2b 6d  c2 57 e0 f2
| add pubkey  7d 6b 9f d3  46 41 8c 31  c2 fd c4 60  72 08 3b bb
| add pubkey  56 fb 01 fc  1d 57 4e cf  7c 0f c4 6f  72 6f 2a 0e
| add pubkey  f3 30 db a0  80 f9 70 cc  bb 07 a9 f9  d7 76 99 63
| add pubkey  4b 6a 0f 1a  37 95 cb 9b  ea 17 f7 55  62 6b 8a 83
| add pubkey  05 ff 43 78  57 dd bd 08  85 9c f1 62  35 6e 69 c7
| add pubkey  04 0b 4b c4  1b d2 38 89  8c de 56 d0  c8 2c 51 54
| add pubkey  32 1b 7d 27  dc cd 37 7a  4e cb 1a ec  d2 ce 48 ed
| add pubkey  43 48 9c 8a  fc 30 9f b1  57 1c a9 98  e5 84 93 6c
| add pubkey  da 4d cc 95  e3 f5 f2 a5  b3 9d 70 ae  24 8d 08 3b
| add pubkey  0f 8c e9 5a  a5 f0 4d 9c  3c 2f 7f bc  10 95 34 1c
| add pubkey  96 74 29 fc  ab fb 8f 4b  71 aa 0b 26  b5 f0 32 98
| add pubkey  90 6a fd 31  f5 ab
| computed rsa CKAID  1a 15 cc e8  92 73 43 9c  2b f4 20 2a  c1 06 6e f2
| computed rsa CKAID  59 b0 ef 45
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.105 milliseconds in whack
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
add keyid @east
| add pubkey  01 03 bd 6c  96 eb df 78  89 b3 ed 77  0d a1 7f 7b
| add pubkey  e5 16 c2 c9  e4 7d 92 0a  90 9d 55 43  b4 62 13 03
| add pubkey  85 7a e0 26  7b 54 1f ca  09 93 cf ff  25 c9 02 4c
| add pubkey  78 ca 94 e5  3e ac d1 f9  a8 e5 bb 7f  cc 20 84 e0
| add pubkey  21 c9 f0 0d  c5 44 ba f3  48 64 61 58  f6 0f 63 0d
| add pubkey  d2 67 1e 59  8b ec f3 50  39 71 fb 39  da 11 64 b6
| add pubkey  62 cd 5f d3  8d 2e c1 50  ed 9c 6e 22  0c 39 a7 ce
| add pubkey  62 b5 af 8a  80 0f 2e 4c  05 5c 82 c7  8d 29 02 2e
| add pubkey  bb 23 5f db  f2 9e b5 7d  e2 20 70 1a  63 f3 8e 5d
| add pubkey  ac 47 f0 5c  26 4e b1 d0  42 60 52 4a  b0 77 25 ce
| add pubkey  e0 98 2b 43  f4 c7 59 1a  64 01 83 ea  4e e3 1a 2a
| add pubkey  92 b8 55 ab  63 dd 4b 70  47 29 dc e9  b4 60 bf 43
| add pubkey  4d 58 8f 64  73 95 70 ac  35 89 b2 c2  9c d4 62 c0
| add pubkey  5f 56 5f ad  1b e5 dd 49  93 6a f5 23  82 ed d4 e7
| add pubkey  d5 f1 55 f2  2d a2 26 a6  36 53 2f 94  fb 99 22 5c
| add pubkey  47 cc 6d 80  30 88 96 38  0c f5 f2 ed  37 d0 09 d5
| add pubkey  07 8f 69 ef  a9 99 ce 4d  1a 77 9e 39  c4 38 f3 c5
| add pubkey  51 51 48 ef
| computed rsa CKAID  61 55 99 73  d3 ac ef 7d  3a 37 0e 3e  82 ad 92 c1
| computed rsa CKAID  8a 82 25 f1
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.0581 milliseconds in whack
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
| FOR_EACH_CONNECTION_... in show_connections_status
| FOR_EACH_CONNECTION_... in show_connections_status
| FOR_EACH_STATE_... in show_states_status (sort_states)
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.26 milliseconds in whack
| spent 0.00306 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue()
| *received 828 bytes from 192.1.3.209:500 on eth1 (192.1.2.23:500)
|   f5 24 5f 61  40 70 2b d5  00 00 00 00  00 00 00 00
|   21 20 22 08  00 00 00 00  00 00 03 3c  22 00 01 b4
|   02 00 00 64  01 01 00 0b  03 00 00 0c  01 00 00 14
|   80 0e 01 00  03 00 00 08  02 00 00 07  03 00 00 08
|   02 00 00 05  03 00 00 08  04 00 00 0e  03 00 00 08
|   04 00 00 0f  03 00 00 08  04 00 00 10  03 00 00 08
|   04 00 00 12  03 00 00 08  04 00 00 13  03 00 00 08
|   04 00 00 14  03 00 00 08  04 00 00 15  00 00 00 08
|   04 00 00 1f  02 00 00 64  02 01 00 0b  03 00 00 0c
|   01 00 00 14  80 0e 00 80  03 00 00 08  02 00 00 07
|   03 00 00 08  02 00 00 05  03 00 00 08  04 00 00 0e
|   03 00 00 08  04 00 00 0f  03 00 00 08  04 00 00 10
|   03 00 00 08  04 00 00 12  03 00 00 08  04 00 00 13
|   03 00 00 08  04 00 00 14  03 00 00 08  04 00 00 15
|   00 00 00 08  04 00 00 1f  02 00 00 74  03 01 00 0d
|   03 00 00 0c  01 00 00 0c  80 0e 01 00  03 00 00 08
|   02 00 00 07  03 00 00 08  02 00 00 05  03 00 00 08
|   03 00 00 0e  03 00 00 08  03 00 00 0c  03 00 00 08
|   04 00 00 0e  03 00 00 08  04 00 00 0f  03 00 00 08
|   04 00 00 10  03 00 00 08  04 00 00 12  03 00 00 08
|   04 00 00 13  03 00 00 08  04 00 00 14  03 00 00 08
|   04 00 00 15  00 00 00 08  04 00 00 1f  00 00 00 74
|   04 01 00 0d  03 00 00 0c  01 00 00 0c  80 0e 00 80
|   03 00 00 08  02 00 00 07  03 00 00 08  02 00 00 05
|   03 00 00 08  03 00 00 0e  03 00 00 08  03 00 00 0c
|   03 00 00 08  04 00 00 0e  03 00 00 08  04 00 00 0f
|   03 00 00 08  04 00 00 10  03 00 00 08  04 00 00 12
|   03 00 00 08  04 00 00 13  03 00 00 08  04 00 00 14
|   03 00 00 08  04 00 00 15  00 00 00 08  04 00 00 1f
|   28 00 01 08  00 0e 00 00  68 29 7e 9e  b1 9f 26 93
|   6a 9a 52 78  5e bb b3 05  b1 6f 0f 54  a8 73 60 98
|   e5 6c cf 6a  21 e7 ad a4  87 18 62 0b  73 f2 e7 6c
|   b6 8d 1e 93  e9 bb e7 d7  18 fc 26 8f  cf 9f 4e 89
|   6c 5e 20 a7  36 17 a4 fc  ba 60 87 74  e2 4f 90 15
|   c3 1a ce 11  15 65 8a 85  25 4e ae 40  bc 20 6c 3d
|   3e a0 53 b3  4b 08 6b c4  60 6f 9d 81  ff d8 51 5d
|   c8 e2 fa 55  de a2 10 33  ea 8b 6b d7  39 be 04 1c
|   7a 8b b5 b5  fc 3a d5 f9  51 e1 42 e2  98 4c 89 43
|   19 92 04 db  e1 68 87 a2  4e 99 ce 54  c6 ca 01 a8
|   4b 32 9c 98  33 bc a3 51  29 a7 ea 06  45 62 dc ae
|   66 cc 8e af  b3 39 a0 04  6e e4 eb 27  ad 73 42 64
|   f4 31 62 94  e4 4f f5 8d  d1 31 1b 38  5b 85 d9 0c
|   b1 fc ee 54  d9 7e d2 be  50 6a 77 49  8f 47 5b 27
|   01 3d 2d 19  62 b4 6f 7f  62 f5 a6 ee  93 4f eb f8
|   bd 9c e8 18  ea 28 62 79  a3 78 05 b5  58 f9 1d 9a
|   18 e6 44 24  3d 18 00 af  29 00 00 24  e8 28 cf b3
|   91 a8 2f ba  16 fd db b9  86 92 6c b9  df aa fc 6e
|   92 2b c7 12  f0 1c f7 52  09 92 dd aa  29 00 00 08
|   00 00 40 2e  29 00 00 1c  00 00 40 04  f1 08 01 1d
|   21 c2 88 9a  9e 6e 1e 6d  7b 80 de e6  06 a4 15 71
|   00 00 00 1c  00 00 40 05  03 3e c9 13  e1 80 91 05
|   8e c9 f9 ed  8c 74 4c 82  97 ae 6f 5d
| start processing: from 192.1.3.209:500 (in process_md() at demux.c:378)
| **parse ISAKMP Message:
|    initiator cookie:
|   f5 24 5f 61  40 70 2b d5
|    responder cookie:
|   00 00 00 00  00 00 00 00
|    next payload type: ISAKMP_NEXT_v2SA (0x21)
|    ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
|    exchange type: ISAKMP_v2_IKE_SA_INIT (0x22)
|    flags: ISAKMP_FLAG_v2_IKE_INIT (0x8)
|    Message ID: 0 (0x0)
|    length: 828 (0x33c)
|  processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_SA_INIT (34)
| I am the IKE SA Original Responder receiving an IKEv2 IKE_SA_INIT request 
| State DB: IKEv2 state not found (find_v2_ike_sa_by_initiator_spi)
| Now let's proceed with payload (ISAKMP_NEXT_v2SA)
| ***parse IKEv2 Security Association Payload:
|    next payload type: ISAKMP_NEXT_v2KE (0x22)
|    flags: none (0x0)
|    length: 436 (0x1b4)
| processing payload: ISAKMP_NEXT_v2SA (len=432)
| Now let's proceed with payload (ISAKMP_NEXT_v2KE)
| ***parse IKEv2 Key Exchange Payload:
|    next payload type: ISAKMP_NEXT_v2Ni (0x28)
|    flags: none (0x0)
|    length: 264 (0x108)
|    DH group: OAKLEY_GROUP_MODP2048 (0xe)
| processing payload: ISAKMP_NEXT_v2KE (len=256)
| Now let's proceed with payload (ISAKMP_NEXT_v2Ni)
| ***parse IKEv2 Nonce Payload:
|    next payload type: ISAKMP_NEXT_v2N (0x29)
|    flags: none (0x0)
|    length: 36 (0x24)
| processing payload: ISAKMP_NEXT_v2Ni (len=32)
| Now let's proceed with payload (ISAKMP_NEXT_v2N)
| ***parse IKEv2 Notify Payload:
|    next payload type: ISAKMP_NEXT_v2N (0x29)
|    flags: none (0x0)
|    length: 8 (0x8)
|    Protocol ID: PROTO_v2_RESERVED (0x0)
|    SPI size: 0 (0x0)
|    Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e)
| processing payload: ISAKMP_NEXT_v2N (len=0)
| Now let's proceed with payload (ISAKMP_NEXT_v2N)
| ***parse IKEv2 Notify Payload:
|    next payload type: ISAKMP_NEXT_v2N (0x29)
|    flags: none (0x0)
|    length: 28 (0x1c)
|    Protocol ID: PROTO_v2_RESERVED (0x0)
|    SPI size: 0 (0x0)
|    Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004)
| processing payload: ISAKMP_NEXT_v2N (len=20)
| Now let's proceed with payload (ISAKMP_NEXT_v2N)
| ***parse IKEv2 Notify Payload:
|    next payload type: ISAKMP_NEXT_v2NONE (0x0)
|    flags: none (0x0)
|    length: 28 (0x1c)
|    Protocol ID: PROTO_v2_RESERVED (0x0)
|    SPI size: 0 (0x0)
|    Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005)
| processing payload: ISAKMP_NEXT_v2N (len=20)
| DDOS disabled and no cookie sent, continuing
| find_host_connection local=192.1.2.23:500 remote=192.1.3.209:500 policy=ECDSA+IKEV2_ALLOW but ignoring ports
| find_next_host_connection policy=ECDSA+IKEV2_ALLOW
| find_next_host_connection returns empty
| find_host_connection local=192.1.2.23:500 remote=<none:> policy=ECDSA+IKEV2_ALLOW but ignoring ports
| find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports
| find_next_host_connection policy=ECDSA+IKEV2_ALLOW
| found policy = RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (road-eastnet-nonat)
| find_next_host_connection returns empty
| initial parent SA message received on 192.1.2.23:500 but no connection has been authorized with policy ECDSA+IKEV2_ALLOW
| find_host_connection local=192.1.2.23:500 remote=192.1.3.209:500 policy=RSASIG+IKEV2_ALLOW but ignoring ports
| find_next_host_connection policy=RSASIG+IKEV2_ALLOW
| find_next_host_connection returns empty
| find_host_connection local=192.1.2.23:500 remote=<none:> policy=RSASIG+IKEV2_ALLOW but ignoring ports
| find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports
| find_next_host_connection policy=RSASIG+IKEV2_ALLOW
| found policy = RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (road-eastnet-nonat)
| find_next_host_connection returns road-eastnet-nonat
| find_next_host_connection policy=RSASIG+IKEV2_ALLOW
| find_next_host_connection returns empty
| rw_instantiate
| connect_to_host_pair: 192.1.2.23:500 192.1.3.209:500 -> hp@(nil): none
| new hp@0x559e01c7f368
| rw_instantiate() instantiated "road-eastnet-nonat"[1] 192.1.3.209 for 192.1.3.209
| found connection: road-eastnet-nonat[1] 192.1.3.209 with policy RSASIG+IKEV2_ALLOW
| find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports
| creating state object #1 at 0x559e01c7f778
| State DB: adding IKEv2 state #1 in UNDEFINED
| pstats #1 ikev2.ike started
| Message ID: init #1: msgid=0 lastack=4294967295 nextuse=0 lastrecv=4294967295 lastreplied=0
| parent state #1: UNDEFINED(ignore) => PARENT_R0(half-open IKE SA)
| Message ID: init_ike #1; ike: initiator.sent=0->-1 initiator.recv=0->-1 responder.sent=0->-1 responder.recv=0->-1 wip.initiator=0->-1 wip.responder=0->-1
| start processing: state #1 connection "road-eastnet-nonat"[1] 192.1.3.209 from 192.1.3.209 (in ikev2_process_packet() at ikev2.c:2016)
| State DB: IKEv2 state not found (find_v2_sa_by_responder_wip)
| [RE]START processing: state #1 connection "road-eastnet-nonat"[1] 192.1.3.209 from 192.1.3.209 (in ike_process_packet() at ikev2.c:2064)
| #1 st.st_msgid_lastrecv -1 md.hdr.isa_msgid 00000000
| Message ID: #1 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1
| Message ID: start-responder #1 request 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1 wip.initiator=-1 wip.responder=-1->0
| #1 in state PARENT_R0: processing SA_INIT request
| selected state microcode Respond to IKE_SA_INIT
| Now let's proceed with state specific processing
| calling processor Respond to IKE_SA_INIT
| #1 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2669)
| constructing local IKE proposals for road-eastnet-nonat (IKE SA responder matching remote proposals)
| converting ike_info AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ...
| ...  ikev2_proposal: 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519
| converting ike_info AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ...
| ...  ikev2_proposal: 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519
| converting ike_info AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ...
| ...  ikev2_proposal: 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519
| converting ike_info AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ...
| ...  ikev2_proposal: 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519
"road-eastnet-nonat"[1] 192.1.3.209: constructed local IKE proposals for road-eastnet-nonat (IKE SA responder matching remote proposals): 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519
| Comparing remote proposals against IKE responder 4 local proposals
| local proposal 1 type ENCR has 1 transforms
| local proposal 1 type PRF has 2 transforms
| local proposal 1 type INTEG has 1 transforms
| local proposal 1 type DH has 8 transforms
| local proposal 1 type ESN has 0 transforms
| local proposal 1 transforms: required: ENCR+PRF+DH; optional: INTEG
| local proposal 2 type ENCR has 1 transforms
| local proposal 2 type PRF has 2 transforms
| local proposal 2 type INTEG has 1 transforms
| local proposal 2 type DH has 8 transforms
| local proposal 2 type ESN has 0 transforms
| local proposal 2 transforms: required: ENCR+PRF+DH; optional: INTEG
| local proposal 3 type ENCR has 1 transforms
| local proposal 3 type PRF has 2 transforms
| local proposal 3 type INTEG has 2 transforms
| local proposal 3 type DH has 8 transforms
| local proposal 3 type ESN has 0 transforms
| local proposal 3 transforms: required: ENCR+PRF+INTEG+DH; optional: none
| local proposal 4 type ENCR has 1 transforms
| local proposal 4 type PRF has 2 transforms
| local proposal 4 type INTEG has 2 transforms
| local proposal 4 type DH has 8 transforms
| local proposal 4 type ESN has 0 transforms
| local proposal 4 transforms: required: ENCR+PRF+INTEG+DH; optional: none
| ****parse IKEv2 Proposal Substructure Payload:
|    last proposal: v2_PROPOSAL_NON_LAST (0x2)
|    length: 100 (0x64)
|    prop #: 1 (0x1)
|    proto ID: IKEv2_SEC_PROTO_IKE (0x1)
|    spi size: 0 (0x0)
|    # transforms: 11 (0xb)
| Comparing remote proposal 1 containing 11 transforms against local proposal [1..4] of 4 local proposals
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 12 (0xc)
|    IKEv2 transform type: TRANS_TYPE_ENCR (0x1)
|    IKEv2 transform ID: AES_GCM_C (0x14)
| ******parse IKEv2 Attribute Substructure Payload:
|    af+type: AF+IKEv2_KEY_LENGTH (0x800e)
|    length/value: 256 (0x100)
| remote proposal 1 transform 0 (ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) transform 0
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_PRF (0x2)
|    IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7)
| remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 1 type 2 (PRF) transform 0
| remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 2 type 2 (PRF) transform 0
| remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 3 type 2 (PRF) transform 0
| remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 4 type 2 (PRF) transform 0
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_PRF (0x2)
|    IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe)
| remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 1 type 4 (DH) transform 0
| remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 2 type 4 (DH) transform 0
| remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 3 type 4 (DH) transform 0
| remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 4 type 4 (DH) transform 0
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_LAST (0x0)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f)
| remote proposal 1 proposed transforms: ENCR+PRF+DH; matched: ENCR+PRF+DH; unmatched: none
| comparing remote proposal 1 containing ENCR+PRF+DH transforms to local proposal 1; required: ENCR+PRF+DH; optional: INTEG; matched: ENCR+PRF+DH
| remote proposal 1 matches local proposal 1
| ****parse IKEv2 Proposal Substructure Payload:
|    last proposal: v2_PROPOSAL_NON_LAST (0x2)
|    length: 100 (0x64)
|    prop #: 2 (0x2)
|    proto ID: IKEv2_SEC_PROTO_IKE (0x1)
|    spi size: 0 (0x0)
|    # transforms: 11 (0xb)
| Comparing remote proposal 2 containing 11 transforms against local proposal [1..0] of 4 local proposals
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 12 (0xc)
|    IKEv2 transform type: TRANS_TYPE_ENCR (0x1)
|    IKEv2 transform ID: AES_GCM_C (0x14)
| ******parse IKEv2 Attribute Substructure Payload:
|    af+type: AF+IKEv2_KEY_LENGTH (0x800e)
|    length/value: 128 (0x80)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_PRF (0x2)
|    IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_PRF (0x2)
|    IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_LAST (0x0)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f)
| remote proposal 2 proposed transforms: ENCR+PRF+DH; matched: none; unmatched: ENCR+PRF+DH
| remote proposal 2 does not match; unmatched remote transforms: ENCR+PRF+DH
| ****parse IKEv2 Proposal Substructure Payload:
|    last proposal: v2_PROPOSAL_NON_LAST (0x2)
|    length: 116 (0x74)
|    prop #: 3 (0x3)
|    proto ID: IKEv2_SEC_PROTO_IKE (0x1)
|    spi size: 0 (0x0)
|    # transforms: 13 (0xd)
| Comparing remote proposal 3 containing 13 transforms against local proposal [1..0] of 4 local proposals
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 12 (0xc)
|    IKEv2 transform type: TRANS_TYPE_ENCR (0x1)
|    IKEv2 transform ID: AES_CBC (0xc)
| ******parse IKEv2 Attribute Substructure Payload:
|    af+type: AF+IKEv2_KEY_LENGTH (0x800e)
|    length/value: 256 (0x100)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_PRF (0x2)
|    IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_PRF (0x2)
|    IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_INTEG (0x3)
|    IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_INTEG (0x3)
|    IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_LAST (0x0)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f)
| remote proposal 3 proposed transforms: ENCR+PRF+INTEG+DH; matched: none; unmatched: ENCR+PRF+INTEG+DH
| remote proposal 3 does not match; unmatched remote transforms: ENCR+PRF+INTEG+DH
| ****parse IKEv2 Proposal Substructure Payload:
|    last proposal: v2_PROPOSAL_LAST (0x0)
|    length: 116 (0x74)
|    prop #: 4 (0x4)
|    proto ID: IKEv2_SEC_PROTO_IKE (0x1)
|    spi size: 0 (0x0)
|    # transforms: 13 (0xd)
| Comparing remote proposal 4 containing 13 transforms against local proposal [1..0] of 4 local proposals
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 12 (0xc)
|    IKEv2 transform type: TRANS_TYPE_ENCR (0x1)
|    IKEv2 transform ID: AES_CBC (0xc)
| ******parse IKEv2 Attribute Substructure Payload:
|    af+type: AF+IKEv2_KEY_LENGTH (0x800e)
|    length/value: 128 (0x80)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_PRF (0x2)
|    IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_PRF (0x2)
|    IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_INTEG (0x3)
|    IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_INTEG (0x3)
|    IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15)
| *****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_LAST (0x0)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f)
| remote proposal 4 proposed transforms: ENCR+PRF+INTEG+DH; matched: none; unmatched: ENCR+PRF+INTEG+DH
| remote proposal 4 does not match; unmatched remote transforms: ENCR+PRF+INTEG+DH
"road-eastnet-nonat"[1] 192.1.3.209 #1: proposal 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519[first-match] 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519
| accepted IKE proposal ikev2_proposal: 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048
| converting proposal to internal trans attrs
| natd_hash: rcookie is zero
| natd_hash: hasher=0x559e00398800(20)
| natd_hash: icookie=  f5 24 5f 61  40 70 2b d5
| natd_hash: rcookie=  00 00 00 00  00 00 00 00
| natd_hash: ip=  c0 01 02 17
| natd_hash: port=500
| natd_hash: hash=  03 3e c9 13  e1 80 91 05  8e c9 f9 ed  8c 74 4c 82
| natd_hash: hash=  97 ae 6f 5d
| natd_hash: rcookie is zero
| natd_hash: hasher=0x559e00398800(20)
| natd_hash: icookie=  f5 24 5f 61  40 70 2b d5
| natd_hash: rcookie=  00 00 00 00  00 00 00 00
| natd_hash: ip=  c0 01 03 d1
| natd_hash: port=500
| natd_hash: hash=  f1 08 01 1d  21 c2 88 9a  9e 6e 1e 6d  7b 80 de e6
| natd_hash: hash=  06 a4 15 71
| NAT_TRAVERSAL encaps using auto-detect
| NAT_TRAVERSAL this end is NOT behind NAT
| NAT_TRAVERSAL that end is NOT behind NAT
| NAT_TRAVERSAL nat-keepalive enabled 192.1.3.209
| adding ikev2_inI1outR1 KE work-order 1 for state #1
| event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x559e01c7cf78
| inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1
| libevent_malloc: new ptr-libevent@0x559e01c7d2f8 size 128
| crypto helper 0 resuming
| crypto helper 0 starting work-order 1 for state #1
| crypto helper 0 doing build KE and nonce (ikev2_inI1outR1 KE); request ID 1
| crypto helper 0 finished build KE and nonce (ikev2_inI1outR1 KE); request ID 1 time elapsed 0.000978 seconds
| (#1) spent 0.978 milliseconds in crypto helper computing work-order 1: ikev2_inI1outR1 KE (pcr)
| crypto helper 0 sending results from work-order 1 for state #1 to event queue
| scheduling resume sending helper answer for #1
| libevent_malloc: new ptr-libevent@0x7f6658002888 size 128
| crypto helper 0 waiting (nothing to do)
|   #1 spent 0.759 milliseconds in processing: Respond to IKE_SA_INIT in ikev2_process_state_packet()
| [RE]START processing: state #1 connection "road-eastnet-nonat"[1] 192.1.3.209 from 192.1.3.209:500 (in complete_v2_state_transition() at ikev2.c:3379)
| #1 complete_v2_state_transition() PARENT_R0->PARENT_R1 with status STF_SUSPEND
| suspending state #1 and saving MD
| #1 is busy; has a suspended MD
| [RE]START processing: state #1 connection "road-eastnet-nonat"[1] 192.1.3.209 from 192.1.3.209:500 (in log_stf_suspend() at ikev2.c:3269)
| "road-eastnet-nonat"[1] 192.1.3.209 #1 complete v2 state STATE_PARENT_R0 transition with STF_SUSPEND suspended from complete_v2_state_transition:3451
| stop processing: state #1 connection "road-eastnet-nonat"[1] 192.1.3.209 from 192.1.3.209:500 (in ikev2_process_packet() at ikev2.c:2018)
| #1 spent 1.18 milliseconds in ikev2_process_packet()
| stop processing: from 192.1.3.209:500 (in process_md() at demux.c:380)
| processing: STOP state #0 (in process_md() at demux.c:382)
| processing: STOP connection NULL (in process_md() at demux.c:383)
| spent 1.19 milliseconds in comm_handle_cb() reading and processing packet
| processing resume sending helper answer for #1
| start processing: state #1 connection "road-eastnet-nonat"[1] 192.1.3.209 from 192.1.3.209:500 (in resume_handler() at server.c:797)
| crypto helper 0 replies to request ID 1
| calling continuation function 0x559e002c3b50
| ikev2_parent_inI1outR1_continue for #1: calculated ke+nonce, sending R1
| **emit ISAKMP Message:
|    initiator cookie:
|   f5 24 5f 61  40 70 2b d5
|    responder cookie:
|   ae d8 70 55  7a d7 61 61
|    next payload type: ISAKMP_NEXT_NONE (0x0)
|    ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
|    exchange type: ISAKMP_v2_IKE_SA_INIT (0x22)
|    flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20)
|    Message ID: 0 (0x0)
| next payload chain: saving message location 'ISAKMP Message'.'next payload type'
| Emitting ikev2_proposal ...
| ***emit IKEv2 Security Association Payload:
|    next payload type: ISAKMP_NEXT_v2NONE (0x0)
|    flags: none (0x0)
| next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA)
| next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet'
| ****emit IKEv2 Proposal Substructure Payload:
|    last proposal: v2_PROPOSAL_LAST (0x0)
|    prop #: 1 (0x1)
|    proto ID: IKEv2_SEC_PROTO_IKE (0x1)
|    spi size: 0 (0x0)
|    # transforms: 3 (0x3)
| last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal'
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_ENCR (0x1)
|    IKEv2 transform ID: AES_GCM_C (0x14)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| ******emit IKEv2 Attribute Substructure Payload:
|    af+type: AF+IKEv2_KEY_LENGTH (0x800e)
|    length/value: 256 (0x100)
| emitting length of IKEv2 Transform Substructure Payload: 12
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_PRF (0x2)
|    IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_LAST (0x0)
|    IKEv2 transform type: TRANS_TYPE_DH (0x4)
|    IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| emitting length of IKEv2 Proposal Substructure Payload: 36
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0
| emitting length of IKEv2 Security Association Payload: 40
| last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0
| ***emit IKEv2 Key Exchange Payload:
|    next payload type: ISAKMP_NEXT_v2NONE (0x0)
|    flags: none (0x0)
|    DH group: OAKLEY_GROUP_MODP2048 (0xe)
| next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Key Exchange Payload (34:ISAKMP_NEXT_v2KE)
| next payload chain: saving location 'IKEv2 Key Exchange Payload'.'next payload type' in 'reply packet'
| emitting 256 raw bytes of ikev2 g^x into IKEv2 Key Exchange Payload
| ikev2 g^x  90 7c ea 65  9b df 1f 11  fc 0a 4a d6  b9 46 5a e4
| ikev2 g^x  96 4e 45 1a  c2 9e 2a 37  82 a3 69 99  3d e4 30 09
| ikev2 g^x  5a 01 d1 85  20 70 79 b1  52 0e 87 95  a9 78 ea df
| ikev2 g^x  28 a0 88 96  79 c8 bd c8  92 21 93 9d  85 a4 26 2b
| ikev2 g^x  88 b4 4b 37  8c cc da 7d  29 f2 58 66  0d 9a 9d 2e
| ikev2 g^x  eb 87 dc ed  6c c0 1d 83  fa c3 71 d5  76 c0 0d f3
| ikev2 g^x  9f 8d f9 e0  07 bc 36 2e  aa cc 3a a6  95 ff 7d ec
| ikev2 g^x  9d 6a be 82  ad 12 c8 91  14 69 5b 89  74 a8 42 03
| ikev2 g^x  a0 ca 3b 99  74 ce 0f 00  b3 a4 15 82  3b 79 cf b1
| ikev2 g^x  e0 17 22 a0  06 b6 5c a8  42 77 52 46  76 fc 73 e5
| ikev2 g^x  9a e6 55 a1  a4 89 fb 1f  49 db 51 c1  4b b9 87 ba
| ikev2 g^x  e2 7c 2b 3f  02 a4 f2 07  e6 82 5e ef  59 a2 9f 87
| ikev2 g^x  d2 4e 5e 53  4a 24 8b 56  21 a6 eb 6a  d1 fb 8f 95
| ikev2 g^x  de 77 26 98  d3 d0 3d 7d  d2 81 82 88  b4 93 71 b9
| ikev2 g^x  89 b5 84 a0  d5 f2 d0 af  4b b0 6b 3c  c9 3f bd b2
| ikev2 g^x  40 9c e4 67  96 7d 4a 31  12 38 98 9a  f5 32 7b 1f
| emitting length of IKEv2 Key Exchange Payload: 264
| ***emit IKEv2 Nonce Payload:
|    next payload type: ISAKMP_NEXT_v2N (0x29)
|    flags: none (0x0)
| next payload chain: ignoring supplied 'IKEv2 Nonce Payload'.'next payload type' value 41:ISAKMP_NEXT_v2N
| next payload chain: setting previous 'IKEv2 Key Exchange Payload'.'next payload type' to current IKEv2 Nonce Payload (40:ISAKMP_NEXT_v2Ni)
| next payload chain: saving location 'IKEv2 Nonce Payload'.'next payload type' in 'reply packet'
| emitting 32 raw bytes of IKEv2 nonce into IKEv2 Nonce Payload
| IKEv2 nonce  56 99 82 72  70 90 b5 be  91 73 1e 81  5d 54 b7 61
| IKEv2 nonce  4e 5e 31 6b  56 10 9c a2  06 3d d8 84  87 27 47 36
| emitting length of IKEv2 Nonce Payload: 36
| Adding a v2N Payload
| ***emit IKEv2 Notify Payload:
|    next payload type: ISAKMP_NEXT_v2NONE (0x0)
|    flags: none (0x0)
|    Protocol ID: PROTO_v2_RESERVED (0x0)
|    SPI size: 0 (0x0)
|    Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e)
| next payload chain: setting previous 'IKEv2 Nonce Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N)
| next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet'
| emitting length of IKEv2 Notify Payload: 8
|  NAT-Traversal support  [enabled] add v2N payloads.
| natd_hash: hasher=0x559e00398800(20)
| natd_hash: icookie=  f5 24 5f 61  40 70 2b d5
| natd_hash: rcookie=  ae d8 70 55  7a d7 61 61
| natd_hash: ip=  c0 01 02 17
| natd_hash: port=500
| natd_hash: hash=  62 d2 f8 5f  69 df d9 80  ce aa 8b 7e  9e 95 f6 c4
| natd_hash: hash=  2c 80 7f 78
| Adding a v2N Payload
| ***emit IKEv2 Notify Payload:
|    next payload type: ISAKMP_NEXT_v2NONE (0x0)
|    flags: none (0x0)
|    Protocol ID: PROTO_v2_RESERVED (0x0)
|    SPI size: 0 (0x0)
|    Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004)
| next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N)
| next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet'
| emitting 20 raw bytes of Notify data into IKEv2 Notify Payload
| Notify data  62 d2 f8 5f  69 df d9 80  ce aa 8b 7e  9e 95 f6 c4
| Notify data  2c 80 7f 78
| emitting length of IKEv2 Notify Payload: 28
| natd_hash: hasher=0x559e00398800(20)
| natd_hash: icookie=  f5 24 5f 61  40 70 2b d5
| natd_hash: rcookie=  ae d8 70 55  7a d7 61 61
| natd_hash: ip=  c0 01 03 d1
| natd_hash: port=500
| natd_hash: hash=  9d 84 5b 9e  42 69 28 3d  ee 40 b4 d7  98 64 8a 4a
| natd_hash: hash=  88 8c 03 bd
| Adding a v2N Payload
| ***emit IKEv2 Notify Payload:
|    next payload type: ISAKMP_NEXT_v2NONE (0x0)
|    flags: none (0x0)
|    Protocol ID: PROTO_v2_RESERVED (0x0)
|    SPI size: 0 (0x0)
|    Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005)
| next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N)
| next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet'
| emitting 20 raw bytes of Notify data into IKEv2 Notify Payload
| Notify data  9d 84 5b 9e  42 69 28 3d  ee 40 b4 d7  98 64 8a 4a
| Notify data  88 8c 03 bd
| emitting length of IKEv2 Notify Payload: 28
| going to send a certreq
| connection->kind is not CK_PERMANENT (instance), so collect CAs
| find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports
| Not a roadwarrior instance, sending empty CA in CERTREQ
| ***emit IKEv2 Certificate Request Payload:
|    next payload type: ISAKMP_NEXT_v2NONE (0x0)
|    flags: none (0x0)
|    ikev2 cert encoding: CERT_X509_SIGNATURE (0x4)
| next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Certificate Request Payload (38:ISAKMP_NEXT_v2CERTREQ)
| next payload chain: saving location 'IKEv2 Certificate Request Payload'.'next payload type' in 'reply packet'
| emitting length of IKEv2 Certificate Request Payload: 5
| emitting length of ISAKMP Message: 437
| [RE]START processing: state #1 connection "road-eastnet-nonat"[1] 192.1.3.209 from 192.1.3.209:500 (in complete_v2_state_transition() at ikev2.c:3379)
| #1 complete_v2_state_transition() PARENT_R0->PARENT_R1 with status STF_OK
| IKEv2: transition from state STATE_PARENT_R0 to state STATE_PARENT_R1
| parent state #1: PARENT_R0(half-open IKE SA) => PARENT_R1(half-open IKE SA)
| Message ID: updating counters for #1 to 0 after switching state
| Message ID: recv #1 request 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1->0 wip.initiator=-1 wip.responder=0->-1
| Message ID: sent #1 response 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1->0 responder.recv=0 wip.initiator=-1 wip.responder=-1
"road-eastnet-nonat"[1] 192.1.3.209 #1: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
| sending V2 new request packet to 192.1.3.209:500 (from 192.1.2.23:500)
| sending 437 bytes for STATE_PARENT_R0 through eth1 from 192.1.2.23:500 to 192.1.3.209:500 (using #1)
|   f5 24 5f 61  40 70 2b d5  ae d8 70 55  7a d7 61 61
|   21 20 22 20  00 00 00 00  00 00 01 b5  22 00 00 28
|   00 00 00 24  01 01 00 03  03 00 00 0c  01 00 00 14
|   80 0e 01 00  03 00 00 08  02 00 00 07  00 00 00 08
|   04 00 00 0e  28 00 01 08  00 0e 00 00  90 7c ea 65
|   9b df 1f 11  fc 0a 4a d6  b9 46 5a e4  96 4e 45 1a
|   c2 9e 2a 37  82 a3 69 99  3d e4 30 09  5a 01 d1 85
|   20 70 79 b1  52 0e 87 95  a9 78 ea df  28 a0 88 96
|   79 c8 bd c8  92 21 93 9d  85 a4 26 2b  88 b4 4b 37
|   8c cc da 7d  29 f2 58 66  0d 9a 9d 2e  eb 87 dc ed
|   6c c0 1d 83  fa c3 71 d5  76 c0 0d f3  9f 8d f9 e0
|   07 bc 36 2e  aa cc 3a a6  95 ff 7d ec  9d 6a be 82
|   ad 12 c8 91  14 69 5b 89  74 a8 42 03  a0 ca 3b 99
|   74 ce 0f 00  b3 a4 15 82  3b 79 cf b1  e0 17 22 a0
|   06 b6 5c a8  42 77 52 46  76 fc 73 e5  9a e6 55 a1
|   a4 89 fb 1f  49 db 51 c1  4b b9 87 ba  e2 7c 2b 3f
|   02 a4 f2 07  e6 82 5e ef  59 a2 9f 87  d2 4e 5e 53
|   4a 24 8b 56  21 a6 eb 6a  d1 fb 8f 95  de 77 26 98
|   d3 d0 3d 7d  d2 81 82 88  b4 93 71 b9  89 b5 84 a0
|   d5 f2 d0 af  4b b0 6b 3c  c9 3f bd b2  40 9c e4 67
|   96 7d 4a 31  12 38 98 9a  f5 32 7b 1f  29 00 00 24
|   56 99 82 72  70 90 b5 be  91 73 1e 81  5d 54 b7 61
|   4e 5e 31 6b  56 10 9c a2  06 3d d8 84  87 27 47 36
|   29 00 00 08  00 00 40 2e  29 00 00 1c  00 00 40 04
|   62 d2 f8 5f  69 df d9 80  ce aa 8b 7e  9e 95 f6 c4
|   2c 80 7f 78  26 00 00 1c  00 00 40 05  9d 84 5b 9e
|   42 69 28 3d  ee 40 b4 d7  98 64 8a 4a  88 8c 03 bd
|   00 00 00 05  04
| state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted
| libevent_free: release ptr-libevent@0x559e01c7d2f8
| free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x559e01c7cf78
| event_schedule: new EVENT_SO_DISCARD-pe@0x559e01c7cf78
| inserting event EVENT_SO_DISCARD, timeout in 200 seconds for #1
| libevent_malloc: new ptr-libevent@0x559e01c7f548 size 128
| resume sending helper answer for #1 suppresed complete_v2_state_transition()
| #1 spent 0.383 milliseconds in resume sending helper answer
| stop processing: state #1 connection "road-eastnet-nonat"[1] 192.1.3.209 from 192.1.3.209:500 (in resume_handler() at server.c:833)
| libevent_free: release ptr-libevent@0x7f6658002888
| spent 0.00312 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue()
| *received 539 bytes from 192.1.3.209:500 on eth1 (192.1.2.23:500)
|   f5 24 5f 61  40 70 2b d5  ae d8 70 55  7a d7 61 61
|   35 20 23 08  00 00 00 01  00 00 02 1b  23 00 01 ff
|   00 01 00 02  45 90 f0 71  d9 a2 1b bc  93 11 b2 c2
|   58 e3 dd 42  9a 0d db 34  fc 04 7c 1f  15 f4 2f 97
|   32 03 c2 70  a3 95 f1 27  c7 4c 80 f3  54 24 0d 16
|   b5 c4 ed 35  53 fb 16 1b  78 27 2f 8f  91 ca c3 cd
|   1e d5 d5 0e  04 99 bd 6d  8f 46 46 0f  f3 54 8c 4a
|   d7 d4 72 8e  b4 d4 bf d6  aa 47 78 a7  bf 6a 76 a4
|   88 88 78 3e  52 a1 fa 23  11 c8 fe 39  44 23 4d 3a
|   83 61 10 30  b5 9a d8 3c  1f b8 95 ce  b9 85 50 32
|   b3 c7 d7 37  a4 97 2c 59  55 e2 15 d5  60 c2 25 73
|   7c 44 1d f9  b6 6d f2 0f  ec 67 d5 0c  16 41 48 ec
|   10 36 37 b8  48 e2 8a 2d  74 ec 57 30  8c cd 8f 59
|   e0 23 e9 32  a6 36 ed 75  ee 6f 44 e4  8e 3f 28 99
|   e6 e4 de d0  54 85 c8 05  0b 07 a3 51  b1 85 cc dc
|   9e 00 1d e0  a4 d0 8c 06  16 64 04 55  b6 5b 48 b7
|   f0 48 51 8b  72 d9 a8 67  1d 5b 48 d5  46 0e fd b2
|   a7 d0 ad db  55 ea 64 4d  0f 0a 34 94  f6 b9 04 9d
|   7f ce f2 ca  6d 9d ca c7  8a d6 09 5f  e5 be b1 e8
|   c5 de 40 85  50 82 dd fd  1e b3 08 f7  52 44 3e 5a
|   e4 77 70 ed  ee 82 c5 d1  35 ad 6a 0f  f1 52 75 61
|   63 9d 1c 96  dc 8e 5f b9  fe 73 74 05  04 4d fa 28
|   ab 99 80 ae  bb 01 f3 a1  bd d8 73 00  eb 19 8e a5
|   3a 60 53 23  a0 50 24 ad  72 dc f5 08  b9 06 37 1b
|   2a 1b 16 a6  11 3a b7 1b  bd f9 21 17  f5 bf 17 f0
|   65 b5 84 4d  e1 cc 7b 2f  08 40 1b c2  93 40 9c c4
|   a2 7b f0 52  11 ee f0 6d  97 4c a9 ef  7e 81 a4 ea
|   49 f7 3c ee  7f 82 5f 7d  2f 91 f3 4d  44 ab 4f 0c
|   f7 51 cd 4b  de c5 be 72  10 e8 18 12  cb 17 48 e7
|   1f 77 df 7f  d4 17 df 79  c7 ff 16 32  57 6a 8a 24
|   dd c2 b0 5c  fa 30 97 55  ef 38 99 6f  7a fd 56 0a
|   d9 a4 e5 96  ed 41 31 8c  a5 ce f2 f0  ba bc 13 08
|   b6 41 49 21  53 b9 38 05  79 f4 a5 71  1a f0 7d 1d
|   47 cd 74 c1  57 46 ad 09  40 b8 ff
| start processing: from 192.1.3.209:500 (in process_md() at demux.c:378)
| **parse ISAKMP Message:
|    initiator cookie:
|   f5 24 5f 61  40 70 2b d5
|    responder cookie:
|   ae d8 70 55  7a d7 61 61
|    next payload type: ISAKMP_NEXT_v2SKF (0x35)
|    ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
|    exchange type: ISAKMP_v2_IKE_AUTH (0x23)
|    flags: ISAKMP_FLAG_v2_IKE_INIT (0x8)
|    Message ID: 1 (0x1)
|    length: 539 (0x21b)
|  processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35)
| I am the IKE SA Original Responder receiving an IKEv2 IKE_AUTH request 
| State DB: found IKEv2 state #1 in PARENT_R1 (find_v2_ike_sa)
| start processing: state #1 connection "road-eastnet-nonat"[1] 192.1.3.209 from 192.1.3.209:500 (in ikev2_process_packet() at ikev2.c:2016)
| State DB: IKEv2 state not found (find_v2_sa_by_responder_wip)
| [RE]START processing: state #1 connection "road-eastnet-nonat"[1] 192.1.3.209 from 192.1.3.209:500 (in ike_process_packet() at ikev2.c:2064)
| #1 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001
| Message ID: #1 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0
| unpacking clear payload
| Now let's proceed with payload (ISAKMP_NEXT_v2SKF)
| ***parse IKEv2 Encrypted Fragment:
|    next payload type: ISAKMP_NEXT_v2IDi (0x23)
|    flags: none (0x0)
|    length: 511 (0x1ff)
|    fragment number: 1 (0x1)
|    total fragments: 2 (0x2)
| processing payload: ISAKMP_NEXT_v2SKF (len=503)
| Message ID: start-responder #1 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=-1->1
| #1 in state PARENT_R1: received v2I1, sent v2R1
| received IKE encrypted fragment number '1', total number '2', next payload '35'
|  updated IKE fragment state to respond using fragments without waiting for re-transmits
| stop processing: state #1 connection "road-eastnet-nonat"[1] 192.1.3.209 from 192.1.3.209:500 (in ikev2_process_packet() at ikev2.c:2018)
| #1 spent 0.167 milliseconds in ikev2_process_packet()
| stop processing: from 192.1.3.209:500 (in process_md() at demux.c:380)
| processing: STOP state #0 (in process_md() at demux.c:382)
| processing: STOP connection NULL (in process_md() at demux.c:383)
| spent 0.182 milliseconds in comm_handle_cb() reading and processing packet
| spent 0.00133 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue()
| *received 215 bytes from 192.1.3.209:500 on eth1 (192.1.2.23:500)
|   f5 24 5f 61  40 70 2b d5  ae d8 70 55  7a d7 61 61
|   35 20 23 08  00 00 00 01  00 00 00 d7  00 00 00 bb
|   00 02 00 02  43 6d d1 f2  c6 a4 7d c6  91 e3 9b e6
|   6f 8d c3 db  4a 99 1c b5  a6 5c 36 1a  47 38 8a fb
|   dc 9d 5d 69  93 98 d8 3c  3a 49 ad b6  80 6f 64 ef
|   e1 6d 58 42  70 fa fa c1  5f 55 ed b8  cf 12 cf 40
|   e7 cf 91 2c  f8 2b 54 93  59 90 36 8d  cf 78 2c fe
|   2d f8 b3 20  29 4b 67 29  2b f6 19 a2  b4 66 7d 18
|   2b c3 e5 f9  ee e0 62 a2  c6 93 ee 3d  28 01 21 32
|   f2 ec 0e 37  5b ab 6e 17  d4 fe 79 ba  84 eb 97 40
|   18 08 04 e0  10 be 7d 77  ec 67 24 02  39 04 40 97
|   fe 7a cc 47  59 8a 7a d0  74 90 05 7e  25 0a 91 e1
|   90 cb 08 81  a7 86 88 c7  00 5e 85 1f  4d 08 ca 8d
|   ec f6 a6 32  aa 43 79
| start processing: from 192.1.3.209:500 (in process_md() at demux.c:378)
| **parse ISAKMP Message:
|    initiator cookie:
|   f5 24 5f 61  40 70 2b d5
|    responder cookie:
|   ae d8 70 55  7a d7 61 61
|    next payload type: ISAKMP_NEXT_v2SKF (0x35)
|    ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
|    exchange type: ISAKMP_v2_IKE_AUTH (0x23)
|    flags: ISAKMP_FLAG_v2_IKE_INIT (0x8)
|    Message ID: 1 (0x1)
|    length: 215 (0xd7)
|  processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35)
| I am the IKE SA Original Responder receiving an IKEv2 IKE_AUTH request 
| State DB: found IKEv2 state #1 in PARENT_R1 (find_v2_ike_sa)
| start processing: state #1 connection "road-eastnet-nonat"[1] 192.1.3.209 from 192.1.3.209:500 (in ikev2_process_packet() at ikev2.c:2016)
| [RE]START processing: state #1 connection "road-eastnet-nonat"[1] 192.1.3.209 from 192.1.3.209:500 (in ike_process_packet() at ikev2.c:2062)
| #1 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001
| #1 is idle
| #1 idle
| Message ID: #1 not a duplicate - responder is accumulating fragments; initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=1
| unpacking clear payload
| Now let's proceed with payload (ISAKMP_NEXT_v2SKF)
| ***parse IKEv2 Encrypted Fragment:
|    next payload type: ISAKMP_NEXT_v2NONE (0x0)
|    flags: none (0x0)
|    length: 187 (0xbb)
|    fragment number: 2 (0x2)
|    total fragments: 2 (0x2)
| processing payload: ISAKMP_NEXT_v2SKF (len=179)
| #1 in state PARENT_R1: received v2I1, sent v2R1
| received IKE encrypted fragment number '2', total number '2', next payload '0'
| selected state microcode Responder: process IKE_AUTH request (no SKEYSEED)
| Now let's proceed with state specific processing
| calling processor Responder: process IKE_AUTH request (no SKEYSEED)
| ikev2 parent inI2outR2: calculating g^{xy} in order to decrypt I2
| offloading IKEv2 SKEYSEED using prf=HMAC_SHA2_512 integ=NONE cipherkey=AES_GCM_16
| adding ikev2_inI2outR2 KE work-order 2 for state #1
| state #1 requesting EVENT_SO_DISCARD to be deleted
| libevent_free: release ptr-libevent@0x559e01c7f548
| free_event_entry: release EVENT_SO_DISCARD-pe@0x559e01c7cf78
| event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x559e01c7cf78
| inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1
| libevent_malloc: new ptr-libevent@0x7f6658002888 size 128
|   #1 spent 0.0334 milliseconds in processing: Responder: process IKE_AUTH request (no SKEYSEED) in ikev2_process_state_packet()
| [RE]START processing: state #1 connection "road-eastnet-nonat"[1] 192.1.3.209 from 192.1.3.209:500 (in complete_v2_state_transition() at ikev2.c:3379)
| crypto helper 3 resuming
| #1 complete_v2_state_transition() PARENT_R1->PARENT_R1 with status STF_SUSPEND
| suspending state #1 and saving MD
| #1 is busy; has a suspended MD
| crypto helper 3 starting work-order 2 for state #1
| [RE]START processing: state #1 connection "road-eastnet-nonat"[1] 192.1.3.209 from 192.1.3.209:500 (in log_stf_suspend() at ikev2.c:3269)
| crypto helper 3 doing compute dh (V2) (ikev2_inI2outR2 KE); request ID 2
| "road-eastnet-nonat"[1] 192.1.3.209 #1 complete v2 state STATE_PARENT_R1 transition with STF_SUSPEND suspended from complete_v2_state_transition:3451
| stop processing: state #1 connection "road-eastnet-nonat"[1] 192.1.3.209 from 192.1.3.209:500 (in ikev2_process_packet() at ikev2.c:2018)
| #1 spent 0.19 milliseconds in ikev2_process_packet()
| stop processing: from 192.1.3.209:500 (in process_md() at demux.c:380)
| processing: STOP state #0 (in process_md() at demux.c:382)
| processing: STOP connection NULL (in process_md() at demux.c:383)
| spent 0.2 milliseconds in comm_handle_cb() reading and processing packet
| calculating skeyseed using prf=sha2_512 integ=none cipherkey-size=32 salt-size=4
| crypto helper 3 finished compute dh (V2) (ikev2_inI2outR2 KE); request ID 2 time elapsed 0.001389 seconds
| (#1) spent 1.38 milliseconds in crypto helper computing work-order 2: ikev2_inI2outR2 KE (pcr)
| crypto helper 3 sending results from work-order 2 for state #1 to event queue
| scheduling resume sending helper answer for #1
| libevent_malloc: new ptr-libevent@0x7f6650000f48 size 128
| crypto helper 3 waiting (nothing to do)
| processing resume sending helper answer for #1
| start processing: state #1 connection "road-eastnet-nonat"[1] 192.1.3.209 from 192.1.3.209:500 (in resume_handler() at server.c:797)
| crypto helper 3 replies to request ID 2
| calling continuation function 0x559e002c3b50
| ikev2_parent_inI2outR2_continue for #1: calculating g^{xy}, sending R2
| #1 in state PARENT_R1: received v2I1, sent v2R1
| already have all fragments, skipping fragment collection
| already have all fragments, skipping fragment collection
| #1 ikev2 ISAKMP_v2_IKE_AUTH decrypt success
| Now let's proceed with payload (ISAKMP_NEXT_v2IDi)
| **parse IKEv2 Identification - Initiator - Payload:
|    next payload type: ISAKMP_NEXT_v2IDr (0x24)
|    flags: none (0x0)
|    length: 12 (0xc)
|    ID type: ID_FQDN (0x2)
| processing payload: ISAKMP_NEXT_v2IDi (len=4)
| Now let's proceed with payload (ISAKMP_NEXT_v2IDr)
| **parse IKEv2 Identification - Responder - Payload:
|    next payload type: ISAKMP_NEXT_v2AUTH (0x27)
|    flags: none (0x0)
|    length: 12 (0xc)
|    ID type: ID_FQDN (0x2)
| processing payload: ISAKMP_NEXT_v2IDr (len=4)
| Now let's proceed with payload (ISAKMP_NEXT_v2AUTH)
| **parse IKEv2 Authentication Payload:
|    next payload type: ISAKMP_NEXT_v2SA (0x21)
|    flags: none (0x0)
|    length: 396 (0x18c)
|    auth method: IKEv2_AUTH_RSA (0x1)
| processing payload: ISAKMP_NEXT_v2AUTH (len=388)
| Now let's proceed with payload (ISAKMP_NEXT_v2SA)
| **parse IKEv2 Security Association Payload:
|    next payload type: ISAKMP_NEXT_v2TSi (0x2c)
|    flags: none (0x0)
|    length: 164 (0xa4)
| processing payload: ISAKMP_NEXT_v2SA (len=160)
| Now let's proceed with payload (ISAKMP_NEXT_v2TSi)
| **parse IKEv2 Traffic Selector - Initiator - Payload:
|    next payload type: ISAKMP_NEXT_v2TSr (0x2d)
|    flags: none (0x0)
|    length: 24 (0x18)
|    number of TS: 1 (0x1)
| processing payload: ISAKMP_NEXT_v2TSi (len=16)
| Now let's proceed with payload (ISAKMP_NEXT_v2TSr)
| **parse IKEv2 Traffic Selector - Responder - Payload:
|    next payload type: ISAKMP_NEXT_v2NONE (0x0)
|    flags: none (0x0)
|    length: 24 (0x18)
|    number of TS: 1 (0x1)
| processing payload: ISAKMP_NEXT_v2TSr (len=16)
| selected state microcode Responder: process IKE_AUTH request
| Now let's proceed with state specific processing
| calling processor Responder: process IKE_AUTH request
"road-eastnet-nonat"[1] 192.1.3.209 #1: processing decrypted IKE_AUTH request: SK{IDi,IDr,AUTH,SA,TSi,TSr}
| #1 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2669)
| received IDr payload - extracting our alleged ID
| refine_host_connection for IKEv2: starting with "road-eastnet-nonat"[1] 192.1.3.209
|    match_id a=@road
|             b=@road
|    results  matched
| refine_host_connection: checking "road-eastnet-nonat"[1] 192.1.3.209 against "road-eastnet-nonat"[1] 192.1.3.209, best=(none) with match=1(id=1(0)/ca=1(0)/reqca=1(0))
| Warning: not switching back to template of current instance
| Peer expects us to be @east (ID_FQDN) according to its IDr payload
| This connection's local id is @east (ID_FQDN)
| refine_host_connection: checked road-eastnet-nonat[1] 192.1.3.209 against road-eastnet-nonat[1] 192.1.3.209, now for see if best
| started looking for secret for @east->@road of kind PKK_RSA
| actually looking for secret for @east->@road of kind PKK_RSA
| line 1: key type PKK_RSA(@east) to type PKK_RSA
| 1: compared key (none) to @east / @road -> 002
| 2: compared key (none) to @east / @road -> 002
| line 1: match=002
| match 002 beats previous best_match 000 match=0x559e01bd3b58 (line=1)
| concluding with best_match=002 best=0x559e01bd3b58 (lineno=1)
| returning because exact peer id match
| offered CA: '%none'
"road-eastnet-nonat"[1] 192.1.3.209 #1: IKEv2 mode peer ID is ID_FQDN: '@road'
| verifying AUTH payload
| required RSA CA is '%any'
| checking RSA keyid '@east' for match with '@road'
| checking RSA keyid '@road' for match with '@road'
| key issuer CA is '%any'
| an RSA Sig check passed with *AQPHFfpyJ [preloaded key]
|       #1 spent 0.0972 milliseconds in try_all_RSA_keys() trying a pubkey
"road-eastnet-nonat"[1] 192.1.3.209 #1: Authenticated using RSA
|     #1 spent 0.125 milliseconds in ikev2_verify_rsa_hash()
| parent state #1: PARENT_R1(half-open IKE SA) => PARENT_R2(established IKE SA)
| #1 will start re-keying in 3330 seconds with margin of 270 seconds (attempting re-key)
| state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted
| libevent_free: release ptr-libevent@0x7f6658002888
| free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x559e01c7cf78
| event_schedule: new EVENT_SA_REKEY-pe@0x559e01c7cf78
| inserting event EVENT_SA_REKEY, timeout in 3330 seconds for #1
| libevent_malloc: new ptr-libevent@0x559e01c7f548 size 128
| pstats #1 ikev2.ike established
| **emit ISAKMP Message:
|    initiator cookie:
|   f5 24 5f 61  40 70 2b d5
|    responder cookie:
|   ae d8 70 55  7a d7 61 61
|    next payload type: ISAKMP_NEXT_NONE (0x0)
|    ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
|    exchange type: ISAKMP_v2_IKE_AUTH (0x23)
|    flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20)
|    Message ID: 1 (0x1)
| next payload chain: saving message location 'ISAKMP Message'.'next payload type'
| IKEv2 CERT: send a certificate?
| IKEv2 CERT: no certificate to send
| ***emit IKEv2 Encryption Payload:
|    next payload type: ISAKMP_NEXT_v2NONE (0x0)
|    flags: none (0x0)
| next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK)
| next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'reply packet'
| emitting 8 zero bytes of IV into IKEv2 Encryption Payload
| Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED
| ****emit IKEv2 Identification - Responder - Payload:
|    next payload type: ISAKMP_NEXT_v2NONE (0x0)
|    flags: none (0x0)
|    ID type: ID_FQDN (0x2)
| next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Identification - Responder - Payload (36:ISAKMP_NEXT_v2IDr)
| next payload chain: saving location 'IKEv2 Identification - Responder - Payload'.'next payload type' in 'reply packet'
| emitting 4 raw bytes of my identity into IKEv2 Identification - Responder - Payload
| my identity  65 61 73 74
| emitting length of IKEv2 Identification - Responder - Payload: 12
| assembled IDr payload
| CHILD SA proposals received
| going to assemble AUTH payload
| ****emit IKEv2 Authentication Payload:
|    next payload type: ISAKMP_NEXT_v2SA (0x21)
|    flags: none (0x0)
|    auth method: IKEv2_AUTH_RSA (0x1)
| next payload chain: ignoring supplied 'IKEv2 Authentication Payload'.'next payload type' value 33:ISAKMP_NEXT_v2SA
| next payload chain: setting previous 'IKEv2 Identification - Responder - Payload'.'next payload type' to current IKEv2 Authentication Payload (39:ISAKMP_NEXT_v2AUTH)
| next payload chain: saving location 'IKEv2 Authentication Payload'.'next payload type' in 'reply packet'
| started looking for secret for @east->@road of kind PKK_RSA
| actually looking for secret for @east->@road of kind PKK_RSA
| line 1: key type PKK_RSA(@east) to type PKK_RSA
| 1: compared key (none) to @east / @road -> 002
| 2: compared key (none) to @east / @road -> 002
| line 1: match=002
| match 002 beats previous best_match 000 match=0x559e01bd3b58 (line=1)
| concluding with best_match=002 best=0x559e01bd3b58 (lineno=1)
|       #1 spent 4.91 milliseconds in ikev2_calculate_rsa_hash() calling sign_hash_RSA()
| emitting 274 raw bytes of rsa signature into IKEv2 Authentication Payload
| rsa signature  3f b2 04 a0  0f 95 67 fc  5a 74 67 84  eb 18 cd a5
| rsa signature  db 6a 1c 02  fb c5 b5 73  64 10 32 93  47 dc ba e0
| rsa signature  b3 f8 63 83  2f d2 06 47  5b da 8b 24  04 bc 6d 1f
| rsa signature  e0 c5 05 d4  10 70 61 a5  1c ad ba 23  2d f7 71 fc
| rsa signature  bd 09 d9 43  31 ed f0 ad  71 f3 a6 bc  af ef c5 3f
| rsa signature  c6 fa 73 84  98 de d9 db  61 0c 04 e1  9b 5b 99 42
| rsa signature  79 96 35 75  7a 0b f9 15  f9 e4 5b 98  01 8b b6 f5
| rsa signature  18 64 7f 50  4b dd 1e 02  55 2a 5e 8d  93 b3 c6 96
| rsa signature  89 91 7a fc  c9 22 a7 87  c7 2d 4c 61  ca 00 98 6b
| rsa signature  cb 0f ac bb  6d cc ce 00  a6 1a 09 0e  36 f6 e1 54
| rsa signature  35 4d 94 c3  5b 8a a6 c0  55 5b cf 21  f4 01 38 56
| rsa signature  fc 28 c0 a7  ad a0 bf 89  1e 5b 7d 03  05 e3 12 20
| rsa signature  ae 2f 81 f7  1e 2f 52 45  a0 1c 46 4b  44 32 54 3e
| rsa signature  21 fb 87 68  53 96 d4 3d  41 36 20 46  d7 21 ea 7f
| rsa signature  80 d1 91 42  c4 0e 03 ce  95 fa d6 43  eb 8e 81 39
| rsa signature  3b 08 a5 a0  35 d5 4d 70  06 58 4c 9d  e9 4c 5b e5
| rsa signature  2d 1f b3 6c  e0 10 67 0e  e2 83 0c a0  f4 e0 c5 80
| rsa signature  f6 f9
|     #1 spent 4.99 milliseconds in ikev2_calculate_rsa_hash()
| emitting length of IKEv2 Authentication Payload: 282
| creating state object #2 at 0x559e01c8abd8
| State DB: adding IKEv2 state #2 in UNDEFINED
| pstats #2 ikev2.child started
| duplicating state object #1 "road-eastnet-nonat"[1] 192.1.3.209 as #2 for IPSEC SA
| #2 setting local endpoint to 192.1.2.23:500 from #1.st_localport (in duplicate_state() at state.c:1484)
| Message ID: init_child #1.#2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0; child: wip.initiator=0->-1 wip.responder=0->-1
| Message ID: switch-from #1 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=1->-1
| Message ID: switch-to #1.#2 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0; child: wip.initiator=-1 wip.responder=-1->1
| Child SA TS Request has ike->sa == md->st; so using parent connection
| TSi: parsing 1 traffic selectors
| ***parse IKEv2 Traffic Selector:
|    TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7)
|    IP Protocol ID: 0 (0x0)
|    length: 16 (0x10)
|    start port: 0 (0x0)
|    end port: 65535 (0xffff)
| parsing 4 raw bytes of IKEv2 Traffic Selector into TS low
| TS low  c0 00 02 db
| parsing 4 raw bytes of IKEv2 Traffic Selector into TS high
| TS high  c0 00 02 db
| TSi: parsed 1 traffic selectors
| TSr: parsing 1 traffic selectors
| ***parse IKEv2 Traffic Selector:
|    TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7)
|    IP Protocol ID: 0 (0x0)
|    length: 16 (0x10)
|    start port: 0 (0x0)
|    end port: 65535 (0xffff)
| parsing 4 raw bytes of IKEv2 Traffic Selector into TS low
| TS low  c0 00 02 00
| parsing 4 raw bytes of IKEv2 Traffic Selector into TS high
| TS high  c0 00 02 ff
| TSr: parsed 1 traffic selectors
| looking for best SPD in current connection
| evaluating our conn="road-eastnet-nonat"[1] 192.1.3.209 I=192.0.2.219/32:0/0 R=192.0.2.0/24:0/0 to their:
|     TSi[0] .net=192.0.2.219-192.0.2.219 .iporotoid=0 .{start,end}port=0..65535
|         match address end->client=192.0.2.219/32 == TSi[0]net=192.0.2.219-192.0.2.219: YES fitness 32
|         narrow port end=0..65535 == TSi[0]=0..65535: 0
|           TSi[0] port match: YES fitness 65536
|         narrow protocol end=*0 == TSi[0]=*0: 0
|         match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255
|     TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535
|         match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32
|         narrow port end=0..65535 == TSr[0]=0..65535: 0
|           TSr[0] port match: YES fitness 65536
|         narrow protocol end=*0 == TSr[0]=*0: 0
|         match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255
| best fit so far: TSi[0] TSr[0]
|     found better spd route for TSi[0],TSr[0]
| looking for better host pair
| find_host_pair: comparing 192.1.2.23:500 to 192.1.3.209:500 but ignoring ports
|   checking hostpair 192.0.2.0/24 -> 192.0.2.219/32 is found
|   investigating connection "road-eastnet-nonat" as a better match
|    match_id a=@road
|             b=@road
|    results  matched
| evaluating our conn="road-eastnet-nonat"[1] 192.1.3.209 I=192.0.2.219/32:0/0 R=192.0.2.0/24:0/0 to their:
|     TSi[0] .net=192.0.2.219-192.0.2.219 .iporotoid=0 .{start,end}port=0..65535
|         match address end->client=192.0.2.219/32 == TSi[0]net=192.0.2.219-192.0.2.219: YES fitness 32
|         narrow port end=0..65535 == TSi[0]=0..65535: 0
|           TSi[0] port match: YES fitness 65536
|         narrow protocol end=*0 == TSi[0]=*0: 0
|         match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255
|     TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535
|         match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32
|         narrow port end=0..65535 == TSr[0]=0..65535: 0
|           TSr[0] port match: YES fitness 65536
|         narrow protocol end=*0 == TSr[0]=*0: 0
|         match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255
| best fit so far: TSi[0] TSr[0]
|   did not find a better connection using host pair
| printing contents struct traffic_selector
|   ts_type: IKEv2_TS_IPV4_ADDR_RANGE
|   ipprotoid: 0
|   port range: 0-65535
|   ip range: 192.0.2.0-192.0.2.255
| printing contents struct traffic_selector
|   ts_type: IKEv2_TS_IPV4_ADDR_RANGE
|   ipprotoid: 0
|   port range: 0-65535
|   ip range: 192.0.2.219-192.0.2.219
| constructing ESP/AH proposals with all DH removed  for road-eastnet-nonat (IKE_AUTH responder matching remote ESP/AH proposals)
| converting proposal AES_GCM_16_256-NONE to ikev2 ...
| ...  ikev2_proposal: 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;DH=NONE;ESN=DISABLED
| converting proposal AES_GCM_16_128-NONE to ikev2 ...
| ...  ikev2_proposal: 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;DH=NONE;ESN=DISABLED
| converting proposal AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128 to ikev2 ...
| ...  ikev2_proposal: 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED
| converting proposal AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128 to ikev2 ...
| ...  ikev2_proposal: 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED
"road-eastnet-nonat"[1] 192.1.3.209: constructed local ESP/AH proposals for road-eastnet-nonat (IKE_AUTH responder matching remote ESP/AH proposals): 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;DH=NONE;ESN=DISABLED 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;DH=NONE;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED
| Comparing remote proposals against IKE_AUTH responder matching remote ESP/AH proposals 4 local proposals
| local proposal 1 type ENCR has 1 transforms
| local proposal 1 type PRF has 0 transforms
| local proposal 1 type INTEG has 1 transforms
| local proposal 1 type DH has 1 transforms
| local proposal 1 type ESN has 1 transforms
| local proposal 1 transforms: required: ENCR+ESN; optional: INTEG+DH
| local proposal 2 type ENCR has 1 transforms
| local proposal 2 type PRF has 0 transforms
| local proposal 2 type INTEG has 1 transforms
| local proposal 2 type DH has 1 transforms
| local proposal 2 type ESN has 1 transforms
| local proposal 2 transforms: required: ENCR+ESN; optional: INTEG+DH
| local proposal 3 type ENCR has 1 transforms
| local proposal 3 type PRF has 0 transforms
| local proposal 3 type INTEG has 2 transforms
| local proposal 3 type DH has 1 transforms
| local proposal 3 type ESN has 1 transforms
| local proposal 3 transforms: required: ENCR+INTEG+ESN; optional: DH
| local proposal 4 type ENCR has 1 transforms
| local proposal 4 type PRF has 0 transforms
| local proposal 4 type INTEG has 2 transforms
| local proposal 4 type DH has 1 transforms
| local proposal 4 type ESN has 1 transforms
| local proposal 4 transforms: required: ENCR+INTEG+ESN; optional: DH
| ***parse IKEv2 Proposal Substructure Payload:
|    last proposal: v2_PROPOSAL_NON_LAST (0x2)
|    length: 32 (0x20)
|    prop #: 1 (0x1)
|    proto ID: IKEv2_SEC_PROTO_ESP (0x3)
|    spi size: 4 (0x4)
|    # transforms: 2 (0x2)
| parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI
| remote SPI  dc 90 fe 8d
| Comparing remote proposal 1 containing 2 transforms against local proposal [1..4] of 4 local proposals
| ****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 12 (0xc)
|    IKEv2 transform type: TRANS_TYPE_ENCR (0x1)
|    IKEv2 transform ID: AES_GCM_C (0x14)
| *****parse IKEv2 Attribute Substructure Payload:
|    af+type: AF+IKEv2_KEY_LENGTH (0x800e)
|    length/value: 256 (0x100)
| remote proposal 1 transform 0 (ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) transform 0
| ****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_LAST (0x0)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_ESN (0x5)
|    IKEv2 transform ID: ESN_DISABLED (0x0)
| remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 1 type 5 (ESN) transform 0
| remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 2 type 5 (ESN) transform 0
| remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 3 type 5 (ESN) transform 0
| remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 4 type 5 (ESN) transform 0
| remote proposal 1 proposed transforms: ENCR+ESN; matched: ENCR+ESN; unmatched: none
| comparing remote proposal 1 containing ENCR+ESN transforms to local proposal 1; required: ENCR+ESN; optional: INTEG+DH; matched: ENCR+ESN
| remote proposal 1 matches local proposal 1
| ***parse IKEv2 Proposal Substructure Payload:
|    last proposal: v2_PROPOSAL_NON_LAST (0x2)
|    length: 32 (0x20)
|    prop #: 2 (0x2)
|    proto ID: IKEv2_SEC_PROTO_ESP (0x3)
|    spi size: 4 (0x4)
|    # transforms: 2 (0x2)
| parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI
| remote SPI  dc 90 fe 8d
| Comparing remote proposal 2 containing 2 transforms against local proposal [1..0] of 4 local proposals
| ****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 12 (0xc)
|    IKEv2 transform type: TRANS_TYPE_ENCR (0x1)
|    IKEv2 transform ID: AES_GCM_C (0x14)
| *****parse IKEv2 Attribute Substructure Payload:
|    af+type: AF+IKEv2_KEY_LENGTH (0x800e)
|    length/value: 128 (0x80)
| ****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_LAST (0x0)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_ESN (0x5)
|    IKEv2 transform ID: ESN_DISABLED (0x0)
| remote proposal 2 proposed transforms: ENCR+ESN; matched: none; unmatched: ENCR+ESN
| remote proposal 2 does not match; unmatched remote transforms: ENCR+ESN
| ***parse IKEv2 Proposal Substructure Payload:
|    last proposal: v2_PROPOSAL_NON_LAST (0x2)
|    length: 48 (0x30)
|    prop #: 3 (0x3)
|    proto ID: IKEv2_SEC_PROTO_ESP (0x3)
|    spi size: 4 (0x4)
|    # transforms: 4 (0x4)
| parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI
| remote SPI  dc 90 fe 8d
| Comparing remote proposal 3 containing 4 transforms against local proposal [1..0] of 4 local proposals
| ****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 12 (0xc)
|    IKEv2 transform type: TRANS_TYPE_ENCR (0x1)
|    IKEv2 transform ID: AES_CBC (0xc)
| *****parse IKEv2 Attribute Substructure Payload:
|    af+type: AF+IKEv2_KEY_LENGTH (0x800e)
|    length/value: 256 (0x100)
| ****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_INTEG (0x3)
|    IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe)
| ****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_INTEG (0x3)
|    IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc)
| ****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_LAST (0x0)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_ESN (0x5)
|    IKEv2 transform ID: ESN_DISABLED (0x0)
| remote proposal 3 proposed transforms: ENCR+INTEG+ESN; matched: none; unmatched: ENCR+INTEG+ESN
| remote proposal 3 does not match; unmatched remote transforms: ENCR+INTEG+ESN
| ***parse IKEv2 Proposal Substructure Payload:
|    last proposal: v2_PROPOSAL_LAST (0x0)
|    length: 48 (0x30)
|    prop #: 4 (0x4)
|    proto ID: IKEv2_SEC_PROTO_ESP (0x3)
|    spi size: 4 (0x4)
|    # transforms: 4 (0x4)
| parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI
| remote SPI  dc 90 fe 8d
| Comparing remote proposal 4 containing 4 transforms against local proposal [1..0] of 4 local proposals
| ****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 12 (0xc)
|    IKEv2 transform type: TRANS_TYPE_ENCR (0x1)
|    IKEv2 transform ID: AES_CBC (0xc)
| *****parse IKEv2 Attribute Substructure Payload:
|    af+type: AF+IKEv2_KEY_LENGTH (0x800e)
|    length/value: 128 (0x80)
| ****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_INTEG (0x3)
|    IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe)
| ****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_INTEG (0x3)
|    IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc)
| ****parse IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_LAST (0x0)
|    length: 8 (0x8)
|    IKEv2 transform type: TRANS_TYPE_ESN (0x5)
|    IKEv2 transform ID: ESN_DISABLED (0x0)
| remote proposal 4 proposed transforms: ENCR+INTEG+ESN; matched: none; unmatched: ENCR+INTEG+ESN
| remote proposal 4 does not match; unmatched remote transforms: ENCR+INTEG+ESN
"road-eastnet-nonat"[1] 192.1.3.209 #1: proposal 1:ESP:SPI=dc90fe8d;ENCR=AES_GCM_C_256;ESN=DISABLED chosen from remote proposals 1:ESP:ENCR=AES_GCM_C_256;ESN=DISABLED[first-match] 2:ESP:ENCR=AES_GCM_C_128;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED
| IKE_AUTH responder matching remote ESP/AH proposals ikev2_proposal: 1:ESP:SPI=dc90fe8d;ENCR=AES_GCM_C_256;ESN=DISABLED
| converting proposal to internal trans attrs
| netlink_get_spi: allocated 0xc47cdd66 for esp.0@192.1.2.23
| Emitting ikev2_proposal ...
| ****emit IKEv2 Security Association Payload:
|    next payload type: ISAKMP_NEXT_v2NONE (0x0)
|    flags: none (0x0)
| next payload chain: setting previous 'IKEv2 Authentication Payload'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA)
| next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet'
| *****emit IKEv2 Proposal Substructure Payload:
|    last proposal: v2_PROPOSAL_LAST (0x0)
|    prop #: 1 (0x1)
|    proto ID: IKEv2_SEC_PROTO_ESP (0x3)
|    spi size: 4 (0x4)
|    # transforms: 2 (0x2)
| last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal'
| emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload
| our spi  c4 7c dd 66
| ******emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_NON_LAST (0x3)
|    IKEv2 transform type: TRANS_TYPE_ENCR (0x1)
|    IKEv2 transform ID: AES_GCM_C (0x14)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| *******emit IKEv2 Attribute Substructure Payload:
|    af+type: AF+IKEv2_KEY_LENGTH (0x800e)
|    length/value: 256 (0x100)
| emitting length of IKEv2 Transform Substructure Payload: 12
| ******emit IKEv2 Transform Substructure Payload:
|    last transform: v2_TRANSFORM_LAST (0x0)
|    IKEv2 transform type: TRANS_TYPE_ESN (0x5)
|    IKEv2 transform ID: ESN_DISABLED (0x0)
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3)
| last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform'
| emitting length of IKEv2 Transform Substructure Payload: 8
| emitting length of IKEv2 Proposal Substructure Payload: 32
| last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0
| emitting length of IKEv2 Security Association Payload: 36
| last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0
| ****emit IKEv2 Traffic Selector - Initiator - Payload:
|    next payload type: ISAKMP_NEXT_v2NONE (0x0)
|    flags: none (0x0)
|    number of TS: 1 (0x1)
| next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Traffic Selector - Initiator - Payload (44:ISAKMP_NEXT_v2TSi)
| next payload chain: saving location 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' in 'reply packet'
| *****emit IKEv2 Traffic Selector:
|    TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7)
|    IP Protocol ID: 0 (0x0)
|    start port: 0 (0x0)
|    end port: 65535 (0xffff)
| emitting 4 raw bytes of ipv4 start into IKEv2 Traffic Selector
| ipv4 start  c0 00 02 db
| emitting 4 raw bytes of ipv4 end into IKEv2 Traffic Selector
| ipv4 end  c0 00 02 db
| emitting length of IKEv2 Traffic Selector: 16
| emitting length of IKEv2 Traffic Selector - Initiator - Payload: 24
| ****emit IKEv2 Traffic Selector - Responder - Payload:
|    next payload type: ISAKMP_NEXT_v2NONE (0x0)
|    flags: none (0x0)
|    number of TS: 1 (0x1)
| next payload chain: setting previous 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' to current IKEv2 Traffic Selector - Responder - Payload (45:ISAKMP_NEXT_v2TSr)
| next payload chain: saving location 'IKEv2 Traffic Selector - Responder - Payload'.'next payload type' in 'reply packet'
| *****emit IKEv2 Traffic Selector:
|    TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7)
|    IP Protocol ID: 0 (0x0)
|    start port: 0 (0x0)
|    end port: 65535 (0xffff)
| emitting 4 raw bytes of ipv4 start into IKEv2 Traffic Selector
| ipv4 start  c0 00 02 00
| emitting 4 raw bytes of ipv4 end into IKEv2 Traffic Selector
| ipv4 end  c0 00 02 ff
| emitting length of IKEv2 Traffic Selector: 16
| emitting length of IKEv2 Traffic Selector - Responder - Payload: 24
| Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED
| integ=none: .key_size=0 encrypt=aes_gcm_16: .key_size=32 .salt_size=4 keymat_len=36
| FOR_EACH_CONNECTION_... in ISAKMP_SA_established
| install_ipsec_sa() for #2: inbound and outbound
| could_route called for road-eastnet-nonat (kind=CK_INSTANCE)
| FOR_EACH_CONNECTION_... in route_owner
|  conn road-eastnet-nonat mark 0/00000000, 0/00000000 vs
|  conn road-eastnet-nonat mark 0/00000000, 0/00000000
|  conn road-eastnet-nonat mark 0/00000000, 0/00000000 vs
|  conn road-eastnet-nonat mark 0/00000000, 0/00000000
| route owner of "road-eastnet-nonat"[1] 192.1.3.209 unrouted: NULL; eroute owner: NULL
| looking for alg with encrypt: AES_GCM_16 keylen: 256 integ: NONE
| encrypt AES_GCM_16 keylen=256 transid=20, key_size=32, encryptalg=20
| AES_GCM_16 requires 4 salt bytes
| st->st_esp.keymat_len=36 is encrypt_keymat_size=36 + integ_keymat_size=0
| setting IPsec SA replay-window to 32
| NIC esp-hw-offload not for connection 'road-eastnet-nonat' not available on interface eth1
| netlink: enabling tunnel mode
| netlink: setting IPsec SA replay-window to 32 using old-style req
| netlink: esp-hw-offload not set for IPsec SA
| netlink response for Add SA esp.dc90fe8d@192.1.3.209 included non-error error
| set up outgoing SA, ref=0/0
| looking for alg with encrypt: AES_GCM_16 keylen: 256 integ: NONE
| encrypt AES_GCM_16 keylen=256 transid=20, key_size=32, encryptalg=20
| AES_GCM_16 requires 4 salt bytes
| st->st_esp.keymat_len=36 is encrypt_keymat_size=36 + integ_keymat_size=0
| setting IPsec SA replay-window to 32
| NIC esp-hw-offload not for connection 'road-eastnet-nonat' not available on interface eth1
| netlink: enabling tunnel mode
| netlink: setting IPsec SA replay-window to 32 using old-style req
| netlink: esp-hw-offload not set for IPsec SA
| netlink response for Add SA esp.c47cdd66@192.1.2.23 included non-error error
| priority calculation of connection "road-eastnet-nonat" is 0xfe7df
| add inbound eroute 192.0.2.219/32:0 --0-> 192.0.2.0/24:0 => tun.10000@192.1.2.23 (raw_eroute)
| IPsec Sa SPD priority set to 1042399
| raw_eroute result=success
| set up incoming SA, ref=0/0
| sr for #2: unrouted
| route_and_eroute() for proto 0, and source port 0 dest port 0
| FOR_EACH_CONNECTION_... in route_owner
|  conn road-eastnet-nonat mark 0/00000000, 0/00000000 vs
|  conn road-eastnet-nonat mark 0/00000000, 0/00000000
|  conn road-eastnet-nonat mark 0/00000000, 0/00000000 vs
|  conn road-eastnet-nonat mark 0/00000000, 0/00000000
| route owner of "road-eastnet-nonat"[1] 192.1.3.209 unrouted: NULL; eroute owner: NULL
| route_and_eroute with c: road-eastnet-nonat (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: #2
| priority calculation of connection "road-eastnet-nonat" is 0xfe7df
| eroute_connection add eroute 192.0.2.0/24:0 --0-> 192.0.2.219/32:0 => tun.0@192.1.3.209 (raw_eroute)
| IPsec Sa SPD priority set to 1042399
| raw_eroute result=success
| running updown command "ipsec _updown" for verb up 
| command executing up-client
| executing up-client: PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='road-eastnet-nonat' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.209' PLUTO_PEER_ID='@road' PLUTO_PEER_CLIENT='192.0.2.219/32' PLUTO_PEER_CLIENT_NET='192.0.2.219' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=
| popen cmd is 1044 chars long
| cmd(   0):PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='road-eastnet-nonat':
| cmd(  80): PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO:
| cmd( 160):_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PL:
| cmd( 240):UTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO:
| cmd( 320):_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.209' PLUTO_PEER_ID='@r:
| cmd( 400):oad' PLUTO_PEER_CLIENT='192.0.2.219/32' PLUTO_PEER_CLIENT_NET='192.0.2.219' PLUT:
| cmd( 480):O_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0':
| cmd( 560): PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSAS:
| cmd( 640):IG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_:
| cmd( 720):KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CIS:
| cmd( 800):CO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLU:
| cmd( 880):TO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_:
| cmd( 960):ROUTING='no' VTI_SHARED='no' SPI_IN=0xdc90fe8d SPI_OUT=0xc47cdd66 ipsec _updown :
| cmd(1040):2>&1:
| route_and_eroute: firewall_notified: true
| running updown command "ipsec _updown" for verb prepare 
| command executing prepare-client
| executing prepare-client: PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='road-eastnet-nonat' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.209' PLUTO_PEER_ID='@road' PLUTO_PEER_CLIENT='192.0.2.219/32' PLUTO_PEER_CLIENT_NET='192.0.2.219' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='n
| popen cmd is 1049 chars long
| cmd(   0):PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='road-eastnet-n:
| cmd(  80):onat' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' :
| cmd( 160):PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.:
| cmd( 240):0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' :
| cmd( 320):PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.209' PLUTO_PEER_I:
| cmd( 400):D='@road' PLUTO_PEER_CLIENT='192.0.2.219/32' PLUTO_PEER_CLIENT_NET='192.0.2.219':
| cmd( 480): PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCO:
| cmd( 560):L='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY=:
| cmd( 640):'RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_:
| cmd( 720):CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEE:
| cmd( 800):R_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER=':
| cmd( 880):' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='':
| cmd( 960): VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0xdc90fe8d SPI_OUT=0xc47cdd66 ipsec _up:
| cmd(1040):down 2>&1:
| running updown command "ipsec _updown" for verb route 
| command executing route-client
| executing route-client: PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='road-eastnet-nonat' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.209' PLUTO_PEER_ID='@road' PLUTO_PEER_CLIENT='192.0.2.219/32' PLUTO_PEER_CLIENT_NET='192.0.2.219' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' S
| popen cmd is 1047 chars long
| cmd(   0):PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='road-eastnet-non:
| cmd(  80):at' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PL:
| cmd( 160):UTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0':
| cmd( 240): PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PL:
| cmd( 320):UTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.209' PLUTO_PEER_ID=:
| cmd( 400):'@road' PLUTO_PEER_CLIENT='192.0.2.219/32' PLUTO_PEER_CLIENT_NET='192.0.2.219' P:
| cmd( 480):LUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL=:
| cmd( 560):'0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='R:
| cmd( 640):SASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CO:
| cmd( 720):NN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_:
| cmd( 800):CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' :
| cmd( 880):PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' V:
| cmd( 960):TI_ROUTING='no' VTI_SHARED='no' SPI_IN=0xdc90fe8d SPI_OUT=0xc47cdd66 ipsec _updo:
| cmd(1040):wn 2>&1:
| route_and_eroute: instance "road-eastnet-nonat"[1] 192.1.3.209, setting eroute_owner {spd=0x559e01c7ed78,sr=0x559e01c7ed78} to #2 (was #0) (newest_ipsec_sa=#0)
|     #1 spent 1.8 milliseconds in install_ipsec_sa()
| ISAKMP_v2_IKE_AUTH: instance road-eastnet-nonat[1], setting IKEv2 newest_ipsec_sa to #2 (was #0) (spd.eroute=#2) cloned from #1
| adding 1 bytes of padding (including 1 byte padding-length)
| emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload
| emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload
| emitting length of IKEv2 Encryption Payload: 407
| emitting length of ISAKMP Message: 435
| ikev2_parent_inI2outR2_continue_tail returned STF_OK
|   #1 spent 8.23 milliseconds in processing: Responder: process IKE_AUTH request in ikev2_process_state_packet()
| suspend processing: state #1 connection "road-eastnet-nonat"[1] 192.1.3.209 from 192.1.3.209:500 (in complete_v2_state_transition() at ikev2.c:3379)
| start processing: state #2 connection "road-eastnet-nonat"[1] 192.1.3.209 from 192.1.3.209:500 (in complete_v2_state_transition() at ikev2.c:3379)
| #2 complete_v2_state_transition() md.from_state=PARENT_R1 md.svm.state[from]=PARENT_R1 UNDEFINED->V2_IPSEC_R with status STF_OK
| IKEv2: transition from state STATE_PARENT_R1 to state STATE_V2_IPSEC_R
| child state #2: UNDEFINED(ignore) => V2_IPSEC_R(established CHILD SA)
| Message ID: updating counters for #2 to 1 after switching state
| Message ID: recv #1.#2 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0->1; child: wip.initiator=-1 wip.responder=1->-1
| Message ID: sent #1.#2 response 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0->1 responder.recv=1; child: wip.initiator=-1 wip.responder=-1
| pstats #2 ikev2.child established
"road-eastnet-nonat"[1] 192.1.3.209 #2: negotiated connection [192.0.2.0-192.0.2.255:0-65535 0] -> [192.0.2.219-192.0.2.219:0-65535 0]
| NAT-T: encaps is 'auto'
"road-eastnet-nonat"[1] 192.1.3.209 #2: STATE_V2_IPSEC_R: IPsec SA established tunnel mode {ESP=>0xdc90fe8d <0xc47cdd66 xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive}
| sending V2 new request packet to 192.1.3.209:500 (from 192.1.2.23:500)
| sending 435 bytes for STATE_PARENT_R1 through eth1 from 192.1.2.23:500 to 192.1.3.209:500 (using #1)
|   f5 24 5f 61  40 70 2b d5  ae d8 70 55  7a d7 61 61
|   2e 20 23 20  00 00 00 01  00 00 01 b3  24 00 01 97
|   da cf de 59  a2 21 3c a4  29 83 05 56  46 34 aa 09
|   19 27 1e 2c  1b 5a dc 6b  fc 10 f7 b3  3a f7 e4 9e
|   03 2b 3b 0d  d9 9c f7 64  d4 cf 18 09  fc af 8b f1
|   c5 58 47 34  ef b8 b1 63  53 57 a3 68  c9 38 9b c6
|   35 72 93 17  9e f6 ff 5d  e0 13 ab 0e  86 a7 9e 47
|   b0 85 e0 2b  22 0d 6c f8  15 b4 6e 1d  44 c9 f4 b0
|   70 eb 18 ab  c6 39 27 66  d7 53 78 59  76 4e 38 a3
|   2f ac e6 6c  06 b4 49 fb  f0 6d 64 65  d9 fd 63 22
|   ed e7 4d 76  d1 97 4c 4e  9b 4e 8d 55  16 9a c3 c3
|   65 b7 82 e5  e0 19 fc 1e  f5 80 6d 0e  67 46 01 59
|   c0 a2 da c7  11 5c d8 1b  9c 03 5a fc  18 03 e8 18
|   c5 31 f6 86  bb c2 2c 5b  5c 68 ac c6  90 f8 c6 12
|   63 3b 79 6c  4a 55 28 13  30 62 2c 56  a0 1a 0b 44
|   b8 44 72 fc  c7 42 ce f2  e0 7c e2 47  a9 39 89 00
|   a7 8a 5d 60  dc 28 5a db  6d d5 ec 59  0f 2e fd 4f
|   02 65 cd 33  9e 89 28 c7  db f1 48 18  53 bf e7 ab
|   6c 59 b6 8d  6b 3e c8 d2  c1 39 f0 99  81 54 34 d6
|   9d 85 5e 7c  42 89 64 c7  97 5c b0 29  df 6b cd 9b
|   bb 8a f1 91  b5 ff ec 89  ac 45 2a 31  73 b9 b5 49
|   66 4d 8d 36  c8 6a cd 7b  12 6f d0 97  59 cf c2 1e
|   b4 9a 20 5c  da 07 54 a5  81 60 08 3c  47 7e 9f a3
|   87 e6 51 86  d7 07 44 5b  3e 76 8e 59  ee 29 78 c0
|   80 f6 05 41  0f 47 2f a7  bc 59 a1 12  b7 18 cb c4
|   5d 75 ba 3d  92 bf 14 96  04 55 6a 33  b3 5e a1 d8
|   8d a9 a6 55  96 95 47 80  4e 07 34 35  7f f2 a4 ed
|   72 79 24
| releasing whack for #2 (sock=fd@-1)
| releasing whack and unpending for parent #1
| unpending state #1 connection "road-eastnet-nonat"[1] 192.1.3.209
| #2 will start re-keying in 28530 seconds with margin of 270 seconds (attempting re-key)
| event_schedule: new EVENT_SA_REKEY-pe@0x7f6658002b78
| inserting event EVENT_SA_REKEY, timeout in 28530 seconds for #2
| libevent_malloc: new ptr-libevent@0x559e01c83a08 size 128
| resume sending helper answer for #1 suppresed complete_v2_state_transition()
| #1 spent 8.53 milliseconds in resume sending helper answer
| stop processing: state #2 connection "road-eastnet-nonat"[1] 192.1.3.209 from 192.1.3.209:500 (in resume_handler() at server.c:833)
| libevent_free: release ptr-libevent@0x7f6650000f48
| processing signal PLUTO_SIGCHLD
| waitpid returned ECHILD (no child processes left)
| spent 0.00423 milliseconds in signal handler PLUTO_SIGCHLD
| processing signal PLUTO_SIGCHLD
| waitpid returned ECHILD (no child processes left)
| spent 0.00267 milliseconds in signal handler PLUTO_SIGCHLD
| processing signal PLUTO_SIGCHLD
| waitpid returned ECHILD (no child processes left)
| spent 0.00266 milliseconds in signal handler PLUTO_SIGCHLD
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
| FOR_EACH_CONNECTION_... in show_connections_status
| FOR_EACH_CONNECTION_... in show_connections_status
| FOR_EACH_STATE_... in show_states_status (sort_states)
| FOR_EACH_STATE_... in sort_states
| get_sa_info esp.c47cdd66@192.1.2.23
| get_sa_info esp.dc90fe8d@192.1.3.209
| close_any(fd@16) (in whack_process() at rcv_whack.c:700)
| spent 0.95 milliseconds in whack
| accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:722)
shutting down
| processing: RESET whack log_fd (was fd@16) (in exit_pluto() at plutomain.c:1825)
| certs and keys locked by 'free_preshared_secrets'
forgetting secrets
| certs and keys unlocked by 'free_preshared_secrets'
| unreference key: 0x559e01c7d208 @east cnt 1--
| unreference key: 0x559e01bd3c48 @road cnt 2--
| start processing: connection "road-eastnet-nonat"[1] 192.1.3.209 (in delete_connection() at connections.c:189)
"road-eastnet-nonat"[1] 192.1.3.209: deleting connection "road-eastnet-nonat"[1] 192.1.3.209 instance with peer 192.1.3.209 {isakmp=#1/ipsec=#2}
| Deleting states for connection - including all other IPsec SA's of this IKE SA
| pass 0
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| state #2
| suspend processing: connection "road-eastnet-nonat"[1] 192.1.3.209 (in foreach_state_by_connection_func_delete() at state.c:1310)
| start processing: state #2 connection "road-eastnet-nonat"[1] 192.1.3.209 from 192.1.3.209:500 (in foreach_state_by_connection_func_delete() at state.c:1310)
| pstats #2 ikev2.child deleted completed
| [RE]START processing: state #2 connection "road-eastnet-nonat"[1] 192.1.3.209 from 192.1.3.209:500 (in delete_state() at state.c:879)
"road-eastnet-nonat"[1] 192.1.3.209 #2: deleting state (STATE_V2_IPSEC_R) aged 5.198s and sending notification
| child state #2: V2_IPSEC_R(established CHILD SA) => delete
| get_sa_info esp.dc90fe8d@192.1.3.209
| get_sa_info esp.c47cdd66@192.1.2.23
"road-eastnet-nonat"[1] 192.1.3.209 #2: ESP traffic information: in=336B out=336B
| #2 send IKEv2 delete notification for STATE_V2_IPSEC_R
| Opening output PBS informational exchange delete request
| **emit ISAKMP Message:
|    initiator cookie:
|   f5 24 5f 61  40 70 2b d5
|    responder cookie:
|   ae d8 70 55  7a d7 61 61
|    next payload type: ISAKMP_NEXT_NONE (0x0)
|    ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
|    exchange type: ISAKMP_v2_INFORMATIONAL (0x25)
|    flags: none (0x0)
|    Message ID: 0 (0x0)
| next payload chain: saving message location 'ISAKMP Message'.'next payload type'
| ***emit IKEv2 Encryption Payload:
|    next payload type: ISAKMP_NEXT_v2NONE (0x0)
|    flags: none (0x0)
| next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK)
| next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'informational exchange delete request'
| emitting 8 zero bytes of IV into IKEv2 Encryption Payload
| ****emit IKEv2 Delete Payload:
|    next payload type: ISAKMP_NEXT_v2NONE (0x0)
|    flags: none (0x0)
|    protocol ID: PROTO_v2_ESP (0x3)
|    SPI size: 4 (0x4)
|    number of SPIs: 1 (0x1)
| next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D)
| next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'informational exchange delete request'
| emitting 4 raw bytes of local spis into IKEv2 Delete Payload
| local spis  c4 7c dd 66
| emitting length of IKEv2 Delete Payload: 12
| adding 1 bytes of padding (including 1 byte padding-length)
| emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload
| emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload
| emitting length of IKEv2 Encryption Payload: 41
| emitting length of ISAKMP Message: 69
| sending 69 bytes for delete notification through eth1 from 192.1.2.23:500 to 192.1.3.209:500 (using #2)
|   f5 24 5f 61  40 70 2b d5  ae d8 70 55  7a d7 61 61
|   2e 20 25 00  00 00 00 00  00 00 00 45  2a 00 00 29
|   3d c9 6c 74  6d df ce ae  66 c2 f0 fe  fb 3c 52 92
|   34 9d 33 9d  ef d5 0e 59  a5 ed 51 60  c0 40 d4 76
|   cd a6 99 e8  60
| Message ID: IKE #1 sender #2 in send_delete record 'n' sending delete request so forcing IKE nextuse=0->1 and sender msgid=0->0
| Message ID: IKE #1 sender #2 in send_delete hacking around record ' send
| Message ID: sent #1 request 0; ike: initiator.sent=-1->0 initiator.recv=-1 responder.sent=1 responder.recv=1 wip.initiator=-1->0 wip.responder=-1
| state #2 requesting EVENT_SA_REKEY to be deleted
| libevent_free: release ptr-libevent@0x559e01c83a08
| free_event_entry: release EVENT_SA_REKEY-pe@0x7f6658002b78
| running updown command "ipsec _updown" for verb down 
| command executing down-client
| executing down-client: PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='road-eastnet-nonat' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.209' PLUTO_PEER_ID='@road' PLUTO_PEER_CLIENT='192.0.2.219/32' PLUTO_PEER_CLIENT_NET='192.0.2.219' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1566843854' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHAR
| popen cmd is 1057 chars long
| cmd(   0):PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='road-eastnet-nona:
| cmd(  80):t' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLU:
| cmd( 160):TO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' :
| cmd( 240):PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLU:
| cmd( 320):TO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.209' PLUTO_PEER_ID=':
| cmd( 400):@road' PLUTO_PEER_CLIENT='192.0.2.219/32' PLUTO_PEER_CLIENT_NET='192.0.2.219' PL:
| cmd( 480):UTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL=':
| cmd( 560):0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1566843854' PLUTO_CONN_P:
| cmd( 640):OLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' :
| cmd( 720):PLUTO_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUT:
| cmd( 800):O_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_:
| cmd( 880):BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_:
| cmd( 960):IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0xdc90fe8d SPI_OUT=0xc47cdd66 i:
| cmd(1040):psec _updown 2>&1:
| shunt_eroute() called for connection 'road-eastnet-nonat' to 'replace with shunt' for rt_kind 'prospective erouted' using protoports 0--0->-0
| netlink_shunt_eroute for proto 0, and source port 0 dest port 0
| priority calculation of connection "road-eastnet-nonat" is 0xfe7df
| IPsec Sa SPD priority set to 1042399
| delete esp.dc90fe8d@192.1.3.209
| netlink response for Del SA esp.dc90fe8d@192.1.3.209 included non-error error
| priority calculation of connection "road-eastnet-nonat" is 0xfe7df
| delete inbound eroute 192.0.2.219/32:0 --0-> 192.0.2.0/24:0 => unk255.10000@192.1.2.23 (raw_eroute)
| raw_eroute result=success
| delete esp.c47cdd66@192.1.2.23
| netlink response for Del SA esp.c47cdd66@192.1.2.23 included non-error error
| stop processing: connection "road-eastnet-nonat"[1] 192.1.3.209 (BACKGROUND) (in update_state_connection() at connections.c:4076)
| start processing: connection NULL (in update_state_connection() at connections.c:4077)
| in connection_discard for connection road-eastnet-nonat
| State DB: deleting IKEv2 state #2 in V2_IPSEC_R
| child state #2: V2_IPSEC_R(established CHILD SA) => UNDEFINED(ignore)
| stop processing: state #2 from 192.1.3.209:500 (in delete_state() at state.c:1143)
| processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312)
| state #1
| pass 1
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| state #1
| start processing: state #1 connection "road-eastnet-nonat"[1] 192.1.3.209 from 192.1.3.209:500 (in foreach_state_by_connection_func_delete() at state.c:1310)
| pstats #1 ikev2.ike deleted completed
| #1 spent 12.8 milliseconds in total
| [RE]START processing: state #1 connection "road-eastnet-nonat"[1] 192.1.3.209 from 192.1.3.209:500 (in delete_state() at state.c:879)
"road-eastnet-nonat"[1] 192.1.3.209 #1: deleting state (STATE_PARENT_R2) aged 5.233s and sending notification
| parent state #1: PARENT_R2(established IKE SA) => delete
| #1 send IKEv2 delete notification for STATE_PARENT_R2
| Opening output PBS informational exchange delete request
| **emit ISAKMP Message:
|    initiator cookie:
|   f5 24 5f 61  40 70 2b d5
|    responder cookie:
|   ae d8 70 55  7a d7 61 61
|    next payload type: ISAKMP_NEXT_NONE (0x0)
|    ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
|    exchange type: ISAKMP_v2_INFORMATIONAL (0x25)
|    flags: none (0x0)
|    Message ID: 1 (0x1)
| next payload chain: saving message location 'ISAKMP Message'.'next payload type'
| ***emit IKEv2 Encryption Payload:
|    next payload type: ISAKMP_NEXT_v2NONE (0x0)
|    flags: none (0x0)
| next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK)
| next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'informational exchange delete request'
| emitting 8 zero bytes of IV into IKEv2 Encryption Payload
| ****emit IKEv2 Delete Payload:
|    next payload type: ISAKMP_NEXT_v2NONE (0x0)
|    flags: none (0x0)
|    protocol ID: PROTO_v2_IKE (0x1)
|    SPI size: 0 (0x0)
|    number of SPIs: 0 (0x0)
| next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D)
| next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'informational exchange delete request'
| emitting length of IKEv2 Delete Payload: 8
| adding 1 bytes of padding (including 1 byte padding-length)
| emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload
| emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload
| emitting length of IKEv2 Encryption Payload: 37
| emitting length of ISAKMP Message: 65
| sending 65 bytes for delete notification through eth1 from 192.1.2.23:500 to 192.1.3.209:500 (using #1)
|   f5 24 5f 61  40 70 2b d5  ae d8 70 55  7a d7 61 61
|   2e 20 25 00  00 00 00 01  00 00 00 41  2a 00 00 25
|   4b c2 11 1e  e2 c3 63 ba  a0 85 58 f1  d6 bc 5c ba
|   33 92 bf dc  ef 14 b7 f4  f4 a0 58 6b  06 0c 7f 47
|   00
| Message ID: IKE #1 sender #1 in send_delete record 'n' sending delete request so forcing IKE nextuse=1->2 and sender msgid=0->1
| Message ID: IKE #1 sender #1 in send_delete hacking around record ' send
| Message ID: #1 XXX: expecting sender.wip.initiator 0 == -1 - suspect record'n'send out-of-order?); initiator.sent=1 initiator.recv=-1 responder.sent=1 responder.recv=1 wip.initiator=1 wip.responder=-1
| Message ID: sent #1 request 1; ike: initiator.sent=0->1 initiator.recv=-1 responder.sent=1 responder.recv=1 wip.initiator=0->1 wip.responder=-1
| state #1 requesting EVENT_SA_REKEY to be deleted
| libevent_free: release ptr-libevent@0x559e01c7f548
| free_event_entry: release EVENT_SA_REKEY-pe@0x559e01c7cf78
| State DB: IKEv2 state not found (flush_incomplete_children)
| in connection_discard for connection road-eastnet-nonat
| State DB: deleting IKEv2 state #1 in PARENT_R2
| parent state #1: PARENT_R2(established IKE SA) => UNDEFINED(ignore)
| unreference key: 0x559e01bd3c48 @road cnt 1--
| stop processing: state #1 from 192.1.3.209:500 (in delete_state() at state.c:1143)
| processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312)
| shunt_eroute() called for connection 'road-eastnet-nonat' to 'delete' for rt_kind 'unrouted' using protoports 0--0->-0
| netlink_shunt_eroute for proto 0, and source port 0 dest port 0
| priority calculation of connection "road-eastnet-nonat" is 0xfe7df
| priority calculation of connection "road-eastnet-nonat" is 0xfe7df
| FOR_EACH_CONNECTION_... in route_owner
|  conn road-eastnet-nonat mark 0/00000000, 0/00000000 vs
|  conn road-eastnet-nonat mark 0/00000000, 0/00000000
|  conn road-eastnet-nonat mark 0/00000000, 0/00000000 vs
|  conn road-eastnet-nonat mark 0/00000000, 0/00000000
| route owner of "road-eastnet-nonat" unrouted: NULL
| running updown command "ipsec _updown" for verb unroute 
| command executing unroute-client
| executing unroute-client: PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='road-eastnet-nonat' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.3.209' PLUTO_PEER_ID='@road' PLUTO_PEER_CLIENT='192.0.2.219/32' PLUTO_PEER_CLIENT_NET='192.0.2.219' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED
| popen cmd is 1038 chars long
| cmd(   0):PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='road-eastnet-n:
| cmd(  80):onat' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' :
| cmd( 160):PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.:
| cmd( 240):0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' :
| cmd( 320):PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.3.209' PLUTO_PEER_:
| cmd( 400):ID='@road' PLUTO_PEER_CLIENT='192.0.2.219/32' PLUTO_PEER_CLIENT_NET='192.0.2.219:
| cmd( 480):' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOC:
| cmd( 560):OL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY:
| cmd( 640):='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO:
| cmd( 720):_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_:
| cmd( 800):PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNE:
| cmd( 880):R='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE:
| cmd( 960):='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec _updown 2>&1:
unroute-client output: Error: Peer netns reference is invalid.
unroute-client output: Error: Peer netns reference is invalid.
unroute-client output: Error: Peer netns reference is invalid.
unroute-client output: Error: Peer netns reference is invalid.
unroute-client output: Error: Peer netns reference is invalid.
unroute-client output: Error: Peer netns reference is invalid.
unroute-client output: Error: Peer netns reference is invalid.
unroute-client output: Error: Peer netns reference is invalid.
unroute-client output: Error: Peer netns reference is invalid.
unroute-client output: Error: Peer netns reference is invalid.
unroute-client output: Error: Peer netns reference is invalid.
unroute-client output: Error: Peer netns reference is invalid.
unroute-client output: Error: Peer netns reference is invalid.
unroute-client output: Error: Peer netns reference is invalid.
unroute-client output: Error: Peer netns reference is invalid.
unroute-client output: Error: Peer netns reference is invalid.
unroute-client output: Error: Peer netns reference is invalid.
unroute-client output: Error: Peer netns reference is invalid.
unroute-client output: Error: Peer netns reference is invalid.
unroute-client output: Error: Peer netns reference is invalid.
unroute-client output: Error: Peer netns reference is invalid.
unroute-client output: Error: Peer netns reference is invalid.
unroute-client output: Error: Peer netns reference is invalid.
unroute-client output: Error: Peer netns reference is invalid.
unroute-client output: Error: Peer netns reference is invalid.
unroute-client output: Error: Peer netns reference is invalid.
unroute-client output: Error: Peer netns reference is invalid.
unroute-client output: Error: Peer netns reference is invalid.
unroute-client output: Error: Peer netns reference is invalid.
unroute-client output: Error: Peer netns reference is invalid.
unroute-client output: Error: Peer netns reference is invalid.
| free hp@0x559e01c7f368
| flush revival: connection 'road-eastnet-nonat' wasn't on the list
| processing: STOP connection NULL (in discard_connection() at connections.c:249)
| start processing: connection "road-eastnet-nonat" (in delete_connection() at connections.c:189)
| Deleting states for connection - including all other IPsec SA's of this IKE SA
| pass 0
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| pass 1
| FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
| free hp@0x559e01c7ce98
| flush revival: connection 'road-eastnet-nonat' wasn't on the list
| stop processing: connection "road-eastnet-nonat" (in discard_connection() at connections.c:249)
| crl fetch request list locked by 'free_crl_fetch'
| crl fetch request list unlocked by 'free_crl_fetch'
shutting down interface lo/lo 127.0.0.1:4500
shutting down interface lo/lo 127.0.0.1:500
shutting down interface eth0/eth0 192.0.2.254:4500
shutting down interface eth0/eth0 192.0.2.254:500
shutting down interface eth1/eth1 192.1.2.23:4500
shutting down interface eth1/eth1 192.1.2.23:500
| FOR_EACH_STATE_... in delete_states_dead_interfaces
| libevent_free: release ptr-libevent@0x559e01c6e758
| free_event_entry: release EVENT_NULL-pe@0x559e01c7a468
| libevent_free: release ptr-libevent@0x559e01c00bb8
| free_event_entry: release EVENT_NULL-pe@0x559e01c7a518
| libevent_free: release ptr-libevent@0x559e01c00b08
| free_event_entry: release EVENT_NULL-pe@0x559e01c7a5c8
| libevent_free: release ptr-libevent@0x559e01c04dc8
| free_event_entry: release EVENT_NULL-pe@0x559e01c7a678
| libevent_free: release ptr-libevent@0x559e01bddba8
| free_event_entry: release EVENT_NULL-pe@0x559e01c7a728
| libevent_free: release ptr-libevent@0x559e01bd81d8
| free_event_entry: release EVENT_NULL-pe@0x559e01c7a7d8
| FOR_EACH_UNORIENTED_CONNECTION_... in check_orientations
| libevent_free: release ptr-libevent@0x559e01c6e808
| free_event_entry: release EVENT_NULL-pe@0x559e01c62678
| libevent_free: release ptr-libevent@0x559e01c03918
| free_event_entry: release EVENT_NULL-pe@0x559e01c62608
| libevent_free: release ptr-libevent@0x559e01c01ed8
| free_event_entry: release EVENT_NULL-pe@0x559e01c61ae8
| global timer EVENT_REINIT_SECRET uninitialized
| global timer EVENT_SHUNT_SCAN uninitialized
| global timer EVENT_PENDING_DDNS uninitialized
| global timer EVENT_PENDING_PHASE2 uninitialized
| global timer EVENT_CHECK_CRLS uninitialized
| global timer EVENT_REVIVE_CONNS uninitialized
| global timer EVENT_FREE_ROOT_CERTS uninitialized
| global timer EVENT_RESET_LOG_RATE_LIMIT uninitialized
| global timer EVENT_NAT_T_KEEPALIVE uninitialized
| libevent_free: release ptr-libevent@0x559e01c0d288
| signal event handler PLUTO_SIGCHLD uninstalled
| libevent_free: release ptr-libevent@0x559e01c04e98
| signal event handler PLUTO_SIGTERM uninstalled
| libevent_free: release ptr-libevent@0x559e01c79cc8
| signal event handler PLUTO_SIGHUP uninstalled
| libevent_free: release ptr-libevent@0x559e01c79f08
| signal event handler PLUTO_SIGSYS uninstalled
| releasing event base
| libevent_free: release ptr-libevent@0x559e01c79dd8
| libevent_free: release ptr-libevent@0x559e01c5ce28
| libevent_free: release ptr-libevent@0x559e01c5cdd8
| libevent_free: release ptr-libevent@0x559e01c5cd68
| libevent_free: release ptr-libevent@0x559e01c5cd28
| libevent_free: release ptr-libevent@0x559e01c79a58
| libevent_free: release ptr-libevent@0x559e01c79c08
| libevent_free: release ptr-libevent@0x559e01c5cfd8
| libevent_free: release ptr-libevent@0x559e01c61bf8
| libevent_free: release ptr-libevent@0x559e01c625c8
| libevent_free: release ptr-libevent@0x559e01c7a848
| libevent_free: release ptr-libevent@0x559e01c7a798
| libevent_free: release ptr-libevent@0x559e01c7a6e8
| libevent_free: release ptr-libevent@0x559e01c7a638
| libevent_free: release ptr-libevent@0x559e01c7a588
| libevent_free: release ptr-libevent@0x559e01c7a4d8
| libevent_free: release ptr-libevent@0x559e01c003a8
| libevent_free: release ptr-libevent@0x559e01c79c88
| libevent_free: release ptr-libevent@0x559e01c79c48
| libevent_free: release ptr-libevent@0x559e01c79bc8
| libevent_free: release ptr-libevent@0x559e01c79d98
| libevent_free: release ptr-libevent@0x559e01c79a98
| libevent_free: release ptr-libevent@0x559e01bd7908
| libevent_free: release ptr-libevent@0x559e01bd7d38
| libevent_free: release ptr-libevent@0x559e01c00718
| releasing global libevent data
| libevent_free: release ptr-libevent@0x559e01bd7988
| libevent_free: release ptr-libevent@0x559e01bd7cd8
| libevent_free: release ptr-libevent@0x559e01bd7dd8
leak detective found no leaks